Attaching USB devices to dom0

I have a basic Qubes 4.1.2 setup with sys-usb. However (while understanding the security risk), there are specific USB devices I would like dom0 to have access to (or rather be exposed to) such as: USB audio devices, USB monitors (used for multi-monitor setup), or basically any other USB device of my choosing. Also, I want to still have the functionality of sys-usb for other USB devices that are not attached to dom0. How can I achieve this?

I know that I can give dom0 access to specific USB controllers as outlined here: USB qubes | Qubes OS. However I don’t see this as a practical approach to what I want to achieve as this would expose dom0 to an entire USB controller and all of its devices.

I’ve also experimented with adding different configurations to the “qubes.USB” rpc-policy (located in /etc/qubes-rpc/policy/) but with little success. I was even thinking of re-building Qubes OS from source with my own modifications but that would be too much of a hassle. If anyone can assist me with this that would be great.

The USB controller PCI device will have to remain in dom0. You might still be able to assign some devices from it to specific VMs via usbip / qvm-usb, but that would mean some security issues as USB is a shared bus.

Also, if you want to somewhat secure Qubes OS from being compromised from the dom0 USB ports (assuming your laptop isn’t always in some safe when switched on), you’ll have to look into usbguard. Qubes OS enables it on usbcore.authorized_default=0 IIRC. Look into the Qubes OS USB doc for further details.
usbguard isn’t perfect though as most USB parameters (e.g. vendor & device ID) can be spoofed easily.

Whilst you’re at it, you might also want to set rd.qubes.hide_pci to all PCI devices assigned to sys-usb as Qubes OS may load drivers for these devices during boot otherwise (to be more precise it happens for non-network and non-USB devices, i.e. e.g. SD card readers, CD drives, …), which may also lead to a security compromise…
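
A check for the two boot parameters mentioned in the reply above, added here as an example and not part of the original thread: it reads a kernel command line and reports whether `usbcore.authorized_default=0` is set and which PCI addresses are missing from `rd.qubes.hide_pci`. The sample command line and the PCI addresses are constructed, the function names are hypothetical, and the code assumes `rd.qubes.hide_pci` takes a comma-separated list of bus:device.function addresses.

```shell
#!/bin/sh
# Added example: audit a kernel command line for the parameters named in the reply.
# Constructed sample; on a real system pass "$(cat /proc/cmdline)" from dom0 instead.
SAMPLE_CMDLINE='root=/dev/mapper/qubes_dom0-root ro rd.qubes.hide_pci=00:14.0,00:1a.0 usbcore.authorized_default=0 rhgb quiet'

# Print the value of a key=value parameter.
# Assumption: the key appears once; if it is repeated, the last value is used here.
cmdline_value() {  # $1 = command line, $2 = key
    val=''
    for tok in $1; do
        case "$tok" in
            "$2"=*) val=${tok#*=} ;;
        esac
    done
    printf '%s\n' "$val"
}

# Print every address in $2 (space separated) that rd.qubes.hide_pci does NOT list.
# An optional leading PCI domain ("0000:", as printed by lspci -D) is stripped.
unhidden_pci() {  # $1 = command line, $2 = addresses assigned to sys-usb
    hidden=",$(cmdline_value "$1" rd.qubes.hide_pci),"
    missing=''
    for bdf in $2; do
        bdf=${bdf#0000:}
        case "$hidden" in
            *",$bdf,"*) ;;                      # listed, nothing to report
            *) missing="$missing $bdf" ;;       # not hidden from dom0 at boot
        esac
    done
    printf '%s\n' "${missing# }"
}

# Succeed only if new USB devices are unauthorized by default.
usb_default_deny() {  # $1 = command line
    [ "$(cmdline_value "$1" usbcore.authorized_default)" = "0" ]
}

# Report for the constructed sample and two constructed sys-usb addresses.
if usb_default_deny "$SAMPLE_CMDLINE"; then
    echo "usbcore.authorized_default=0: set"
else
    echo "usbcore.authorized_default=0: MISSING"
fi
echo "not in rd.qubes.hide_pci: $(unhidden_pci "$SAMPLE_CMDLINE" '00:14.0 00:1d.0')"
```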