allow qubes.InputKeyboard by default in sys-usb salt

[adrelanos]

https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/sys-usb.sls does

sys-usb-input-proxy:
  file.prepend:
    - name: /etc/qubes-rpc/policy/qubes.InputMouse
    - text: sys-usb dom0 allow,user=root
    - require:
      - pkg:       qubes-input-proxy

Wouldn't it make sense to also add...

  file.prepend:
    - name: /etc/qubes-rpc/policy/qubes.InputKeyboard
    - text: sys-usb dom0 allow,user=root
    - require:
      - pkg:       qubes-input-proxy

...?

Why only allow mouse but not keyboard? For security reasons?

A mouse is as good as a keyboard when scripted. Mouse actions reburied for an attack could be recorded and replayed. (There are applications for mouse automation.) Letters can be copied. Well, there is no enter key? But then a virtual keyboard should better not be installed? Or I guess there is also another way to use a mouse to get the same action as enter?

Unless I am missing something (quite possible), if mouse is allowed, keyboard should as well.

[marmarek]

The main point is you can't unlock the screen with only mouse. So, if user is away, it can do nothing. But if user is there, he/she probably will notice the attack. See explanation here: https://www.qubes-os.org/doc/usb/#security-warning-about-usb-input-devices

This is also one of the reasons why installer refuse to create sys-usb when you use USB keyboard.

[marmarek]

The main point is you can't unlock the screen with only mouse. So, if user is away, it can do nothing. But if user is there, he/she probably will notice the attack. See explanation here: https://www.qubes-os.org/doc/usb/#security-warning-about-usb-input-devices

This is also one of the reasons why installer refuse to create sys-usb when you use USB keyboard.