uswsusp: Disable when securelevel is set

Orabug: 21539498

uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if securelevel
has been set.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>

diff --git a/kernel/power/user.c b/kernel/power/user.c
index 526e8911460a0b550011b2aae89c1fe9ad11a2cf..40618bf41620a478bb849202df53dd20f5ebbce3 100644 (file)
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -24,6 +24,7 @@
 #include <linux/console.h>
 #include <linux/cpu.h>
 #include <linux/freezer.h>
+#include <linux/security.h>
 
 #include <asm/uaccess.h>
 
@@ -52,6 +53,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
        if (!hibernation_available())
                return -EPERM;
 
+       if (get_securelevel() > 0)
+               return -EPERM;
+
        lock_system_sleep();
 
        if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {