Blocking USB devices while the screen is locked (Tech Preview)


In Red Hat Enterprise Linux 7, the USBGuard framework also makes it possible to influence how an already running usbguard-daemon instance handles newly inserted USB devices. The behaviour is defined by the value of the InsertedDevicePolicy runtime parameter; the default is to apply the policy rules to decide whether or not to authorize the device.

The parameter can be read and modified using the usbguard CLI:

$ sudo usbguard get-parameter InsertedDevicePolicy

To change the policy to block, use:

$ sudo usbguard set-parameter InsertedDevicePolicy block

Now insert a USB device: it is not authorized, even if a rule in your policy would allow it. Devices connected before the parameter was changed are not affected and remain in their current state.

Note that for the examples below to work, your desktop user must be allowed to modify the USBGuard runtime parameters. This can be done either through USBGuard IPC access control or by granting sudo permission to run usbguard set-parameter without authentication.

The following command will allow user joe to read and modify the runtime parameters via USBGuard IPC:

$ sudo usbguard add-user joe --parameters ALL

Note that the command sets the ACL to exactly what is specified on the command line; it does not append to any existing ACL settings for the user.

Blocking new USB devices while the screen is locked

Method #1: Screen locker wrapper script

If you are using a custom screen locker, such as i3lock, create a wrapper script that takes care of setting the InsertedDevicePolicy parameter before the locker starts and restoring it when the locker exits, for example:

#!/bin/sh
# Policy values: "apply-policy" is the USBGuard default (evaluate the rule set),
# "block" rejects every newly inserted device.
POLICY_UNLOCKED="apply-policy"
POLICY_LOCKED="block"

# Restore the unlocked policy when the locker exits, whatever the reason.
revert() {
  usbguard set-parameter InsertedDevicePolicy $POLICY_UNLOCKED
}

trap revert EXIT

usbguard set-parameter InsertedDevicePolicy $POLICY_LOCKED
i3lock -n

Then adjust your screen locker shortcuts and settings to point to this wrapper script instead of the original locker command.

Method #2: D-Bus screen (un)lock signals

If you are using a desktop environment that has built-in screen locking support, it probably signals the "screen (un)locked" state via D-Bus. In that case, create a script that watches for these signals and sets the InsertedDevicePolicy parameter accordingly, and configure your environment to start the script automatically after you log in.

Example script:

#!/bin/sh
POLICY_UNLOCKED="apply-policy"
POLICY_LOCKED="block"
# D-Bus interface whose signals carry the lock state: org.gnome.ScreenSaver
# for GNOME; adjust for other desktop environments.
DBUS_INTERFACE="org.gnome.ScreenSaver"

# The ActiveChanged signal carries a single boolean: true = locked, false = unlocked.
dbus-monitor --session "type='signal',interface='"$DBUS_INTERFACE"'" |
  while read x; do
    case "$x" in
      *"boolean true"*) usbguard set-parameter InsertedDevicePolicy $POLICY_LOCKED;;
      *"boolean false"*) usbguard set-parameter InsertedDevicePolicy $POLICY_UNLOCKED;;
    esac
  done

For more information about the USBGuard framework, see the Red Hat Enterprise Linux 7 Security Guide.


The D-Bus signal cannot be monitored because the monitoring process gets killed when the screen gets locked. The while loop is left then.

May 24 16:28:08 sd.localdomain gnome-shell[12015]: [System monitor] applet disable

May 24 16:28:08 sd.localdomain dbus-daemon[11947]: [session uid=1200 pid=11947] Monitoring connection :1.66 closed.

May 24 16:28:08 sd.localdomain MYSCRIPT[14662]: Exception: while loop leaved

One workaround would be using two while loops, starting the D-Bus monitoring again and evaluating the exception as screen locking.

Can this race condition be avoided?
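The restart-and-fail-closed approach proposed in the comment above, written out as an added example. This is not code from the Red Hat page or from the USBGuard project; it assumes org.gnome.ScreenSaver as the D-Bus interface (override with the DBUS_INTERFACE environment variable for other desktops), and the helper names policy_for_line, apply_policy and watch_lock_state are this example's own. The outer loop restarts dbus-monitor whenever it exits, and because the exit observed in the comment coincides with the screen locking, the watcher switches to the block policy at that moment so that the lock never leaves new devices authorized; once the monitor is back, the unlock signal is seen and the policy is restored.

```shell
#!/bin/sh
# Added example: restart-capable screen-lock watcher for USBGuard.
# Assumption: the desktop emits lock state on org.gnome.ScreenSaver
# (ActiveChanged with one boolean argument: true = locked, false = unlocked).

POLICY_UNLOCKED="apply-policy"
POLICY_LOCKED="block"
DBUS_INTERFACE="${DBUS_INTERFACE:-org.gnome.ScreenSaver}"

# Map one line of dbus-monitor output to the policy it implies.
# Prints "block", "apply-policy", or nothing for lines that carry no
# boolean argument (signal headers, other interfaces, empty lines).
policy_for_line() {
    case "$1" in
        *"boolean true"*)  echo "$POLICY_LOCKED" ;;
        *"boolean false"*) echo "$POLICY_UNLOCKED" ;;
    esac
}

# Set the policy only when it differs from the daemon's current value,
# so repeated signals do not turn into repeated set-parameter calls.
apply_policy() {
    wanted="$1"
    current="$(usbguard get-parameter InsertedDevicePolicy 2>/dev/null)"
    if [ "$current" != "$wanted" ]; then
        usbguard set-parameter InsertedDevicePolicy "$wanted"
    fi
}

# Outer loop: keep a dbus-monitor running for the whole session.
# When it exits (the comment above shows its bus connection being closed
# as the screen locks), fail closed by blocking new devices, then start a
# fresh monitor so the later "boolean false" unlock signal is still seen.
watch_lock_state() {
    while :; do
        dbus-monitor --session "type='signal',interface='$DBUS_INTERFACE'" |
        while read -r line; do
            policy="$(policy_for_line "$line")"
            if [ -n "$policy" ]; then
                apply_policy "$policy"
            fi
        done
        # Monitor gone: treat the exit as "screen locked" (fail closed).
        apply_policy "$POLICY_LOCKED"
        sleep 1
    done
}

# Only start watching when invoked with "run", so the functions above can
# be sourced or tested without touching the bus or the daemon.
if [ "${1:-}" = "run" ]; then
    watch_lock_state
fi
```

Start it from your session autostart as `usbguard-lockwatch.sh run`; the user running it still needs the IPC rights granted with usbguard add-user as described above. Treating the monitor's death as a lock is deliberately conservative: the worst case of a spurious exit is a blocked device until the next unlock signal, whereas the original script's worst case is a locked screen with new devices still authorized.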