
Make bdev_allow_write_mounted kernel parameter optional #362

Open
assisted-by-ai wants to merge 1 commit into Kicksecure:master from assisted-by-ai:claude/comment-bdev-allow-write-aYEla

Conversation

@assisted-by-ai

Summary

This change makes the bdev_allow_write_mounted=0 kernel hardening parameter optional by commenting it out in the default GRUB configuration, while updating documentation to reflect potential compatibility issues.

Key Changes

  • Commented out the bdev_allow_write_mounted=0 kernel parameter in etc/default/grub.d/40_kernel_hardening.cfg
  • Added references to related discussions documenting issues with disk management operations
  • Updated README.md to clarify that this is an optional hardening measure
  • Added documentation of known breakages with disk resizing and VDI compaction in virtual machines

Details

The bdev_allow_write_mounted=0 parameter prevents privileged processes from writing to mounted block devices, protecting against filesystem corruption and kernel crashes. However, this parameter can interfere with legitimate disk management operations such as:

  • Disk resizing in virtual machines
  • VDI compaction operations

By making this parameter optional (disabled by default), users can choose to enable it based on their security requirements and use case compatibility. The documentation now clearly indicates this is an optional hardening feature with potential operational trade-offs.

https://claude.ai/code/session_01Cd9ka8sC7zLUvB31V4kxMk
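
As an added example (not code from this PR or from Kicksecure's security-misc), the following POSIX shell audit reports whether bdev_allow_write_mounted=0 is in effect for the running kernel and for a GRUB fragment, so an operator can see which state a system is actually in after this change. The fragment it writes is constructed for illustration and is not the real 40_kernel_hardening.cfg.

```shell
#!/bin/sh
# Added example, not part of the Kicksecure PR or security-misc: audit whether the
# bdev_allow_write_mounted=0 hardening is in effect for the running kernel and for
# the GRUB fragment the next boot will use. The fragment written below is constructed.

# Effective value for one kernel command line. The kernel default is 1 (privileged
# writes to mounted block devices allowed). The parameter is parsed with kstrtobool:
# 0/n/N/off disable, 1/y/Y/on enable, anything else is ignored, last valid one wins.
bdev_write_mounted_effective() {
  val=1
  for tok in $1; do
    case "$tok" in
      bdev_allow_write_mounted=0*|bdev_allow_write_mounted=[nN]*|bdev_allow_write_mounted=[oO][fF]*) val=0 ;;
      bdev_allow_write_mounted=1*|bdev_allow_write_mounted=[yY]*|bdev_allow_write_mounted=[oO][nN]*) val=1 ;;
    esac
  done
  printf '%s\n' "$val"
}

# Parameters an /etc/default/grub.d fragment contributes: only uncommented
# GRUB_CMDLINE_LINUX*="..." assignments count, and the $GRUB_CMDLINE_LINUX
# expansion that chains fragments together is dropped.
grub_fragment_params() {
  sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX[A-Z_]*="\(.*\)"[[:space:]]*$/\1/p' "$1" \
    | tr ' ' '\n' | grep -v '^\$' | tr '\n' ' '
}

# Constructed fragment in the state this PR proposes: the hardening line commented out.
write_sample_fragment() {
  cat > "$1" <<'EOF'
## Block privileged writes to mounted block devices (optional; breaks fwupd, VM disk resize).
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
EOF
}

# Compare the fragment ($1) with the running kernel (/proc/cmdline, or the string in $2).
# A mismatch means the GRUB config changed but update-grub and a reboot have not happened.
audit_bdev_write_mounted() {
  c=$(bdev_write_mounted_effective "$(grub_fragment_params "$1")")
  r=$(bdev_write_mounted_effective "${2:-$(cat /proc/cmdline)}")
  if [ "$c" = "$r" ]; then
    echo "consistent: bdev_allow_write_mounted=$r"
  else
    echo "mismatch: configured=$c running=$r (run update-grub and reboot)"
  fi
  [ "$c" = "$r" ]
}
```

Run `audit_bdev_write_mounted /etc/default/grub.d/40_kernel_hardening.cfg` on a live system to compare the fragment against /proc/cmdline; the function's exit status is non-zero on a mismatch so it can be used in a health check.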

@adrelanos
Member

Grow/shrink virtual hard disk versus bdev_allow_write_mounted is now documented.

Issues with fwupd are more important. It was reported here:

#334 (comment)

Firmware updates, fwupd, seem more important than bdev_allow_write_mounted=0.
