OVERHEAD

A single use for partitionless BTRFS

Bad Idea Linux

Introducing: bdev_allow_write_mounted!

Fun fact: Setting bdev_allow_write_mounted=0 on the kernel command line prevents tools such as dd from writing to mounted block devices, even when given root privileges!

To set this as the default, compile your Linux kernel with CONFIG_BLK_DEV_WRITE_MOUNTED=N. This option will prevent some tools from functioning properly (e.g. fsck tools).

However, this protection doesn’t extend to parent device nodes. In other words, if you mount /dev/sda1 somewhere, then /dev/sda will still be a writeable device node. But, if you avoid partitions altogether, and format the entire disk with your chosen filesystem (BTRFS being ideal since subvolumes can act as a partial partition substitute), then you’re safe…

Right?

Right?

Introducing: Reality…

But, there’s a problem…

Okay, I lied, multiple problems…

  1. You can still submit SCSI commands to block devices to write to them, so bdev_allow_write_mounted=0 is not a secure method of preventing writes.
  2. Block-level encryption, or device mapper technologies in general, aren’t viable either; they expose a new block device (e.g. /dev/mapper/root), and that is the device that gets mounted, which leaves the underlying block device (e.g. /dev/sda) unmounted and therefore writeable.
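To see which device nodes fall outside the protection on a given layout (the parent-node gap and the device mapper gap described above), here is an added audit sketch, not code from the original post. It assumes input in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT`; the sample tree, the function names and the device names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "root", "type": "crypt", "mountpoint": "/"}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": "/data"}
]}
""")


def cmdline_setting(cmdline):
    """True if bdev_allow_write_mounted=0 is on the command line, False if =1.

    None means the parameter is absent or not a 0/1 value, so the build-time
    default (CONFIG_BLK_DEV_WRITE_MOUNTED) decides.
    """
    result = None
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        if key == "bdev_allow_write_mounted" and sep:
            # Only the 0/1 forms are recognised here; the last occurrence wins.
            result = {"0": True, "1": False}.get(value)
    return result


def unguarded_ancestors(nodes):
    """Names of unmounted nodes that sit underneath a mounted filesystem."""
    found = []

    def walk(node):
        # Returns True if this node or any of its descendants is mounted.
        below = [walk(child) for child in node.get("children", [])]
        mounted = bool(node.get("mountpoint"))
        if not mounted and any(below):
            found.append(node["name"])  # still openable for writing
        return mounted or any(below)

    for node in nodes:
        walk(node)
    return sorted(found)
```

On the sample tree this reports sda and sda2 but not the partitionless sdb. That only covers the open-for-write path; problem 1 above still applies to sdb.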