feat: add two more kernel arguments #1587

Merged
RoyalOughtness merged 3 commits into secureblue:live from HastD:more-kargs
Nov 9, 2025

@HastD
Collaborator

@HastD HastD commented Nov 7, 2025

  • proc_mem.force_override=ptrace: Prevent processes from modifying memory mappings via /proc/<pid>/mem unless the process is attached via ptrace.
  • bdev_allow_write_mounted=0: Prevent direct writes to block devices, which in most circumstances is likely to cause filesystem corruption. Added to unstable (not default) kargs.

Thanks to @raja-grewal for suggesting these (in #1393).

* `proc_mem.force_override=ptrace`: Prevent processes from modifying
  memory mappings via `/proc/<pid>/mem` unless the process is attached
  via ptrace.
* `bdev_allow_write_mounted=0`: Prevent direct writes to block devices,
  which in most circumstances is likely to cause filesystem corruption.

Thanks to raja-grewal for suggesting these.

Signed-off-by: Daniel Hast <[email protected]>
@HastD HastD requested a review from RoyalOughtness as a code owner November 7, 2025 20:30
@RoyalOughtness
Collaborator

linking docs for reference

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=41e8149c8892

also, bdev_allow_write_mounted=0 can break stuff. might be worth making it unstable?

                 # 1) bdev_allow_write_mounted=0 may break snap and its applications on Ubuntu,
                 # since snap uses the squashfs filesystem and creates loop devices.
                 # 2) On Gentoo with openrc-init, bdev_allow_write_mounted=0 makes fsck fail
                 # on boot during the root filesystem check.

@HastD
Collaborator Author

HastD commented Nov 7, 2025

That's a good point, I agree it would make sense to make bdev_allow_write_mounted=0 unstable, at least initially (we could always change it later).

Should we also start out with proc_mem.force_override=ptrace as an unstable karg? Seems like it's unlikely to break things since anything that legitimately needs to directly write to /proc/<pid>/mem should be ptrace-attaching to the process anyway, right?

@HastD HastD changed the title from "feat: add two more kernel arguments to defaults" to "feat: add two more kernel arguments" Nov 7, 2025
@RoyalOughtness
Collaborator

@HastD yeah I agree, proc_mem.force_override=ptrace seems like it shouldn't be too problematic

@RoyalOughtness RoyalOughtness merged commit 2920771 into secureblue:live Nov 9, 2025
15 checks passed
@HastD HastD deleted the more-kargs branch November 9, 2025 21:47
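
A check for the two arguments discussed in this thread, as an added example that is not part of the pull request or the secureblue code base: it parses a kernel command line string and reports whether `proc_mem.force_override=ptrace` and, optionally, `bdev_allow_write_mounted=0` are present. The function names `karg_value` and `audit_kargs`, the sample command line, and the rule that the last occurrence of a parameter takes effect are assumptions of this example.

```shell
# karg_value CMDLINE NAME: print the value of the last NAME=value token.
# Returns 1 if NAME is absent. '-' and '_' are equivalent in kernel parameter
# names, so both sides are normalized. Assumption: the last occurrence wins.
# Limitation: quoted values containing spaces are not handled.
karg_value() {
    kv_want=$(printf '%s' "$2" | sed 's/-/_/g')
    kv_found=1
    kv_value=
    while IFS= read -r kv_tok; do
        case $kv_tok in *=*) ;; *) continue ;; esac
        kv_name=$(printf '%s' "${kv_tok%%=*}" | sed 's/-/_/g')
        if [ "$kv_name" = "$kv_want" ]; then
            kv_value=${kv_tok#*=}
            kv_found=0
        fi
    done <<EOF
$(printf '%s' "$1" | tr '\t' ' ' | tr -s ' ' '\n')
EOF
    if [ "$kv_found" -eq 0 ]; then printf '%s\n' "$kv_value"; fi
    return "$kv_found"
}

# audit_kargs CMDLINE [unstable]: proc_mem.force_override=ptrace is always
# required; bdev_allow_write_mounted=0 only when "unstable" is passed, since
# the PR adds it to the unstable (not default) kargs.
audit_kargs() {
    ak_rc=0
    ak_v=$(karg_value "$1" proc_mem.force_override) || ak_v='<absent>'
    if [ "$ak_v" = ptrace ]; then
        echo "ok      proc_mem.force_override=ptrace"
    else
        echo "MISSING proc_mem.force_override=ptrace (found: $ak_v)"; ak_rc=1
    fi
    ak_v=$(karg_value "$1" bdev_allow_write_mounted) || ak_v='<absent>'
    if [ "$ak_v" = 0 ]; then
        echo "ok      bdev_allow_write_mounted=0"
    elif [ "${2:-}" = unstable ]; then
        echo "MISSING bdev_allow_write_mounted=0 (found: $ak_v)"; ak_rc=1
    else
        echo "info    bdev_allow_write_mounted=0 not set (unstable karg)"
    fi
    return "$ak_rc"
}

# Constructed sample command line (not from a real system).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=UUID=constructed rw proc_mem.force_override=always quiet proc-mem.force-override=ptrace'
audit_kargs "$SAMPLE_CMDLINE"
```

To check the running system, call `audit_kargs "$(cat /proc/cmdline)"`, adding `unstable` as a second argument if the unstable kargs are enabled.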