Linux 4.16 Is Tightening Up Access To /dev/mem By Default
One of the security improvements in Linux 4.16 is a stricter default for access to /dev/mem on x86/x86_64 and ARM64 systems.
The CONFIG_STRICT_DEVMEM Kconfig switch that has been around since the end of the 2.6 kernel days is now going to be enabled by default for x86/x86_64 and ARM platforms.
Enabling CONFIG_STRICT_DEVMEM restricts /dev/mem so that user-space can only reach memory-mapped peripherals through it. With this option disabled, root in user-space can access all kernel and user-space memory through /dev/mem. That unrestricted access exists because it can be useful when debugging the kernel, but it obviously isn't wise to keep it on production systems.
Most Linux distributions should already be enabling CONFIG_STRICT_DEVMEM as a security best practice, but in case your kernel build doesn't have it set, with Linux 4.16 it is enabled by default.
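A quick way to confirm which side of this default a given kernel is on is to read its build config. The following POSIX sh script is an added example, not code from the article or the kernel tree; it looks up CONFIG_STRICT_DEVMEM (and the related CONFIG_IO_STRICT_DEVMEM) in /proc/config.gz or /boot/config-$(uname -r), or in a config file you pass in, and returns 0 when strict /dev/mem is on, 1 when it is off, and 2 when it cannot tell.

```sh
#!/bin/sh
# Added example: report whether a kernel config enables CONFIG_STRICT_DEVMEM.
# Usage: check_strict_devmem [path-to-kernel-config]
#        (defaults to the running kernel's config; .gz files are read with zcat)

# Print "y", "n" or "unset" for one CONFIG_ symbol in a kernel .config file.
config_value() {
    sym="$1"; file="$2"
    case "$file" in
        *.gz) reader="zcat" ;;
        *)    reader="cat" ;;
    esac
    if "$reader" "$file" 2>/dev/null | grep -q "^${sym}=y\$"; then
        echo y
    elif "$reader" "$file" 2>/dev/null | grep -q "^# ${sym} is not set\$"; then
        echo n
    else
        echo unset
    fi
}

# Exit status: 0 = strict /dev/mem on, 1 = off (root can read all RAM), 2 = unknown.
check_strict_devmem() {
    file="${1:-}"
    if [ -z "$file" ]; then
        if [ -r /proc/config.gz ]; then
            file=/proc/config.gz
        elif [ -r "/boot/config-$(uname -r)" ]; then
            file="/boot/config-$(uname -r)"
        else
            echo "no kernel config found; pass a path explicitly" >&2
            return 2
        fi
    fi
    strict=$(config_value CONFIG_STRICT_DEVMEM "$file")
    io_strict=$(config_value CONFIG_IO_STRICT_DEVMEM "$file")
    case "$strict" in
        y) echo "CONFIG_STRICT_DEVMEM=y: /dev/mem limited to device memory (IO_STRICT_DEVMEM=$io_strict)"
           return 0 ;;
        n) echo "CONFIG_STRICT_DEVMEM not set: root can access all memory via /dev/mem"
           return 1 ;;
        *) echo "CONFIG_STRICT_DEVMEM absent from $file (kernel may predate the option or build without /dev/mem)"
           return 2 ;;
    esac
}
```

Source the file and run `check_strict_devmem` on the host, or point it at a saved config to audit images offline.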
Ingo Molnar sent in the brief change this morning, with the Linux 4.16 merge window having kicked off last night following the release of Linux 4.15. It will be interesting to see what other Linux security improvements and changes are on the horizon now that Spectre/Meltdown and other recent vulnerabilities have put a renewed spotlight on the matter.