[linux-cifs-client] Re: [PATCH] cifs: show per mount security mode in /proc/mounts (try #2)

Commit Message

Suresh Jayaraman March 11, 2009, 12:18 p.m. UTC

Steve French wrote:
> On Tue, Mar 10, 2009 at 6:18 AM, Suresh Jayaraman <sjayaraman@suse.de> wrote:
>> Currently, /proc/mounts does not display security mode of the cifs
>> mounts. With the availability multiple security modes including
>> kerberos security, it might be vital to display security mode as well.
> 
> The actual security used is not per superblock but per session, and it
> would be misleading to leave out the global settings for extended
> security flags.   The actual security flags that are used during negotiation
> are the default flags (set in proc) and flags which are overridden on mount

Ah, ok. Thanks for explaining this.

> negotiated with the server - for this you need secType and secMode out
> of the session structure to be displayed instead of a per-mount new variable.

I see struct cifsSesInfo already has a pointer to struct TCP_Server_Info
that has secMode and secType for that session. My try #2 at this patch
below tries to use them.

> We do display secMode in /proc (which indicates whether signing is required)

We display secMode as part of /proc/fs/cifs/SecurityFlags, however when
they are overriden during mount, SecurityFlags is not being updated to
reflect overriden flags. For e.g. default setting is 0x7 and after mount
using 'sec=ntlmv2i' succeeds I still see 0x7.

> but might be useful to display this more clearly, and it would be useful to
> display secType (which indicates what authentication mechanism was negotiated)
> 
Here's a second try.. I have done minimal testing and found it to be
working fine. Let me know whether this make sense?

---
Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>


 fs/cifs/cifsfs.c |   47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 47 insertions(+), 0 deletions(-)

Comments

Steve French March 11, 2009, 3:24 p.m. UTC | #1

On Wed, Mar 11, 2009 at 7:18 AM, Suresh Jayaraman <sjayaraman@suse.de> wrote:

> +       for (i = 0; i < ARRAY_SIZE(sec_flags); i++) {
> +               if (sec_flags[i].sec == flag)
> +                       break;
> +       }
> +
> +       return sec_flags[i].flavor;

This seems better, but won't it oops if there is no match on sec_flags
(since i is one greater than array size).

Patch

diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 13ea532..a96e075 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -331,6 +331,50 @@  cifs_destroy_inode(struct inode *inode)
 }
 
 /*
+ * Map auth info
+ */
+static const char *map_auth_info(enum securityEnum type, char mode)
+{
+	unsigned int flag = 0;
+	static const struct {
+		unsigned int sec;
+		const char *flavor;
+	} sec_flags[] = {
+		{ CIFSSEC_MAY_KRB5 | CIFSSEC_MUST_SIGN, "krb5i"},
+	        { CIFSSEC_MAY_KRB5, "krb5"},
+		{ CIFSSEC_MAY_NTLMV2 | CIFSSEC_MUST_SIGN, "ntlmv2i"},
+		{ CIFSSEC_MAY_NTLMV2, "ntlmv2"},
+		{ CIFSSEC_MAY_NTLM | CIFSSEC_MUST_SIGN, "ntlmi"},
+		{ CIFSSEC_MAY_NTLM, "ntlm"},
+		{ CIFSSEC_MAY_LANMAN, "lanman"}
+	};
+	int i;
+
+	cFYI(1, ("secType=%d secMode=0x%x\n", type, mode));
+	if (type == NTLMv2)
+		flag |= CIFSSEC_MAY_NTLMV2;
+	else if (type == NTLM)
+		flag |= CIFSSEC_MAY_NTLM;
+	else if (type == Kerberos || type == MSKerberos)
+		flag |= CIFSSEC_MAY_KRB5;
+	else if (type == LANMAN)
+		flag |= CIFSSEC_MAY_LANMAN;
+
+	if (mode & SECMODE_SIGN_REQUIRED)
+		flag |= CIFSSEC_MUST_SIGN;
+	else if (mode & SECMODE_SIGN_ENABLED)
+		flag |= CIFSSEC_MAY_SIGN;
+
+
+	for (i = 0; i < ARRAY_SIZE(sec_flags); i++) {
+		if (sec_flags[i].sec == flag)
+			break;
+	}
+
+	return sec_flags[i].flavor;
+}
+
+/*
  * cifs_show_options() is for displaying mount options in /proc/mounts.
  * Not all settable options are displayed but most of the important
  * ones are.
@@ -369,6 +413,9 @@  cifs_show_options(struct seq_file *s, struct vfsmount *m)
 							   &server->addr.sockAddr.sin_addr.s_addr);
 						break;
 					}
+					seq_printf(s, ",sec=%s",
+						   map_auth_info(server->secType,
+						   server->secMode));
 				}
 			}
 			if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_OVERR_UID) ||