From 8b4993add0ac0aafd84cf3dbd9c2909c62d8feda Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Tue, 3 Sep 2013 11:23:29 -0400
Subject: [PATCH 09/16] uswsusp: Disable when securelevel is set

Patch-mainline: Queued in subsystem maintainer repository
Git-repo: https://github.com/mjg59/linux
Git-commit: 8b4993add0ac0aafd84cf3dbd9c2909c62d8feda
References: fate#320387

uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if securelevel
has been set.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Acked-by: Lee, Chun-Yi <jlee@suse.com>
---
 kernel/power/user.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -24,6 +24,7 @@
 #include <linux/console.h>
 #include <linux/cpu.h>
 #include <linux/freezer.h>
+#include <linux/security.h>
 
 #include <linux/uaccess.h>
 
@@ -52,6 +53,9 @@ static int snapshot_open(struct inode *i
 	if (!hibernation_available())
 		return -EPERM;
 
+	if (get_securelevel() > 0)
+		return -EPERM;
+
 	lock_system_sleep();
 
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
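
Review bot: the new get_securelevel() test in snapshot_open() is enforced only at open time, so a descriptor on the snapshot device that was opened while securelevel was still 0 stays usable afterwards; the diffstat shows these four lines are the only change, so nothing else in the file repeats the check. If securelevel can be raised after userspace has started, either repeat the test in the device's other file operations or state in the commit message that securelevel must be set before any process can open the device. A one-line comment above "if (get_securelevel() > 0)" saying that restoring a userspace-supplied image can modify the running kernel would also help, since the adjacent hibernation_available() check returns the same -EPERM for an unrelated reason. Placing the test before lock_system_sleep() is right, as the early return then needs no unlock.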