Ubuntu -> Debian

Not easy.

  • It’s not even clear what the knobs are. First, Disk & USB Automount in Kicksecure - #20 by 59mpci2GJ5xlHhY isn’t even fully understood, needs to be fixed / documented as much as possible before thinking about simplification.
  • Some (maybe related or unrelated) knobs aren’t set for reasons of USB security such as proc-hidepid.
  • As it’s implemented currently, the solution needs to be good enough to be deployed inside VMs and on the host at the same time because we don’t have any security-related packages which are installed inside VMs only. These could be invented, yes, but we still don’t want auto mounting of USB on the host by default.
  • Blacklisting USB (storage) kernel modules on the host could break booting from external USB HDD.