On Fri, Mar 13, 2015 at 2:38 PM, Matthew Garrett <matthew.garr...@nebula.com> wrote: > uswsusp allows a user process to dump and then restore kernel state, which > makes it possible to modify the running kernel. Disable this if > trusted_kernel is true. > > Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com> > --- > kernel/power/user.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/kernel/power/user.c b/kernel/power/user.c > index 526e891..43b7b59 100644 > --- a/kernel/power/user.c > +++ b/kernel/power/user.c > @@ -24,6 +24,7 @@ > #include <linux/console.h> > #include <linux/cpu.h> > #include <linux/freezer.h> > +#include <linux/security.h> > > #include <asm/uaccess.h> > > @@ -49,7 +50,7 @@ static int snapshot_open(struct inode *inode, struct file > *filp) > struct snapshot_data *data; > int error; > > - if (!hibernation_available()) > + if (get_trusted_kernel() || !hibernation_available()) > return -EPERM; > > lock_system_sleep(); > -- > 2.1.0 >
Perhaps this should be folded into the hibernation_available check instead of added as an "||" check here? -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
