mirror of
https://github.com/torvalds/linux.git
synced 2026-05-25 23:52:08 +02:00
-----BEGIN PGP SIGNATURE----- iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAmnqdE8ACgkQiiy9cAdy T1E4uwwAtRDds+fqFZHgqEW/0Vd8O1RJCvUGomoampb4z9rzHOMrekofAjRT6OJs M6jVx5L/22TT9Vf+Ya+WMrOkxQbjyFy8j6IjdefJi2SxX5Z9QM7ZvEWhQlDhdVUV Hfb7Zd3jsdDk6GvvIfVzlEXMLbWtkD5zhGYCVOfNuh/RlyGy+orkjbUfbGEI56c4 WPXkVUvGqHnniU/AB4/9pDFFMOwy4IAY9Bs8u2b65FWoxDsPFbz8ntJ1+Ehcy+Er Try0JqSQT7uJNHN7O334NeylbsxLyszkqDyYUv3A8un7Txzi4OIZFNJuHE4Av95S XVbmrkCgZ7Bm4wvPBxc35usZk+7WFdIgLM5vA37pG93zQ/n/zdjTdOiGQ6+8qw/L rHgG6A1ti6/f48Lk5vj01fOcCoNIEBcwVYtajSGU45f44cGjyqgnDe0Id8OZe1yY DMhsthL45kK1mmYPaq9h85mdxCeec3aKTrMd79dgwiyVMIFEeVJwd6Yvs8SH6qFb +OSVq87r =WKB0 -----END PGP SIGNATURE----- Merge tag 'v7.1-rc-part2-ksmbd-fixes' of git://git.samba.org/ksmbd Pull more smb server updates from Steve French: - move fs/smb/common/smbdirect to fs/smb/smbdirect - change signature calc to use AES-CMAC library, simpler and faster - invalid signature fix - multichannel fix - open create options fix - fix durable handle leak - cap maximum lock count to avoid potential denial of service - four connection fixes: connection free and session destroy IDA fixes, refcount fix, connection leak fix, max_connections off by one fix - IPC validation fix - fix out of bounds write in getting xattrs - fix use after free in durable handle reconnect - three ACL fixes: fix potential ACL overflow, harden num_aces check, and fix minimum ACE size check * tag 'v7.1-rc-part2-ksmbd-fixes' of git://git.samba.org/ksmbd: smb: smbdirect: move fs/smb/common/smbdirect/ to fs/smb/smbdirect/ smb: server: stop sending fake security descriptors ksmbd: scope conn->binding slowpath to bound sessions only ksmbd: fix CreateOptions sanitization clobbering the whole field ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open ksmbd: fix O(N^2) DoS in smb2_lock via unbounded LockCount ksmbd: destroy async_ida in ksmbd_conn_free() ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() ksmbd: Use AES-CMAC library for SMB3 signature calculation 
ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id() ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment ksmbd: use check_add_overflow() to prevent u16 DACL size overflow ksmbd: fix use-after-free in smb2_open during durable reconnect ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() smb: server: fix max_connections off-by-one in tcp accept path ksmbd: require minimum ACE size in smb_check_perm_dacl() ksmbd: validate response sizes in ipc_validate_msg() smb: server: fix active_num_conn leak on transport allocation failure
# SPDX-License-Identifier: GPL-2.0-only
|
|
config CIFS
|
|
tristate "SMB3 and CIFS support (advanced network filesystem)"
|
|
depends on INET
|
|
select NLS
|
|
select NLS_UCS2_UTILS
|
|
select CRYPTO
|
|
select CRYPTO_AEAD2
|
|
select CRYPTO_CCM
|
|
select CRYPTO_GCM
|
|
select CRYPTO_AES
|
|
select CRYPTO_LIB_AES_CBC_MACS
|
|
select CRYPTO_LIB_ARC4
|
|
select CRYPTO_LIB_MD5
|
|
select CRYPTO_LIB_SHA256
|
|
select CRYPTO_LIB_SHA512
|
|
select KEYS
|
|
select DNS_RESOLVER
|
|
select ASN1
|
|
select OID_REGISTRY
|
|
select NETFS_SUPPORT
|
|
help
|
|
This is the client VFS module for the SMB3 family of network file
|
|
protocols (including the most recent, most secure dialect SMB3.1.1).
|
|
This module also includes support for earlier dialects such as
|
|
SMB2.1, SMB2 and even the old Common Internet File System (CIFS)
|
|
protocol. CIFS was the successor to the original network filesystem
protocol, Server Message Block (SMB, i.e. SMB1), the native file sharing
mechanism for most early PC operating systems.
|
|
|
|
The SMB3.1.1 protocol is supported by most modern operating systems
|
|
and NAS appliances (e.g. Samba, Windows 11, Windows Server 2022,
|
|
MacOS) and even in the cloud (e.g. Microsoft Azure) and also by the
|
|
Linux kernel server, ksmbd. Support for the older CIFS protocol was
|
|
included in Windows NT4, 2000 and XP (and later). Use of dialects
|
|
older than SMB2.1 is often discouraged on public networks.
|
|
This module also provides limited support for OS/2 and Windows ME
|
|
and similar very old servers.
|
|
|
|
This module provides an advanced network file system client for
|
|
mounting to SMB3 (and CIFS) compliant servers. It includes support
|
|
for DFS (hierarchical name space), secure per-user session
|
|
establishment via Kerberos or NTLMv2, RDMA (smbdirect), advanced
|
|
security features, per-share encryption, packet-signing, snapshots,
|
|
directory leases, safe distributed caching (leases), multichannel,
|
|
Unicode and other internationalization improvements.
|
|
|
|
In general, the default dialects, SMB3 and later, enable better
performance, security and features than would be possible with CIFS.
|
|
|
|
If you need to mount to Samba, Azure, ksmbd, Macs or Windows from this
|
|
machine, say Y.
|
|
|
|
config CIFS_STATS2
|
|
bool "Extended statistics"
|
|
depends on CIFS
|
|
default y
|
|
help
|
|
Enabling this option will allow more detailed statistics on SMB
|
|
request timing to be displayed in /proc/fs/cifs/DebugData and also
|
|
allow optional logging of slow responses to dmesg (depending on the
|
|
value of /proc/fs/cifs/cifsFYI). See Documentation/admin-guide/cifs/usage.rst
|
|
for more details. These additional statistics may have a minor effect
|
|
on performance and memory utilization.
|
|
|
|
If unsure, say Y.
|
|
|
|
config CIFS_ALLOW_INSECURE_LEGACY
|
|
bool "Support legacy servers which use less secure dialects"
|
|
depends on CIFS
|
|
default y
|
|
help
|
|
Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
additional security features, including protection against
man-in-the-middle attacks and stronger crypto hashes, so the use
of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.

Disabling this option prevents users from using vers=1.0 or vers=2.0
on mounts with cifs.ko. A system that only mounts servers speaking
SMB2.1 or later does not need this option.

If unsure, say Y.
|
|
|
|
config CIFS_UPCALL
|
|
bool "Kerberos/SPNEGO advanced session setup"
|
|
depends on CIFS
|
|
help
|
|
Enables an upcall mechanism for CIFS which calls userspace helper
utilities to obtain SPNEGO-packaged (RFC 4178) Kerberos tickets.
These tickets are needed to mount certain secure servers, namely
those that require the more secure Kerberos authentication.
If unsure, say Y.
|
|
|
|
config CIFS_XATTR
|
|
bool "CIFS extended attributes"
|
|
depends on CIFS
|
|
help
|
|
Extended attributes are name:value pairs associated with inodes by
|
|
the kernel or by users (see the attr(5) manual page for details).
|
|
CIFS maps the name of extended attributes beginning with the user
|
|
namespace prefix to SMB/CIFS EAs. EAs are stored on Windows
|
|
servers without the user namespace prefix, but their names are
|
|
seen by Linux cifs clients prefaced by the user namespace prefix.
|
|
The system namespace (used by some filesystems to store ACLs) is
|
|
not supported at this time.
|
|
|
|
If unsure, say Y.
|
|
|
|
config CIFS_POSIX
|
|
bool "CIFS POSIX Extensions"
|
|
depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR
|
|
help
|
|
Enabling this option will cause the cifs client to attempt to
negotiate a feature of the older cifs dialect with servers, such as
Samba 3.0.5 or later, that optionally can handle more POSIX-like
(rather than Windows-like) file behavior. It also enables support
for POSIX ACLs (getfacl and setfacl) to servers (such as Samba 3.10
and later) which can negotiate CIFS POSIX ACL support. This config
option is not needed when mounting with SMB3.1.1. If unsure, say N.
|
|
|
|
config CIFS_DEBUG
|
|
bool "Enable CIFS debugging routines"
|
|
default y
|
|
depends on CIFS
|
|
help
|
|
Enabling this option adds helpful debugging messages to
|
|
the cifs code which increases the size of the cifs module.
|
|
If unsure, say Y.
|
|
|
|
config CIFS_DEBUG2
|
|
bool "Enable additional CIFS debugging routines"
|
|
depends on CIFS_DEBUG
|
|
help
|
|
Enabling this option adds a few more debugging routines
|
|
to the cifs code which slightly increases the size of
|
|
the cifs module and can cause additional logging of debug
|
|
messages in some error paths, slowing performance. This
|
|
option can be turned off unless you are debugging
|
|
cifs problems. If unsure, say N.
|
|
|
|
config CIFS_DEBUG_DUMP_KEYS
|
|
bool "Dump encryption keys for offline decryption (Unsafe)"
|
|
depends on CIFS_DEBUG
|
|
help
|
|
Enabling this will dump the encryption and decryption keys
used to communicate on an encrypted share connection on the
console. This allows Wireshark to decrypt and dissect
encrypted network captures. Anyone who can read the console
output can use the dumped keys to decrypt captured traffic for
those connections, so enable this only on systems used for
debugging.
If unsure, say N.
|
|
|
|
config CIFS_DFS_UPCALL
|
|
bool "DFS feature support"
|
|
depends on CIFS
|
|
help
|
|
Distributed File System (DFS) support is used to access shares
|
|
transparently in an enterprise name space, even if the share
|
|
moves to a different server. This feature also enables
|
|
an upcall mechanism for CIFS which contacts userspace helper
|
|
utilities to provide server name resolution (host names to
|
|
IP addresses) which is needed in order to reconnect to
|
|
servers if their addresses change or for implicit mounts of
|
|
DFS junction points. If unsure, say Y.
|
|
|
|
config CIFS_SWN_UPCALL
|
|
bool "SWN feature support"
|
|
depends on CIFS
|
|
help
|
|
The Service Witness Protocol (SWN) is used to get notifications
|
|
from a highly available server of resource state changes. This
|
|
feature enables an upcall mechanism for CIFS which contacts a
|
|
userspace daemon to establish the DCE/RPC connection to retrieve
|
|
the cluster available interfaces and resource change notifications.
|
|
If unsure, say Y.
|
|
|
|
config CIFS_NFSD_EXPORT
|
|
bool "Allow nfsd to export CIFS file system"
|
|
depends on CIFS && BROKEN
|
|
help
|
|
Allows NFS server to export a CIFS mounted share (nfsd over cifs)
|
|
|
|
if CIFS
|
|
|
|
config CIFS_SMB_DIRECT
|
|
bool "SMB Direct support"
|
|
depends on CIFS && INFINIBAND && INFINIBAND_ADDR_TRANS
|
|
depends on CIFS=m || INFINIBAND=y
|
|
select SMBDIRECT
|
|
help
|
|
Enables SMB Direct support for SMB 3.0, 3.02 and 3.1.1.
|
|
SMB Direct allows transferring SMB packets over RDMA. If unsure,
|
|
say Y.
|
|
|
|
config CIFS_FSCACHE
|
|
bool "Provide CIFS client caching support"
|
|
depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y
|
|
help
|
|
Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data
|
|
to be cached locally on disk through the general filesystem cache
|
|
manager. If unsure, say N.
|
|
|
|
config CIFS_ROOT
|
|
bool "SMB root file system (Experimental)"
|
|
depends on CIFS=y && IP_PNP
|
|
help
|
|
Enables root file system support over SMB protocol.
|
|
|
|
Most people say N here.
|
|
|
|
config CIFS_COMPRESSION
|
|
bool "SMB message compression (Experimental)"
|
|
depends on CIFS
|
|
default n
|
|
help
|
|
Enables over-the-wire message compression for SMB 3.1.1
|
|
mounts when negotiated with the server.
|
|
|
|
Only write requests with data size >= PAGE_SIZE will be
|
|
compressed to avoid wasting resources.
|
|
|
|
Say Y here if you want SMB traffic to be compressed.
|
|
If unsure, say N.
|
|
|
|
config SMB1_KUNIT_TESTS
|
|
tristate "KUnit tests for SMB1"
|
|
depends on SMB_KUNIT_TESTS && CIFS_ALLOW_INSECURE_LEGACY
|
|
default SMB_KUNIT_TESTS
|
|
help
|
|
This builds the SMB1-specific KUnit tests.
|
|
|
|
These tests are only enabled when legacy insecure SMB1 support
|
|
(CIFS_ALLOW_INSECURE_LEGACY) is enabled.
|
|
|
|
If unsure, say N.
|
|
endif
|