From 947278438a5cc469a263a03cd15f73f40492d654 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Wed, 30 Jun 2021 13:26:48 +0200
Subject: [PATCH] Add insertRule method * add ruleset names * add insertRule
 method into USBGuard interface * add ruleset option to append-rule command

---
 doc/man/usbguard.1.adoc                    |  8 ++-
 scripts/bash_completion/usbguard           |  5 +-
 scripts/usbguard-zsh-completion            |  1 +
 src/CLI/usbguard-append-rule.cpp           | 23 +++++--
 src/DBus/DBusBridge.cpp                    | 15 ++++-
 src/DBus/DBusInterface.xml                 | 24 +++++++
 src/DBus/org.usbguard1.policy              |  9 +++
 src/Daemon/Daemon.cpp                      | 19 ++++++
 src/Daemon/Daemon.hpp                      |  1 +
 src/Daemon/FileRuleSet.cpp                 |  2 +
 src/Daemon/RuleSetFactory.cpp              |  2 +-
 src/Library/IPC/Policy.proto               | 18 +++++
 src/Library/IPCClientPrivate.cpp           | 21 ++++--
 src/Library/IPCClientPrivate.hpp           |  4 +-
 src/Library/IPCPrivate.cpp                 | 13 ++--
 src/Library/IPCServerPrivate.cpp           | 28 +++++++-
 src/Library/IPCServerPrivate.hpp           |  1 +
 src/Library/public/usbguard/IPCClient.cpp  |  8 ++-
 src/Library/public/usbguard/IPCClient.hpp  |  8 ++-
 src/Library/public/usbguard/Interface.hpp  | 19 ++++++
 src/Library/public/usbguard/Policy.cpp     | 77 ++++++++++++++--------
 src/Library/public/usbguard/Policy.hpp     | 37 +++++++++++
 src/Library/public/usbguard/RuleParser.cpp |  4 +-
 src/Library/public/usbguard/RuleSet.cpp    | 23 +++++++
 src/Library/public/usbguard/RuleSet.hpp    |  6 ++
 25 files changed, 319 insertions(+), 57 deletions(-)

diff --git a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc
index 84b4f9bb..2e0d37b2 100644
--- a/doc/man/usbguard.1.adoc
+++ b/doc/man/usbguard.1.adoc
@@ -157,7 +157,13 @@ Append the 'rule' to the current rule set.
 Available options:
 
 *-a, --after* 'id'::
-    Append the new rule after a rule with the specified rule 'id'.
+    Append the new rule after a rule with the specified rule 'id'
+    instead of appending it at the end of the rule set.
+    If 'id' is 0, then the rule is appended to the beginning
+    of the rule set.
+
+*-r, --ruleset* 'prefix'::
+    Append the new rule into a rule set with specified prefix.
 
 *-t, --temporary*::
     Make the decision temporary. The rule policy file will not be updated.
diff --git a/scripts/bash_completion/usbguard b/scripts/bash_completion/usbguard
index 721bf1d8..8b50b745 100755
--- a/scripts/bash_completion/usbguard
+++ b/scripts/bash_completion/usbguard
@@ -303,11 +303,14 @@ function _usbguard()
                 if _usbguard_contains "-a --after" $prev; then
                     opts=$(_usbguard_get_rules || :)
 
+                elif _usbguard_contains "-r --ruleset" $prev; then
+                    return 0
+
                 elif ! _usbguard_in_option && [[ $args -eq 2 ]]; then
                     return 0
 
                 else
-                    opts="$opts -a --after -t --temporary"
+                    opts="$opts -a --after -r --ruleset -t --temporary"
                 fi
                 ;;
 
diff --git a/scripts/usbguard-zsh-completion b/scripts/usbguard-zsh-completion
index d98089a0..48f5493c 100644
--- a/scripts/usbguard-zsh-completion
+++ b/scripts/usbguard-zsh-completion
@@ -113,6 +113,7 @@ case $state in
           '<rule>[rule]'
         _command_args=( \
           '(--after)--after <id>[Append the new rule after a rule with the specified id instead of appending it]' \
+          '(--ruleset)--ruleset <prefix>[Append the new rule into a rule set with specified prefix.]' \
           '(--help)--help[Show help]'
         )
         ;;
diff --git a/src/CLI/usbguard-append-rule.cpp b/src/CLI/usbguard-append-rule.cpp
index beb5f49e..753dddba 100644
--- a/src/CLI/usbguard-append-rule.cpp
+++ b/src/CLI/usbguard-append-rule.cpp
@@ -29,11 +29,12 @@
 
 namespace usbguard
 {
-  static const char* options_short = "ha:t";
+  static const char* options_short = "ha:r:t";
 
   static const struct ::option options_long[] = {
     { "help", no_argument, nullptr, 'h' },
     { "after", required_argument, nullptr, 'a' },
+    { "ruleset", required_argument, nullptr, 'r' },
     { "temporary", no_argument, nullptr, 't' },
     { nullptr, 0, nullptr, 0 }
   };
@@ -43,17 +44,21 @@ namespace usbguard
     stream << " Usage: " << usbguard_arg0 << " append-rule [OPTIONS] <rule>" << std::endl;
     stream << std::endl;
     stream << " Options:" << std::endl;
-    stream << "  -a, --after <id>  Append the new rule after a rule with the specified id" << std::endl;
-    stream << "                    instead of appending it at the end of the rule set." << std::endl;
-    stream << "  -t, --temporary   Make the decision temporary. The rule policy file will not" << std::endl;
-    stream << "                    be updated." << std::endl;
-    stream << "  -h, --help        Show this help." << std::endl;
+    stream << "  -a, --after <id>       Append the new rule after a rule with the specified id" << std::endl;
+    stream << "                         instead of appending it at the end of the rule set." << std::endl;
+    stream << "                         If 'id' is 0, then the rule is appended to the beginning" << std::endl;
+    stream << "                         of the rule set." << std::endl;
+    stream << "  -r, --ruleset <prefix> Append the new rule into a ruleset with specified prefix." << std::endl;
+    stream << "  -t, --temporary        Make the decision temporary. The rule policy file will not" << std::endl;
+    stream << "                         be updated." << std::endl;
+    stream << "  -h, --help             Show this help." << std::endl;
     stream << std::endl;
   }
 
   int usbguard_append_rule(int argc, char* argv[])
   {
     uint32_t parent_id = usbguard::Rule::LastID;
+    std::string ruleset;
     bool permanent = true;
     int opt = 0;
 
@@ -67,6 +72,10 @@ namespace usbguard
         parent_id = std::stoul(optarg);
         break;
 
+      case 'r':
+        ruleset = optarg;
+        break;
+
       case 't':
         permanent = false;
         break;
@@ -89,7 +98,7 @@ namespace usbguard
 
     usbguard::IPCClient ipc(/*connected=*/true);
     const std::string rule_spec = argv[0];
-    const uint32_t id = ipc.appendRule(rule_spec, parent_id, permanent);
+    const uint32_t id = ipc.insertRule(rule_spec, parent_id, ruleset, permanent);
     std::cout << id << std::endl;
     return EXIT_SUCCESS;
   }
diff --git a/src/DBus/DBusBridge.cpp b/src/DBus/DBusBridge.cpp
index 76471e7b..fdef0d58 100644
--- a/src/DBus/DBusBridge.cpp
+++ b/src/DBus/DBusBridge.cpp
@@ -135,6 +135,19 @@ namespace usbguard
       return;
     }
 
+    if (method_name == "insertRule") {
+      const char* rule_spec_cstr = nullptr;
+      uint32_t parent_id = 0;
+      const char* ruleset_cstr = nullptr;
+      gboolean temporary = false;
+      g_variant_get(parameters, "(&sub)", &rule_spec_cstr, &parent_id, &ruleset_cstr, &temporary);
+      std::string rule_spec(rule_spec_cstr);
+      std::string ruleset(ruleset_cstr);
+      const uint32_t rule_id = insertRule(rule_spec, parent_id, ruleset, !temporary);
+      g_dbus_method_invocation_return_value(invocation, g_variant_new("(u)", rule_id));
+      return;
+    }
+
     if (method_name == "appendRule") {
       const char* rule_spec_cstr = nullptr;
       uint32_t parent_id = 0;
@@ -337,11 +350,9 @@ namespace usbguard
     g_variant_builder_add(builder, "{ss}",
       "with-interface",
       with_interface_string.c_str());
-
     g_variant_builder_add(builder, "{ss}",
       "with-connect-type",
       device_rule.getWithConnectType().c_str());
-
     return builder;
   }
 } /* namespace usbguard */
diff --git a/src/DBus/DBusInterface.xml b/src/DBus/DBusInterface.xml
index 3b78fe9c..91c996e9 100644
--- a/src/DBus/DBusInterface.xml
+++ b/src/DBus/DBusInterface.xml
@@ -74,6 +74,30 @@
       <arg name="ruleset" direction="out" type="a(us)"/>
     </method>
 
+    <!--
+      insertRule:
+       @rule: The rule that should be appended to the policy.
+       @parent_id: Rule id of the parent rule.
+       @ruleset: Prefix of a ruleset where the rule should be appended.
+       @temporary: A boolean to avoid adding this rule to the policy file.
+       @id: The rule id assigned to the succesfully appended rule.
+
+      Append a new rule to the current policy. Using the parent_id
+      parameter and ruleset prefix, the rule can be inserted anywhere in the
+      policy. 4294967293 (UINT32_MAX-2) is the last possible
+      ID and thus, when using this as parent_id, the rule is effectively
+      appended to the end of the ruleset. If parent_id is 0, the rule is
+      appended to the beginning of the ruleset. When the rule is successfully
+      appended, the id assigned to the new rule is returned.
+     -->
+    <method name="insertRule">
+      <arg name="rule" direction="in" type="s"/>
+      <arg name="parent_id" direction="in" type="u"/>
+      <arg name="ruleset" direction="in" type="s"/>
+      <arg name="temporary" direction="in" type="b"/>
+      <arg name="id" direction="out" type="u"/>
+    </method>
+
     <!--
       appendRule:
        @rule: The rule that should be appended to the policy.
diff --git a/src/DBus/org.usbguard1.policy b/src/DBus/org.usbguard1.policy
index ce842393..aa8cf340 100644
--- a/src/DBus/org.usbguard1.policy
+++ b/src/DBus/org.usbguard1.policy
@@ -15,6 +15,15 @@
     </defaults>
   </action>
 
+  <action id="org.usbguard.Policy1.insertRule">
+    <description>Append a new rule to the policy</description>
+    <message>Prevents from appending rules to the USBGuard policy</message>
+    <defaults>
+      <allow_inactive>no</allow_inactive>
+      <allow_active>auth_admin</allow_active>
+    </defaults>
+  </action>
+
   <action id="org.usbguard.Policy1.appendRule">
     <description>Append a new rule to the policy</description>
     <message>Prevents from appending rules to the USBGuard policy</message>
diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
index 9dd5fbc4..e934a157 100644
--- a/src/Daemon/Daemon.cpp
+++ b/src/Daemon/Daemon.cpp
@@ -730,6 +730,25 @@ namespace usbguard
     }
   }
 
+  uint32_t Daemon::insertRule(const std::string& rule_spec,
+    uint32_t parent_id, const std::string& ruleset, bool permanent)
+  {
+    USBGUARD_LOG(Trace) << "entry:"
+      << " rule_spec=" << rule_spec
+      << " parent_id=" << parent_id
+      << " ruleset=" << ruleset;
+    const Rule rule = Rule::fromString(rule_spec);
+    /* TODO: reevaluate the firewall rules for all active devices */
+    const uint32_t id = _policy.insertRule(rule, parent_id, ruleset);
+
+    if (_config.hasSettingValue("RuleFile") && permanent) {
+      _policy.save();
+    }
+
+    USBGUARD_LOG(Trace) << "return: id=" << id;
+    return id;
+  }
+
   uint32_t Daemon::appendRule(const std::string& rule_spec,
     uint32_t parent_id, bool permanent)
   {
diff --git a/src/Daemon/Daemon.hpp b/src/Daemon/Daemon.hpp
index a9681c65..0787b033 100644
--- a/src/Daemon/Daemon.hpp
+++ b/src/Daemon/Daemon.hpp
@@ -87,6 +87,7 @@ namespace usbguard
     std::string setParameter(const std::string& name, const std::string& value) override;
     std::string getParameter(const std::string& name) override;
 
+    uint32_t insertRule(const std::string& rule_spec, uint32_t parent_id, const std::string& ruleset, bool permanent) override;
     uint32_t appendRule(const std::string& rule_spec, uint32_t parent_id, bool permanent) override;
     void removeRule(uint32_t id) override;
     const std::vector<Rule> listRules(const std::string& query) override;
diff --git a/src/Daemon/FileRuleSet.cpp b/src/Daemon/FileRuleSet.cpp
index 36e21263..1fc4af56 100644
--- a/src/Daemon/FileRuleSet.cpp
+++ b/src/Daemon/FileRuleSet.cpp
@@ -22,6 +22,7 @@
 
 #include "FileRuleSet.hpp"
 
+#include "Common/Utility.hpp"
 #include "usbguard/Typedefs.hpp"
 #include "usbguard/Rule.hpp"
 #include "usbguard/RuleParser.hpp"
@@ -36,6 +37,7 @@ namespace usbguard
     : RuleSet(interface_ptr),
       _rulesPath(path)
   {
+    setName(filenameFromPath(path, false));
     setWritable();
     USBGUARD_LOG(Info) << "Creating FileRuleSet";
   }
diff --git a/src/Daemon/RuleSetFactory.cpp b/src/Daemon/RuleSetFactory.cpp
index 32cc2156..8d964175 100644
--- a/src/Daemon/RuleSetFactory.cpp
+++ b/src/Daemon/RuleSetFactory.cpp
@@ -75,7 +75,7 @@ namespace usbguard
         }
       }
 
-      if (ruleSet.empty()){
+      if (ruleSet.empty()) {
         USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
         ruleSet = generateDefaultRuleSet();
       }
diff --git a/src/Library/IPC/Policy.proto b/src/Library/IPC/Policy.proto
index 46fe9777..a82d2c7b 100644
--- a/src/Library/IPC/Policy.proto
+++ b/src/Library/IPC/Policy.proto
@@ -18,6 +18,24 @@ message listRules {
 }
 
 
+message insertRuleRequest {
+  required string rule = 1;
+  required uint32 parent_id = 2;
+  required string ruleset = 3;
+  required bool permanent = 4;
+}
+
+message insertRuleResponse {
+  required uint32 id = 1;
+}
+
+message insertRule {
+  required MessageHeader header = 1;
+  required insertRuleRequest request = 2;
+  optional insertRuleResponse response = 3;
+}
+
+
 message appendRuleRequest {
   required string rule = 1;
   required uint32 parent_id = 2;
diff --git a/src/Library/IPCClientPrivate.cpp b/src/Library/IPCClientPrivate.cpp
index 5ba6c02e..5a19fb21 100644
--- a/src/Library/IPCClientPrivate.cpp
+++ b/src/Library/IPCClientPrivate.cpp
@@ -77,6 +77,7 @@ namespace usbguard
     registerHandler<IPC::getParameter>(&IPCClientPrivate::handleMethodResponse);
     registerHandler<IPC::setParameter>(&IPCClientPrivate::handleMethodResponse);
     registerHandler<IPC::listRules>(&IPCClientPrivate::handleMethodResponse);
+    registerHandler<IPC::insertRule>(&IPCClientPrivate::handleMethodResponse);
     registerHandler<IPC::appendRule>(&IPCClientPrivate::handleMethodResponse);
     registerHandler<IPC::removeRule>(&IPCClientPrivate::handleMethodResponse);
     registerHandler<IPC::applyDevicePolicy>(&IPCClientPrivate::handleMethodResponse);
@@ -143,7 +144,6 @@ namespace usbguard
       << " do_wait=" << do_wait;
     USBGUARD_LOG(Trace) << "_qb_conn=" << _qb_conn
       << " _qb_fd=" << _qb_fd;
-
     std::unique_lock<std::mutex> disconnect_lock(_disconnect_mutex);
 
     if (_qb_conn != nullptr && _qb_fd >= 0) {
@@ -386,6 +386,18 @@ namespace usbguard
     return message_in->response().value();
   }
 
+  uint32_t IPCClientPrivate::insertRule(const std::string& rule_spec,
+    uint32_t parent_id, const std::string& ruleset, bool permanent)
+  {
+    IPC::insertRule message_out;
+    message_out.mutable_request()->set_rule(rule_spec);
+    message_out.mutable_request()->set_parent_id(parent_id);
+    message_out.mutable_request()->set_ruleset(ruleset);
+    message_out.mutable_request()->set_permanent(permanent);
+    auto message_in = qbIPCSendRecvMessage(message_out);
+    return message_in->response().id();
+  }
+
   uint32_t IPCClientPrivate::appendRule(const std::string& rule_spec, uint32_t parent_id, bool permanent)
   {
     IPC::appendRule message_out;
@@ -445,16 +457,17 @@ namespace usbguard
     return devices;
   }
 
-  bool IPCClientPrivate::checkIPCPermissions(const IPCServer::AccessControl::Section& section, const IPCServer::AccessControl::Privilege& privilege)
+  bool IPCClientPrivate::checkIPCPermissions(const IPCServer::AccessControl::Section& section,
+    const IPCServer::AccessControl::Privilege& privilege)
   {
     IPC::checkIPCPermissions message_out;
     message_out.mutable_request()->set_uid(getuid());
     message_out.mutable_request()->set_gid(getgid());
     message_out.mutable_request()->set_section(
-        IPCServer::AccessControl::sectionToString(section)
+      IPCServer::AccessControl::sectionToString(section)
     );
     message_out.mutable_request()->set_privilege(
-        IPCServer::AccessControl::privilegeToString(privilege)
+      IPCServer::AccessControl::privilegeToString(privilege)
     );
     auto message_in = qbIPCSendRecvMessage(message_out);
     return message_in->response().permit();
diff --git a/src/Library/IPCClientPrivate.hpp b/src/Library/IPCClientPrivate.hpp
index 35ff50ca..11e858b0 100644
--- a/src/Library/IPCClientPrivate.hpp
+++ b/src/Library/IPCClientPrivate.hpp
@@ -58,6 +58,7 @@ namespace usbguard
     std::string setParameter(const std::string& name, const std::string& value);
     std::string getParameter(const std::string& name);
 
+    uint32_t insertRule(const std::string& rule_spec, uint32_t parent_id, const std::string& ruleset, bool permanent);
     uint32_t appendRule(const std::string& rule_spec, uint32_t parent_id, bool permanent);
     void removeRule(uint32_t id);
     const std::vector<Rule> listRules(const std::string& label);
@@ -65,7 +66,8 @@ namespace usbguard
     uint32_t applyDevicePolicy(uint32_t id, Rule::Target target, bool permanent);
     const std::vector<Rule> listDevices(const std::string& query);
 
-    bool checkIPCPermissions(const IPCServer::AccessControl::Section& section, const IPCServer::AccessControl::Privilege& privilege);
+    bool checkIPCPermissions(const IPCServer::AccessControl::Section& section,
+      const IPCServer::AccessControl::Privilege& privilege);
 
     void processReceiveEvent();
 
diff --git a/src/Library/IPCPrivate.cpp b/src/Library/IPCPrivate.cpp
index 2a661e95..308b6196 100644
--- a/src/Library/IPCPrivate.cpp
+++ b/src/Library/IPCPrivate.cpp
@@ -40,12 +40,13 @@ namespace usbguard
     { 0x04, "usbguard.IPC.DevicePolicyChangedSignal" },
     { 0x05, "usbguard.IPC.PropertyParameterChangedSignal" },
     { 0x06, "usbguard.IPC.listRules" },
-    { 0x07, "usbguard.IPC.appendRule" },
-    { 0x08, "usbguard.IPC.removeRule" },
-    { 0x09, "usbguard.IPC.Exception" },
-    { 0x0a, "usbguard.IPC.getParameter" },
-    { 0x0b, "usbguard.IPC.setParameter" },
-    { 0x0c, "usbguard.IPC.checkIPCPermissions" }
+    { 0x07, "usbguard.IPC.insertRule" },
+    { 0x08, "usbguard.IPC.appendRule" },
+    { 0x09, "usbguard.IPC.removeRule" },
+    { 0x0a, "usbguard.IPC.Exception" },
+    { 0x0b, "usbguard.IPC.getParameter" },
+    { 0x0c, "usbguard.IPC.setParameter" },
+    { 0x0d, "usbguard.IPC.checkIPCPermissions" }
   };
 
   uint32_t IPC::messageTypeNameToNumber(const std::string& name)
diff --git a/src/Library/IPCServerPrivate.cpp b/src/Library/IPCServerPrivate.cpp
index b1343f98..c751f487 100644
--- a/src/Library/IPCServerPrivate.cpp
+++ b/src/Library/IPCServerPrivate.cpp
@@ -70,6 +70,8 @@ namespace usbguard
       throw;
     }
 
+    registerHandler<IPC::insertRule>(&IPCServerPrivate::handleInsertRule, IPCServer::AccessControl::Section::POLICY,
+      IPCServer::AccessControl::Privilege::MODIFY);
     registerHandler<IPC::appendRule>(&IPCServerPrivate::handleAppendRule, IPCServer::AccessControl::Section::POLICY,
       IPCServer::AccessControl::Privilege::MODIFY);
     registerHandler<IPC::removeRule>(&IPCServerPrivate::handleRemoveRule, IPCServer::AccessControl::Section::POLICY,
@@ -842,6 +844,29 @@ namespace usbguard
     }
   }
 
+  void IPCServerPrivate::handleInsertRule(IPC::MessagePointer& request, IPC::MessagePointer& response)
+  {
+    /*
+     * Get request field values.
+     */
+    const IPC::insertRule* const message_in = static_cast<const IPC::insertRule*>(request.get());
+    const std::string rule = message_in->request().rule();
+    const uint32_t parent_id = message_in->request().parent_id();
+    const std::string ruleset = message_in->request().ruleset();
+    const bool permanent = message_in->request().permanent();
+    /*
+     * Execute the method.
+     */
+    const uint32_t id = _p_instance.insertRule(rule, parent_id, ruleset, permanent);
+    /*
+     * Construct the response.
+     */
+    IPC::insertRule* const message_out = message_in->New();
+    message_out->MergeFrom(*message_in);
+    message_out->mutable_response()->set_id(id);
+    response.reset(message_out);
+  }
+
   void IPCServerPrivate::handleAppendRule(IPC::MessagePointer& request, IPC::MessagePointer& response)
   {
     /*
@@ -1000,7 +1025,8 @@ namespace usbguard
     IPCServer::AccessControl access_control = IPCServer::AccessControl();
     const bool auth = qbIPCConnectionAllowed(uid, gid, &access_control);
     IPCServer::AccessControl::Section section = IPCServer::AccessControl::sectionFromString(message_in->request().section());
-    IPCServer::AccessControl::Privilege privilege = IPCServer::AccessControl::privilegeFromString(message_in->request().privilege());
+    IPCServer::AccessControl::Privilege privilege = IPCServer::AccessControl::privilegeFromString(
+        message_in->request().privilege());
     const bool permit = auth && access_control.hasPrivilege(section, privilege);
     IPC::checkIPCPermissions* const message_out = message_in->New();
     message_out->MergeFrom(*message_in);
diff --git a/src/Library/IPCServerPrivate.hpp b/src/Library/IPCServerPrivate.hpp
index 98ebf9ca..69a4283e 100644
--- a/src/Library/IPCServerPrivate.hpp
+++ b/src/Library/IPCServerPrivate.hpp
@@ -133,6 +133,7 @@ namespace usbguard
       _handlers.emplace(type_number, MessageHandler::create<T>(*this, method, section, privilege));
     }
 
+    void handleInsertRule(IPC::MessagePointer& request, IPC::MessagePointer& response);
     void handleAppendRule(IPC::MessagePointer& request, IPC::MessagePointer& response);
     void handleRemoveRule(IPC::MessagePointer& request, IPC::MessagePointer& response);
     void handleListRules(IPC::MessagePointer& request, IPC::MessagePointer& response);
diff --git a/src/Library/public/usbguard/IPCClient.cpp b/src/Library/public/usbguard/IPCClient.cpp
index 9f76e8a5..0cfbec43 100644
--- a/src/Library/public/usbguard/IPCClient.cpp
+++ b/src/Library/public/usbguard/IPCClient.cpp
@@ -62,6 +62,11 @@ namespace usbguard
     return d_pointer->getParameter(name);
   }
 
+  uint32_t IPCClient::insertRule(const std::string& rule_spec, uint32_t parent_id, const std::string& ruleset, bool permanent)
+  {
+    return d_pointer->insertRule(rule_spec, parent_id, ruleset, permanent);
+  }
+
   uint32_t IPCClient::appendRule(const std::string& rule_spec, uint32_t parent_id, bool permanent)
   {
     return d_pointer->appendRule(rule_spec, parent_id, permanent);
@@ -87,7 +92,8 @@ namespace usbguard
     return d_pointer->listDevices(query);
   }
 
-  bool IPCClient::checkIPCPermissions(const IPCServer::AccessControl::Section& section, const IPCServer::AccessControl::Privilege& privilege)
+  bool IPCClient::checkIPCPermissions(const IPCServer::AccessControl::Section& section,
+    const IPCServer::AccessControl::Privilege& privilege)
   {
     return d_pointer->checkIPCPermissions(section, privilege);
   }
diff --git a/src/Library/public/usbguard/IPCClient.hpp b/src/Library/public/usbguard/IPCClient.hpp
index 1675d4d3..219b86ac 100644
--- a/src/Library/public/usbguard/IPCClient.hpp
+++ b/src/Library/public/usbguard/IPCClient.hpp
@@ -105,6 +105,11 @@ namespace usbguard
      */
     std::string getParameter(const std::string& name) override;
 
+    /**
+     * @copydoc Interface::insertRule()
+     */
+    uint32_t insertRule(const std::string& rule_spec, uint32_t parent_id, const std::string& ruleset, bool permanent) override;
+
     /**
      * @copydoc Interface::appendRule()
      */
@@ -163,7 +168,8 @@ namespace usbguard
      * @return True if IPC client has enough permission
      * for (section, privilege), otherwise false.
      */
-    bool checkIPCPermissions(const IPCServer::AccessControl::Section& section, const IPCServer::AccessControl::Privilege& privilege);
+    bool checkIPCPermissions(const IPCServer::AccessControl::Section& section,
+      const IPCServer::AccessControl::Privilege& privilege);
 
     /**
      * @brief Defines algorithm to perform in the case of IPC connection.
diff --git a/src/Library/public/usbguard/Interface.hpp b/src/Library/public/usbguard/Interface.hpp
index 8cf1d55c..8d093012 100644
--- a/src/Library/public/usbguard/Interface.hpp
+++ b/src/Library/public/usbguard/Interface.hpp
@@ -66,6 +66,25 @@ namespace usbguard
      ******************************* METHODS *********************************
      *************************************************************************/
 
+    /**
+     * @brief Inserts \p rule into a \p ruleset after a rule with \p parent_id
+     *
+     * @param rule_spec Rule to insert. If this rule has a default ID,
+     * it will be assigned a new one
+     * @param parent_id Specifies a rule after which the rule should be inserted.
+     * If \p parent_id is 0, then the rule is inserted at the beginning of a ruleset.
+     * If \p parent_id is not set, then the rule is inserted at the end of a ruleset
+     * @param ruleset Specifies a ruleset by it's name prefix. The rule can be
+     * inserted only into this ruleset. If \p ruleset is not set, all rulesets
+     * will be searched for \p parent_id
+     * @param permanent When set, the ruleset is saved into a file.
+     * @return ID of inserted rule
+     * @throw Exception If this method fails to find a \p ruleset or a rule
+     * with \p parent_id
+     */
+    virtual uint32_t insertRule(const std::string& rule_spec,
+      uint32_t parent_id, const std::string& ruleset, bool permanent) = 0;
+
     /**
      * @brief Append a new rule to the current policy.
      *
diff --git a/src/Library/public/usbguard/Policy.cpp b/src/Library/public/usbguard/Policy.cpp
index 8ebf997d..631c1e53 100644
--- a/src/Library/public/usbguard/Policy.cpp
+++ b/src/Library/public/usbguard/Policy.cpp
@@ -55,42 +55,58 @@ namespace usbguard
     return _defaultTarget;
   }
 
-  uint32_t Policy::appendRule(const Rule& _rule, uint32_t parent_id)
+  std::shared_ptr<RuleSet> Policy::findRuleSetByRuleId(uint32_t rule_id) const
   {
-    USBGUARD_LOG(Trace) << "parent_id=" << parent_id;
-    auto rule = std::make_shared<Rule>(_rule);
+    if (rule_id == 0) {
+      return _rulesets_ptr.front();
+    }
 
-    // If the parent_id is set to Rule::LastID then we get the the ID of the last rule in rulesets
-    if (parent_id == Rule::LastID) {
-      auto ruleset = _rulesets_ptr.back();
+    if (rule_id == Rule::LastID) {
+      return _rulesets_ptr.back();
+    }
 
-      if (rule->getRuleID() == Rule::DefaultID) {
-        assignID(rule);
+    for (auto ruleset : _rulesets_ptr) {
+      for (const auto& rule : ruleset->getRules()) {
+        if (rule->getRuleID() == rule_id) {
+          return ruleset;
+        }
       }
-
-      auto rules = ruleset->getRules();
-      return ruleset->appendRule(*rule);
     }
 
+    return nullptr;
+  }
+
+  std::shared_ptr<RuleSet> Policy::findRuleSetByPrefix(const std::string& prefix) const
+  {
     for (auto ruleset : _rulesets_ptr) {
-      try {
-        // Find if rule with parent_id is in the ruleset
-        auto _parent_rule = ruleset->getRule(parent_id);
+      if (ruleset->getName().substr(0, prefix.length()) == prefix) {
+        return ruleset;
+      }
+    }
 
-        /* if the method did not throw the exception that means the parent_id is
-        in the ruleset and now we will try to append the rule */
-        if (rule->getRuleID() == Rule::DefaultID) {
-          assignID(rule);
-        }
+    return nullptr;
+  }
 
-        return ruleset->appendRule(*rule, parent_id);
-      }
-      catch (const std::exception& e) {
-        continue;
-      }
+  uint32_t Policy::insertRule(const Rule& rule, uint32_t parent_id, const std::string& ruleset)
+  {
+    USBGUARD_LOG(Trace) << "parent_id=" << parent_id << " ruleset=" << ruleset;
+    auto _rule = std::make_shared<Rule>(rule);
+    auto _ruleset = ruleset.empty() ? findRuleSetByRuleId(parent_id) : findRuleSetByPrefix(ruleset);
+
+    if (_ruleset == nullptr) {
+      throw Exception("Policy insert", "rule", "Failed to find a ruleset");
+    }
+
+    if (parent_id != 0 && parent_id != Rule::LastID && !_ruleset->hasRule(parent_id)) {
+      throw Exception("Policy insert", "rule", "Ruleset does not contain rule with given id");
     }
 
-    throw Exception("Policy append", "rule", "Invalid parent ID");
+    return _ruleset->appendRule(*_rule, parent_id);
+  }
+
+  uint32_t Policy::appendRule(const Rule& _rule, uint32_t parent_id)
+  {
+    return insertRule(_rule, parent_id);
   }
 
   /*
@@ -114,10 +130,13 @@ namespace usbguard
 
     for (auto ruleset : _rulesets_ptr) {
       uint32_t id = ruleset->upsertRule(match_rule, new_rule, parent_insensitive);
-      if (id == Rule::DefaultID)
-	continue;
-      else
-	return id;
+
+      if (id == Rule::DefaultID) {
+        continue;
+      }
+      else {
+        return id;
+      }
     }
 
     return _rulesets_ptr.back()->appendRule(new_rule, Rule::LastID, /*lock*/true);
diff --git a/src/Library/public/usbguard/Policy.hpp b/src/Library/public/usbguard/Policy.hpp
index 014c78eb..26649dfd 100644
--- a/src/Library/public/usbguard/Policy.hpp
+++ b/src/Library/public/usbguard/Policy.hpp
@@ -44,6 +44,24 @@ namespace usbguard
     void setDefaultTarget(Rule::Target target);
     Rule::Target getDefaultTarget() const;
     void setDefaultAction(const std::string& action);
+
+    /**
+     * @brief Inserts \p rule into a \p ruleset after a rule with \p parent_id
+     *
+     * @param rule Rule to insert. If this rule has a default ID,
+     * it will be assigned a new one
+     * @param parent_id Specifies a rule after which the rule should be inserted.
+     * If \p parent_id is 0, then the rule is inserted at the beginning of a ruleset.
+     * If \p parent_id is not set, then the rule is inserted at the end of a ruleset
+     * @param ruleset Specifies a ruleset by it's name prefix. The rule can be
+     * inserted only into this ruleset. If \p ruleset is not set, all rulesets
+     * will be searched for \p parent_id
+     * @return ID of inserted rule
+     * @throw Exception If this method fails to find a \p ruleset or a rule
+     * with \p parent_id
+     */
+    uint32_t insertRule(const Rule& rule, uint32_t parent_id = Rule::LastID, const std::string& ruleset = "");
+
     uint32_t appendRule(const Rule& rule, uint32_t parent_id = Rule::LastID);
     uint32_t upsertRule(const Rule& match_rule, const Rule& new_rule, bool parent_insensitive = false);
     std::shared_ptr<Rule> getRule(uint32_t id);
@@ -65,6 +83,25 @@ namespace usbguard
     static std::string eventTypeToString(EventType event);
   private:
 
+    /**
+     * @brief Looks for the first ruleset containing a rule with \p rule_id
+     *
+     * @param rule_id Rule ID
+     * @return Ruleset that contains a rule with \p rule_id or nullptr
+     * if such ruleset doesn't exist. If \p rule_id is 0, first ruleset is
+     * returned. If \p rule_id is Rule::LastID, last ruleset is returned
+     */
+    std::shared_ptr<RuleSet> findRuleSetByRuleId(uint32_t rule_id) const;
+
+    /**
+     * @brief Looks for the first ruleset whose name is prefixed with \p prefix
+     *
+     * @param prefix Ruleset prefix to match
+     * @return Ruleset whose name is prefixed with \p prefix or nullptr if such
+     * ruleset doesn't exist
+     */
+    std::shared_ptr<RuleSet> findRuleSetByPrefix(const std::string& prefix) const;
+
     std::vector<std::shared_ptr<RuleSet>> _rulesets_ptr;
     Rule::Target _defaultTarget;
   };
diff --git a/src/Library/public/usbguard/RuleParser.cpp b/src/Library/public/usbguard/RuleParser.cpp
index 288d81e8..183117c1 100644
--- a/src/Library/public/usbguard/RuleParser.cpp
+++ b/src/Library/public/usbguard/RuleParser.cpp
@@ -35,9 +35,9 @@
 #include <stdlib.h>
 
 #if TAO_PEGTL_VERSION_MAJOR >= 3
-#include <tao/pegtl/contrib/trace.hpp>
+  #include <tao/pegtl/contrib/trace.hpp>
 #else
-#include <tao/pegtl/contrib/tracer.hpp>
+  #include <tao/pegtl/contrib/tracer.hpp>
 #endif
 
 namespace usbguard
diff --git a/src/Library/public/usbguard/RuleSet.cpp b/src/Library/public/usbguard/RuleSet.cpp
index f5342429..bd0c62b9 100644
--- a/src/Library/public/usbguard/RuleSet.cpp
+++ b/src/Library/public/usbguard/RuleSet.cpp
@@ -57,6 +57,16 @@ namespace usbguard
     return *this;
   }
 
+  void RuleSet::setName(const std::string& name)
+  {
+    _name = name;
+  }
+
+  const std::string& RuleSet::getName() const
+  {
+    return _name;
+  }
+
   void RuleSet::setDefaultTarget(Rule::Target target)
   {
     std::unique_lock<std::mutex> op_lock(_op_mutex);
@@ -151,6 +161,19 @@ namespace usbguard
     }
   }
 
+  bool RuleSet::hasRule(uint32_t id) const
+  {
+    std::unique_lock<std::mutex> op_lock(_op_mutex);
+
+    for (auto const& rule : _rules) {
+      if (rule->getRuleID() == id) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
   std::shared_ptr<Rule> RuleSet::getRule(uint32_t id)
   {
     std::unique_lock<std::mutex> op_lock(_op_mutex);
diff --git a/src/Library/public/usbguard/RuleSet.hpp b/src/Library/public/usbguard/RuleSet.hpp
index 31549c9f..d0bb6ee2 100644
--- a/src/Library/public/usbguard/RuleSet.hpp
+++ b/src/Library/public/usbguard/RuleSet.hpp
@@ -42,10 +42,15 @@ namespace usbguard
 
     void serialize(std::ostream& stream) const;
 
+    void setName(const std::string& name);
+    const std::string& getName() const;
+
     void setDefaultTarget(Rule::Target target);
     Rule::Target getDefaultTarget() const;
+
     uint32_t appendRule(const Rule& rule, uint32_t parent_id = Rule::LastID, bool lock = true);
     uint32_t upsertRule(const Rule& match_rule, const Rule& new_rule, bool parent_insensitive = false);
+    bool hasRule(uint32_t id) const;
     std::shared_ptr<Rule> getRule(uint32_t id);
     bool removeRule(uint32_t id);
 
@@ -68,6 +73,7 @@ namespace usbguard
     Rule::Target _default_target;
     static Atomic<uint32_t> _id_next;
     std::vector<std::shared_ptr<Rule>> _rules;
+    std::string _name;
   };
 
 } /* namespace usbguard */