Skip to content

Latest commit

 

History

History
69 lines (38 loc) · 3.46 KB

README.md

File metadata and controls

69 lines (38 loc) · 3.46 KB

Untouchable

Install initcpio hooks to create readonly snapshots during early boot and mount an overlayfs on top.


! CAUTION !

Do not blindly install the mkinitcpio hook provided by this repository !

This is an ongoing WIP with some missing parts, and above all it's completely untested at this point. Using this as-is may leave you with an unbootable system.



Requirements

Currently, the supported system configuration is :

I'd be more than happy though to accept contributions which adapt the project to additional distros or initrd frameworks (e.g. dracut).



Rationale

The intention of this project is to enable users to boot and run their system in a way that the actual file system is write-protected, hence to use their everyday OS like an immutable live environment.

Some possible use cases :

  • testing packages without risking to damage the actual system
  • analyzing malware, e.g. viruses or proprietary applications
  • trying out new/untested configurations before deploying them to the system


How is this achieved ?

An initcpio hook will be installed onto your system, which will insert a script into your initial RAM-disk. This script is executed at early boot time and will create a write protected snapshot of the subvolume that would be mounted at the filesystem root (/), mount that snapshot instead and create a writeable RAM overlay, so that you can work with the system like normal, with the difference that each and every change made during runtime won't affect your permanent filesystem but will be discarded on shutdown/reboot.

Besides this, untouchable installs a new mkinitcpio preset for each installed kernel which includes this hook, so that an additional initramfs-linux[-xyz]-untouchable.img will be created, besides your default initramfs-linux[-xyz]{,-fallback}.img ones.

Eventually, after the initcpio-hook and -preset(s) have been installed onto the system and the additional initrd's have been built, the GRUB configuration will be updated to add entries to the boot menu, enabling the user to choose to boot into the "untouchable" system.



Credits

A big THANK YOU to :

Hat tip to all of you, and to all developers/contributors of projects like the Linux kernel, Btrfs, GRUB etc., and all those I forgot to mention, as well as to each and every FOSS proponent.