Hello everyone,
I'm creating an issue for technical guidance if possible.
I am trying to secure the machines of our personnel when they're not physically in front of them (cf when their session is locked).
I managed to be able to track the session's lock/unlock via the following command:
gdbus monitor -y -d org.freedesktop.login1 # grep '{'LockedHint': <true>}' or '{'LockedHint': <false>}'
Actually I am simply doing the following:
- Calling usbguard set-parameter InsertedDevicePolicy block on session lock
- Calling usbguard set-parameter InsertedDevicePolicy apply-policy on session unlock
It works fine but it's too rigid.
My new idea is to:
1. By default, USBGUARD must accept all USB devices.
2. When the session gets locked, generate a rule's policy with all the already inserted devices. We're gonna block all USB insertions in the next step so we wanna make sure that if users unplug their keyboard for whatever reason they can still plug it and unlock their session.
3. When the session is locked we block all USB insertions that are not in the previously generated policy.
4. When the session is unlocked, we're getting back to point 1. settings (accept all USB devices).
What would be the USBGUARD commands that I need to type to achieve this?
Thank you in advance for your answers and your work.
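
One way to wire the four steps above together, as an added example that is not part of the original post and not the USBGuard project's own code. It assumes the daemon starts with an empty rule set and `ImplicitPolicyTarget=allow`; the state-file path and function names are hypothetical.

```shell
#!/bin/sh
# Added example; not from the USBGuard project. Assumes the daemon starts with
# an empty rule set and ImplicitPolicyTarget=allow (the "accept all" default).
STATE=${STATE:-/run/usbguard-lock.ids}   # hypothetical path for appended rule IDs

# Map one line of `gdbus monitor` output to "locked", "unlocked" or nothing.
lock_state() {
  case "$1" in
    *"'LockedHint': <true>"*)  echo locked ;;
    *"'LockedHint': <false>"*) echo unlocked ;;
  esac
}

# Lock: allow-list what is plugged in now, then block everything else.
on_lock() {
  : > "$STATE"
  # -P: no port-specific rules, so a keyboard may return on another port.
  usbguard generate-policy -P | while IFS= read -r rule; do
    case "$rule" in ''|'#'*) continue ;; esac
    usbguard append-rule "$rule" >> "$STATE"   # prints the new rule's ID
  done
  usbguard set-parameter ImplicitPolicyTarget block
  usbguard set-parameter InsertedDevicePolicy apply-policy
}

# Unlock: accept everything again and drop the rules added at lock time.
on_unlock() {
  usbguard set-parameter ImplicitPolicyTarget allow
  [ -f "$STATE" ] || return 0
  while IFS= read -r id; do
    if [ -n "$id" ]; then usbguard remove-rule "$id"; fi
  done < "$STATE"
  rm -f "$STATE"
}

main() {
  gdbus monitor -y -d org.freedesktop.login1 | while IFS= read -r line; do
    case "$(lock_state "$line")" in
      locked)   on_lock ;;
      unlocked) on_unlock ;;
    esac
  done
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Start it with `--run` as a user the daemon's IPC settings allow. A device refused while the session was locked stays blocked after unlock until it is re-plugged or allowed with `usbguard allow-device`.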