From patchwork Wed Mar 11 12:18:29 2009
X-Patchwork-Submitter: Suresh Jayaraman
X-Patchwork-Id: 11116
Message-ID: <49B7AC15.3000302@suse.de>
Date: Wed, 11 Mar 2009 17:48:29 +0530
From: Suresh Jayaraman
To: Steve French
Cc: "linux-cifs-client@lists.samba.org", Steve French
Subject: Re: [linux-cifs-client] Re: [PATCH] cifs: show per mount security mode in /proc/mounts (try #2)
List-Id: The Linux CIFS VFS client

Steve French wrote:
> On Tue, Mar 10, 2009 at 6:18 AM, Suresh Jayaraman wrote:
>> Currently, /proc/mounts does not display security mode of the cifs
>> mounts. With the availability of multiple security modes including
>> kerberos security, it might be vital to display security mode as well.
>
> The actual security used is not per superblock but per session, and it
> would be misleading to leave out the global settings for extended
> security flags. The actual security flags that are used during negotiation
> are the default flags (set in proc) and flags which are overridden on mount

Ah, ok. Thanks for explaining this.

> negotiated with the server - for this you need secType and secMode out
> of the session structure to be displayed instead of a per-mount new variable.

I see struct cifsSesInfo already has a pointer to struct TCP_Server_Info
that has secMode and secType for that session. My try #2 at this patch
below tries to use them.
> We do display secMode in /proc (which indicates whether signing is required)

We display secMode as part of /proc/fs/cifs/SecurityFlags, however when
they are overridden during mount, SecurityFlags is not being updated to
reflect overridden flags. For e.g. default setting is 0x7 and after mount
using 'sec=ntlmv2i' succeeds I still see 0x7.

> but might be useful to display this more clearly, and it would be useful to
> display secType (which indicates what authentication mechanism was negotiated)
>

Here's a second try.. I have done minimal testing and found it to be
working fine. Let me know whether this makes sense?
---
Signed-off-by: Suresh Jayaraman

 fs/cifs/cifsfs.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 47 insertions(+), 0 deletions(-)

diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c index 13ea532..a96e075 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c 
@@ -331,6 +331,50 @@ cifs_destroy_inode(struct inode *inode) } /* + * Map auth info + */ +static const char *map_auth_info(enum securityEnum type, char mode) +{ + unsigned int flag = 0; + static const struct { + unsigned int sec; + const char *flavor; + } sec_flags[] = { + { CIFSSEC_MAY_KRB5 | CIFSSEC_MUST_SIGN, "krb5i"}, + { CIFSSEC_MAY_KRB5, "krb5"}, + { CIFSSEC_MAY_NTLMV2 | CIFSSEC_MUST_SIGN, "ntlmv2i"}, + { CIFSSEC_MAY_NTLMV2, "ntlmv2"}, + { CIFSSEC_MAY_NTLM | CIFSSEC_MUST_SIGN, "ntlmi"}, + { CIFSSEC_MAY_NTLM, "ntlm"}, + { CIFSSEC_MAY_LANMAN, "lanman"} + }; + int i; + + cFYI(1, ("secType=%d secMode=0x%x\n", type, mode)); + if (type == NTLMv2) + flag |= CIFSSEC_MAY_NTLMV2; + else if (type == NTLM) + flag |= CIFSSEC_MAY_NTLM; + else if (type == Kerberos || type == MSKerberos) + flag |= CIFSSEC_MAY_KRB5; + else if (type == LANMAN) + flag |= CIFSSEC_MAY_LANMAN; + + if (mode & SECMODE_SIGN_REQUIRED) + flag |= CIFSSEC_MUST_SIGN; + else if (mode & SECMODE_SIGN_ENABLED) + flag |= CIFSSEC_MAY_SIGN; + + + for (i = 0; i < ARRAY_SIZE(sec_flags); i++) { + if (sec_flags[i].sec == flag) + break; + } + + return sec_flags[i].flavor; +} + +/* * cifs_show_options() is for displaying mount options in /proc/mounts. * Not all settable options are displayed but most of the important * ones are. @@ -369,6 +413,9 @@ cifs_show_options(struct seq_file *s, struct vfsmount *m) &server->addr.sockAddr.sin_addr.s_addr); break; } + seq_printf(s, ",sec=%s", + map_auth_info(server->secType, + server->secMode)); } } if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_OVERR_UID) ||
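
Review bot: In map_auth_info() (first hunk), the lookup loop has no not-found path: when no sec_flags[] entry equals flag, i ends at ARRAY_SIZE(sec_flags) and "return sec_flags[i].flavor;" reads one element past the table, handing seq_printf() an arbitrary pointer. The visible code can reach that case: the "else if (mode & SECMODE_SIGN_ENABLED)" branch sets CIFSSEC_MAY_SIGN, which no table entry contains, so a session with signing enabled but not required never matches; LANMAN with SECMODE_SIGN_REQUIRED also has no entry, and a secType outside the values tested leaves flag without any auth bit. Suggest dropping the CIFSSEC_MAY_SIGN branch (or masking that bit out before the comparison) and returning a fixed fallback string when the loop finishes without a match. The "Map auth info" comment could also say that the inputs are the session's negotiated secType and secMode.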
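
Review bot: In cifs_show_options() (second hunk), the added seq_printf(s, ",sec=%s", ...) prints, under the mount option name sec=, a value derived from server->secType and server->secMode, which is what was negotiated for the session rather than what was passed at mount time. The function's header comment describes it as displaying mount options, so a short comment at this call stating that the string reflects the negotiated session state would avoid misreading /proc/mounts. The call also depends on map_auth_info() always returning a valid string, so it should go in only together with a fallback for unmatched secType/secMode combinations in that helper.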