1 files changed, 28 insertions, 0 deletions

diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index 0315824bbf01..f3ac4154cbb6 100644
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -597,6 +597,32 @@ static int cifs_security_flags_proc_open(struct inode *inode, struct file *file)
         return single_open(file, cifs_security_flags_proc_show, NULL);
 }
 
+/*
+ * Ensure that if someone sets a MUST flag, that we disable all other MAY
+ * flags except for the ones corresponding to the given MUST flag. If there are
+ * multiple MUST flags, then try to prefer more secure ones.
+ */
+static void
+cifs_security_flags_handle_must_flags(unsigned int *flags)
+{
+        unsigned int signflags = *flags & CIFSSEC_MUST_SIGN;
+
+        if ((*flags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5)
+                *flags = CIFSSEC_MUST_KRB5;
+        else if ((*flags & CIFSSEC_MUST_NTLMSSP) == CIFSSEC_MUST_NTLMSSP)
+                *flags = CIFSSEC_MUST_NTLMSSP;
+        else if ((*flags & CIFSSEC_MUST_NTLMV2) == CIFSSEC_MUST_NTLMV2)
+                *flags = CIFSSEC_MUST_NTLMV2;
+        else if ((*flags & CIFSSEC_MUST_NTLM) == CIFSSEC_MUST_NTLM)
+                *flags = CIFSSEC_MUST_NTLM;
+        else if ((*flags & CIFSSEC_MUST_LANMAN) == CIFSSEC_MUST_LANMAN)
+                *flags = CIFSSEC_MUST_LANMAN;
+        else if ((*flags & CIFSSEC_MUST_PLNTXT) == CIFSSEC_MUST_PLNTXT)
+                *flags = CIFSSEC_MUST_PLNTXT;
+
+        *flags |= signflags;
+}
+
 static ssize_t cifs_security_flags_proc_write(struct file *file,
                 const char __user *buffer, size_t count, loff_t *ppos)
 {
@@ -650,6 +676,8 @@ static ssize_t cifs_security_flags_proc_write(struct file *file,
                 return -EINVAL;
         }
 
+        cifs_security_flags_handle_must_flags(&flags);
+
         /* flags look ok - update the global security flags for cifs module */
         global_secflags = flags;
         if (global_secflags & CIFSSEC_MUST_SIGN) {