From 8b4993add0ac0aafd84cf3dbd9c2909c62d8feda Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Tue, 3 Sep 2013 11:23:29 -0400
Subject: [PATCH 09/16] uswsusp: Disable when securelevel is set
Patch-mainline: Queued in subsystem maintainer repository
Git-repo: https://github.com/mjg59/linux
Git-commit: 8b4993add0ac0aafd84cf3dbd9c2909c62d8feda
References: fate#320387
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if securelevel
has been set.
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Acked-by: Lee, Chun-Yi <jlee@suse.com>
---
kernel/power/user.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -24,6 +24,7 @@
#include <linux/console.h>
#include <linux/cpu.h>
#include <linux/freezer.h>
+#include <linux/security.h>
#include <linux/uaccess.h>
@@ -52,6 +53,9 @@ static int snapshot_open(struct inode *i
if (!hibernation_available())
return -EPERM;
+ if (get_securelevel() > 0)
+ return -EPERM;
+
lock_system_sleep();
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {