I'm trying to (reversibly) disable USB HID support on a Raspbian Jessie install, kernel version 4.4.16-v7+. We need to have the Raspberry Pi in a semi-public space and display stuff on a TV, and we'd like to make it at least somewhat hard to mess with it.
So far I've managed to make the usbhid module removable from the kernel via rmmod. After rmmod'ing the module, tt seems, though, that each time I plug in a USB keyboard or mouse, the device driver gets loaded back into the Kernel.
Is there any way to prevent that?
udev is the best and easiest way doing that, add a new rule in e.g.:
/etc/udev/rules.d/99-disable-usb-hid.rules:
SUBSYSTEMS=="usb", DRIVERS=="usbhid", ACTION=="add", ATTR{authorized}="0"
and restart udev.
I've just tested it in Debian Jessie ARM 4.4.16.
I can think of two options:
EASIER:
Blacklist the kernel module inside /etc/modprobe.d/blacklist.conf by adding:
blacklist usbhid
Make sure that you do this as root by using sudo or logging in as root, otherwise this file is read-only.
HARDER:
If you have the capacity to recompile the kernel that you are using then you could set CONFIG_USB_HID=n in the kernel configuration file to disable usbhid entirely.
You could follow Raspberry Pi's kernel building steps, and once you have everything all set to build, you can modify the configuration file so that CONFIG_USB_HID=n. You could do this during a menuconfig or the way I usually do it, which is by editing the hidden .config file after running a make defconfig. See linux kernel in a nutshell for more information on configuring and building the linux kernel.
Since Raspberry Pi is ARM, and I'm assuming your computer is x86, you will need to set up a cross-compiler toolchain. That information should be foud in the RasPi's kernel building steps as well.
Then continue following RasPi's kernel building steps to get the kernel onto your Raspberry Pi. This should solve the problem of having usbhid showing up. It won't be baked into the kernel in the first place.