From 1a71a3e954060aaf06a3daf491168bdf31942dc5 Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 9 Apr 2026 12:06:54 +0000 Subject: [PATCH] comment out bdev_allow_write_mounted=0 Causes breakages with disk management operations such as disk resizing and VDI compaction in virtual machines. https://github.com/Kicksecure/security-misc/pull/334 https://forums.whonix.org/t/kernel-hardening-security-misc/7296/609 https://forums.whonix.org/t/how-to-compress-and-prevent-vdi-from-ballooning-after-each-update-deleting-large-files/22675/9 https://forums.kicksecure.com/t/resizing-disk-for-guest-in-kvm/1657 https://claude.ai/code/session_01Cd9ka8sC7zLUvB31V4kxMk --- README.md | 5 +++-- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 7 ++++++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 09fde855..04d2b22e 100644 --- a/README.md +++ b/README.md @@ -273,8 +273,9 @@ Kernel space: - Restrict processes from modifying their own memory mappings unless actively done via `ptrace()` for debugging in order to limit self-modification which can trigger exploits. -- Prevent runaway privileged processes from writing to block devices that are mounted by - filesystems to protect against filesystem corruption and kernel crashes. +- Optional - Prevent runaway privileged processes from writing to block devices that are mounted by + filesystems to protect against filesystem corruption and kernel crashes. May cause breakages with + disk management operations such as disk resizing and VDI compaction in virtual machines. - Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 6a5ef134..498a6ddc 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -290,7 +290,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace" ## https://lore.kernel.org/lkml/20240105-vfs-super-4092d802972c@brauner/ ## https://github.com/a13xp0p0v/kernel-hardening-checker/issues/186 ## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0" +## https://github.com/Kicksecure/security-misc/pull/334 +## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/609 +## https://forums.whonix.org/t/how-to-compress-and-prevent-vdi-from-ballooning-after-each-update-deleting-large-files/22675/9 +## https://forums.kicksecure.com/t/resizing-disk-for-guest-in-kvm/1657 +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0" ## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). ## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks.
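Review bot: in the README hunk, the new "Optional - ... May cause breakages with disk management operations" wording tells the reader the protection is now off by default but not how to turn it back on; since the other "Optional -" entry in this list (SME/SEV) follows the same pattern, add a short pointer such as "Enable by uncommenting the `bdev_allow_write_mounted=0` line in `/etc/default/grub.d/40_kernel_hardening.cfg` and regenerating the GRUB configuration" so a user who reads only the README can find the switch.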
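Review bot: in the grub.d hunk, the line `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0"` is commented out and four issue links are added, but nothing in the comment block states what the change means operationally: that writes to mounted block devices now fall back to the kernel's own default behaviour and that the hardening is opt-in. Add one explicit line above the commented setting, e.g. `## Disabled by default because it breaks disk resizing and VDI compaction in VMs; uncomment to enable.`, so the reader does not have to follow the links to learn why the line is commented and what re-enabling it costs.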