kexec: add sysctl to disable kexec_load

- domainname

- domainname

- hostname

- hostname

- hotplug

- hotplug

- kexec_load_disabled

- kptr_restrict

- kptr_restrict

- kstack_depth_to_print       [ X86 only ]

- kstack_depth_to_print       [ X86 only ]

- l2cr                        [ PPC only ]

- l2cr                        [ PPC only ]

==============================================================

==============================================================

kexec_load_disabled:

A toggle indicating if the kexec_load syscall has been disabled. This

value defaults to 0 (false: kexec_load enabled), but can be set to 1

(true: kexec_load disabled). Once true, kexec can no longer be used, and

the toggle cannot be set back to false. This allows a kexec image to be

loaded before disabling the syscall, allowing a system to set up (and

later use) an image without it being altered. Generally used together

with the "modules_disabled" sysctl.

==============================================================

kptr_restrict:

kptr_restrict:

This toggle indicates whether restrictions are placed on

This toggle indicates whether restrictions are placed on

in an otherwise modular kernel.  This toggle defaults to off

in an otherwise modular kernel.  This toggle defaults to off

(0), but can be set true (1).  Once true, modules can be

(0), but can be set true (1).  Once true, modules can be

neither loaded nor unloaded, and the toggle cannot be set back

neither loaded nor unloaded, and the toggle cannot be set back

to false.

to false.  Generally used with the "kexec_load_disabled" toggle.

==============================================================

==============================================================

extern struct kimage *kexec_image;

extern struct kimage *kexec_image;

extern struct kimage *kexec_crash_image;

extern struct kimage *kexec_crash_image;

extern int kexec_load_disabled;

#ifndef kexec_flush_icache_page

#ifndef kexec_flush_icache_page

#define kexec_flush_icache_page(page)

#define kexec_flush_icache_page(page)

 */

 */

struct kimage *kexec_image;

struct kimage *kexec_image;

struct kimage *kexec_crash_image;

struct kimage *kexec_crash_image;

int kexec_load_disabled;

static DEFINE_MUTEX(kexec_mutex);

static DEFINE_MUTEX(kexec_mutex);

	int result;

	int result;

	/* We only trust the superuser with rebooting the system. */

	/* We only trust the superuser with rebooting the system. */

	if (!capable(CAP_SYS_BOOT))

	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)

		return -EPERM;

		return -EPERM;

	/*

	/*

#include <linux/capability.h>

#include <linux/capability.h>

#include <linux/binfmts.h>

#include <linux/binfmts.h>

#include <linux/sched/sysctl.h>

#include <linux/sched/sysctl.h>

#include <linux/kexec.h>

#include <asm/uaccess.h>

#include <asm/uaccess.h>

#include <asm/processor.h>

#include <asm/processor.h>

		.proc_handler	= proc_dointvec,

		.proc_handler	= proc_dointvec,

	},

	},

#endif

#endif

#ifdef CONFIG_KEXEC

	{

		.procname	= "kexec_load_disabled",

		.data		= &kexec_load_disabled,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		/* only handle a transition from default "0" to "1" */

		.proc_handler	= proc_dointvec_minmax,

		.extra1		= &one,

		.extra2		= &one,

	},

#endif

#ifdef CONFIG_MODULES

#ifdef CONFIG_MODULES

	{

	{

		.procname	= "modprobe",

		.procname	= "modprobe",