USB Device Menu Configuration and Access Restriction

Hi all,

Is it possible to configure the USB-device/Block device menu and restrict certain actions to specific target Qubes? So far I looked into the policy editing but I was only able to limit which Qubes raw USB devices can be attached to (with the qubes.USBAttach service name). I have not found similar options to limit block device and microphone attachment. Ideally I would like to achieve the following things:

  1. Limit the Qubes that show up as target for block device attachment in the “Qubes Devices” menu
  2. Limit the Qubes that show up as attach target for USB devices and microphone in the “Qubes Devices” menu
  3. Remove certain block and USB devices from showing up in the “Qubes Devices” menu (based on partition type, uuid or vendor:product id)
  4. Persistently attach a removable block device to a specific Qube (maybe based on FS UUID?). Alternatively ask the user where to attach the block device when it is inserted.
  5. Limit in policy which Qubes block devices and microphones can be attached to (I’ve only found this for USB devices).

To provide a bit of background, I work at a small organization that deeply cares about data confidentiality and security. We are planning to use Qubes for our connected devices to enhance the security posture. Our users are technical and non-malicious, but ideally I want to make it easier to use the system in a secure manner and follow opsec policy. We want to use specific Qubes for online communication, specific Qubes for browsing, and dedicated Qubes to handle different external storage devices. The idea is to make the “secure” and “correct” choice the easy and obvious one.

Thank you very much for the input.
