Attack Vector Controls: a new framework to manage CPU vulnerability mitigations by attack vector class rather than per-mitigation toggles
Refined Spectre/SRSO mitigations
Rust integration now built with the same speculative execution defenses as C code
SELinux gets a neversaudit flag and a 5-second delay on a deprecated sysfs interface
Lockdown LSM has active maintainers again
AppArmor can now mediate AF_UNIX sockets with fine-grained rules
Kernel stack erasing improvements for better memory safety
Full post here: https://www.armosec.io/blog/linux-6-17-security-features/
Curious what the HN crowd thinks — do these changes make Linux more secure in practice? Any hidden trade-offs or regressions people have seen testing 6.17-rc?