Usbguard problems on Silverblue: should I restore defaults?

I followed boredsquirrel’s guide to layer usbguard, usbguard-notifier and usbguard-selinux to rpm-ostree, and set up some rules around commonly connected objects.
I did this because USBguard seemed like the most acknowledged option for usb security.

I didn’t know that GNOME came with usbguard, I didn’t know that usbguard was so unfriendly to a non-technical audience, and I now realize that documentation around this software is obscure and unreadable enough that it might not have been worth it for me.

Now a lot of issues are cropping up, especially with iOS devices that I need to back up. They fail to connect every time. Also, other user profiles won’t let USBs connect.

After failed man-page-reading attempts and hours spent in console, I’d like to either

  1. reset usbguard completely to GNOME defaults, (possibly especially worth it if a USBguard UI is on the way)
  2. at least figure something out to make the iOS device connect every time and/or get it working on other profiles
  3. and should I unlayer usbguard from the ostree? If so, should I keep the others?

I’d appreciate any help!

Guides I tried to read and apply:
Boredsquirrel’s Guide
Redhat’s guide
USBguard’s rule language page

I have been using usbguard (configured to default-deny devices) on a GNOME desktop for years without problems. I have also tried it out on Silverblue and didn’t see any sticky problems either. In case there is anything I can help with, please write more details about the problems you are seeing.
General tips for a machine with usbguard installed:

  • I noticed that installing usbguard-notifier helped improve the usability a lot, you might want to try it. Apart from that, I am used to executing usbguard list-devices and usbguard allow-device in a terminal.
  • You can permanently allow a device by executing usbguard list-devices, find the ID in the list (probably the only device that is “blocked”), then execute usbguard allow-device --permanent [ID]. You should never need to allow this device again. (This is also part of boredsquirrel’s guide)
  • In case the iOS device is switching behavior a lot, you could (temporarily) allow all devices by executing something like usbguard set-parameter InsertedDevicePolicy allow and maybe also usbguard set-parameter ImplicitPolicyTarget allow. If you are backing up iOS devices from a script, you could make those commands part of your script.

Do the hints above help you solve this problem?

Did you change any of the configuration of usbguard or GNOME? To find this out, what do the following commands give you?

rpm -V usbguard
gsettings get org.gnome.desktop.privacy usb-protection
gsettings get org.gnome.desktop.privacy usb-protection-level

The first command lists all the config files of usbguard that are modified on your system. The other two commands are for GNOME’s settings: usb-protection defaults to true, while usb-protection-level defaults to lockscreen.

And what do you mean with “profiles”? Is this maybe because you are using multiple accounts and not all of them are configured (allowed) to communicate with the usbguard daemon? Or because you are using different desktop environments and some of them don’t support usbguard?

As a first measure, you might want to set the InsertedDevicePolicy and PresentDevicePolicy to allow (which breaks all the security measures by usbguard, obviously) to avoid locking yourself out of the machine in case something goes wrong in the next step. To apply this change, you need to restart the usbguard service.

This should be possible following these steps:

  1. Stop the usbguard daemon
  2. Delete all your manually done USBGuard configuration in /etc/usbguard
  3. Reinstall usbguard (execute dnf reinstall usbguard as root or with sudo)
  4. Check the .rpmnew, .rpmsave, .rpmorig files in /etc/usbguard in case reinstallation of usbguard created them. rpmconf is a helpful tool for that, e.g. rpmconf -o usbguard.
  5. Reboot your machine
  6. After reboot, reset the two gsettings values mentioned above: gsettings reset org.gnome.desktop.privacy usb-protection and gsettings reset org.gnome.desktop.privacy usb-protection-level

I don’t think this should be necessary. In the default configuration with GNOME, usbguard should only block devices while you have the screen locked. As soon as the screen is unlocked and you attach a new device, it should be allowed. In other words, by default, if you only attach USB devices while the screen is unlocked, usbguard should behave as if it did not exist, always allowing all devices.
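The hints above (usbguard list-devices, usbguard allow-device --permanent [ID], and rpm -V usbguard) all produce text you have to read by eye. As an added example that is not part of the reply above, here are small shell helpers that parse that text so you can review what would be allowed before running anything. The list-devices and rpm -V samples are constructed to match the real output shape; the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): helpers around the workflow
# described above. They work on saved text output of
# `usbguard list-devices` and `rpm -V usbguard`, so they can be tried
# without touching the daemon.

# Constructed sample of `usbguard list-devices` output: one allowed host
# controller, one blocked phone. Real output has the same shape:
#   <id>: <target> id <vid>:<pid> serial "..." name "..." hash "..." ...
SAMPLE_LIST='1: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "aaaa" parent-hash "bbbb" via-port "usb1" with-interface 09:00:00 with-connect-type ""
5: block id 05ac:12a8 serial "XXXXXXXX" name "iPhone" hash "cccc" parent-hash "aaaa" via-port "1-3" with-interface { 06:01:01 ff:fe:01 } with-connect-type "hotplug"'

# Constructed sample of `rpm -V usbguard` output. The 9-character flags
# mean: S size, 5 digest (content) differs, T mtime differs; "c" marks a
# config file. A line with only T set means the content is unchanged.
SAMPLE_VERIFY='S.5....T.  c /etc/usbguard/usbguard-daemon.conf
.......T.  c /etc/usbguard/rules.conf
S.5....T.    /usr/share/doc/usbguard/README.adoc'

# blocked_ids: print the numeric IDs of devices whose current target is
# "block". Reads list-devices output on stdin.
blocked_ids() {
    awk '$2 == "block" { sub(":", "", $1); print $1 }'
}

# device_name ID: print the name of device ID from list-devices output on
# stdin, so you can confirm which device you are about to allow.
device_name() {
    awk -v want="$1:" '$1 == want {
        if (match($0, /name "[^"]*"/))
            print substr($0, RSTART + 6, RLENGTH - 7)
    }'
}

# allow_commands: for each blocked device, print the command that would
# permanently allow it (the "usbguard allow-device --permanent [ID]" hint
# from the reply). Printing rather than executing lets you review first;
# pipe into `sudo sh` once you are happy with the list.
allow_commands() {
    for id in $(blocked_ids); do
        printf 'usbguard allow-device --permanent %s\n' "$id"
    done
}

# changed_configs: from rpm -V output on stdin, print only config files
# whose content digest differs from the package, ignoring files that
# merely have a different timestamp.
changed_configs() {
    awk 'NF == 3 && $2 == "c" && substr($1, 3, 1) == "5" { print $3 }'
}
```

On a live system the inputs come from the real commands, e.g. `usbguard list-devices | allow_commands` and `rpm -V usbguard | changed_configs`; the latter narrows "a whole list of paths" down to the config files that actually differ from the package.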

Thank you very much for the thorough answer! Sorry for the late reply.
I’m still dealing with this problem so it’s time to pick it back up!

About your three general tips:

  • I have usb-notifier, and it does help.
  • I do do the permanently allow thing, and it works for my USBs and HDDs. But not the iOS device. I need to constantly reallow it, and it doesn’t always work.
  • I’ve never tried that last one! You’re right, the iOS device is switching behaviour a lot. How do these scripts work? Do they allow all devices until the terminal is closed? Or for how long?

*I have, I think!
During setup, I ran some scripts from boredsquirrel and maybe some other place. I tried to be minimal, but I guess it’s easy to screw things up as long as you touch anything.
I don’t know if I touched GNOME.

I ran your commands!
The defaults were all right with the last two commands.
But the first command, rpm -V usbguard, turned up a whole list of paths.
Guess I somehow edited a bunch of files. Nooo! Now what?

Sorry, by profiles, I mean users. On one desktop, there can be multiple users with their own logins and home directories.
My usbguard and its notifier only work on the admin user, where I set usbguard up. When I’m logged into any other user, it just doesn’t register any usb devices I plug in.
Not great for any type of work.
I’ve tried to fix this and allow my other users with AllowUser or something, but I haven’t gotten it to work yet.

The steps you give here are a bit complex, so I’ll hold off on them for now.
One big thing is that dnf doesn’t work on Silverblue, I believe.

Let me know what you think given this new information!
And I hope you can let me know how I can get things working on my other users!
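The "other users" symptom matches the earlier question of whether those accounts are allowed to communicate with the usbguard daemon. That is controlled by the IPCAllowedUsers and IPCAllowedGroups keys in /etc/usbguard/usbguard-daemon.conf (both are real daemon settings). As an added example, not code from the thread, the helpers below check whether a given user would pass that list and print an updated configuration; the sample file contents are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): inspect and extend the IPC access
# list in usbguard-daemon.conf, which decides which users may talk to the
# usbguard daemon (and therefore whether `usbguard` and usbguard-notifier
# work for them at all).

# Constructed stand-in for /etc/usbguard/usbguard-daemon.conf, reduced to
# the two relevant keys. Values like these (root plus an admin group)
# explain why only the administrator account sees devices.
SAMPLE_CONF='IPCAllowedUsers=root
IPCAllowedGroups=wheel'

# ipc_allowed USER "GROUP ..."   (conf contents on stdin)
# Returns 0 if USER is listed in IPCAllowedUsers or belongs to a group
# listed in IPCAllowedGroups, 1 otherwise. On a live system pass the
# output of `id -Gn USER` as the group list.
ipc_allowed() {
    user=$1
    user_groups=$2
    conf=$(cat)
    users_allowed=$(printf '%s\n' "$conf" | sed -n 's/^IPCAllowedUsers=//p')
    groups_allowed=$(printf '%s\n' "$conf" | sed -n 's/^IPCAllowedGroups=//p')
    for u in $users_allowed; do
        [ "$u" = "$user" ] && return 0
    done
    for g in $user_groups; do
        for ag in $groups_allowed; do
            [ "$g" = "$ag" ] && return 0
        done
    done
    return 1
}

# add_ipc_user USER   (conf contents on stdin)
# Prints the configuration with USER appended to IPCAllowedUsers, creating
# the line if it is missing. Nothing is written to /etc; review the output,
# then install it as root and restart the daemon (systemctl restart
# usbguard) so the change takes effect, as the reply above notes.
add_ipc_user() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -q '^IPCAllowedUsers='; then
        printf '%s\n' "$conf" | sed "s/^IPCAllowedUsers=.*/& $1/"
    else
        printf '%s\nIPCAllowedUsers=%s\n' "$conf" "$1"
    fi
}
```

A quick live check for a second account named alice would be `sudo cat /etc/usbguard/usbguard-daemon.conf | ipc_allowed alice "$(id -Gn alice)"`; if it returns non-zero, that account cannot reach the daemon regardless of the device rules, and granting it IPC access (rather than loosening the rules) is the fix to try first.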