Source: gnome-settings-daemon
Version: 3.38.0-2
Severity: normal

As I understand it, gsd-usb-protection adds a rule to allow any USB device but only while the system is not locked.
On my system, gsd-usb-protection is unable to add the rule.

$ /usr/libexec/gsd-usb-protection -v
(gsd-usb-protection:437340): GLib-DEBUG: 11:03:34.418: unsetenv() is not thread-safe and should not be used after threads are created
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.420: Starting USB protection manager
(gsd-usb-protection:437340): GLib-GIO-DEBUG: 11:03:34.422: _g_io_module_get_default: Found default implementation dconf (DConfSettingsBackend) for ‘gsettings-backend’
(gsd-usb-protection:437340): dconf-DEBUG: 11:03:34.429: watch_fast: "/org/gnome/desktop/privacy/" (establishing: 0, active: 0)
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.431: bus_acquired_cb: acquired bus 0x5627ceb83070 for name org.gnome.SettingsDaemon.UsbProtection
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.432: Registered client at path /org/gnome/SessionManager/Client43
(gsd-usb-protection:437340): dconf-DEBUG: 11:03:34.440: watch_established: "/org/gnome/desktop/privacy/" (establishing: 1)
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.443: name_acquired_cb: acquired name org.gnome.SettingsDaemon.UsbProtection on bus 0x5627ceb83070
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.444: name_lost_cb: lost name org.gnome.SettingsDaemon.UsbProtection on bus 0x5627ceb83070
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.456: Received screensaver ActiveChanged signal: 0 (old: 0)
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.464: usb_protection_policy_proxy_ready
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.464: Set protection policy proxy to 0x5627ceb961e0
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.465: Attempting to sync USB parameters: 1 0x5627ceb961e0 0x5627ceb76fa0
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.466: Listening to signals
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.470: InsertedDevicePolicy is: apply-policy
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.470: Ensuring allow all
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.481: Detecting rule...
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.481: Adding rule 0
(gsd-usb-protection:437340): usb-protection-plugin-WARNING **: 11:03:34.484: Error appending USBGuard rule: GDBus.Error:org.freedesktop.DBus.Error.Failed: Policy append: rule: Invalid parent ID

I've got usbguard 0.7.8+ds-2 installed. It looks like it doesn't recognize rule ID 0 as meaning prepend to existing rules.

Here are the D-Bus calls made by gsd-usb-protection:

‣ Type=method_call  Endian=l  Flags=0  Version=1  Cookie=20
  Sender=:1.79980  Destination=:1.923  Path=/org/usbguard1/Policy  Interface=org.usbguard.Policy1  Member=appendRule
  UniqueName=:1.79980
  MESSAGE "sub" {
          STRING "allow id *:* label "GNOME_SETTINGS_DAEMON_RULE"";
          UINT32 0;
          BOOLEAN true;
  };

‣ Type=signal  Endian=l  Flags=1  Version=1  Cookie=110
  Sender=:1.923  Path=/org/usbguard1  Interface=org.usbguard1  Member=ExceptionMessage
  UniqueName=:1.923
  MESSAGE "sss" {
          STRING "Policy append";
          STRING "rule";
          STRING "Invalid parent ID";
  };

‣ Type=error  Endian=l  Flags=1  Version=1  Cookie=111  ReplyCookie=20
  Sender=:1.923  Destination=:1.79980
  ErrorName=org.freedesktop.DBus.Error.Failed  ErrorMessage="Policy append: rule: Invalid parent ID"
  UniqueName=:1.923
  MESSAGE "s" {
          STRING "Policy append: rule: Invalid parent ID";
  };

-- System Information:
Debian Release: 10.6
  APT prefers stable-updates
  APT policy: (535, 'stable-updates'), (535, 'stable'), (520, 'testing'), (510, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-9-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
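
The D-Bus exchange captured in the report above, as an added example that is not part of the original report nor code from gnome-settings-daemon or USBGuard: it parses the monitor records and pairs the error reply with the method call it answers, so a failed appendRule can be picked out of a longer capture together with its arguments. The function names and the one-argument-per-line layout of CAPTURE are assumptions made for this example.

```python
import re

# Two records copied from the report's capture; line layout normalized (assumption).
CAPTURE = '''\
‣ Type=method_call  Endian=l  Flags=0  Version=1  Cookie=20
  Sender=:1.79980  Destination=:1.923  Path=/org/usbguard1/Policy  Interface=org.usbguard.Policy1  Member=appendRule
  UniqueName=:1.79980
  MESSAGE "sub" {
          STRING "allow id *:* label "GNOME_SETTINGS_DAEMON_RULE"";
          UINT32 0;
          BOOLEAN true;
  };
‣ Type=error  Endian=l  Flags=1  Version=1  Cookie=111  ReplyCookie=20
  Sender=:1.923  Destination=:1.79980
  ErrorName=org.freedesktop.DBus.Error.Failed  ErrorMessage="Policy append: rule: Invalid parent ID"
  UniqueName=:1.923
  MESSAGE "s" {
          STRING "Policy append: rule: Invalid parent ID";
  };
'''

HEADER = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted
ARG = re.compile(r'^\s*(STRING|UINT32|BOOLEAN) (.*);\s*$', re.M)

def parse_records(text):
    """Split a capture on the record marker; parse header fields and arguments."""
    records = []
    for chunk in text.split('‣')[1:]:
        head, _, body = chunk.partition('MESSAGE')
        fields = {k: v.strip('"') for k, v in HEADER.findall(head)}
        # Strip only the outer quotes of STRING values; the rule text has inner quotes.
        fields['args'] = [(t, v[1:-1] if t == 'STRING' else v) for t, v in ARG.findall(body)]
        records.append(fields)
    return records

def failed_calls(records):
    """Pair each error reply with the method call it answers.

    A reply matches when its ReplyCookie equals the call's Cookie and it is
    addressed to the call's Sender (cookies are only unique per connection).
    """
    calls = {(r['Sender'], r['Cookie']): r for r in records if r['Type'] == 'method_call'}
    out = []
    for r in records:
        call = calls.get((r.get('Destination'), r.get('ReplyCookie')))
        if r['Type'] == 'error' and call:
            out.append({'member': f"{call['Interface']}.{call['Member']}",
                        'args': call['args'], 'error': r['ErrorMessage']})
    return out
```

Calling `failed_calls(parse_records(CAPTURE))` returns one entry for `org.usbguard.Policy1.appendRule`, with the `UINT32 0` parent ID the report identifies as the rejected value.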