# veilor-os USBGuard baseline rules # # Default policy is `block` (set in usbguard-daemon.conf via the # overlay). Without any allow rule, every USB device — including the # user's keyboard — is blocked at boot. That includes the desktop # user with a USB keyboard at SDDM. # # This file allows HID-class interfaces (keyboard, mouse, touchpad, # fingerprint reader, NFC, gamepad) without pinning to specific # vendor:product/serial/hash. id-based rules survive dock replug and # vendor-bump kernel changes, where hash+parent-hash rules don't — # verified pain on onyx (memory: feedback_usbguard_dock.md). Same fix. # # After first login, the user runs: # ujust veilor-usbguard-enroll # (or `usbguard generate-policy --with-hash=false > rules.conf`) # to add their own keyboard's id-rule and tighten the policy further. # # References: # - usbguard-rules.conf(5) # - https://usbguard.github.io/documentation/rule-language.html # - veilor-os agent 9 audit, 2026-05-05 # HID class — keyboards, mice, pointers, gamepads, fingerprint, NFC. # Interface descriptor 03:NN:NN where 03=HID. We accept any HID # subclass + protocol so the rule is robust to future HID variants. allow with-interface match-all { 03:*:* } # Mass-storage prompt: ask the user before mounting a new flash drive. # Reject blanket-allow (would silently allow USB Rubber Ducky). # Accept only after user confirms via the gnome/plasma USB dialog. # (USBGuard has no native "ask" verb; we leave mass-storage devices # implicit-block here, the user runs `usbguard allow-device ` # from a Plasma applet OR the firstboot wizard documents this flow.) # Block known-bad. USB Killer signature shows up as a generic-HID # composite descriptor + power draw out of spec. We can't reliably # detect that from descriptors alone — relying on default-block # semantics for now. # DO NOT pin to specific id=, serial=, hash=, or parent-hash= here. # That's the user's job post-firstboot for their actual hardware. # Pre-shipped pinned rules break on every dock replug + kernel bump.