gsd-usb-protection: Allow rules in /etc/usbguard/rules.conf are not obeyed
I have the following gsettings:
org.gnome.desktop.privacy usb-protection true
org.gnome.desktop.privacy usb-protection-level 'lockscreen'
The intention is to prevent [potentially malicious] devices plugged in during my absence from being authorized. However, there are some devices I need to be authorized even when the screen is locked. My use cases:
- Plugging a Thunderbolt 4 docking station wakes up the laptop from suspend, and it shows the lock screen. The docking station has some legitimate USB devices plugged in, which fail to be authorized.
- Sometimes my laptop's internal USB fingerprint scanner reconnects by itself. If it happens when the screen is locked, I can't use my fingerprint to unlock it, because the fingerprint reader fails to be authorized.
I have the allow rules in /etc/usbguard/rules.conf for all my devices that I need to be authorized at any time. However, GNOME sets usbguard's InsertedDevicePolicy to block when the screen is locked, which makes all these rules a no-op.
This sort of doesn't make sense to me, as I need to have a way to whitelist certain devices, while still blocking all other devices if they are plugged in when the screen is locked. I think gsd-usb-protection should keep InsertedDevicePolicy as apply-policy even when the screen is locked. It doesn't change the behavior if there are no rules in /etc/usbguard/rules.conf (the default), but it allows whitelisting some devices for use cases like mine.
Steps to reproduce:
1. Create an allow rule for some USB device in /etc/usbguard/rules.conf (for example, plug in the device and run
   usbguard generate-policy > /etc/usbguard/rules.conf
   ).
2. gsettings set org.gnome.desktop.privacy usb-protection true
3. gsettings set org.gnome.desktop.privacy usb-protection-level "'lockscreen'"
4. Unplug the USB device and lock the screen.
5. Plug in a USB device (either the legitimate one added in step 1, or a different one) while the screen is still locked.
6. Unlock the screen.
Expected result:
If the device plugged in at step 5 matches the rule added in step 1, it should be authorized. If the device plugged in at step 5 doesn't match any allow rule from /etc/usbguard/rules.conf, it should not be authorized.
Actual result:
Any device plugged in at step 5 is not authorized, and a notification appears after step 6 saying "New device has been detected while you were away. Please disconnect and reconnect the device to start using it".
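As an added illustration (not code from the reporter, from usbguard or from gsd-usb-protection), the Python below models the decision path the report describes: for a device inserted while the daemon is running, usbguard consults InsertedDevicePolicy first, and only the value apply-policy ever reaches the rules in rules.conf, so a lock-screen policy of block makes every allow rule a no-op. It assumes a simplified rule grammar (just the id, serial, name and hash attributes that `usbguard generate-policy` writes, exact matches, no wildcards or with-interface blocks), first-match-wins evaluation, and the default ImplicitPolicyTarget of block for unmatched devices; the rules and devices in it are constructed, not taken from a real system.

```python
"""
Model of usbguard's InsertedDevicePolicy handling (added example, not
project code). Assumptions: rule grammar limited to id/serial/name/hash
with exact matching, first matching rule wins, unmatched devices fall
through to ImplicitPolicyTarget. Sample rules and devices are constructed.
"""
import shlex
from dataclasses import dataclass

# Constructed rules.conf content in the style of `usbguard generate-policy`;
# hashes are placeholders.
SAMPLE_RULES = '''
# constructed example
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "AAAA"
allow id 27c6:538c serial "" name "Goodix Fingerprint" hash "BBBB"
allow id 0bda:8153 name "USB 10/100/1000 LAN"
'''

TARGETS = ("allow", "block", "reject")
SUPPORTED_ATTRS = ("id", "serial", "name", "hash")


@dataclass(frozen=True)
class Device:
    """Device attributes this model compares against a rule (id is vvvv:pppp)."""
    id: str
    serial: str
    name: str
    hash: str


def parse_rules(text):
    """Parse rules.conf lines into (target, {attribute: value}) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles the quoted, possibly empty, values
        target, rest = tokens[0], tokens[1:]
        if target not in TARGETS or len(rest) % 2:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        attrs = dict(zip(rest[::2], rest[1::2]))
        unknown = set(attrs) - set(SUPPORTED_ATTRS)
        if unknown:
            raise ValueError(f"line {lineno}: unsupported attribute(s) {sorted(unknown)}")
        rules.append((target, attrs))
    return rules


def rule_matches(attrs, dev):
    """A rule matches when every attribute it names equals the device's value."""
    return all(getattr(dev, key) == value for key, value in attrs.items())


def decide(inserted_device_policy, rules, dev, implicit_policy_target="block"):
    """
    Outcome for a device inserted while the daemon runs:
      'block' / 'reject' -> applied as-is; rules.conf is never consulted
      'apply-policy'     -> first matching rule's target, else ImplicitPolicyTarget
    """
    if inserted_device_policy in ("block", "reject"):
        return inserted_device_policy
    if inserted_device_policy != "apply-policy":
        raise ValueError(f"unknown InsertedDevicePolicy {inserted_device_policy!r}")
    for target, attrs in rules:
        if rule_matches(attrs, dev):
            return target
    return implicit_policy_target


def lockscreen_outcomes(rules, devices):
    """
    The reporter's two scenarios side by side for each device: the policy
    gsd-usb-protection sets on the lock screen ('block') versus keeping
    'apply-policy'. Returns {device name: (under block, under apply-policy)}.
    """
    return {
        dev.name: (decide("block", rules, dev), decide("apply-policy", rules, dev))
        for dev in devices
    }


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    fingerprint = Device("27c6:538c", "", "Goodix Fingerprint", "BBBB")
    stranger = Device("abcd:1234", "", "unknown stick", "CCCC")  # constructed, not whitelisted
    for name, (blocked, applied) in lockscreen_outcomes(rules, [fingerprint, stranger]).items():
        print(f"{name}: InsertedDevicePolicy=block -> {blocked}, apply-policy -> {applied}")
```

Under apply-policy the whitelisted fingerprint reader is allowed and the unknown device still ends up blocked by ImplicitPolicyTarget, which is the behaviour the report asks for; under block both are blocked regardless of the rules.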