Usbguard not authorizing devices after docked suspend/resume

i’m using usbguard to improve the physical security of my laptop. this has worked well with all of my past laptops but i’m running into some issues which may be specific to the framework’s modular port architecture.

previously, this was only affecting my external soundcard. however, after a reinstall of debian bullseye following a hard drive failure, the problem is affecting my entire monitor/dock interface. this means none of my connected devices are being authorized (including my keyboard). i didn’t make any change to the arrangement of my physical ports.

systemctl restart usbguard fixes the problem immediately, but this is a tedious thing to do since the laptop is docked 99% of the time in a location that is not very convenient to reach and type on.

i’ve submitted more detail about this problem upstream to the usbguard project at device not properly authorized after docked suspend/resume · Issue #543 · USBGuard/usbguard · GitHub

any thoughts would be greatly appreciated.

this definitely feels like a hack and may compromise the security of the laptop, but i’ve found a temporary workaround.

create /usr/lib/systemd/system-sleep/usbguard, chmod +x it and add the following content to ensure usbguard is restarted on resume:

#!/bin/sh
# systemd-sleep hook: $1 is "pre" before suspend and "post" after resume
set -e

if [ "$1" = "post" ]; then
    systemctl restart usbguard.service
fi

there may be a way to achieve this using a systemd unit file, something akin to after-suspend.service · GitHub
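
A more defensive variant of the resume hook above, as an added example (not code from the original post or from the USBGuard project): it restarts the daemon only when PresentDevicePolicy is a value that cannot authorize a device outside the ruleset, and logs each decision. The config path, the `usbguard-resume` log tag and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail-closed resume hook for USBGuard.
# Assumption: daemon config lives at /etc/usbguard/usbguard-daemon.conf.
CONF="${USBGUARD_CONF:-/etc/usbguard/usbguard-daemon.conf}"

# Print the configured PresentDevicePolicy (last uncommented assignment wins),
# or "unset" when the file has none or cannot be read.
present_device_policy() {
    val=$(sed -n 's/^[[:space:]]*PresentDevicePolicy[[:space:]]*=[[:space:]]*\([A-Za-z-]*\).*$/\1/p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Return 0 only for policies that never authorize a present device
# the ruleset does not allow.
restart_is_safe() {
    case "$(present_device_policy "$1")" in
        apply-policy|block|reject) return 0 ;;
        *) return 1 ;;   # allow, keep, unset or unknown: refuse
    esac
}

# systemd-sleep calls hooks as: <hook> pre|post <sleep-type>
resume_hook() {
    [ "$1" = "post" ] || return 0
    if restart_is_safe "$CONF"; then
        logger -t usbguard-resume "restarting usbguard after $2"
        systemctl restart usbguard.service
    else
        logger -t usbguard-resume "not restarting: PresentDevicePolicy=$(present_device_policy "$CONF")"
        return 1
    fi
}

# Act only when invoked with arguments, as systemd-sleep does.
[ $# -eq 0 ] || resume_hook "$@"
```

With `allow` or `keep`, a restart does not re-evaluate already connected devices against the ruleset, so this hook leaves the daemon alone and records why in the journal.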