Home
As the name suggests, the kernel patch in this repository makes Linux stricter in its write-blocking behaviour.
As described on the forensicswiki, some forensics CDs depend on hdparm or blockdev to prevent writes. Both work by performing an IOCTL on the block device, which influences the POSIX operations on the /dev/ pseudo-filesystem; more specifically, the IOCTL mostly affects the "open" operation.
Both ultimately affect the policy flag as set in genhd.c.
This is not very effective, because the filesystem drivers live in kernel space and can bypass the blocking easily; ReiserFS, for example, is mentioned as being able to do so.
When this was raised with the kernel developers, the feature was described as old and unmaintained. This patch gives it another shot.
The module works by mimicking part of the behaviour of the fault-injection module within the Linux kernel. That existing feature can block all communication with the physical device below the IO scheduler; here I only want to block write access. At the block IO layer, IO transactions are turned into bios, which are kept in a list. The IO scheduler can reorder the list and thus optimise IO throughput. The function generic_make_request_checks in block/blk-core.c does some basic sanity checking on each bio, and that is where the blocking of individual bios is implemented.
This is implemented in the function

```c
/* Decide per bio whether a write must be refused.
 * part->policy is the existing read-only flag (set via the hdparm/blockdev IOCTL);
 * part->prevent_write is the flag added by this patch. The bytes argument is unused. */
static bool should_prevent_write(struct hd_struct *part, unsigned int bytes)
{
	return part->policy || part->prevent_write;
}
```

It could have been as simple as

```c
/* Re-using only the existing read-only policy flag. */
static bool should_prevent_write(struct hd_struct *part, unsigned int bytes)
{
	return part->policy;
}
```

but then it would be very difficult to test, as the blocking at the POSIX layer and at the bio layer would always have the same state. The current default is to NOT block at the POSIX /dev/ pseudo-file layer and to ONLY block at the bio layer. This makes it possible to mount a filesystem read-write and have it fail when it attempts to write.
The rest of the code in the patch is glue to make the prevent_write option configurable both at runtime and at compile time. A default build will not block writes; one needs to set CONFIG_BLK_PREVENT_WRITE=y in the .config file.
# Testing
The easiest way to test is to boot the kernel and stay in the ram-disk phase; then no write support is needed at all. It is also not too difficult to make a bootable live CD like an Ubuntu install disk. However, please note that for building an Ubuntu kernel one needs to integrate aufs as well (bumped my head there).
If you do not want to take that effort now, feel free to download (bittorrent) my build of an Ubuntu 14.04 AMD live CD with this kernel and experiment.
Bittorrent download of patched ubuntu 14.04 AMD
- Boot the live CD on a system with filled disks (preferably not crucial ones, as during testing you may explicitly want to write).
- Find the partitions (e.g. `cat /proc/partitions`).
- Try to mount a filesystem read-write; this should succeed.
- Try to modify a file; this should (seem to) work.
- Run `sync`.
- Observe dmesg for warnings.
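The steps above, as an added shell harness that is not part of this repository or its patch. It lists block devices from /proc/partitions-style text, reports the POSIX-layer read-only flag via `blockdev --getro` (the layer the patch leaves open by default), performs the rw mount, write and `sync`, and then counts blocked-write messages in dmesg. The device path `/dev/sda2`, the mount point `/mnt/test`, the sample /proc/partitions and dmesg lines are constructed for this example, and the dmesg wording matched is the message mainline blk-core.c prints for a write to a read-only device; the patched kernel may word its warning differently, so adjust the pattern after a first run.

```sh
#!/bin/sh
# Added example, not the repository's own code. The helpers work on text so
# they can be checked offline; run_write_test needs root and a disposable
# partition on a machine booted with the patched kernel.

# Constructed /proc/partitions content (example data, not a real machine).
SAMPLE_PARTITIONS='major minor  #blocks  name

   8        0  488386584 sda
   8        1     524288 sda1
   8        2  487861248 sda2
  11        0    1048575 sr0'

# Constructed dmesg excerpt. Line 2 uses the mainline blk-core.c wording for a
# write to a read-only device; the patched kernel may differ (assumption).
SAMPLE_DMESG='[   12.345678] EXT4-fs (sda2): mounted filesystem with ordered data mode. Opts: (null)
[   20.111111] generic_make_request: Trying to write to read-only block-device sda2 (partno 2)
[   20.222222] Buffer I/O error on device sda2, logical block 1234
[   21.000000] usb 1-1: new high-speed USB device number 2 using ehci-pci'

# Print one /dev path per disk or partition from /proc/partitions text on stdin.
# The header line has four fields too, so it is excluded by name; blank lines
# have zero fields and are skipped by the NF test.
list_block_devices() {
    awk 'NF == 4 && $1 != "major" { print "/dev/" $4 }'
}

# Count dmesg lines on stdin that indicate a refused write. Always exits 0 and
# prints a number, so it is safe under set -e.
count_blocked_writes() {
    awk '$0 ~ "read-only block-device|Buffer I/O error" { n++ } END { print n + 0 }'
}

# Full cycle against a real partition. Usage: run_write_test /dev/sda2 /mnt/test
# Returns 0 when the kernel reported at least one blocked write.
run_write_test() {
    dev="$1"; mnt="$2"
    # 0 here means the POSIX /dev layer would still allow writes (default state).
    echo "posix-layer read-only flag for $dev: $(blockdev --getro "$dev")"
    mount -o rw "$dev" "$mnt" || { echo "rw mount of $dev failed"; return 1; }
    if echo "write-block test $(date)" > "$mnt/write-block-test.txt"; then
        echo "write appeared to succeed at the filesystem layer"
    fi
    sync
    umount "$mnt"
    n=$(dmesg | count_blocked_writes)
    echo "blocked-write messages in dmesg: $n"
    [ "$n" -gt 0 ]
}

if [ $# -eq 2 ]; then
    run_write_test "$1" "$2"
else
    echo "block devices in the constructed sample:"
    printf '%s\n' "$SAMPLE_PARTITIONS" | list_block_devices
    echo "blocked-write messages in the constructed dmesg sample:"
    printf '%s\n' "$SAMPLE_DMESG" | count_blocked_writes
fi
```

Run it with no arguments to exercise the parsers on the constructed samples; run it as root with a device and a mount point on the live CD to perform the actual test. A non-zero exit from `run_write_test` with an apparently successful write at the filesystem layer is exactly the default state the patch is designed for.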