veilor-os/overlay/etc/usbguard/rules.conf


v0.5.32: ship 7 blockers from 9-agent wave

Per docs/research/2026-05-05-agent-wave/README.md priority list. All 7 land together to keep iteration cycles useful — partial fixes bury the lookahead findings agents already mapped.

## 1. CRITICAL — suspend/resume wifi death (Agent 9, B2)

`veilor-modules-lock.service` runs `kernel.modules_disabled=1` 30s after graphical.target. iwlwifi/iwlmvm/cfg80211 reload on resume from S3/S0ix → with modules locked, resume breaks wifi until reboot. Same architectural class as the LUKS bug — security feature breaks legitimate kernel state transitions.

The unit already has `ConditionKernelCommandLine=!module.sig_enforce=1` (self-skip when signed-modules enforcement is on cmdline). Adding `module.sig_enforce=1` to the kernel cmdline retains the security property (no unsigned modules) without runtime lock-down → resume works.

Files: kickstart/veilor-os.ks line 61 + overlay/usr/local/bin/veilor-installer generated bootloader directive both gain `module.sig_enforce=1`.

## 2. veilor-firstboot.service WantedBy=graphical.target (Agent 2)

Was `WantedBy=multi-user.target` only. Real installs default to graphical.target so the unit never ran on installed systems — admin pw stayed at install-time + chage -d 0 expired, SDDM PAM bounced to chauthtok screen (recoverable but ugly UX).

Now `WantedBy=graphical.target multi-user.target`. Live ISO + multi-user installs both resolve via this list.

## 3. USBGuard hash → id-based baseline (Agent 9, A3)

Mirrors memory feedback_usbguard_dock.md — onyx had hash+parent-hash rules that broke on dock replug; we shipped no rules.conf so first boot blocks the USB keyboard.

Adds overlay/etc/usbguard/rules.conf with HID-class allow rule (`allow with-interface match-all { 03:*:* }`) — covers every USB keyboard, mouse, gamepad, fingerprint reader, NFC. Survives dock replug + kernel-bump vendor renumeration.

Mass-storage stays implicit-block; user explicitly allows post-firstboot via `ujust veilor-usbguard-enroll` (planned v0.6).

## 4. firewalld trusted zone with tailscale0 pre-bound (Agent 9, D1)

User uses Tailscale daily (memory: project_tailscale_mesh.md). Default firewalld zone = drop, blocks tailnet traffic on tailscale0.

Adds overlay/etc/firewalld/zones/trusted.xml with `<interface name="tailscale0"/>`. After `tailscale up` brings the interface up, NetworkManager dispatcher associates it with the trusted zone automatically — no user intervention.

Default zone stays drop. Only the tailscale0 interface gets ACCEPT.

## 5. /etc/skel branding (Agent 7)

Was completely empty. Result: per-user KDE config (~/.config/kdeglobals etc.) pre-empty, so the moment user opened System Settings, KDE wrote fresh ~/.config/* and silently shadowed our /etc/xdg/kdedefaults/*. Visual brand evaporated on first click.

Seeds:
- /etc/skel/.config/kdeglobals (copy of assets/kde/veilor-default.kdeglobals)
- /etc/skel/.config/breezerc (copy of assets/kde/breezerc)
- /etc/skel/.config/kwinrc (Plasma 6 wayland defaults: opengl, animspeed=0, blur off, click-to-focus)
- /etc/skel/.config/konsolerc (default profile = Veilor)
- /etc/skel/.local/share/konsole/Veilor.profile + .colorscheme

User who opens System Settings now writes against branded baseline, not against vanilla Breeze.

## 6. KMS modeset args + initramfs keymap (Agents 1 + 9)

Real laptop boot has a 5-15s blank between vt switch and SDDM start because simpledrm releases before i915/nvidia-drm/amdgpu claim. Plus non-US users get locked out at LUKS prompt because initramfs ships en-US keymap by default (RHBZ 1405539, RHBZ 1890085).

Adds to bootloader cmdline (live + installed):
  i915.modeset=1 amdgpu.modeset=1 nvidia-drm.modeset=1 rd.vconsole.keymap=us

`rd.vconsole.keymap=us` is a placeholder; the v0.6 firstboot keymap picker will rewrite it from /etc/vconsole.conf. Until then, en-US users get correct LUKS keyboard; non-US users still need the v0.6 fix (per Agent 1).

## 7. virtio-9p log capture (Agent 6)

The v0.5.30 virtio-serial wiring depends on rsyslog inside the live ISO (anaconda's setupVirtio writes a rsyslog forward rule), which the live ks doesn't install — files were 0-byte across three install runs.

test/run-vm.sh now adds a `-virtfs local,...,mount_tag=hostlogs` share pointing at `test/test-runs/<timestamp>/`. veilor-installer runs `_dump_logs_to_host` via EXIT trap that mounts the share at /mnt/hostlogs and rsyncs /tmp/{anaconda,program,storage,packaging,dnf}.log + /var/log/veilor-installer.log + dmesg + journalctl + the generated ks. Runs on success AND failure AND ^C. No-op on real hardware (9p tag absent) — VM-only debug.

## Validate

  bash -n overlay/usr/local/bin/veilor-installer   # OK
  ksvalidator kickstart/veilor-os.ks               # clean

## Out-of-scope for v0.5.32 (deferred to v0.6)

Per Agent 1 follow-ups: argon2id retune for slow CPUs, recovery key generation in firstboot, TPM2/FIDO2 unlock helpers.
Per Agent 9 follow-ups: Plasma Wayland fallback X11 install, lid-close handling, SELinux relabel progress UX.
Per Agent 4: AppArmor stack + nftables preset + audit log shipping CLI.
Per Agent 8 (CI hardening): SHA-pin actions + dependabot + SBOM + SLSA L3 attestation — separate workflow-only commit.
2026-05-05 15:36:24 +01:00
# veilor-os USBGuard baseline rules
#
# Default policy is `block` (set in usbguard-daemon.conf via the
# overlay). Without any allow rule, every USB device — including the
# user's keyboard — is blocked at boot. That includes the desktop
# user with a USB keyboard at SDDM.
#
# This file allows HID-class interfaces (keyboard, mouse, touchpad,
# fingerprint reader, NFC, gamepad) without pinning to specific
# vendor:product/serial/hash. id-based rules survive dock replug and
# vendor-bump kernel changes, where hash+parent-hash rules don't —
# verified pain on onyx (memory: feedback_usbguard_dock.md). Same fix.
#
# After first login, the user runs:
# ujust veilor-usbguard-enroll
# (or `usbguard generate-policy --with-hash=false > rules.conf`)
# to add their own keyboard's id-rule and tighten the policy further.
#
# References:
# - usbguard-rules.conf(5)
# - https://usbguard.github.io/documentation/rule-language.html
# - veilor-os agent 9 audit, 2026-05-05
# HID class — keyboards, mice, pointers, gamepads, fingerprint, NFC.
# Interface descriptor 03:NN:NN where 03=HID. We accept any HID
# subclass + protocol so the rule is robust to future HID variants.
allow with-interface match-all { 03:*:* }
# Mass storage: no allow rule here. A new flash drive should only be
# usable after the user confirms it via the GNOME/Plasma USB dialog;
# a blanket allow is rejected because it would silently admit a USB
# Rubber Ducky. USBGuard has no native "ask" target (only allow, block,
# reject), so mass-storage devices stay implicit-block and the user
# allows a specific device with `usbguard allow-device <id>` from a
# Plasma applet; the firstboot wizard documents this flow.
# Block known-bad. USB Killer signature shows up as a generic-HID
# composite descriptor + power draw out of spec. We can't reliably
# detect that from descriptors alone — relying on default-block
# semantics for now.
# DO NOT pin to specific id=, serial=, hash=, or parent-hash= here.
# That's the user's job post-firstboot for their actual hardware.
# Pre-shipped pinned rules break on every dock replug + kernel bump.
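An added example, not code from the veilor-os repo: a small model of how usbguard-daemon would evaluate this baseline against a few constructed device descriptors, plus a lint for the pinned attributes the comments above forbid. The set-operator semantics, in particular `match-all` read as "every interface the device exposes must match one of the listed types", are my reading of usbguard-rules.conf(5) and are an assumption, not behaviour verified against the daemon.

```python
import re
BASELINE = "allow with-interface match-all { 03:*:* }"  # the rule quoted from this rules.conf
DEVICES = {  # constructed sample devices, not captured hardware; interfaces are class:subclass:protocol
    "usb-keyboard": ["03:01:01"],
    "keyboard-mouse-combo": ["03:01:01", "03:01:02"],
    "flash-drive": ["08:06:50"],
    "keyboard-with-storage": ["03:01:01", "08:06:50"],  # composite HID + mass storage
}
_RULE_RE = re.compile(r"^(allow|block|reject)\s+with-interface\s+(\S+)\s*\{([^}]*)\}$")
_PIN_RE = re.compile(r"(^|\s)(hash|parent-hash|serial)\s")

def iface_matches(pattern, iface):
    """'*' wildcards any one of the three colon-separated fields."""
    return all(p in ("*", v) for p, v in zip(pattern.split(":"), iface.split(":")))

def set_applies(op, rule_set, dev_set):
    """Set operators as I read usbguard-rules.conf(5). match-all is the assumed one:
    every interface the device exposes must match one of the listed types."""
    hit_dev = [d for d in dev_set if any(iface_matches(p, d) for p in rule_set)]
    hit_rule = [p for p in rule_set if any(iface_matches(p, d) for d in dev_set)]
    checks = {
        "one-of": bool(hit_dev),
        "all-of": len(hit_rule) == len(rule_set),
        "none-of": not hit_dev,
        "equals": len(hit_rule) == len(rule_set) and len(hit_dev) == len(dev_set),
        "match-all": len(hit_dev) == len(dev_set),
    }
    if op not in checks:
        raise ValueError(f"unsupported set operator {op!r}")
    return checks[op]

def decide(rules_text, interfaces, implicit="block"):
    """First matching rule wins; no match falls through to the implicit target (block here)."""
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        target, op, body = m.groups()
        if set_applies(op, body.split(), interfaces):
            return target
    return implicit

def pinned_rules(rules_text):
    """Rule lines that pin hash/parent-hash/serial; this baseline must contain none."""
    return [l for l in rules_text.splitlines()
            if not l.lstrip().startswith("#") and _PIN_RE.search(l)]
```

Under that reading a composite keyboard that also presents mass storage does not satisfy the HID rule and falls through to the implicit block, while a plain keyboard or keyboard+mouse combo is allowed.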