Skip to content

Add USB protection daemon

Ludovico de Nittis requested to merge denittis/gnome-settings-daemon:usbguardv5 into master

This is related to the GNOME-Control-Center MR gnome-control-center!366 (merged), the GNOME-Shell MR gnome-shell!369 and the gsettings-desktop-schemas MR gsettings-desktop-schemas!15 (merged).

I talked about this in Planet GNOME. First post here https://ryuzakikk.github.io/gnome/internship-preparation/

The daemon has three jobs:

  1. Keep in sync the USBGuard configuration with what we have in gsettings.
  2. Authorize new USB devices when needed.
  3. Inform the users with a notification when a device gets blocked.

We have three protection levels for new USB devices: never block, block only when the lock screen is active and always block.

If a user plugs a USB device while the lock screen is active and the protection level is "block only when the lock screen is active" the following notification will be shown

g-s-d-usb-unknown-notification

To prevent the user from locking out itself when for example his keyboard breaks, when you plug a keyboard we check if it is the only one available in the system. If it is, we authorize it showing the following notification:

g-s-d-usb-new-keyboard-notification

But if touchscreen is available we don't authorize new keyboards, because the user can always use the on-screen keyboard, meaning that he will never be locked out.

Probably soon I'll do a new blog post explaining more in details all the different scenarios, and I'll link it also here.

Edited by Tobias Mueller

Merge request reports