2013/5/23 Jeff Layton <jlayton@xxxxxxxxxx>:
> CIFS has mount options for sealing (aka encryption), but they aren't
> actually hooked up to the code and errors are not generated when someone
> requests it. Ensure that no one is tricked by this by removing the stub
> option handling, thereby causing a mount-time error to be generated when
> someone tries to set this option.
>
> Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
> ---
> fs/cifs/cifsfs.c | 2 --
> fs/cifs/cifsglob.h | 2 --
> fs/cifs/connect.c | 18 +++---------------
> 3 files changed, 3 insertions(+), 19 deletions(-)
>
> diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
> index 3752b9f..bb27269 100644
> --- a/fs/cifs/cifsfs.c
> +++ b/fs/cifs/cifsfs.c
> @@ -416,8 +416,6 @@ cifs_show_options(struct seq_file *s, struct dentry *root)
> seq_printf(s, ",file_mode=0%ho,dir_mode=0%ho",
> cifs_sb->mnt_file_mode,
> cifs_sb->mnt_dir_mode);
> - if (tcon->seal)
> - seq_printf(s, ",seal");
> if (tcon->nocase)
> seq_printf(s, ",nocase");
> if (tcon->retry)
> diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
> index be993ec..874b29b 100644
> --- a/fs/cifs/cifsglob.h
> +++ b/fs/cifs/cifsglob.h
> @@ -425,7 +425,6 @@ struct smb_vol {
> bool nocase:1; /* request case insensitive filenames */
> bool nobrl:1; /* disable sending byte range locks to srv */
> bool mand_lock:1; /* send mandatory not posix byte range lock reqs */
> - bool seal:1; /* request transport encryption on share */
> bool nodfs:1; /* Do not request DFS, even if available */
> bool local_lease:1; /* check leases only on local system, not remote */
> bool noblocksnd:1;
> @@ -792,7 +791,6 @@ struct cifs_tcon {
> bool ipc:1; /* set if connection to IPC$ eg for RPC/PIPES */
> bool retry:1;
> bool nocase:1;
> - bool seal:1; /* transport encryption for this mounted share */
> bool unix_ext:1; /* if false disable Linux extensions to CIFS protocol
> for this mount even if server would support */
> bool local_lease:1; /* check leases (only) on local system not remote */
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index 118cc9c..b367a5a 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -83,7 +83,7 @@ enum {
> Opt_serverino, Opt_noserverino,
> Opt_rwpidforward, Opt_cifsacl, Opt_nocifsacl,
> Opt_acl, Opt_noacl, Opt_locallease,
> - Opt_sign, Opt_seal, Opt_noac,
> + Opt_sign, Opt_noac,
> Opt_fsc, Opt_mfsymlinks,
> Opt_multiuser, Opt_sloppy, Opt_nosharesock,
>
> @@ -159,7 +159,6 @@ static const match_table_t cifs_mount_option_tokens = {
> { Opt_noacl, "noacl" },
> { Opt_locallease, "locallease" },
> { Opt_sign, "sign" },
> - { Opt_seal, "seal" },
> { Opt_noac, "noac" },
> { Opt_fsc, "fsc" },
> { Opt_mfsymlinks, "mfsymlinks" },
> @@ -1034,8 +1033,8 @@ static int cifs_parse_security_flavors(char *value,
> break;
> case Opt_sec_krb5p:
> /* vol->secFlg |= CIFSSEC_MUST_SEAL | CIFSSEC_MAY_KRB5; */
> - cifs_dbg(VFS, "Krb5 cifs privacy not supported\n");
> - break;
> + cifs_dbg(VFS, "sec=krb5p is not supported!\n");
> + return 1;
> case Opt_sec_ntlmssp:
> vol->secFlg |= CIFSSEC_MAY_NTLMSSP;
> break;
> @@ -1427,14 +1426,6 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
> case Opt_sign:
> vol->secFlg |= CIFSSEC_MUST_SIGN;
> break;
> - case Opt_seal:
> - /* we do not do the following in secFlags because seal
> - * is a per tree connection (mount) not a per socket
> - * or per-smb connection option in the protocol
> - * vol->secFlg |= CIFSSEC_MUST_SEAL;
> - */
> - vol->seal = 1;
> - break;
> case Opt_noac:
> printk(KERN_WARNING "CIFS: Mount option noac not "
> "supported. Instead set "
> @@ -2589,8 +2580,6 @@ cifs_get_tcon(struct cifs_ses *ses, struct smb_vol *volume_info)
> cifs_dbg(FYI, "Found match on UNC path\n");
> /* existing tcon already has a reference */
> cifs_put_smb_ses(ses);
> - if (tcon->seal != volume_info->seal)
> - cifs_dbg(VFS, "transport encryption setting conflicts with existing tid\n");
> return tcon;
> }
>
> @@ -2630,7 +2619,6 @@ cifs_get_tcon(struct cifs_ses *ses, struct smb_vol *volume_info)
> tcon->Flags &= ~SMB_SHARE_IS_IN_DFS;
> cifs_dbg(FYI, "DFS disabled (%d)\n", tcon->Flags);
> }
> - tcon->seal = volume_info->seal;
> /*
> * We can have only one retry value for a connection to a share so for
> * resources mounted more than once to the same server share the last
> --
> 1.8.1.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
Acked-by: Pavel Shilovsky <piastry@xxxxxxxxxxx>
--
Best regards,
Pavel Shilovsky.
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
