From patchwork Thu May 24 09:14:03 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve French <smfrench@gmail.com>
X-Patchwork-Id: 10423217
Return-Path: <linux-cifs-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	6D68160327 for <patchwork-cifs-client@patchwork.kernel.org>;
	Thu, 24 May 2018 09:14:28 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5C496292F8
	for <patchwork-cifs-client@patchwork.kernel.org>;
	Thu, 24 May 2018 09:14:28 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 4DB7B2934C; Thu, 24 May 2018 09:14:28 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.8 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI,
	T_DKIM_INVALID, T_TVD_MIME_EPI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8D1AC292F8
	for <patchwork-cifs-client@patchwork.kernel.org>;
	Thu, 24 May 2018 09:14:27 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S965745AbeEXJO0 (ORCPT
	<rfc822;patchwork-cifs-client@patchwork.kernel.org>);
	Thu, 24 May 2018 05:14:26 -0400
Received: from mail-pf0-f194.google.com ([209.85.192.194]:37957 "EHLO
	mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S965738AbeEXJOY (ORCPT
	<rfc822; linux-cifs@vger.kernel.org>); Thu, 24 May 2018 05:14:24 -0400
Received: by mail-pf0-f194.google.com with SMTP id o76-v6so559974pfi.5
	for <linux-cifs@vger.kernel.org>;
	Thu, 24 May 2018 02:14:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
	bh=qPjWa1p/bClw1LhfjzZt4Rls23PHql2nYoAPNg4Pryk=;
	b=p15AkUDIRW7xi9pGd80M5mHa8uUs/DmKGigCH413UgnyqEklLUPkKdkZrZu/51IaA6
	pBengjxv2C1LmHJJ3G1sc1vI7Q531a2jr5cNWfF7ohQ26c7JSYRFBeiE1FE58RudsjG/
	JS8NvwkPopgYm9EJ+f3fmguSfAUtoWumE9SF9YiLDgem2p2YSQzf5DYLUDosoIwsTct1
	1nAepQzLwmBuaAWvCIjv61yZw66kjzc8Iy0gABrCX+eshOQon4kcL2WueAdi58JYWC42
	rSstx3f80W3Ctr4TPdlIFvIMIsmwOQ2++8yXCzfCKsiEcta6LuQOy5QDDeM/PQmkyTvS
	ycFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:in-reply-to:references:from:date
	:message-id:subject:to;
	bh=qPjWa1p/bClw1LhfjzZt4Rls23PHql2nYoAPNg4Pryk=;
	b=HXWqDJhpj5QIVF8sCh+yFRPwUI7hdTUbD8o2wv2j1Muey3lyIKb/m5szcs02nWHm/F
	+x4gTcZcWHf7IP1q2YvqJC0f9jJDvHuEIkflYbar52pleNSjeML5TgVGX7p3JMJWh2dS
	xZ1XZTaHgAiquhRfbMl/6XJFwEWIFZdnSvpSQbaJ4TcChk2EEeue6k8QlH9VY0T/IZwk
	PszhjrHWXk3Nn1CHCCfWh1kpeKdXRDqEzh0PN2KzScO3NLNi0QwDQ1IEC4vmkm+qKde0
	fasrReGSPPMHoI3YWrbMbBQajEWrKiWd0HkN9vWmzW72Hfjc4EJPZJEX3DEH7uAlJM+8
	hUQA==
X-Gm-Message-State: ALKqPwfzFL4da8dLDFxNLb6D+24kywS0R2Zcu/MIlOmV2hCOd/e1uMTK
	qB/4XBtR3zkaATEYPazgAGcftJzhyzirmiyF1jeumA==
X-Google-Smtp-Source: 
 AB8JxZrXhTnKKSSsi9cqU0SMYtVS2KfAAc/0sV+Jx4XYmzJozSnv6SAV/5i/KiDdt73NwIsP8UlMbXEzwHJLmggKikY=
X-Received: by 2002:a65:5607:: with SMTP id
	l7-v6mr5276871pgs.11.1527153263794;
	Thu, 24 May 2018 02:14:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:bd8f:0:0:0:0 with HTTP; Thu, 24 May 2018 02:14:03
	-0700 (PDT)
In-Reply-To: 
 <CAH2r5mvsCNcWQEO7yaXU+QZTPW4eCHKf9mpwERSiZUVbordhbA@mail.gmail.com>
References: 
 <CAH2r5mvsCNcWQEO7yaXU+QZTPW4eCHKf9mpwERSiZUVbordhbA@mail.gmail.com>
From: Steve French <smfrench@gmail.com>
Date: Thu, 24 May 2018 04:14:03 -0500
Message-ID: 
 <CAH2r5mtA9BP5_DO3P17+X=WS-K+qhNYc0+D+HC==yiEKKn3KyQ@mail.gmail.com>
Subject: Re: [PATCH] cifs: allow disabling less secure legacy dialects
To: CIFS <linux-cifs@vger.kernel.org>
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-cifs.vger.kernel.org>
X-Mailing-List: linux-cifs@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Updated with some minor changes to remove old build warnings on
various other of the module parms



On Thu, May 24, 2018 at 3:23 AM, Steve French <smfrench@gmail.com> wrote:
> To improve security it may be helpful to have additional ways to restrict the
> ability to override the default dialects (SMB2.1, SMB3 and SMB3.02) on mount
> with old dialects (CIFS/SMB1 and SMB2) since vers=1.0 (CIFS/SMB1) and vers=2.0
> are weaker and less secure.
>
> Add a module parameter "disable_legacy_dialects"
> (/sys/module/cifs/parameters/disable_legacy_dialects) which can be set to
> 1 (or equivalently Y) to forbid use of vers=1.0 or vers=2.0 on mount.
>
> Signed-off-by: Steve French <smfrench@gmail.com>
> ---
>  fs/cifs/cifsfs.c  | 10 ++++++++++
>  fs/cifs/connect.c |  9 +++++++++
>  2 files changed, 19 insertions(+)
>
> diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
> index c49d4a681017..600220388f0d 100644
> --- a/fs/cifs/cifsfs.c
> +++ b/fs/cifs/cifsfs.c
> @@ -58,6 +58,7 @@ bool traceSMB;
>  bool enable_oplocks = true;
>  bool linuxExtEnabled = true;
>  bool lookupCacheEnabled = true;
> +bool disable_legacy_dialects; /* false by default */
>  unsigned int global_secflags = CIFSSEC_DEF;
>  /* unsigned int ntlmv2_support = 0; */
>  unsigned int sign_CIFS_PDUs = 1;
> @@ -83,6 +84,15 @@ MODULE_PARM_DESC(cifs_max_pending, "Simultaneous
> requests to server for "
>  module_param(enable_oplocks, bool, 0644);
>  MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1");
>
> +module_param(disable_legacy_dialects, bool, 0644);
> +MODULE_PARM_DESC(disable_legacy_dialects, "To improve security it may be "
> +                  "helpful to restrict the ability to "
> +                  "override the default dialects (SMB2.1, "
> +                  "SMB3 and SMB3.02) on mount with old "
> +                  "dialects (CIFS/SMB1 and SMB2) since "
> +                  "vers=1.0 (CIFS/SMB1) and vers=2.0 are weaker"
> +                  " and less secure. Default: n/N/0");
> +
>  extern mempool_t *cifs_sm_req_poolp;
>  extern mempool_t *cifs_req_poolp;
>  extern mempool_t *cifs_mid_poolp;
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index 83b0234d443c..ed3b6de88395 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -61,6 +61,7 @@
>  #define RFC1001_PORT 139
>
>  extern mempool_t *cifs_req_poolp;
> +extern bool disable_legacy_dialects;
>
>  /* FIXME: should these be tunable? */
>  #define TLINK_ERROR_EXPIRE    (1 * HZ)
> @@ -1146,10 +1147,18 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol)
>
>      switch (match_token(value, cifs_smb_version_tokens, args)) {
>      case Smb_1:
> +        if (disable_legacy_dialects) {
> +            cifs_dbg(VFS, "mount with legacy dialect disabled\n");
> +            return 1;
> +        }
>          vol->ops = &smb1_operations;
>          vol->vals = &smb1_values;
>          break;
>      case Smb_20:
> +        if (disable_legacy_dialects) {
> +            cifs_dbg(VFS, "mount with legacy dialect disabled\n");
> +            return 1;
> +        }
>          vol->ops = &smb20_operations;
>          vol->vals = &smb20_values;
>          break;
> --
> 2.17.0
>
>
> --
> Thanks,
>
> Steve

From 328589353bd84e6449c7433c7581b27064a784ce Mon Sep 17 00:00:00 2001
From: Steve French <stfrench@microsoft.com>
Date: Thu, 24 May 2018 04:11:07 -0500
Subject: [PATCH] cifs: allow disabling less secure legacy dialects

To improve security it may be helpful to have additional ways to restrict the
ability to override the default dialects (SMB2.1, SMB3 and SMB3.02) on mount
with old dialects (CIFS/SMB1 and SMB2) since vers=1.0 (CIFS/SMB1) and vers=2.0
are weaker and less secure.

Add a module parameter "disable_legacy_dialects"
(/sys/module/cifs/parameters/disable_legacy_dialects) which can be set to
1 (or equivalently Y) to forbid use of vers=1.0 or vers=2.0 on mount.

Also cleans up a few build warnings about globals for various module parms.

Signed-off-by: Steve French <smfrench@gmail.com>
---
 fs/cifs/cifsfs.c   | 10 ++++++++++
 fs/cifs/cifsglob.h | 19 ++++++++++---------
 fs/cifs/connect.c  |  9 +++++++++
 3 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index fe30aabe00d7..c608ea62f536 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -58,6 +58,7 @@ bool traceSMB;
 bool enable_oplocks = true;
 bool linuxExtEnabled = true;
 bool lookupCacheEnabled = true;
+bool disable_legacy_dialects; /* false by default */
 unsigned int global_secflags = CIFSSEC_DEF;
 /* unsigned int ntlmv2_support = 0; */
 unsigned int sign_CIFS_PDUs = 1;
@@ -83,6 +84,15 @@ MODULE_PARM_DESC(cifs_max_pending, "Simultaneous requests to server for "
 module_param(enable_oplocks, bool, 0644);
 MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1");
 
+module_param(disable_legacy_dialects, bool, 0644);
+MODULE_PARM_DESC(disable_legacy_dialects, "To improve security it may be "
+				  "helpful to restrict the ability to "
+				  "override the default dialects (SMB2.1, "
+				  "SMB3 and SMB3.02) on mount with old "
+				  "dialects (CIFS/SMB1 and SMB2) since "
+				  "vers=1.0 (CIFS/SMB1) and vers=2.0 are weaker"
+				  " and less secure. Default: n/N/0");
+
 extern mempool_t *cifs_sm_req_poolp;
 extern mempool_t *cifs_req_poolp;
 extern mempool_t *cifs_mid_poolp;
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 1143daf3341e..2bdce1f68875 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1702,16 +1702,17 @@ GLOBAL_EXTERN atomic_t smBufAllocCount;
 GLOBAL_EXTERN atomic_t midCount;
 
 /* Misc globals */
-GLOBAL_EXTERN bool enable_oplocks; /* enable or disable oplocks */
-GLOBAL_EXTERN bool lookupCacheEnabled;
-GLOBAL_EXTERN unsigned int global_secflags;	/* if on, session setup sent
+extern bool enable_oplocks; /* enable or disable oplocks */
+extern bool lookupCacheEnabled;
+extern unsigned int global_secflags;	/* if on, session setup sent
 				with more secure ntlmssp2 challenge/resp */
-GLOBAL_EXTERN unsigned int sign_CIFS_PDUs;  /* enable smb packet signing */
-GLOBAL_EXTERN bool linuxExtEnabled;/*enable Linux/Unix CIFS extensions*/
-GLOBAL_EXTERN unsigned int CIFSMaxBufSize;  /* max size not including hdr */
-GLOBAL_EXTERN unsigned int cifs_min_rcv;    /* min size of big ntwrk buf pool */
-GLOBAL_EXTERN unsigned int cifs_min_small;  /* min size of small buf pool */
-GLOBAL_EXTERN unsigned int cifs_max_pending; /* MAX requests at once to server*/
+extern unsigned int sign_CIFS_PDUs;  /* enable smb packet signing */
+extern bool linuxExtEnabled;/*enable Linux/Unix CIFS extensions*/
+extern unsigned int CIFSMaxBufSize;  /* max size not including hdr */
+extern unsigned int cifs_min_rcv;    /* min size of big ntwrk buf pool */
+extern unsigned int cifs_min_small;  /* min size of small buf pool */
+extern unsigned int cifs_max_pending; /* MAX requests at once to server*/
+extern bool disable_legacy_dialects;  /* forbid vers=1.0 and vers=2.0 mounts */
 
 #ifdef CONFIG_CIFS_ACL
 GLOBAL_EXTERN struct rb_root uidtree;
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 83b0234d443c..ed3b6de88395 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -61,6 +61,7 @@
 #define RFC1001_PORT 139
 
 extern mempool_t *cifs_req_poolp;
+extern bool disable_legacy_dialects;
 
 /* FIXME: should these be tunable? */
 #define TLINK_ERROR_EXPIRE	(1 * HZ)
@@ -1146,10 +1147,18 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol)
 
 	switch (match_token(value, cifs_smb_version_tokens, args)) {
 	case Smb_1:
+		if (disable_legacy_dialects) {
+			cifs_dbg(VFS, "mount with legacy dialect disabled\n");
+			return 1;
+		}
 		vol->ops = &smb1_operations;
 		vol->vals = &smb1_values;
 		break;
 	case Smb_20:
+		if (disable_legacy_dialects) {
+			cifs_dbg(VFS, "mount with legacy dialect disabled\n");
+			return 1;
+		}
 		vol->ops = &smb20_operations;
 		vol->vals = &smb20_values;
 		break;
-- 
2.17.0