Linux 6.9 Sees Further Security Hardening

With security concerns at all-time highs in the industry, Linux 6.9 is seeing yet more work to beef up its security hardening with various additional safety checks and other compile-time defenses for ensuring security best practices.

Kees Cook submitted the wide assortment of hardening updates at the start of the Linux 6.9 merge window. He summed it up as being "pretty normal" and "all over the place" in terms of different changes and improvements.

Linux 6.9 is re-introducing the Undefined Behavior Sanitizer (UBSAN) signed overflow sanitizer to continue testing and making improvements compiler-side and discovering other ways to make that sanitizer more useful to the benefit of everyone. The signed overflow sanitizer was previously removed since it was effectively useless at the time when paired with the "-fno-strict-overflow" compiler option. But with the sanitizer improvements being made and wanting to better check against unexpected signed wrap-around, the sanitizer use is being restored.

The hardening pull also has various Kconfig updates, header updates, dropping a 13 year old CAP_SYS_ADMIN backward compatibility check, and other minor changes in the name of security hardening.

This pull since merged lays out the changes for further hardening Linux 6.9.