Linux 4.16 Is Tightening Up Access To /dev/mem By Default

Written by Michael Larabel in Linux Kernel on 29 January 2018 at 05:26 AM EST. 22 Comments
LINUX KERNEL
One of the security improvements to Linux 4.16 is improving the default behavior for restricted access to /dev/mem for x86/x86_64 and ARM64 systems.

The CONFIG_STRICT_DEVMEM Kconfig switch that has been around since the end of the 2.6 kernel days is now going to be enabled by default for x86/x86_64 and ARM platforms.

Enabling CONFIG_STRICT_DEVMEM implements strict access to /dev/mem so that it only allows user-space access to memory mapped peripherals. With this option disabled, the root user from user-space can access all kernel and user-space memory through /dev/mem. The reason this unrestricted access is there in the first place is it can be useful when debugging the kernel but obviously isn't wise keeping this unrestricted memory access on production systems.

Most Linux distributions should already be enabling CONFIG_STRICT_DEVMEM for security best practices, but in the case your kernel build doesn't have it set, with Linux 4.16 it's set to be enabled by default.

Ingo Molnar sent in the brief change this morning with the Linux 4.16 merge window having kicked off last night following the release of Linux 4.15. It will be interesting to see what other Linux security improvements/changes are out on the horizon as a result of Spectre/Meltdown and other recent security vulnerabilities putting a renewed spotlight on the matter.
22 Comments
Related News
Linux 6.9-rc5 Released: The Diffstat "Looks A Bit Wonky" But Not Bad
Linux 6.9-rc5 Picking Up Fixes For Intel FRED, BHI & GFNI/VAES Checks
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"
Linus Torvalds Injects Tabs To Thwart Kconfig Parsers Not Correctly Handling Them
Linux 6.9-rc4 Brings More Bcachefs Fixes, Native BHI Mitigation
Linux 6.10 To Account For NUMA Node When Allocating Per-CPU Cpumasks
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Rust-Written LAVD Kernel Scheduler Shows Promising Results For Linux Gaming
Former Nouveau Lead Developer Joins NVIDIA, Continues Working On Open-Source Driver
Fedora Linux 40 Cleared For Release Next Week
Mozilla Finally Begins Offering Firefox ARM64 Linux Binaries
AMD: "Additional Parts Of The Radeon Stack To Be Open Sourced Throughout The Year"
Ubuntu 24.04 Supports Easy Installation Of OpenZFS Root File-System With Encryption
openSUSE Factory Achieves Bit-By-Bit Reproducible Builds
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"