From 85fd8ea52b6614cb416514e1c541c46da708f502 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Thu, 28 Aug 2025 16:42:16 -0500
Subject: [PATCH] Enable USB video and audio devices, reject USB RNDIS devices

---
 etc/usbguard/rules.d/30_security-misc.conf | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/etc/usbguard/rules.d/30_security-misc.conf b/etc/usbguard/rules.d/30_security-misc.conf
index 9b63314..05e5032 100644
--- a/etc/usbguard/rules.d/30_security-misc.conf
+++ b/etc/usbguard/rules.d/30_security-misc.conf
@@ -19,6 +19,15 @@ allow with-interface equals { 03:01:02 } if !allowed-matches(with-interface equa
 ## and keyboards. Also note, all HID devices other than mice and keyboards
 ## will be blocked, **including touchscreens.**
 
+## Allow USB audio devices. The intended functionality of these devices is
+## unlikely to be usable in a malicious capacity without having already
+## compromised the machine.
+allow with-interface equals { 01:*:* }
+
+## Allow USB video devices (i.e. webcams). Also tricky to use in a malicious
+## manner without having already compromised the machine.
+allow with-interface equals { 0e:*:* }
+
 ## Explicitly reject any device with a mouse/keyboard interface in
 ## combination with some other interface.
 ## Mice and keyboards should likely never have non-HID interfaces provided
@@ -48,6 +57,10 @@ reject with-interface all-of { 03:*:* ef:*:* }
 reject with-interface all-of { 03:*:* fe:*:* }
 reject with-interface all-of { 03:*:* ff:*:* }
 
+## Explicitly reject any device with an RNDIS interface. RNDIS is believed to
+## have protocol-level buffer overflow vulnerabilities that cannot be fixed.
+reject with-interface one-of { ef:04:* }
+
 ## Allow USB mass storage, if and only if the USB device only has the mass
 ## storage interface and nothing extra.
 ## Suspicious interface combinations with mass storage are blocked.
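Review bot: The new `allow with-interface equals { 0e:*:* }` rule will not match a webcam that also exposes a built-in microphone, because `equals` requires every interface on the device to fall inside the listed set and such a webcam carries both `0e:*:*` and `01:*:*` interfaces; since most consumer webcams ship with a microphone, the commit's stated goal of enabling USB video devices is only partly met. The narrowest fix that keeps the same strictness is an additional combined rule, `allow with-interface equals { 0e:*:* 01:*:* }`, placed next to the video rule, rather than loosening either rule to `all-of`, which would also admit devices carrying further interface classes. The same `equals` semantics mean a USB headset with a HID interface for volume buttons will still be blocked by the audio rule; whether that is intended should be stated in the comment above `allow with-interface equals { 01:*:* }`, e.g. `## Audio devices that also carry a HID interface (e.g. headset volume buttons) are deliberately not covered here.`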
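Review bot: The new `reject with-interface one-of { ef:04:* }` rule covers only the Microsoft-recommended RNDIS interface encoding (Miscellaneous class, subclass 04); the older and still widespread encoding presents RNDIS as a CDC interface with a vendor-specific protocol, `02:02:ff`, which the Linux `rndis_host` driver binds to as well, so an RNDIS device using that triple passes this rule untouched and the comment's promise to reject "any device with an RNDIS interface" does not hold. Extending the set to `reject with-interface one-of { ef:04:* 02:02:ff }` closes that gap, with the trade-off that any other vendor-protocol CDC ACM device is rejected too, which seems consistent with the deny-by-default posture of this file. Because usbguard applies the first matching rule, this reject is only effective if no earlier rule allows a composite device that happens to carry an RNDIS interface; the rules before line 48 are outside the hunk, so it is worth confirming that nothing above already matches such a device, or moving the reject ahead of the allow rules.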