From 7e016b563239e31c650aece115bb19af0395ec52 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Sun, 28 Sep 2025 14:11:10 -0500
Subject: [PATCH] Allow users in the qubes group to access USBGuard IPC

---
 debian/security-misc-shared.install                         | 1 +
 debian/security-misc-shared.postinst                        | 1 +
 etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared | 1 +
 3 files changed, 3 insertions(+)
 create mode 100644 etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared

diff --git a/debian/security-misc-shared.install b/debian/security-misc-shared.install
index d56c3da..36e5867 100755
--- a/debian/security-misc-shared.install
+++ b/debian/security-misc-shared.install
@@ -14,6 +14,7 @@ etc/apparmor.d/tunables/home.d/security-misc#security-misc-shared => /etc/apparm
 etc/ssh/ssh_config.d/30_security-misc.conf#security-misc-shared => /etc/ssh/ssh_config.d/30_security-misc.conf
 etc/ssh/sshd_config.d/30_security-misc.conf#security-misc-shared => /etc/ssh/sshd_config.d/30_security-misc.conf
 etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared => /etc/usbguard/IPCAccessControl.d/:sudo
+etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared => /etc/usbguard/IPCAccessControl.d/:qubes
 etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared => /etc/usbguard/rules.d/30_security-misc.conf
 etc/usbguard/usbguard-daemon.conf.security-misc#security-misc-shared => /etc/usbguard/usbguard-daemon.conf.security-misc
 etc/kernel/postinst.d/30_remove-system-map#security-misc-shared => /etc/kernel/postinst.d/30_remove-system-map
diff --git a/debian/security-misc-shared.postinst b/debian/security-misc-shared.postinst
index 6dfea78..f77f39a 100644
--- a/debian/security-misc-shared.postinst
+++ b/debian/security-misc-shared.postinst
@@ -96,6 +96,7 @@ case "$1" in
           '/etc/usbguard/rules.d/30_security-misc.conf'
           '/etc/usbguard/usbguard-daemon.conf.security-misc'
           '/etc/usbguard/IPCAccessControl.d/:sudo'
+          '/etc/usbguard/IPCAccessControl.d/:qubes'
         )
         for usbguard_config_file in "${usbguard_config_file_list[@]}"; do
           if test -f "${usbguard_config_file}"; then
diff --git a/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared b/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared
new file mode 100644
index 0000000..c12628a
--- /dev/null
+++ b/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared
@@ -0,0 +1 @@
+Devices=listen