Linux 4.16 Is Tightening Up Access To /dev/mem By Default

Written by Michael Larabel in Linux Kernel on 29 January 2018 at 05:26 AM EST. 22 Comments
One of the security improvements to Linux 4.16 is improving the default behavior for restricted access to /dev/mem for x86/x86_64 and ARM64 systems.

The CONFIG_STRICT_DEVMEM Kconfig switch that has been around since the end of the 2.6 kernel days is now going to be enabled by default for x86/x86_64 and ARM platforms.

Enabling CONFIG_STRICT_DEVMEM implements strict access to /dev/mem so that it only allows user-space access to memory mapped peripherals. With this option disabled, the root user from user-space can access all kernel and user-space memory through /dev/mem. The reason this unrestricted access is there in the first place is it can be useful when debugging the kernel but obviously isn't wise keeping this unrestricted memory access on production systems.

Most Linux distributions should already be enabling CONFIG_STRICT_DEVMEM for security best practices, but in the case your kernel build doesn't have it set, with Linux 4.16 it's set to be enabled by default.

Ingo Molnar sent in the brief change this morning with the Linux 4.16 merge window having kicked off last night following the release of Linux 4.15. It will be interesting to see what other Linux security improvements/changes are out on the horizon as a result of Spectre/Meltdown and other recent security vulnerabilities putting a renewed spotlight on the matter.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via

Popular News This Week