Better internal hard disks lockdown
Originally created by Tails on #5918 (Redmine)
Tails user can currently access their local hard disks. It is only possible when an administrative password is set at boot time, but still it would be better to make internal drives read-only at kernel level to prevent anything bad from happening, unless explicitly desired. The later is useful to wipe a file or the whole device.
About implementation: live-boot’s
readonly option does the read-only
part, but it does that for every device, including removable ones, which
is painful when using persistence (#5910 (closed)) stored on the USB stick Tails
is running from. We need to add a
readonly=fixed option to live-boot
that would do that only for fixed (internal) disks.
Once that is done, an option must be added to get write access back. Either in Tails Greeter or on the command-line.
- Related to #17637