From: mcanswer@mcanswer.pl
Newsgroups: comp.os.linux.security
Subject: Re: Write protection on SD cards
Date: Sat, 17 Dec 2011 07:51:41 +0100
Organization: ICM, Uniwersytet Warszawski
Message-ID: <7tobv7pu6a.fsf@leeloo.local.mcanswer.pl>
References: <9hb396F3fcU1@mid.individual.net> <9hkma2Fcu3U1@mid.individual.net>

Günther Schwarz writes:

> Tobias Blass wrote:
>
>> On 2011-11-01, Günther Schwarz wrote:
>> the attacker could (root access provided) e.g. load a kernel
>> module or install another kernel that does not check the write
>> protection switch.
>
> You understood that correctly. The device is supposed to survive in a
> clean state in case the system gets compromised and thus allow for a
> fresh installation without having to insert a CD or doing a PXE boot. It
> should be better in this respect than an extra partition on the main hard
> disk. But still the security needs are moderate.

You can always use some mandatory access control to prevent an attacker from
accessing this device and/or from loading kernel modules. The first could be
done with SELinux or RBAC, the second with, for example, grsecurity.