Hardening USBGuard in dom0

Mirai · January 6, 2026, 9:59am

Now that dom0 uses fedora 41 it should be trivial to generate usbguard policys that only allow your specific keyboard and mice at a certain port instead of allowing all input devices by default.

A rules file can be generated like this:

$ sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'

What do I need to do, to overwrite the default configuration in dom0? Is it enough to remove usb.authorized_default=0 from the Grub config and delete the config dir in /etc/usbguard/rules.d ? Won’t an update just overwrite it?

ChrisA · January 6, 2026, 11:19am

Hi Mirai

From the text on:

it looks like the answer is:

It depends on how the files are defined in the RPM package.

I recall seeing those .rpmsave/.rpmnew files … but never checked the difference …

Maybe it’s better to edit the files (and not delete them) - so the update can see that “This has been edited - then I better not overwrite it” (?)

marmarek · January 6, 2026, 11:58am

If you want to harden usbguard config, do not remove usbcore.authorized_default=0 - this one prevents automatic device accept before usbguard starts.

WhiteShadow · January 6, 2026, 1:27pm

How your solution is better then USB qubes — Qubes OS Documentation ?

Mirai · January 6, 2026, 6:41pm

I guess the proper way is just to comment out the preexisting rules and insert my own?