USBGuard on Fedora2026-02-04, 2mins
USBGuard is a daemon to manage USB device authorization. Here is an easy way to use it on Fedora.
sudo dnf install usbguard usbguard-notifier #install the packages
usbguard generate-policy | sudo tee /etc/usbguard/rules.conf #allow your expected default devices
sudo chmod 600 /etc/usbguard/rules.conf #ensure correct permission
sudo restorecon -rv /etc/usbguard
sudo systemctl enable usbguard --now #enable the daemon
sudo usbguard add-user $USER --devices=listen,modify #necessary for non-wheel users
systemctl --user enable usbguard-notifier --now #enable the allow/reject notifications
While GNOME does support lockscreen blocking via the additional usbguard-dbus integration, I personally prefer this approach even considering how finicky GNOME's notifications are.
Also of note, my iPhone doesn't seem to play nicely with the prompt delay and needs to be added to the permanent rules to connect successfully. But it doesn't seem to be a concern for how Android handles it.
If you're passing a USB device into a VM (via Spice at least) you still need to approve it on the host.
Lastly it should be noted that this approach is not as secure as what is offered by GrapheneOS and iOS since those lack persistent devices (eg. kb/mouse) which can be cloned for spoofing.