Linux Security Summit Europe 2025

Starting with Linux 6.14, we will be able to securely control script execution using new execveat(2) and prctl(2) flags, successors to O_MAYEXEC. This marks a crucial step toward fully supporting code integrity on Linux.

The next steps involve enlighting script interpreters and providing users with straightforward ways to incrementally enforce such restrictions. Options include leveraging existing LSM policies and configuring user-space process management services (e.g., systemd).

In this talk, we will explore the kernel changes that were required (e.g., uAPI, IMA, IPE) and the ongoing complementary user-space updates, including script enlightenment. We will also explain the rationale behind the new securebits and how they facilitate a smooth migration, especially for generic Linux distributions.