mirror of https://github.com/Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
237 lines
6.4 KiB
237 lines
6.4 KiB
/* SPDX-License-Identifier: LGPL-2.1+ */ |
|
/* |
|
* Copyright (c) International Business Machines Corp., 2007 |
|
* Author(s): Steve French ([email protected]) |
|
* Modified by Namjae Jeon ([email protected]) |
|
*/ |
|
|
|
#ifndef _SMBACL_H |
|
#define _SMBACL_H |
|
|
|
#include <linux/fs.h> |
|
#include <linux/namei.h> |
|
#include <linux/posix_acl.h> |
|
|
|
#include "mgmt/tree_connect.h" |
|
|
|
#define NUM_AUTHS (6) /* number of authority fields */ |
|
#define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */ |
|
|
|
/* |
|
* ACE types - see MS-DTYP 2.4.4.1 |
|
*/ |
|
enum { |
|
ACCESS_ALLOWED, |
|
ACCESS_DENIED, |
|
}; |
|
|
|
/* |
|
* Security ID types |
|
*/ |
|
enum { |
|
SIDOWNER = 1, |
|
SIDGROUP, |
|
SIDCREATOR_OWNER, |
|
SIDCREATOR_GROUP, |
|
SIDUNIX_USER, |
|
SIDUNIX_GROUP, |
|
SIDNFS_USER, |
|
SIDNFS_GROUP, |
|
SIDNFS_MODE, |
|
}; |
|
|
|
/* Revision for ACLs */ |
|
#define SD_REVISION 1 |
|
|
|
/* Control flags for Security Descriptor */ |
|
#define OWNER_DEFAULTED 0x0001 |
|
#define GROUP_DEFAULTED 0x0002 |
|
#define DACL_PRESENT 0x0004 |
|
#define DACL_DEFAULTED 0x0008 |
|
#define SACL_PRESENT 0x0010 |
|
#define SACL_DEFAULTED 0x0020 |
|
#define DACL_TRUSTED 0x0040 |
|
#define SERVER_SECURITY 0x0080 |
|
#define DACL_AUTO_INHERIT_REQ 0x0100 |
|
#define SACL_AUTO_INHERIT_REQ 0x0200 |
|
#define DACL_AUTO_INHERITED 0x0400 |
|
#define SACL_AUTO_INHERITED 0x0800 |
|
#define DACL_PROTECTED 0x1000 |
|
#define SACL_PROTECTED 0x2000 |
|
#define RM_CONTROL_VALID 0x4000 |
|
#define SELF_RELATIVE 0x8000 |
|
|
|
/* ACE types - see MS-DTYP 2.4.4.1 */ |
|
#define ACCESS_ALLOWED_ACE_TYPE 0x00 |
|
#define ACCESS_DENIED_ACE_TYPE 0x01 |
|
#define SYSTEM_AUDIT_ACE_TYPE 0x02 |
|
#define SYSTEM_ALARM_ACE_TYPE 0x03 |
|
#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04 |
|
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE 0x05 |
|
#define ACCESS_DENIED_OBJECT_ACE_TYPE 0x06 |
|
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE 0x07 |
|
#define SYSTEM_ALARM_OBJECT_ACE_TYPE 0x08 |
|
#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09 |
|
#define ACCESS_DENIED_CALLBACK_ACE_TYPE 0x0A |
|
#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B |
|
#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE 0x0C |
|
#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE 0x0D |
|
#define SYSTEM_ALARM_CALLBACK_ACE_TYPE 0x0E /* Reserved */ |
|
#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F |
|
#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */ |
|
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE 0x11 |
|
#define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12 |
|
#define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13 |
|
|
|
/* ACE flags */ |
|
#define OBJECT_INHERIT_ACE 0x01 |
|
#define CONTAINER_INHERIT_ACE 0x02 |
|
#define NO_PROPAGATE_INHERIT_ACE 0x04 |
|
#define INHERIT_ONLY_ACE 0x08 |
|
#define INHERITED_ACE 0x10 |
|
#define SUCCESSFUL_ACCESS_ACE_FLAG 0x40 |
|
#define FAILED_ACCESS_ACE_FLAG 0x80 |
|
|
|
/* |
|
* Maximum size of a string representation of a SID: |
|
* |
|
* The fields are unsigned values in decimal. So: |
|
* |
|
* u8: max 3 bytes in decimal |
|
* u32: max 10 bytes in decimal |
|
* |
|
* "S-" + 3 bytes for version field + 15 for authority field + NULL terminator |
|
* |
|
* For authority field, max is when all 6 values are non-zero and it must be |
|
* represented in hex. So "-0x" + 12 hex digits. |
|
* |
|
* Add 11 bytes for each subauthority field (10 bytes each + 1 for '-') |
|
*/ |
|
#define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1) |
|
#define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */ |
|
|
|
#define DOMAIN_USER_RID_LE cpu_to_le32(513) |
|
|
|
struct ksmbd_conn; |
|
|
|
struct smb_ntsd { |
|
__le16 revision; /* revision level */ |
|
__le16 type; |
|
__le32 osidoffset; |
|
__le32 gsidoffset; |
|
__le32 sacloffset; |
|
__le32 dacloffset; |
|
} __packed; |
|
|
|
struct smb_sid { |
|
__u8 revision; /* revision level */ |
|
__u8 num_subauth; |
|
__u8 authority[NUM_AUTHS]; |
|
__le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */ |
|
} __packed; |
|
|
|
/* size of a struct cifs_sid, sans sub_auth array */ |
|
#define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS) |
|
|
|
struct smb_acl { |
|
__le16 revision; /* revision level */ |
|
__le16 size; |
|
__le32 num_aces; |
|
} __packed; |
|
|
|
struct smb_ace { |
|
__u8 type; |
|
__u8 flags; |
|
__le16 size; |
|
__le32 access_req; |
|
struct smb_sid sid; /* ie UUID of user or group who gets these perms */ |
|
} __packed; |
|
|
|
struct smb_fattr { |
|
kuid_t cf_uid; |
|
kgid_t cf_gid; |
|
umode_t cf_mode; |
|
__le32 daccess; |
|
struct posix_acl *cf_acls; |
|
struct posix_acl *cf_dacls; |
|
}; |
|
|
|
struct posix_ace_state { |
|
u32 allow; |
|
u32 deny; |
|
}; |
|
|
|
struct posix_user_ace_state { |
|
union { |
|
kuid_t uid; |
|
kgid_t gid; |
|
}; |
|
struct posix_ace_state perms; |
|
}; |
|
|
|
struct posix_ace_state_array { |
|
int n; |
|
struct posix_user_ace_state aces[]; |
|
}; |
|
|
|
/* |
|
* while processing the nfsv4 ace, this maintains the partial permissions |
|
* calculated so far: |
|
*/ |
|
|
|
struct posix_acl_state { |
|
struct posix_ace_state owner; |
|
struct posix_ace_state group; |
|
struct posix_ace_state other; |
|
struct posix_ace_state everyone; |
|
struct posix_ace_state mask; /* deny unused in this case */ |
|
struct posix_ace_state_array *users; |
|
struct posix_ace_state_array *groups; |
|
}; |
|
|
|
int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, |
|
int acl_len, struct smb_fattr *fattr); |
|
int build_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, |
|
struct smb_ntsd *ppntsd, int addition_info, |
|
__u32 *secdesclen, struct smb_fattr *fattr); |
|
int init_acl_state(struct posix_acl_state *state, int cnt); |
|
void free_acl_state(struct posix_acl_state *state); |
|
void posix_state_to_acl(struct posix_acl_state *state, |
|
struct posix_acl_entry *pace); |
|
int compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid); |
|
bool smb_inherit_flags(int flags, bool is_dir); |
|
int smb_inherit_dacl(struct ksmbd_conn *conn, struct path *path, |
|
unsigned int uid, unsigned int gid); |
|
int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path, |
|
__le32 *pdaccess, int uid); |
|
int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon, |
|
struct path *path, struct smb_ntsd *pntsd, int ntsd_len, |
|
bool type_check); |
|
void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid); |
|
void ksmbd_init_domain(u32 *sub_auth); |
|
|
|
static inline uid_t posix_acl_uid_translate(struct user_namespace *mnt_userns, |
|
struct posix_acl_entry *pace) |
|
{ |
|
kuid_t kuid; |
|
|
|
/* If this is an idmapped mount, apply the idmapping. */ |
|
kuid = kuid_into_mnt(mnt_userns, pace->e_uid); |
|
|
|
/* Translate the kuid into a userspace id ksmbd would see. */ |
|
return from_kuid(&init_user_ns, kuid); |
|
} |
|
|
|
static inline gid_t posix_acl_gid_translate(struct user_namespace *mnt_userns, |
|
struct posix_acl_entry *pace) |
|
{ |
|
kgid_t kgid; |
|
|
|
/* If this is an idmapped mount, apply the idmapping. */ |
|
kgid = kgid_into_mnt(mnt_userns, pace->e_gid); |
|
|
|
/* Translate the kgid into a userspace id ksmbd would see. */ |
|
return from_kgid(&init_user_ns, kgid); |
|
} |
|
|
|
#endif /* _SMBACL_H */
|
|
|