@linux4life798
Last active July 29, 2025 23:17
Protect USB storage devices, holding alternative operating systems, from overwrite

/etc/udev/rules.d/99-protected-usb-storage.rules:

# Craig Jul 29, 2025
#
# Prevent accidentally writing over alt OS boot volumes, like my
# Framework 1TB Expansion card for Windows 11.
#
# sudo udevadm control --reload-rules
# sudo udevadm trigger
#
# Run "sudo blockdev --setrw /dev/sda*" to change back to RW.

# Add the TAG "protected-usb-storage" to any block devices that
# should be protected. Set ENV{PROTECTED_REASON} to provide
# a reason in the kernel messages when protection occurs.
#
# Use "sudo udevadm info /dev/sda" to determine serial numbers
# or other attributes to filter on.

SUBSYSTEM=="block", ENV{ID_USB_SERIAL}=="FRMW_1TB_Card_0123456789-0:0", \
	TAG+="protected-usb-storage", ENV{PROTECTED_REASON}="Windows expansion card"

# ENV{DEVTYPE} can be "disk", for the root sda, or "partition", for sda1 and sda2.
SUBSYSTEM=="block", ENV{ID_USB_SERIAL}=="FRMW_1TB_Card_0123456789-0:0", \
	ENV{DEVTYPE}=="disk", \
	SYMLINK+="windows-usb-disk"

#### Apply Protections ####

TAG=="protected-usb-storage", ACTION=="add", SUBSYSTEM=="block", \
	MODE="0000", ENV{UDISKS_IGNORE}="1", OWNER="root", GROUP="root", \
	RUN+="/bin/sh -c 'echo craig-udev: Protecting $env{DEVNAME} for reason: $env{PROTECTED_REASON} >/dev/kmsg'", \
	RUN+="/sbin/blockdev --setro '$env{DEVNAME}'"

Reload:

sudo udevadm control --reload-rules
sudo udevadm trigger
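
Verify:

The check below is an added example, not part of the original gist. It confirms that a device carries what the protection rule sets: the tag, UDISKS_IGNORE, the kernel read-only flag and mode 0000. The function names and the sample property text are constructed for illustration, and audit_live must run as root.

```shell
#!/bin/sh
# Constructed sample of `udevadm info --query=property --name=/dev/sda`
# output for a device matched by the rules above (not captured from a real system).
SAMPLE_PROPS='DEVNAME=/dev/sda
DEVTYPE=disk
ID_USB_SERIAL=FRMW_1TB_Card_0123456789-0:0
PROTECTED_REASON=Windows expansion card
UDISKS_IGNORE=1
CURRENT_TAGS=:protected-usb-storage:systemd:
TAGS=:protected-usb-storage:systemd:'

# prop_value PROPS KEY: print the value of KEY from KEY=VALUE property text.
prop_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# audit_device PROPS RO_FLAG MODE
#   PROPS   property text from udevadm info
#   RO_FLAG output of `blockdev --getro` (1 means read-only)
#   MODE    output of `stat -L -c %a` (0 means mode 0000)
# Prints one line per failed check; returns 0 only if every check passes.
audit_device() {
    props=$1 ro=$2 mode=$3 rc=0
    case "$(prop_value "$props" TAGS)" in
        *:protected-usb-storage:*) ;;
        *) echo "not tagged protected-usb-storage"; rc=1 ;;
    esac
    [ "$(prop_value "$props" UDISKS_IGNORE)" = 1 ] ||
        { echo "UDISKS_IGNORE is not set"; rc=1; }
    [ "$ro" = 1 ] ||
        { echo "kernel read-only flag is clear"; rc=1; }
    [ "$mode" = 0 ] ||
        { echo "device node mode is $mode, expected 0"; rc=1; }
    return $rc
}

# audit_live DEV: gather the three inputs from a real device node.
# Example (as root): audit_live /dev/windows-usb-disk
audit_live() {
    audit_device "$(udevadm info --query=property --name="$1")" \
        "$(blockdev --getro "$1")" "$(stat -L -c %a "$1")"
}
```

The protection rule matches only ACTION=="add" events, so run the check after the device has been plugged in with the rules loaded, and repeat it for each partition node as well as the disk.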