usbguard is a really nice tool, that allows to control access to USB media.
With rubber duckies and many more stuff from Hak5 clearly presenting that this is easy to exploit and really dangerous, and macOS (And GrapheneOS, kinda) having such a system enabled by default, I think we should enable and setup usbguard in all Fedora Desktop variants too.
It just requires 3 packages for a good UX: usbguard usbguard-selinux usbguard-notifier
The latter shows popup notifications on events, and also allows temporarily allowing or rejecting USB devices. It poorly has no option to hide unneeded messages, and permanently set behaviors.
Setting it up can be done automatically and graphically. Here is an implementation using kdialog for KDE Plasma, Zenity on GNOME would be the obvious equivalent.
USBGuard has quite some hoops to jump through
- we need official Fedora docs on it, also with a clearer way for the end user, how to set it up, list devices, allow devices, block devices. Thats it, more is mostly not needed
- things like webcams and other internal USB devices may be blocked, these need to be allowed through CLI
- permanently allowing requires CLI
- phones have multiple modes, MTP is broken when only temporary allowing is used, it needs to be permanently allowed (CLI) for each mode