* mapping with --readonly option
@ 2022-11-05 10:15 Fourhundred Thecat
2022-11-06 22:15 ` Arno Wagner
0 siblings, 1 reply; 3+ messages in thread
From: Fourhundred Thecat @ 2022-11-05 10:15 UTC (permalink / raw)
To: cryptsetup
Hello,
if I use the --readonly option to create a mapping, and mount it as my
root partition, can the mapping later be changed during runtime to
read-write ?
Or, in other words, if mapping was created as readonly, can I be sure
that it cannot be remapped to read-write while being mounted as my root
filesystem?
Ofcourse mapping can be closed and opened again, but I am asking here
specifically for mapping that is mounted as root filesystem, which
cannot be unmounted at runtime (as far as I know)
I am interested whether I can use readonly mapping as sort of security
feature to enforce read-only filesystem?
thank you
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: mapping with --readonly option
2022-11-05 10:15 mapping with --readonly option Fourhundred Thecat
@ 2022-11-06 22:15 ` Arno Wagner
2022-11-06 22:29 ` Christoph Anton Mitterer
0 siblings, 1 reply; 3+ messages in thread
From: Arno Wagner @ 2022-11-06 22:15 UTC (permalink / raw)
To: Fourhundred Thecat; +Cc: cryptsetup
You probably should mount it as readonly instead. Because
that gets remounted in the typical boot-process as r/w
so it definitely is possible.
If you want protection against a malicious root, this is
probably not the way to go, I think.
Regards,
Arno
On Sat, Nov 05, 2022 at 11:15:12 CET, Fourhundred Thecat wrote:
> Hello,
>
> if I use the --readonly option to create a mapping, and mount it as my
> root partition, can the mapping later be changed during runtime to
> read-write ?
>
> Or, in other words, if mapping was created as readonly, can I be sure
> that it cannot be remapped to read-write while being mounted as my root
> filesystem?
>
> Ofcourse mapping can be closed and opened again, but I am asking here
> specifically for mapping that is mounted as root filesystem, which
> cannot be unmounted at runtime (as far as I know)
>
> I am interested whether I can use readonly mapping as sort of security
> feature to enforce read-only filesystem?
>
> thank you
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: mapping with --readonly option
2022-11-06 22:15 ` Arno Wagner
@ 2022-11-06 22:29 ` Christoph Anton Mitterer
0 siblings, 0 replies; 3+ messages in thread
From: Christoph Anton Mitterer @ 2022-11-06 22:29 UTC (permalink / raw)
To: Arno Wagner, Fourhundred Thecat; +Cc: cryptsetup
On Sun, 2022-11-06 at 23:15 +0100, Arno Wagner wrote:
> You probably should mount it as readonly instead.
A -o ro filesystem mount is not necessarily actually read-only, the fs
itself may still change its own contents... e.g. journal or log tree
replays.
Cheers,
Chris.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-11-07 3:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-05 10:15 mapping with --readonly option Fourhundred Thecat
2022-11-06 22:15 ` Arno Wagner
2022-11-06 22:29 ` Christoph Anton Mitterer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).