1 files changed, 28 insertions, 0 deletions
diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index 0315824bbf01..f3ac4154cbb6 100644
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -597,6 +597,32 @@ static int cifs_security_flags_proc_open(struct inode *inode, struct file *file)
        return single_open(file, cifs_security_flags_proc_show, NULL);
 }
+/*
+ * Ensure that if someone sets a MUST flag, that we disable all other MAY
+ * flags except for the ones corresponding to the given MUST flag. If there are
+ * multiple MUST flags, then try to prefer more secure ones.
+ */
+static void
+cifs_security_flags_handle_must_flags(unsigned int *flags)
+{
+        unsigned int signflags = *flags & CIFSSEC_MUST_SIGN;
+        if ((*flags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5)
+                *flags = CIFSSEC_MUST_KRB5;
+        else if ((*flags & CIFSSEC_MUST_NTLMSSP) == CIFSSEC_MUST_NTLMSSP)
+                *flags = CIFSSEC_MUST_NTLMSSP;
+        else if ((*flags & CIFSSEC_MUST_NTLMV2) == CIFSSEC_MUST_NTLMV2)
+                *flags = CIFSSEC_MUST_NTLMV2;
+        else if ((*flags & CIFSSEC_MUST_NTLM) == CIFSSEC_MUST_NTLM)
+                *flags = CIFSSEC_MUST_NTLM;
+        else if ((*flags & CIFSSEC_MUST_LANMAN) == CIFSSEC_MUST_LANMAN)
+                *flags = CIFSSEC_MUST_LANMAN;
+        else if ((*flags & CIFSSEC_MUST_PLNTXT) == CIFSSEC_MUST_PLNTXT)
+                *flags = CIFSSEC_MUST_PLNTXT;
+        *flags |= signflags;
+}
 static ssize_t cifs_security_flags_proc_write(struct file *file,
                const char __user *buffer, size_t count, loff_t *ppos)
 {
@@ -650,6 +676,8 @@ static ssize_t cifs_security_flags_proc_write(struct file *file,
                return -EINVAL;
        }
+        cifs_security_flags_handle_must_flags(&flags);
        /* flags look ok - update the global security flags for cifs module */
        global_secflags = flags;
        if (global_secflags & CIFSSEC_MUST_SIGN) {

diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index 0315824bbf01..f3ac4154cbb6 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c
@@ -597,6 +597,32 @@ static int cifs_security_flags_proc_open(struct inode inode, struct file file)
597	return single_open(file, cifs_security_flags_proc_show, NULL);	597	return single_open(file, cifs_security_flags_proc_show, NULL);
598	}	598	}
599		599
		600	/*
		601	* Ensure that if someone sets a MUST flag, that we disable all other MAY
		602	* flags except for the ones corresponding to the given MUST flag. If there are
		603	* multiple MUST flags, then try to prefer more secure ones.
		604	*/
		605	static void
		606	cifs_security_flags_handle_must_flags(unsigned int *flags)
		607	{
		608	unsigned int signflags = *flags & CIFSSEC_MUST_SIGN;
		609
		610	if ((*flags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5)
		611	*flags = CIFSSEC_MUST_KRB5;
		612	else if ((*flags & CIFSSEC_MUST_NTLMSSP) == CIFSSEC_MUST_NTLMSSP)
		613	*flags = CIFSSEC_MUST_NTLMSSP;
		614	else if ((*flags & CIFSSEC_MUST_NTLMV2) == CIFSSEC_MUST_NTLMV2)
		615	*flags = CIFSSEC_MUST_NTLMV2;
		616	else if ((*flags & CIFSSEC_MUST_NTLM) == CIFSSEC_MUST_NTLM)
		617	*flags = CIFSSEC_MUST_NTLM;
		618	else if ((*flags & CIFSSEC_MUST_LANMAN) == CIFSSEC_MUST_LANMAN)
		619	*flags = CIFSSEC_MUST_LANMAN;
		620	else if ((*flags & CIFSSEC_MUST_PLNTXT) == CIFSSEC_MUST_PLNTXT)
		621	*flags = CIFSSEC_MUST_PLNTXT;
		622
		623	*flags \|= signflags;
		624	}
		625
600	static ssize_t cifs_security_flags_proc_write(struct file *file,	626	static ssize_t cifs_security_flags_proc_write(struct file *file,
601	const char __user buffer, size_t count, loff_t ppos)	627	const char __user buffer, size_t count, loff_t ppos)
602	{	628	{
@@ -650,6 +676,8 @@ static ssize_t cifs_security_flags_proc_write(struct file *file,
650	return -EINVAL;	676	return -EINVAL;
651	}	677	}
652		678
		679	cifs_security_flags_handle_must_flags(&flags);
		680
653	/* flags look ok - update the global security flags for cifs module */	681	/* flags look ok - update the global security flags for cifs module */
654	global_secflags = flags;	682	global_secflags = flags;
655	if (global_secflags & CIFSSEC_MUST_SIGN) {	683	if (global_secflags & CIFSSEC_MUST_SIGN) {