Is it possible to mount an entire disk device read only?

[Colin Watson]

On Sun, Sep 06, 2015 at 05:59:13PM +1000, Karl Auer wrote:
> While looking at another poster's issue I started wondering whether it
> is possible to attach an entire hard disk drive in read-only mode.
> Mounting a partition read-only is easy, but I'm not talking about
> partitions here - I mean the entire drive.
> 
> That is, can I have a read-only /dev/sdb?

(Disclaimer: some of the following is from reading kernel code and I
haven't actually tried it on a whole disk device.)

"blockdev --setro" is a useful tool that makes a block device read-only.
In and of itself I do not believe that applying it to a disk device,
e.g. "blockdev --setro /dev/sdb", automatically applies it to all the
partitions on that disk.  However, when a new partition is added, it
inherits the read-only policy from its disk; so I believe that if you
mark the disk and all its partitions read-only using "blockdev --setro"
after it appears (and figure out a non-racy way to do this), then that
should be sufficient.

Does that help?  It should at least give you something to experiment
with.

Some people mentioned journalling filesystems: if the block device is
read-only, those will simply refuse to "mount -oro" if they still need
to make changes such as replaying a journal.  For such cases, grub-mount
can be useful since it can read most filesystems but entirely lacks
write support, so it can safely be used to inspect things in a
guaranteed read-only mode.

-- 
Colin Watson                                       [cjwatson at ubuntu.com]