Blame - modules/usbguard.nix - Minion/NixFiles

blob: 49bf90930d4e0b57a07f2d01b465f4b0ca8b2a39 [file] [log] [blame]

Skyler Grey	475f6ac	2023-05-01 08:06:16 +0000	[diff] [blame^]	1	{
				2	config.services.usbguard = {
				3	enable = true;
				4	presentControllerPolicy = "apply-policy";
				5	rules = ''
				6	allow id 13fe:6500 serial "07001A619AA30209" name "USB DISK 3.2" hash "FlEx/NqvcbbmeLX9nBH9jYlA5v4iNlVaDAbhuZiSVCU="
				7	# Allow our USB expansion card, which is essential for editing NixFiles
				8
				9	allow id 1d6b:0002 serial "0000:00:0d.0" name "xHCI Host Controller" hash "d3YN7OD60Ggqc9hClW0/al6tlFEshidDnQKzZRRk410="
				10	allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o="
				11	allow id 1d6b:0003 serial "0000:00:0d.0" name "xHCI Host Controller" hash "4Q3Ski/Lqi8RbTFr10zFlIpagY9AKVMszyzBQJVKE+c="
				12	allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "prM+Jby/bFHCn2lNjQdAMbgc6tse3xVx+hZwjOPHSdQ="
				13	# Permit all of our USB controllers
				14
				15	allow id 2109:2822 serial "000000001" name "USB2.0 Hub " hash "nNtFngze2aK/lLwMEaNVxnZFHSGKRmUvOxKvWPaUBdY="
				16	allow id 2109:0822 serial "000000001" name "USB3.1 Hub " hash "mUkwP3O/3LVSILcfnanU2c2/SYxR6Wlb9Y/4VhehANM="
				17	# ^ 7-port USB hub
				18	allow id 0424:5534 serial "" name "USB5534B" hash "lB2Y9gjh8npbRQ27rG3idTN6924ryDLRf63bPbeymUo="
				19	allow id 0424:2134 serial "" name "USB2134B" hash "1bfHz4/5nO4aYIwQG5Ci/F/9HBCKCPOdq/1eoUswB0M="
				20	# ^ Monitor USB hub
				21	# And our USB hubs
				22
				23	allow id 27c6:609c serial "UID419B7B07_XXXX_MOC_B0" name "Goodix USB2.0 MISC" hash "KTVrE0NabTXPFvACpFvVsHWwQQ8jaytMoTziVo2lJu4="
				24	# Allow our fingerprint scanner
				25
				26	allow id 8087:0032 hash "ClCa9utWpkfhSL14jLzpmilrrbre65+44YYBM4ysI/4=" with-connect-type "hardwired"
				27	# Allow our bluetooth controller
				28
				29	allow with-interface equals { 08:: }
				30	# Allow pure USB storage
				31
				32	reject with-interface all-of { 08:: 03:00:* }
				33	reject with-interface all-of { 08:: 03:01:* }
				34	reject with-interface all-of { 08:: e0:: }
				35	reject with-interface all-of { 08:: 02:: }
				36	# Reject (read: disconnect) USB storage that's also doing something other than storage
				37
				38	allow id 045e:07b1 serial "" name "Microsoft\xc2\xae Nano Transceiver v1.0" hash "hTBZLj0mVeCFy8pvhS7WB0nD6j0u+U27JnigRrXcEZY="
				39	# Allow our Arc-touch mouse
				40
				41	allow id 056a:0042 serial "" name "XD-0608-U" hash "PTutnro9J1p6I9GeNUIblNOtQrpVgWEWJs43aHoHUFI="
				42	allow id 256c:006d serial "" name "Gaomon Tablet" hash "nbuHDO++57blBwSpr8ZEiRRyFcs4dg4u2IkKjCSP+ho="
				43	# Allow our drawing tablets
				44	'';
				45	};
				46	}