|
@@ -597,6 +597,32 @@ static int cifs_security_flags_proc_open(struct inode *inode, struct file *file)
|
|
|
return single_open(file, cifs_security_flags_proc_show, NULL);
|
|
|
}
|
|
|
|
|
|
+/*
|
|
|
+ * Ensure that if someone sets a MUST flag, that we disable all other MAY
|
|
|
+ * flags except for the ones corresponding to the given MUST flag. If there are
|
|
|
+ * multiple MUST flags, then try to prefer more secure ones.
|
|
|
+ */
|
|
|
+static void
|
|
|
+cifs_security_flags_handle_must_flags(unsigned int *flags)
|
|
|
+{
|
|
|
+ unsigned int signflags = *flags & CIFSSEC_MUST_SIGN;
|
|
|
+
|
|
|
+ if ((*flags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5)
|
|
|
+ *flags = CIFSSEC_MUST_KRB5;
|
|
|
+ else if ((*flags & CIFSSEC_MUST_NTLMSSP) == CIFSSEC_MUST_NTLMSSP)
|
|
|
+ *flags = CIFSSEC_MUST_NTLMSSP;
|
|
|
+ else if ((*flags & CIFSSEC_MUST_NTLMV2) == CIFSSEC_MUST_NTLMV2)
|
|
|
+ *flags = CIFSSEC_MUST_NTLMV2;
|
|
|
+ else if ((*flags & CIFSSEC_MUST_NTLM) == CIFSSEC_MUST_NTLM)
|
|
|
+ *flags = CIFSSEC_MUST_NTLM;
|
|
|
+ else if ((*flags & CIFSSEC_MUST_LANMAN) == CIFSSEC_MUST_LANMAN)
|
|
|
+ *flags = CIFSSEC_MUST_LANMAN;
|
|
|
+ else if ((*flags & CIFSSEC_MUST_PLNTXT) == CIFSSEC_MUST_PLNTXT)
|
|
|
+ *flags = CIFSSEC_MUST_PLNTXT;
|
|
|
+
|
|
|
+ *flags |= signflags;
|
|
|
+}
|
|
|
+
|
|
|
static ssize_t cifs_security_flags_proc_write(struct file *file,
|
|
|
const char __user *buffer, size_t count, loff_t *ppos)
|
|
|
{
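Review bot: In `cifs_security_flags_handle_must_flags()`, every branch overwrites `*flags` with a single auth constant, and only the bits under `CIFSSEC_MUST_SIGN` are saved and OR-ed back. Any other non-authentication policy bit in the written mask is therefore dropped without notice whenever a MUST auth flag is present. If this tree defines a sealing requirement flag (`CIFSSEC_MUST_SEAL` in mainline), the saved mask should be widened, for example `unsigned int keepflags = *flags & (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL);`. The header comment should also say that signing bits survive the rewrite and that the if/else order is the preference order, for example `/* Order below is the preference order: KRB5, NTLMSSP, NTLMv2, NTLM, LANMAN, plaintext. */`.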
|
|
@@ -650,6 +676,8 @@ static ssize_t cifs_security_flags_proc_write(struct file *file,
|
|
|
return -EINVAL;
|
|
|
}
|
|
|
|
|
|
+ cifs_security_flags_handle_must_flags(&flags);
|
|
|
+
|
|
|
/* flags look ok - update the global security flags for cifs module */
|
|
|
global_secflags = flags;
|
|
|
if (global_secflags & CIFSSEC_MUST_SIGN) {
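Review bot: The call placed before `global_secflags = flags;` rewrites the validated mask silently, so a write that names two MUST mechanisms, or a MUST together with unrelated MAY flags, returns success while the stored policy differs from what was written. Because this value decides which authentication mechanisms later mounts may use, it would help to compare the mask before and after the call and log once when they differ, so the narrowing is visible to whoever set it. The rest of `cifs_security_flags_proc_write()`, including the validation that precedes this call, lies outside the hunk.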
|