uswsusp: Disable when the kernel is locked down

uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel.  Disable this if the kernel
is locked down.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
cc: linux-pm@vger.kernel.org

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name 0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch

diff --git a/kernel/power/user.c b/kernel/power/user.c
index 2d8b60a3c86b9f768cbe74e82f843c776a00619c..0305d513c274c0f5818e7935ebdd36207cb9f49e 100644 (file)
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
        if (!hibernation_available())
                return -EPERM;
 
+       if (kernel_is_locked_down("/dev/snapshot"))
+               return -EPERM;
+
        lock_system_sleep();
 
        if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {