[linux-cifs-client] cifs: show per mount security mode in /proc/mounts

Message ID 49B64C89.10407@suse.de
State New, archived

Commit Message

Suresh Jayaraman March 10, 2009, 11:18 a.m. UTC
Currently, /proc/mounts does not display the security mode of cifs
mounts. With the availability of multiple security modes, including
kerberos security, it might be vital to display the security mode as well.

Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>
---

 fs/cifs/cifs_fs_sb.h |    1 +
 fs/cifs/cifsfs.c     |   32 ++++++++++++++++++++++++++++++++
 fs/cifs/connect.c    |    5 +++++
 3 files changed, 38 insertions(+), 0 deletions(-)

 		cERROR(1, ("mount option dynperm ignored if cifsacl "

Comments

Steve French March 10, 2009, 12:57 p.m. UTC | #1
On Tue, Mar 10, 2009 at 6:18 AM, Suresh Jayaraman <sjayaraman@suse.de> wrote:
> Currently, /proc/mounts does not display security mode of the cifs
> mounts. With the availability multiple security modes including
> kerberos security, it might be vital to display security mode as well.

The actual security used is not per superblock but per session, and it
would be misleading to leave out the global settings for extended
security flags.   The actual security flags that are used during negotiation
are the default flags (set in proc) and flags which are overridden on mount.
See below:

	/* if any of auth flags (ie not sign or seal) are overriden use them */
	if (ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
		secFlags = ses->overrideSecFlg;  /* BB FIXME fix sign flags? */
	else /* if override flags set only sign/seal OR them with global auth */
		secFlags = extended_security | ses->overrideSecFlg;

But these security flags don't tell us which mechanism finally ended up
negotiated with the server - for this you need secType and secMode out
of the session structure to be displayed instead of a per-mount new variable.
We do display secMode in /proc (which indicates whether signing is required)
but might be useful to display this more clearly, and it would be useful to
display secType (which indicates what authentication mechanism was negotiated)

Patch

diff --git a/fs/cifs/cifs_fs_sb.h b/fs/cifs/cifs_fs_sb.h
index c4c306f..08b525a 100644
--- a/fs/cifs/cifs_fs_sb.h
+++ b/fs/cifs/cifs_fs_sb.h
@@ -39,6 +39,7 @@  struct cifs_sb_info {
 	struct nls_table *local_nls;
 	unsigned int rsize;
 	unsigned int wsize;
+	unsigned int sec_flag;
 	uid_t	mnt_uid;
 	gid_t	mnt_gid;
 	mode_t	mnt_file_mode;
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 13ea532..9c48c46 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -331,6 +331,33 @@  cifs_destroy_inode(struct inode *inode)
 }
 
 /*
+ * Map the security flags to the corresponding mode 
+ */
+static const char *secflags_to_mode(unsigned int secflag)
+{
+	static const struct {
+		unsigned int flag;
+		const char *mode;
+	} sec_modes[] = {
+		{ CIFSSEC_MAY_KRB5 | CIFSSEC_MUST_SIGN, "krb5i"},
+	        { CIFSSEC_MAY_KRB5, "krb5"},
+		{ CIFSSEC_MAY_NTLMV2 | CIFSSEC_MUST_SIGN, "ntlmv2i"},
+		{ CIFSSEC_MAY_NTLMV2, "ntlmv2"},
+		{ CIFSSEC_MAY_NTLM | CIFSSEC_MUST_SIGN, "ntlm"},
+		{ CIFSSEC_MAY_NTLM, "ntlm"},
+		{ CIFSSEC_MAY_LANMAN, "lanman"}
+	};
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(sec_modes); i++) {
+		if (sec_modes[i].flag == secflag)
+			break;
+	}
+
+	return sec_modes[i].mode;
+}
+
+/*
  * cifs_show_options() is for displaying mount options in /proc/mounts.
  * Not all settable options are displayed but most of the important
  * ones are.
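Review bot: The lookup loop in secflags_to_mode() exits with `i == ARRAY_SIZE(sec_modes)` when no table entry equals `secflag`, so `return sec_modes[i].mode;` reads one element past the end of the static array and hands an arbitrary pointer to the `%s` in cifs_show_options(). Because the match is by exact equality, any value not listed in the table (for example CIFSSEC_MUST_SIGN alone, or an auth flag combined with CIFSSEC_MUST_SEAL, if such values can reach sec_flag) would take that path whenever /proc/mounts is read. Return from inside the loop with `if (sec_modes[i].flag == secflag) return sec_modes[i].mode;` and end the function with `return "unknown";`. Separately, the `CIFSSEC_MAY_NTLM | CIFSSEC_MUST_SIGN` row maps to "ntlm" while the krb5 and ntlmv2 signing rows use an `i` suffix, so it looks like it was meant to be "ntlmi".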
@@ -411,6 +438,11 @@  cifs_show_options(struct seq_file *s, struct vfsmount *m)
 			seq_printf(s, ",cifsacl");
 		if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_DYNPERM)
 			seq_printf(s, ",dynperm");
+		if (cifs_sb->sec_flag)
+			seq_printf(s, ",sec=%s",
+					secflags_to_mode(cifs_sb->sec_flag));
+		else
+			seq_printf(s, ",sec=none");
 		if (m->mnt_sb->s_flags & MS_POSIXACL)
 			seq_printf(s, ",acl");
 
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index da0f4ff..23e628e 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2174,6 +2174,11 @@  static void setup_cifs_sb(struct smb_vol *pvolume_info,
 		cFYI(1, ("mounting share using direct i/o"));
 		cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_DIRECT_IO;
 	}
+	/* sec flags */
+	if (pvolume_info->nullauth)
+		cifs_sb->sec_flag = 0;
+	else
+		cifs_sb->sec_flag = pvolume_info->secFlg;

 
 	if ((pvolume_info->cifs_acl) && (pvolume_info->dynperm))
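Review bot: Storing 0 in `cifs_sb->sec_flag` for nullauth makes that case indistinguishable from a mount whose `secFlg` was never set, and the cifs_show_options() hunk prints `,sec=none` for every zero value. If `secFlg` is zero when no sec= option is given (not visible in this hunk), /proc/mounts would report null authentication for mounts that did authenticate, which misleads anyone auditing mount security from that file. Record nullauth separately (a bool in cifs_sb_info or a dedicated mnt_cifs_flags bit), emit `,sec=none` only when it is set, and print no sec= option when sec_flag is 0 without it. setup_cifs_sb() starts and ends outside the hunk.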