Using usbguard is pretty essential to protect against common attacks like malicious devices, rubber duckies, OMG cables or the “governmental 3 letter agency equivalents”.
Especially Thunderbolt (which can be blocked globally, see this config as to how) can grant attackers access to your RAM, which means encryption keys and more.
1. Install usbguard
This depends on your distro. On Fedora:
sudo dnf install -y usbguard usbguard-notifier usbguard-selinux
On Fedora Atomic Desktops (Silverblue, Kinoite, uBlue, Bazzite, Aurora/Bluefin, Secureblue):
rpm-ostree update --install usbguard-selinux --install usbguard-notifier
2. Set it up
Make sure to have plugged in your keyboard and mouse. These commands will permanently allow all currently connected devices.
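# ACTIVE_USERNAME is the account that may talk to the daemon; default to the current user
ACTIVE_USERNAME="${ACTIVE_USERNAME:-$USER}"
pkexec sh -c '
mkdir -p /var/log/usbguard
mkdir -p /etc/usbguard
chmod 755 /etc/usbguard
usbguard generate-policy > /etc/usbguard/rules.conf
# the rules file must be readable by root only
chmod 600 /etc/usbguard/rules.conf
systemctl enable --now usbguard.service
usbguard add-user "$1"
' -- "$ACTIVE_USERNAME"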
systemctl enable --user --now usbguard-notifier.service
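Because generate-policy trusts whatever is plugged in at that moment, it is worth reviewing which allow rules ended up in rules.conf. The following is an added example, not part of the original post: it flags allow rules with an empty or missing serial (any device presenting the same descriptors matches them) and rules that combine HID (03) and mass-storage (08) interfaces. The function names, reason labels and sample rules are constructed for illustration, and the hashes are placeholders.

```shell
#!/bin/sh
# Added example: review usbguard "allow" rules read from stdin.
# Prints one finding per line: <line-number> <usb-id> <reason>
audit_rules() {
  awk '
    $1 != "allow" { next }   # only allow rules widen access
    {
      id = "(no id)"; serial = "absent"; ifaces = ""
      # take the first id/serial keyword so words inside name "..." are ignored
      for (i = 2; i < NF; i++) {
        if ($i == "id" && id == "(no id)") id = $(i + 1)
        if ($i == "serial" && serial == "absent") serial = $(i + 1)
      }
      # with-interface is either a braced list or a single value
      if (match($0, /with-interface[^{}]*[{][^}]*[}]/))
        ifaces = substr($0, RSTART, RLENGTH)
      else if (match($0, /with-interface +[0-9a-fA-F*:]+/))
        ifaces = substr($0, RSTART, RLENGTH)
      hid = (ifaces ~ /[ {]03:/); storage = (ifaces ~ /[ {]08:/)
      if (serial == "\"\"" || serial == "absent") print NR, id, "no-serial"
      if (hid && storage) print NR, id, "hid+storage"
    }'
}

# Constructed sample in generate-policy style (hashes are placeholders).
sample_rules() {
  cat <<'EOF'
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "PLACEHOLDER1" parent-hash "PLACEHOLDER0" with-interface 09:00:00 with-connect-type ""
allow id 046d:c077 serial "" name "USB Optical Mouse" hash "PLACEHOLDER2" parent-hash "PLACEHOLDER1" via-port "1-3" with-interface 03:01:02 with-connect-type "hotplug"
allow id 1234:5678 serial "A1B2C3" name "Example Composite" hash "PLACEHOLDER3" parent-hash "PLACEHOLDER1" via-port "1-4" with-interface { 08:06:50 03:01:01 } with-connect-type "hotplug"
EOF
}

# Demo on the constructed sample; for the real file, feed
# /etc/usbguard/rules.conf to audit_rules as root.
sample_rules | audit_rules
```

A flagged rule is not necessarily wrong (many mice and keyboards have no serial), but it marks the entries to check against the hardware you actually own.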
3. Fix webcam
In my case, my webcam is shown in lsusb and blocked by usbguard:
usbguard list-devices
usbguard allow-device -p NUMBER
The list command shows devices with numbers like 1, 2, 3; use the webcam's number in place of NUMBER. The -p flag makes the allow rule permanent, so this permanently allows your webcam.
4. Fix connected devices
You can do the same for your Android/GrapheneOS phone. Make sure to go into the Android settings, “Connections”, “USB” and switch to the modes “file sharing”, “USB tethering”, “webcam” and whatever else you want to allow.
For each mode / device, list the devices (the last added one will be at the bottom) and allow it permanently.
This also applies to the Nitrokeys. These too have different modes which need to be allowed. I don't yet know how to invoke all these modes, to make them work all the time.
Otherwise, you can always use the usbguard-notifier popup to temporarily allow devices / device modes, but this didn't work for Android MTP for me.