Enable USB video and audio devices, reject USB RNDIS devices

etc/usbguard/rules.d/30_security-misc.conf

@@ -19,6 +19,15 @@ allow with-interface equals { 03:01:02 } if !allowed-matches(with-interface equa
 ## and keyboards. Also note, all HID devices other than mice and keyboards
 ## will be blocked, **including touchscreens.**
 
+## Allow USB audio devices. The intended functionality of these devices is
+## unlikely to be usable in a malicious capacity without having already
+## compromised the machine.
+allow with-interface equals { 01:*:* }
+
+## Allow USB video devices (i.e. webcams). Also tricky to use in a malicious
+## manner without having already compromised the machine.
+allow with-interface equals { 0e:*:* }
+
 ## Explicitly reject any device with a mouse/keyboard interface in
 ## combination with some other interface.
 ## Mice and keyboards should likely never have non-HID interfaces provided
@@ -48,6 +57,10 @@ reject with-interface all-of { 03:*:* ef:*:* }
 reject with-interface all-of { 03:*:* fe:*:* }
 reject with-interface all-of { 03:*:* ff:*:* }
 
+## Explicitly reject any device with an RNDIS interface. RNDIS is believed to
+## have protocol-level buffer overflow vulnerabilities that cannot be fixed.
+reject with-interface one-of { ef:04:* }
+
 ## Allow USB mass storage, if and only if the USB device only has the mass
 ## storage interface and nothing extra.
 ## Suspicious interface combinations with mass storage are blocked.