4 * Copyright (C) International Business Machines Corp., 2007,2008
7 * Contains the routines for mapping CIFS/NTFS ACLs
9 * This library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published
11 * by the Free Software Foundation; either version 2.1 of the License, or
12 * (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
17 * the GNU Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this library; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25 #include <linux/slab.h>
26 #include <linux/string.h>
27 #include <linux/keyctl.h>
28 #include <linux/key-type.h>
29 #include <keys/user-type.h>
33 #include "cifsproto.h"
34 #include "cifs_debug.h"
35 #include "fs_context.h"
37 /* security id for everyone/world system group */
38 static const struct cifs_sid sid_everyone = {
39 1, 1, {0, 0, 0, 0, 0, 1}, {0} };
40 /* security id for Authenticated Users system group */
41 static const struct cifs_sid sid_authusers = {
42 1, 1, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(11)} };
44 /* S-1-22-1 Unmapped Unix users */
45 static const struct cifs_sid sid_unix_users = {1, 1, {0, 0, 0, 0, 0, 22},
46 {cpu_to_le32(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
48 /* S-1-22-2 Unmapped Unix groups */
49 static const struct cifs_sid sid_unix_groups = { 1, 1, {0, 0, 0, 0, 0, 22},
50 {cpu_to_le32(2), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
53 * See https://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
56 /* S-1-5-88 MS NFS and Apple style UID/GID/mode */
58 /* S-1-5-88-1 Unix uid */
59 static const struct cifs_sid sid_unix_NFS_users = { 1, 2, {0, 0, 0, 0, 0, 5},
61 cpu_to_le32(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
63 /* S-1-5-88-2 Unix gid */
64 static const struct cifs_sid sid_unix_NFS_groups = { 1, 2, {0, 0, 0, 0, 0, 5},
66 cpu_to_le32(2), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
68 /* S-1-5-88-3 Unix mode */
69 static const struct cifs_sid sid_unix_NFS_mode = { 1, 2, {0, 0, 0, 0, 0, 5},
71 cpu_to_le32(3), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
73 static const struct cred *root_cred;
76 cifs_idmap_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
81 * If the payload is less than or equal to the size of a pointer, then
82 * an allocation here is wasteful. Just copy the data directly to the
83 * payload.value union member instead.
85 * With this however, you must check the datalen before trying to
86 * dereference payload.data!
88 if (prep->datalen <= sizeof(key->payload)) {
89 key->payload.data[0] = NULL;
90 memcpy(&key->payload, prep->data, prep->datalen);
92 payload = kmemdup(prep->data, prep->datalen, GFP_KERNEL);
95 key->payload.data[0] = payload;
98 key->datalen = prep->datalen;
103 cifs_idmap_key_destroy(struct key *key)
105 if (key->datalen > sizeof(key->payload))
106 kfree(key->payload.data[0]);
109 static struct key_type cifs_idmap_key_type = {
110 .name = "cifs.idmap",
111 .instantiate = cifs_idmap_key_instantiate,
112 .destroy = cifs_idmap_key_destroy,
113 .describe = user_describe,
117 sid_to_key_str(struct cifs_sid *sidptr, unsigned int type)
121 char *sidstr, *strptr;
122 unsigned long long id_auth_val;
124 /* 3 bytes for prefix */
125 sidstr = kmalloc(3 + SID_STRING_BASE_SIZE +
126 (SID_STRING_SUBAUTH_SIZE * sidptr->num_subauth),
132 len = sprintf(strptr, "%cs:S-%hhu", type == SIDOWNER ? 'o' : 'g',
136 /* The authority field is a single 48-bit number */
137 id_auth_val = (unsigned long long)sidptr->authority[5];
138 id_auth_val |= (unsigned long long)sidptr->authority[4] << 8;
139 id_auth_val |= (unsigned long long)sidptr->authority[3] << 16;
140 id_auth_val |= (unsigned long long)sidptr->authority[2] << 24;
141 id_auth_val |= (unsigned long long)sidptr->authority[1] << 32;
142 id_auth_val |= (unsigned long long)sidptr->authority[0] << 48;
145 * MS-DTYP states that if the authority is >= 2^32, then it should be
146 * expressed as a hex value.
148 if (id_auth_val <= UINT_MAX)
149 len = sprintf(strptr, "-%llu", id_auth_val);
151 len = sprintf(strptr, "-0x%llx", id_auth_val);
155 for (i = 0; i < sidptr->num_subauth; ++i) {
156 saval = le32_to_cpu(sidptr->sub_auth[i]);
157 len = sprintf(strptr, "-%u", saval);
165 * if the two SIDs (roughly equivalent to a UUID for a user or group) are
166 * the same returns zero, if they do not match returns non-zero.
169 compare_sids(const struct cifs_sid *ctsid, const struct cifs_sid *cwsid)
172 int num_subauth, num_sat, num_saw;
174 if ((!ctsid) || (!cwsid))
177 /* compare the revision */
178 if (ctsid->revision != cwsid->revision) {
179 if (ctsid->revision > cwsid->revision)
185 /* compare all of the six auth values */
186 for (i = 0; i < NUM_AUTHS; ++i) {
187 if (ctsid->authority[i] != cwsid->authority[i]) {
188 if (ctsid->authority[i] > cwsid->authority[i])
195 /* compare all of the subauth values if any */
196 num_sat = ctsid->num_subauth;
197 num_saw = cwsid->num_subauth;
198 num_subauth = num_sat < num_saw ? num_sat : num_saw;
200 for (i = 0; i < num_subauth; ++i) {
201 if (ctsid->sub_auth[i] != cwsid->sub_auth[i]) {
202 if (le32_to_cpu(ctsid->sub_auth[i]) >
203 le32_to_cpu(cwsid->sub_auth[i]))
211 return 0; /* sids compare/match */
215 is_well_known_sid(const struct cifs_sid *psid, uint32_t *puid, bool is_group)
219 const struct cifs_sid *pwell_known_sid;
221 if (!psid || (puid == NULL))
224 num_subauth = psid->num_subauth;
226 /* check if Mac (or Windows NFS) vs. Samba format for Unix owner SID */
227 if (num_subauth == 2) {
229 pwell_known_sid = &sid_unix_groups;
231 pwell_known_sid = &sid_unix_users;
232 } else if (num_subauth == 3) {
234 pwell_known_sid = &sid_unix_NFS_groups;
236 pwell_known_sid = &sid_unix_NFS_users;
240 /* compare the revision */
241 if (psid->revision != pwell_known_sid->revision)
244 /* compare all of the six auth values */
245 for (i = 0; i < NUM_AUTHS; ++i) {
246 if (psid->authority[i] != pwell_known_sid->authority[i]) {
247 cifs_dbg(FYI, "auth %d did not match\n", i);
252 if (num_subauth == 2) {
253 if (psid->sub_auth[0] != pwell_known_sid->sub_auth[0])
256 *puid = le32_to_cpu(psid->sub_auth[1]);
257 } else /* 3 subauths, ie Windows/Mac style */ {
258 *puid = le32_to_cpu(psid->sub_auth[0]);
259 if ((psid->sub_auth[0] != pwell_known_sid->sub_auth[0]) ||
260 (psid->sub_auth[1] != pwell_known_sid->sub_auth[1]))
263 *puid = le32_to_cpu(psid->sub_auth[2]);
266 cifs_dbg(FYI, "Unix UID %d returned from SID\n", *puid);
267 return true; /* well known sid found, uid returned */
271 cifs_copy_sid(struct cifs_sid *dst, const struct cifs_sid *src)
274 __u16 size = 1 + 1 + 6;
276 dst->revision = src->revision;
277 dst->num_subauth = min_t(u8, src->num_subauth, SID_MAX_SUB_AUTHORITIES);
278 for (i = 0; i < NUM_AUTHS; ++i)
279 dst->authority[i] = src->authority[i];
280 for (i = 0; i < dst->num_subauth; ++i)
281 dst->sub_auth[i] = src->sub_auth[i];
282 size += (dst->num_subauth * 4);
288 id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid)
292 struct cifs_sid *ksid;
293 unsigned int ksid_size;
294 char desc[3 + 10 + 1]; /* 3 byte prefix + 10 bytes for value + NULL */
295 const struct cred *saved_cred;
297 rc = snprintf(desc, sizeof(desc), "%ci:%u",
298 sidtype == SIDOWNER ? 'o' : 'g', cid);
299 if (rc >= sizeof(desc))
303 saved_cred = override_creds(root_cred);
304 sidkey = request_key(&cifs_idmap_key_type, desc, "");
305 if (IS_ERR(sidkey)) {
307 cifs_dbg(FYI, "%s: Can't map %cid %u to a SID\n",
308 __func__, sidtype == SIDOWNER ? 'u' : 'g', cid);
309 goto out_revert_creds;
310 } else if (sidkey->datalen < CIFS_SID_BASE_SIZE) {
312 cifs_dbg(FYI, "%s: Downcall contained malformed key (datalen=%hu)\n",
313 __func__, sidkey->datalen);
318 * A sid is usually too large to be embedded in payload.value, but if
319 * there are no subauthorities and the host has 8-byte pointers, then
322 ksid = sidkey->datalen <= sizeof(sidkey->payload) ?
323 (struct cifs_sid *)&sidkey->payload :
324 (struct cifs_sid *)sidkey->payload.data[0];
326 ksid_size = CIFS_SID_BASE_SIZE + (ksid->num_subauth * sizeof(__le32));
327 if (ksid_size > sidkey->datalen) {
329 cifs_dbg(FYI, "%s: Downcall contained malformed key (datalen=%hu, ksid_size=%u)\n",
330 __func__, sidkey->datalen, ksid_size);
334 cifs_copy_sid(ssid, ksid);
338 revert_creds(saved_cred);
342 key_invalidate(sidkey);
347 sid_to_id(struct cifs_sb_info *cifs_sb, struct cifs_sid *psid,
348 struct cifs_fattr *fattr, uint sidtype)
353 const struct cred *saved_cred;
354 kuid_t fuid = cifs_sb->ctx->linux_uid;
355 kgid_t fgid = cifs_sb->ctx->linux_gid;
358 * If we have too many subauthorities, then something is really wrong.
359 * Just return an error.
361 if (unlikely(psid->num_subauth > SID_MAX_SUB_AUTHORITIES)) {
362 cifs_dbg(FYI, "%s: %u subauthorities is too many!\n",
363 __func__, psid->num_subauth);
367 if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UID_FROM_ACL) ||
368 (cifs_sb_master_tcon(cifs_sb)->posix_extensions)) {
372 if (sidtype != SIDOWNER)
377 if (is_well_known_sid(psid, &unix_id, is_group) == false)
378 goto try_upcall_to_get_id;
385 gid = make_kgid(&init_user_ns, id);
386 if (gid_valid(gid)) {
395 uid = make_kuid(&init_user_ns, id);
396 if (uid_valid(uid)) {
401 /* If unable to find uid/gid easily from SID try via upcall */
404 try_upcall_to_get_id:
405 sidstr = sid_to_key_str(psid, sidtype);
409 saved_cred = override_creds(root_cred);
410 sidkey = request_key(&cifs_idmap_key_type, sidstr, "");
411 if (IS_ERR(sidkey)) {
413 cifs_dbg(FYI, "%s: Can't map SID %s to a %cid\n",
414 __func__, sidstr, sidtype == SIDOWNER ? 'u' : 'g');
415 goto out_revert_creds;
419 * FIXME: Here we assume that uid_t and gid_t are same size. It's
420 * probably a safe assumption but might be better to check based on
423 BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t));
424 if (sidkey->datalen != sizeof(uid_t)) {
426 cifs_dbg(FYI, "%s: Downcall contained malformed key (datalen=%hu)\n",
427 __func__, sidkey->datalen);
428 key_invalidate(sidkey);
432 if (sidtype == SIDOWNER) {
435 memcpy(&id, &sidkey->payload.data[0], sizeof(uid_t));
436 uid = make_kuid(&init_user_ns, id);
442 memcpy(&id, &sidkey->payload.data[0], sizeof(gid_t));
443 gid = make_kgid(&init_user_ns, id);
451 revert_creds(saved_cred);
455 * Note that we return 0 here unconditionally. If the mapping
456 * fails then we just fall back to using the ctx->linux_uid/linux_gid.
460 if (sidtype == SIDOWNER)
461 fattr->cf_uid = fuid;
463 fattr->cf_gid = fgid;
468 init_cifs_idmap(void)
474 cifs_dbg(FYI, "Registering the %s key type\n",
475 cifs_idmap_key_type.name);
477 /* create an override credential set with a special thread keyring in
478 * which requests are cached
480 * this is used to prevent malicious redirections from being installed
483 cred = prepare_kernel_cred(NULL);
487 keyring = keyring_alloc(".cifs_idmap",
488 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
489 (KEY_POS_ALL & ~KEY_POS_SETATTR) |
490 KEY_USR_VIEW | KEY_USR_READ,
491 KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
492 if (IS_ERR(keyring)) {
493 ret = PTR_ERR(keyring);
494 goto failed_put_cred;
497 ret = register_key_type(&cifs_idmap_key_type);
501 /* instruct request_key() to use this special keyring as a cache for
502 * the results it looks up */
503 set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
504 cred->thread_keyring = keyring;
505 cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
508 cifs_dbg(FYI, "cifs idmap keyring: %d\n", key_serial(keyring));
519 exit_cifs_idmap(void)
521 key_revoke(root_cred->thread_keyring);
522 unregister_key_type(&cifs_idmap_key_type);
524 cifs_dbg(FYI, "Unregistered %s key type\n", cifs_idmap_key_type.name);
527 /* copy ntsd, owner sid, and group sid from a security descriptor to another */
528 static __u32 copy_sec_desc(const struct cifs_ntsd *pntsd,
529 struct cifs_ntsd *pnntsd,
531 struct cifs_sid *pownersid,
532 struct cifs_sid *pgrpsid)
534 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
535 struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr;
537 /* copy security descriptor control portion */
538 pnntsd->revision = pntsd->revision;
539 pnntsd->type = pntsd->type;
540 pnntsd->dacloffset = cpu_to_le32(sizeof(struct cifs_ntsd));
541 pnntsd->sacloffset = 0;
542 pnntsd->osidoffset = cpu_to_le32(sidsoffset);
543 pnntsd->gsidoffset = cpu_to_le32(sidsoffset + sizeof(struct cifs_sid));
547 owner_sid_ptr = pownersid;
549 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
550 le32_to_cpu(pntsd->osidoffset));
551 nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset);
552 cifs_copy_sid(nowner_sid_ptr, owner_sid_ptr);
556 group_sid_ptr = pgrpsid;
558 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
559 le32_to_cpu(pntsd->gsidoffset));
560 ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset +
561 sizeof(struct cifs_sid));
562 cifs_copy_sid(ngroup_sid_ptr, group_sid_ptr);
564 return sidsoffset + (2 * sizeof(struct cifs_sid));
569 change posix mode to reflect permissions
570 pmode is the existing mode (we only want to overwrite part of this
571 bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
573 static void access_flags_to_mode(__le32 ace_flags, int type, umode_t *pmode,
574 umode_t *pdenied, umode_t mask)
576 __u32 flags = le32_to_cpu(ace_flags);
578 * Do not assume "preferred" or "canonical" order.
579 * The first DENY or ALLOW ACE which matches perfectly is
580 * the permission to be used. Once allowed or denied, same
581 * permission in later ACEs do not matter.
584 /* If not already allowed, deny these bits */
585 if (type == ACCESS_DENIED) {
586 if (flags & GENERIC_ALL &&
587 !(*pmode & mask & 0777))
588 *pdenied |= mask & 0777;
590 if (((flags & GENERIC_WRITE) ||
591 ((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS)) &&
592 !(*pmode & mask & 0222))
593 *pdenied |= mask & 0222;
595 if (((flags & GENERIC_READ) ||
596 ((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS)) &&
597 !(*pmode & mask & 0444))
598 *pdenied |= mask & 0444;
600 if (((flags & GENERIC_EXECUTE) ||
601 ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS)) &&
602 !(*pmode & mask & 0111))
603 *pdenied |= mask & 0111;
606 } else if (type != ACCESS_ALLOWED) {
607 cifs_dbg(VFS, "unknown access control type %d\n", type);
610 /* else ACCESS_ALLOWED type */
612 if ((flags & GENERIC_ALL) &&
613 !(*pdenied & mask & 0777)) {
614 *pmode |= mask & 0777;
615 cifs_dbg(NOISY, "all perms\n");
619 if (((flags & GENERIC_WRITE) ||
620 ((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS)) &&
621 !(*pdenied & mask & 0222))
622 *pmode |= mask & 0222;
624 if (((flags & GENERIC_READ) ||
625 ((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS)) &&
626 !(*pdenied & mask & 0444))
627 *pmode |= mask & 0444;
629 if (((flags & GENERIC_EXECUTE) ||
630 ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS)) &&
631 !(*pdenied & mask & 0111))
632 *pmode |= mask & 0111;
634 /* If DELETE_CHILD is set only on an owner ACE, set sticky bit */
635 if (flags & FILE_DELETE_CHILD) {
636 if (mask == ACL_OWNER_MASK) {
637 if (!(*pdenied & 01000))
639 } else if (!(*pdenied & 01000)) {
645 cifs_dbg(NOISY, "access flags 0x%x mode now %04o\n", flags, *pmode);
650 Generate access flags to reflect permissions mode is the existing mode.
651 This function is called for every ACE in the DACL whose SID matches
652 with either owner or group or everyone.
655 static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
658 /* reset access mask */
661 /* bits to use are either S_IRWXU or S_IRWXG or S_IRWXO */
664 /* check for R/W/X UGO since we do not know whose flags
665 is this but we have cleared all the bits sans RWX for
666 either user or group or other as per bits_to_use */
668 *pace_flags |= SET_FILE_READ_RIGHTS;
670 *pace_flags |= SET_FILE_WRITE_RIGHTS;
672 *pace_flags |= SET_FILE_EXEC_RIGHTS;
674 cifs_dbg(NOISY, "mode: %04o, access flags now 0x%x\n",
679 static __u16 cifs_copy_ace(struct cifs_ace *dst, struct cifs_ace *src, struct cifs_sid *psid)
681 __u16 size = 1 + 1 + 2 + 4;
683 dst->type = src->type;
684 dst->flags = src->flags;
685 dst->access_req = src->access_req;
687 /* Check if there's a replacement sid specified */
689 size += cifs_copy_sid(&dst->sid, psid);
691 size += cifs_copy_sid(&dst->sid, &src->sid);
693 dst->size = cpu_to_le16(size);
698 static __u16 fill_ace_for_sid(struct cifs_ace *pntace,
699 const struct cifs_sid *psid, __u64 nmode,
700 umode_t bits, __u8 access_type,
701 bool allow_delete_child)
705 __u32 access_req = 0;
707 pntace->type = access_type;
709 mode_to_access_flags(nmode, bits, &access_req);
711 if (access_type == ACCESS_ALLOWED && allow_delete_child)
712 access_req |= FILE_DELETE_CHILD;
714 if (access_type == ACCESS_ALLOWED && !access_req)
715 access_req = SET_MINIMUM_RIGHTS;
716 else if (access_type == ACCESS_DENIED)
717 access_req &= ~SET_MINIMUM_RIGHTS;
719 pntace->access_req = cpu_to_le32(access_req);
721 pntace->sid.revision = psid->revision;
722 pntace->sid.num_subauth = psid->num_subauth;
723 for (i = 0; i < NUM_AUTHS; i++)
724 pntace->sid.authority[i] = psid->authority[i];
725 for (i = 0; i < psid->num_subauth; i++)
726 pntace->sid.sub_auth[i] = psid->sub_auth[i];
728 size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth * 4);
729 pntace->size = cpu_to_le16(size);
735 #ifdef CONFIG_CIFS_DEBUG2
736 static void dump_ace(struct cifs_ace *pace, char *end_of_acl)
740 /* validate that we do not go past end of acl */
742 if (le16_to_cpu(pace->size) < 16) {
743 cifs_dbg(VFS, "ACE too small %d\n", le16_to_cpu(pace->size));
747 if (end_of_acl < (char *)pace + le16_to_cpu(pace->size)) {
748 cifs_dbg(VFS, "ACL too small to parse ACE\n");
752 num_subauth = pace->sid.num_subauth;
755 cifs_dbg(FYI, "ACE revision %d num_auth %d type %d flags %d size %d\n",
756 pace->sid.revision, pace->sid.num_subauth, pace->type,
757 pace->flags, le16_to_cpu(pace->size));
758 for (i = 0; i < num_subauth; ++i) {
759 cifs_dbg(FYI, "ACE sub_auth[%d]: 0x%x\n",
760 i, le32_to_cpu(pace->sid.sub_auth[i]));
763 /* BB add length check to make sure that we do not have huge
764 num auths and therefore go off the end */
771 static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
772 struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
773 struct cifs_fattr *fattr, bool mode_from_special_sid)
779 struct cifs_ace **ppace;
781 /* BB need to add parm so we can store the SID BB */
784 /* no DACL in the security descriptor, set
785 all the permissions for user/group/other */
786 fattr->cf_mode |= 0777;
790 /* validate that we do not go past end of acl */
791 if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
792 cifs_dbg(VFS, "ACL too small to parse DACL\n");
796 cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
797 le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
798 le32_to_cpu(pdacl->num_aces));
800 /* reset rwx permissions for user/group/other.
801 Also, if num_aces is 0 i.e. DACL has no ACEs,
802 user/group/other have no permissions */
803 fattr->cf_mode &= ~(0777);
805 acl_base = (char *)pdacl;
806 acl_size = sizeof(struct cifs_acl);
808 num_aces = le32_to_cpu(pdacl->num_aces);
810 umode_t denied_mode = 0;
812 if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
814 ppace = kmalloc_array(num_aces, sizeof(struct cifs_ace *),
819 for (i = 0; i < num_aces; ++i) {
820 ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
821 #ifdef CONFIG_CIFS_DEBUG2
822 dump_ace(ppace[i], end_of_acl);
824 if (mode_from_special_sid &&
825 (compare_sids(&(ppace[i]->sid),
826 &sid_unix_NFS_mode) == 0)) {
828 * Full permissions are:
829 * 07777 = S_ISUID | S_ISGID | S_ISVTX |
830 * S_IRWXU | S_IRWXG | S_IRWXO
832 fattr->cf_mode &= ~07777;
834 le32_to_cpu(ppace[i]->sid.sub_auth[2]);
837 if (compare_sids(&(ppace[i]->sid), pownersid) == 0) {
838 access_flags_to_mode(ppace[i]->access_req,
843 } else if (compare_sids(&(ppace[i]->sid), pgrpsid) == 0) {
844 access_flags_to_mode(ppace[i]->access_req,
849 } else if ((compare_sids(&(ppace[i]->sid), &sid_everyone) == 0) ||
850 (compare_sids(&(ppace[i]->sid), &sid_authusers) == 0)) {
851 access_flags_to_mode(ppace[i]->access_req,
860 /* memcpy((void *)(&(cifscred->aces[i])),
862 sizeof(struct cifs_ace)); */
864 acl_base = (char *)ppace[i];
865 acl_size = le16_to_cpu(ppace[i]->size);
874 unsigned int setup_authusers_ACE(struct cifs_ace *pntace)
877 unsigned int ace_size = 20;
879 pntace->type = ACCESS_ALLOWED_ACE_TYPE;
881 pntace->access_req = cpu_to_le32(GENERIC_ALL);
882 pntace->sid.num_subauth = 1;
883 pntace->sid.revision = 1;
884 for (i = 0; i < NUM_AUTHS; i++)
885 pntace->sid.authority[i] = sid_authusers.authority[i];
887 pntace->sid.sub_auth[0] = sid_authusers.sub_auth[0];
889 /* size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth*4) */
890 pntace->size = cpu_to_le16(ace_size);
895 * Fill in the special SID based on the mode. See
896 * https://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
898 unsigned int setup_special_mode_ACE(struct cifs_ace *pntace, __u64 nmode)
901 unsigned int ace_size = 28;
903 pntace->type = ACCESS_DENIED_ACE_TYPE;
905 pntace->access_req = 0;
906 pntace->sid.num_subauth = 3;
907 pntace->sid.revision = 1;
908 for (i = 0; i < NUM_AUTHS; i++)
909 pntace->sid.authority[i] = sid_unix_NFS_mode.authority[i];
911 pntace->sid.sub_auth[0] = sid_unix_NFS_mode.sub_auth[0];
912 pntace->sid.sub_auth[1] = sid_unix_NFS_mode.sub_auth[1];
913 pntace->sid.sub_auth[2] = cpu_to_le32(nmode & 07777);
915 /* size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth*4) */
916 pntace->size = cpu_to_le16(ace_size);
920 unsigned int setup_special_user_owner_ACE(struct cifs_ace *pntace)
923 unsigned int ace_size = 28;
925 pntace->type = ACCESS_ALLOWED_ACE_TYPE;
927 pntace->access_req = cpu_to_le32(GENERIC_ALL);
928 pntace->sid.num_subauth = 3;
929 pntace->sid.revision = 1;
930 for (i = 0; i < NUM_AUTHS; i++)
931 pntace->sid.authority[i] = sid_unix_NFS_users.authority[i];
933 pntace->sid.sub_auth[0] = sid_unix_NFS_users.sub_auth[0];
934 pntace->sid.sub_auth[1] = sid_unix_NFS_users.sub_auth[1];
935 pntace->sid.sub_auth[2] = cpu_to_le32(current_fsgid().val);
937 /* size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth*4) */
938 pntace->size = cpu_to_le16(ace_size);
942 static void populate_new_aces(char *nacl_base,
943 struct cifs_sid *pownersid,
944 struct cifs_sid *pgrpsid,
945 __u64 *pnmode, u32 *pnum_aces, u16 *pnsize,
954 __u64 deny_user_mode = 0;
955 __u64 deny_group_mode = 0;
956 bool sticky_set = false;
957 struct cifs_ace *pnntace = NULL;
960 num_aces = *pnum_aces;
964 pnntace = (struct cifs_ace *) (nacl_base + nsize);
965 nsize += setup_special_mode_ACE(pnntace, nmode);
971 * We'll try to keep the mode as requested by the user.
972 * But in cases where we cannot meaningfully convert that
973 * into ACL, return back the updated mode, so that it is
974 * updated in the inode.
977 if (!memcmp(pownersid, pgrpsid, sizeof(struct cifs_sid))) {
979 * Case when owner and group SIDs are the same.
980 * Set the more restrictive of the two modes.
982 user_mode = nmode & (nmode << 3) & 0700;
983 group_mode = nmode & (nmode >> 3) & 0070;
985 user_mode = nmode & 0700;
986 group_mode = nmode & 0070;
989 other_mode = nmode & 0007;
991 /* We need DENY ACE when the perm is more restrictive than the next sets. */
992 deny_user_mode = ~(user_mode) & ((group_mode << 3) | (other_mode << 6)) & 0700;
993 deny_group_mode = ~(group_mode) & (other_mode << 3) & 0070;
995 *pnmode = user_mode | group_mode | other_mode | (nmode & ~0777);
997 /* This tells if we should allow delete child for group and everyone. */
1001 if (deny_user_mode) {
1002 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1003 nsize += fill_ace_for_sid(pnntace, pownersid, deny_user_mode,
1004 0700, ACCESS_DENIED, false);
1008 /* Group DENY ACE does not conflict with owner ALLOW ACE. Keep in preferred order*/
1009 if (deny_group_mode && !(deny_group_mode & (user_mode >> 3))) {
1010 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1011 nsize += fill_ace_for_sid(pnntace, pgrpsid, deny_group_mode,
1012 0070, ACCESS_DENIED, false);
1016 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1017 nsize += fill_ace_for_sid(pnntace, pownersid, user_mode,
1018 0700, ACCESS_ALLOWED, true);
1021 /* Group DENY ACE conflicts with owner ALLOW ACE. So keep it after. */
1022 if (deny_group_mode && (deny_group_mode & (user_mode >> 3))) {
1023 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1024 nsize += fill_ace_for_sid(pnntace, pgrpsid, deny_group_mode,
1025 0070, ACCESS_DENIED, false);
1029 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1030 nsize += fill_ace_for_sid(pnntace, pgrpsid, group_mode,
1031 0070, ACCESS_ALLOWED, !sticky_set);
1034 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1035 nsize += fill_ace_for_sid(pnntace, &sid_everyone, other_mode,
1036 0007, ACCESS_ALLOWED, !sticky_set);
1040 *pnum_aces = num_aces;
1044 static __u16 replace_sids_and_copy_aces(struct cifs_acl *pdacl, struct cifs_acl *pndacl,
1045 struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
1046 struct cifs_sid *pnownersid, struct cifs_sid *pngrpsid)
1050 struct cifs_ace *pntace = NULL;
1051 char *acl_base = NULL;
1052 u32 src_num_aces = 0;
1054 struct cifs_ace *pnntace = NULL;
1055 char *nacl_base = NULL;
1058 acl_base = (char *)pdacl;
1059 size = sizeof(struct cifs_acl);
1060 src_num_aces = le32_to_cpu(pdacl->num_aces);
1062 nacl_base = (char *)pndacl;
1063 nsize = sizeof(struct cifs_acl);
1065 /* Go through all the ACEs */
1066 for (i = 0; i < src_num_aces; ++i) {
1067 pntace = (struct cifs_ace *) (acl_base + size);
1068 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1070 if (pnownersid && compare_sids(&pntace->sid, pownersid) == 0)
1071 ace_size = cifs_copy_ace(pnntace, pntace, pnownersid);
1072 else if (pngrpsid && compare_sids(&pntace->sid, pgrpsid) == 0)
1073 ace_size = cifs_copy_ace(pnntace, pntace, pngrpsid);
1075 ace_size = cifs_copy_ace(pnntace, pntace, NULL);
1077 size += le16_to_cpu(pntace->size);
1084 static int set_chmod_dacl(struct cifs_acl *pdacl, struct cifs_acl *pndacl,
1085 struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
1086 __u64 *pnmode, bool mode_from_sid)
1090 struct cifs_ace *pntace = NULL;
1091 char *acl_base = NULL;
1092 u32 src_num_aces = 0;
1094 struct cifs_ace *pnntace = NULL;
1095 char *nacl_base = NULL;
1097 bool new_aces_set = false;
1099 /* Assuming that pndacl and pnmode are never NULL */
1100 nacl_base = (char *)pndacl;
1101 nsize = sizeof(struct cifs_acl);
1103 /* If pdacl is NULL, we don't have a src. Simply populate new ACL. */
1105 populate_new_aces(nacl_base,
1107 pnmode, &num_aces, &nsize,
1112 acl_base = (char *)pdacl;
1113 size = sizeof(struct cifs_acl);
1114 src_num_aces = le32_to_cpu(pdacl->num_aces);
1116 /* Retain old ACEs which we can retain */
1117 for (i = 0; i < src_num_aces; ++i) {
1118 pntace = (struct cifs_ace *) (acl_base + size);
1120 if (!new_aces_set && (pntace->flags & INHERITED_ACE)) {
1121 /* Place the new ACEs in between existing explicit and inherited */
1122 populate_new_aces(nacl_base,
1124 pnmode, &num_aces, &nsize,
1127 new_aces_set = true;
1130 /* If it's any one of the ACE we're replacing, skip! */
1131 if (((compare_sids(&pntace->sid, &sid_unix_NFS_mode) == 0) ||
1132 (compare_sids(&pntace->sid, pownersid) == 0) ||
1133 (compare_sids(&pntace->sid, pgrpsid) == 0) ||
1134 (compare_sids(&pntace->sid, &sid_everyone) == 0) ||
1135 (compare_sids(&pntace->sid, &sid_authusers) == 0))) {
1139 /* update the pointer to the next ACE to populate*/
1140 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1142 nsize += cifs_copy_ace(pnntace, pntace, NULL);
1146 size += le16_to_cpu(pntace->size);
1149 /* If inherited ACEs are not present, place the new ones at the tail */
1150 if (!new_aces_set) {
1151 populate_new_aces(nacl_base,
1153 pnmode, &num_aces, &nsize,
1156 new_aces_set = true;
1160 pndacl->num_aces = cpu_to_le32(num_aces);
1161 pndacl->size = cpu_to_le16(nsize);
1166 static int parse_sid(struct cifs_sid *psid, char *end_of_acl)
1168 /* BB need to add parm so we can store the SID BB */
1170 /* validate that we do not go past end of ACL - sid must be at least 8
1171 bytes long (assuming no sub-auths - e.g. the null SID */
1172 if (end_of_acl < (char *)psid + 8) {
1173 cifs_dbg(VFS, "ACL too small to parse SID %p\n", psid);
1177 #ifdef CONFIG_CIFS_DEBUG2
1178 if (psid->num_subauth) {
1180 cifs_dbg(FYI, "SID revision %d num_auth %d\n",
1181 psid->revision, psid->num_subauth);
1183 for (i = 0; i < psid->num_subauth; i++) {
1184 cifs_dbg(FYI, "SID sub_auth[%d]: 0x%x\n",
1185 i, le32_to_cpu(psid->sub_auth[i]));
1188 /* BB add length check to make sure that we do not have huge
1189 num auths and therefore go off the end */
1190 cifs_dbg(FYI, "RID 0x%x\n",
1191 le32_to_cpu(psid->sub_auth[psid->num_subauth-1]));
1199 /* Convert CIFS ACL to POSIX form */
1200 static int parse_sec_desc(struct cifs_sb_info *cifs_sb,
1201 struct cifs_ntsd *pntsd, int acl_len, struct cifs_fattr *fattr,
1202 bool get_mode_from_special_sid)
1205 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
1206 struct cifs_acl *dacl_ptr; /* no need for SACL ptr */
1207 char *end_of_acl = ((char *)pntsd) + acl_len;
1213 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1214 le32_to_cpu(pntsd->osidoffset));
1215 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1216 le32_to_cpu(pntsd->gsidoffset));
1217 dacloffset = le32_to_cpu(pntsd->dacloffset);
1218 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
1219 cifs_dbg(NOISY, "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
1220 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
1221 le32_to_cpu(pntsd->gsidoffset),
1222 le32_to_cpu(pntsd->sacloffset), dacloffset);
1223 /* cifs_dump_mem("owner_sid: ", owner_sid_ptr, 64); */
1224 rc = parse_sid(owner_sid_ptr, end_of_acl);
1226 cifs_dbg(FYI, "%s: Error %d parsing Owner SID\n", __func__, rc);
1229 rc = sid_to_id(cifs_sb, owner_sid_ptr, fattr, SIDOWNER);
1231 cifs_dbg(FYI, "%s: Error %d mapping Owner SID to uid\n",
1236 rc = parse_sid(group_sid_ptr, end_of_acl);
1238 cifs_dbg(FYI, "%s: Error %d mapping Owner SID to gid\n",
1242 rc = sid_to_id(cifs_sb, group_sid_ptr, fattr, SIDGROUP);
1244 cifs_dbg(FYI, "%s: Error %d mapping Group SID to gid\n",
1250 parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
1251 group_sid_ptr, fattr, get_mode_from_special_sid);
1253 cifs_dbg(FYI, "no ACL\n"); /* BB grant all or default perms? */
1258 /* Convert permission bits from mode to equivalent CIFS ACL */
1259 static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
1260 __u32 secdesclen, __u32 *pnsecdesclen, __u64 *pnmode, kuid_t uid, kgid_t gid,
1261 bool mode_from_sid, bool id_from_sid, int *aclflag)
1267 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
1268 struct cifs_sid *nowner_sid_ptr = NULL, *ngroup_sid_ptr = NULL;
1269 struct cifs_acl *dacl_ptr = NULL; /* no need for SACL ptr */
1270 struct cifs_acl *ndacl_ptr = NULL; /* no need for SACL ptr */
1271 char *end_of_acl = ((char *)pntsd) + secdesclen;
1274 dacloffset = le32_to_cpu(pntsd->dacloffset);
1276 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
1277 if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
1278 cifs_dbg(VFS, "Server returned illegal ACL size\n");
1283 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1284 le32_to_cpu(pntsd->osidoffset));
1285 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1286 le32_to_cpu(pntsd->gsidoffset));
1288 if (pnmode && *pnmode != NO_CHANGE_64) { /* chmod */
1289 ndacloffset = sizeof(struct cifs_ntsd);
1290 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset);
1291 ndacl_ptr->revision =
1292 dacloffset ? dacl_ptr->revision : cpu_to_le16(ACL_REVISION);
1294 ndacl_ptr->size = cpu_to_le16(0);
1295 ndacl_ptr->num_aces = cpu_to_le32(0);
1297 rc = set_chmod_dacl(dacl_ptr, ndacl_ptr, owner_sid_ptr, group_sid_ptr,
1298 pnmode, mode_from_sid);
1300 sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size);
1301 /* copy the non-dacl portion of secdesc */
1302 *pnsecdesclen = copy_sec_desc(pntsd, pnntsd, sidsoffset,
1305 *aclflag |= CIFS_ACL_DACL;
1307 ndacloffset = sizeof(struct cifs_ntsd);
1308 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset);
1309 ndacl_ptr->revision =
1310 dacloffset ? dacl_ptr->revision : cpu_to_le16(ACL_REVISION);
1311 ndacl_ptr->num_aces = dacl_ptr->num_aces;
1313 if (uid_valid(uid)) { /* chown */
1315 nowner_sid_ptr = kmalloc(sizeof(struct cifs_sid),
1317 if (!nowner_sid_ptr) {
1319 goto chown_chgrp_exit;
1321 id = from_kuid(&init_user_ns, uid);
1323 struct owner_sid *osid = (struct owner_sid *)nowner_sid_ptr;
1324 /* Populate the user ownership fields S-1-5-88-1 */
1327 osid->Authority[5] = 5;
1328 osid->SubAuthorities[0] = cpu_to_le32(88);
1329 osid->SubAuthorities[1] = cpu_to_le32(1);
1330 osid->SubAuthorities[2] = cpu_to_le32(id);
1332 } else { /* lookup sid with upcall */
1333 rc = id_to_sid(id, SIDOWNER, nowner_sid_ptr);
1335 cifs_dbg(FYI, "%s: Mapping error %d for owner id %d\n",
1337 goto chown_chgrp_exit;
1340 *aclflag |= CIFS_ACL_OWNER;
1342 if (gid_valid(gid)) { /* chgrp */
1344 ngroup_sid_ptr = kmalloc(sizeof(struct cifs_sid),
1346 if (!ngroup_sid_ptr) {
1348 goto chown_chgrp_exit;
1350 id = from_kgid(&init_user_ns, gid);
1352 struct owner_sid *gsid = (struct owner_sid *)ngroup_sid_ptr;
1353 /* Populate the group ownership fields S-1-5-88-2 */
1356 gsid->Authority[5] = 5;
1357 gsid->SubAuthorities[0] = cpu_to_le32(88);
1358 gsid->SubAuthorities[1] = cpu_to_le32(2);
1359 gsid->SubAuthorities[2] = cpu_to_le32(id);
1361 } else { /* lookup sid with upcall */
1362 rc = id_to_sid(id, SIDGROUP, ngroup_sid_ptr);
1364 cifs_dbg(FYI, "%s: Mapping error %d for group id %d\n",
1366 goto chown_chgrp_exit;
1369 *aclflag |= CIFS_ACL_GROUP;
1373 /* Replace ACEs for old owner with new one */
1374 size = replace_sids_and_copy_aces(dacl_ptr, ndacl_ptr,
1375 owner_sid_ptr, group_sid_ptr,
1376 nowner_sid_ptr, ngroup_sid_ptr);
1377 ndacl_ptr->size = cpu_to_le16(size);
1380 sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size);
1381 /* copy the non-dacl portion of secdesc */
1382 *pnsecdesclen = copy_sec_desc(pntsd, pnntsd, sidsoffset,
1383 nowner_sid_ptr, ngroup_sid_ptr);
1386 /* errors could jump here. So make sure we return soon after this */
1387 kfree(nowner_sid_ptr);
1388 kfree(ngroup_sid_ptr);
1394 struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb,
1395 const struct cifs_fid *cifsfid, u32 *pacllen,
1396 u32 __maybe_unused unused)
1398 struct cifs_ntsd *pntsd = NULL;
1401 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1404 return ERR_CAST(tlink);
1407 rc = CIFSSMBGetCIFSACL(xid, tlink_tcon(tlink), cifsfid->netfid, &pntsd,
1411 cifs_put_tlink(tlink);
1413 cifs_dbg(FYI, "%s: rc = %d ACL len %d\n", __func__, rc, *pacllen);
1419 static struct cifs_ntsd *get_cifs_acl_by_path(struct cifs_sb_info *cifs_sb,
1420 const char *path, u32 *pacllen)
1422 struct cifs_ntsd *pntsd = NULL;
1426 struct cifs_tcon *tcon;
1427 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1428 struct cifs_fid fid;
1429 struct cifs_open_parms oparms;
1432 return ERR_CAST(tlink);
1434 tcon = tlink_tcon(tlink);
1438 oparms.cifs_sb = cifs_sb;
1439 oparms.desired_access = READ_CONTROL;
1440 oparms.create_options = cifs_create_options(cifs_sb, 0);
1441 oparms.disposition = FILE_OPEN;
1444 oparms.reconnect = false;
1446 rc = CIFS_open(xid, &oparms, &oplock, NULL);
1448 rc = CIFSSMBGetCIFSACL(xid, tcon, fid.netfid, &pntsd, pacllen);
1449 CIFSSMBClose(xid, tcon, fid.netfid);
1452 cifs_put_tlink(tlink);
1455 cifs_dbg(FYI, "%s: rc = %d ACL len %d\n", __func__, rc, *pacllen);
1461 /* Retrieve an ACL from the server */
1462 struct cifs_ntsd *get_cifs_acl(struct cifs_sb_info *cifs_sb,
1463 struct inode *inode, const char *path,
1464 u32 *pacllen, u32 info)
1466 struct cifs_ntsd *pntsd = NULL;
1467 struct cifsFileInfo *open_file = NULL;
1470 open_file = find_readable_file(CIFS_I(inode), true);
1472 return get_cifs_acl_by_path(cifs_sb, path, pacllen);
1474 pntsd = get_cifs_acl_by_fid(cifs_sb, &open_file->fid, pacllen, info);
1475 cifsFileInfo_put(open_file);
1479 /* Set an ACL on the server */
1480 int set_cifs_acl(struct cifs_ntsd *pnntsd, __u32 acllen,
1481 struct inode *inode, const char *path, int aclflag)
1485 int rc, access_flags;
1486 struct cifs_tcon *tcon;
1487 struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
1488 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1489 struct cifs_fid fid;
1490 struct cifs_open_parms oparms;
1493 return PTR_ERR(tlink);
1495 tcon = tlink_tcon(tlink);
1498 if (aclflag == CIFS_ACL_OWNER || aclflag == CIFS_ACL_GROUP)
1499 access_flags = WRITE_OWNER;
1501 access_flags = WRITE_DAC;
1504 oparms.cifs_sb = cifs_sb;
1505 oparms.desired_access = access_flags;
1506 oparms.create_options = cifs_create_options(cifs_sb, 0);
1507 oparms.disposition = FILE_OPEN;
1510 oparms.reconnect = false;
1512 rc = CIFS_open(xid, &oparms, &oplock, NULL);
1514 cifs_dbg(VFS, "Unable to open file to set ACL\n");
1518 rc = CIFSSMBSetCIFSACL(xid, tcon, fid.netfid, pnntsd, acllen, aclflag);
1519 cifs_dbg(NOISY, "SetCIFSACL rc = %d\n", rc);
1521 CIFSSMBClose(xid, tcon, fid.netfid);
1524 cifs_put_tlink(tlink);
1528 /* Translate the CIFS ACL (similar to NTFS ACL) for a file into mode bits */
1530 cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr,
1531 struct inode *inode, bool mode_from_special_sid,
1532 const char *path, const struct cifs_fid *pfid)
1534 struct cifs_ntsd *pntsd = NULL;
1537 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1538 struct smb_version_operations *ops;
1541 cifs_dbg(NOISY, "converting ACL to mode for %s\n", path);
1544 return PTR_ERR(tlink);
1546 ops = tlink_tcon(tlink)->ses->server->ops;
1548 if (pfid && (ops->get_acl_by_fid))
1549 pntsd = ops->get_acl_by_fid(cifs_sb, pfid, &acllen, info);
1550 else if (ops->get_acl)
1551 pntsd = ops->get_acl(cifs_sb, inode, path, &acllen, info);
1553 cifs_put_tlink(tlink);
1556 /* if we can retrieve the ACL, now parse Access Control Entries, ACEs */
1557 if (IS_ERR(pntsd)) {
1558 rc = PTR_ERR(pntsd);
1559 cifs_dbg(VFS, "%s: error %d getting sec desc\n", __func__, rc);
1560 } else if (mode_from_special_sid) {
1561 rc = parse_sec_desc(cifs_sb, pntsd, acllen, fattr, true);
1564 /* get approximated mode from ACL */
1565 rc = parse_sec_desc(cifs_sb, pntsd, acllen, fattr, false);
1568 cifs_dbg(VFS, "parse sec desc failed rc = %d\n", rc);
1571 cifs_put_tlink(tlink);
1576 /* Convert mode bits to an ACL so we can update the ACL on the server */
1578 id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
1579 kuid_t uid, kgid_t gid)
1582 int aclflag = CIFS_ACL_DACL; /* default flag to set */
1583 __u32 secdesclen = 0;
1584 __u32 nsecdesclen = 0;
1585 __u32 dacloffset = 0;
1586 struct cifs_acl *dacl_ptr = NULL;
1587 struct cifs_ntsd *pntsd = NULL; /* acl obtained from server */
1588 struct cifs_ntsd *pnntsd = NULL; /* modified acl to be sent to server */
1589 struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
1590 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1591 struct smb_version_operations *ops;
1592 bool mode_from_sid, id_from_sid;
1596 return PTR_ERR(tlink);
1598 ops = tlink_tcon(tlink)->ses->server->ops;
1600 cifs_dbg(NOISY, "set ACL from mode for %s\n", path);
1602 /* Get the security descriptor */
1604 if (ops->get_acl == NULL) {
1605 cifs_put_tlink(tlink);
1609 pntsd = ops->get_acl(cifs_sb, inode, path, &secdesclen, info);
1610 if (IS_ERR(pntsd)) {
1611 rc = PTR_ERR(pntsd);
1612 cifs_dbg(VFS, "%s: error %d getting sec desc\n", __func__, rc);
1613 cifs_put_tlink(tlink);
1617 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MODE_FROM_SID)
1618 mode_from_sid = true;
1620 mode_from_sid = false;
1622 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UID_FROM_ACL)
1625 id_from_sid = false;
1627 /* Potentially, five new ACEs can be added to the ACL for U,G,O mapping */
1628 nsecdesclen = secdesclen;
1629 if (pnmode && *pnmode != NO_CHANGE_64) { /* chmod */
1631 nsecdesclen += sizeof(struct cifs_ace);
1633 nsecdesclen += 5 * sizeof(struct cifs_ace);
1634 } else { /* chown */
1635 /* When ownership changes, changes new owner sid length could be different */
1636 nsecdesclen = sizeof(struct cifs_ntsd) + (sizeof(struct cifs_sid) * 2);
1637 dacloffset = le32_to_cpu(pntsd->dacloffset);
1639 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
1642 le32_to_cpu(dacl_ptr->num_aces) * sizeof(struct cifs_ace);
1644 nsecdesclen += le16_to_cpu(dacl_ptr->size);
1649 * Add three ACEs for owner, group, everyone getting rid of other ACEs
1650 * as chmod disables ACEs and set the security descriptor. Allocate
1651 * memory for the smb header, set security descriptor request security
1652 * descriptor parameters, and security descriptor itself
1654 nsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);
1655 pnntsd = kmalloc(nsecdesclen, GFP_KERNEL);
1658 cifs_put_tlink(tlink);
1662 rc = build_sec_desc(pntsd, pnntsd, secdesclen, &nsecdesclen, pnmode, uid, gid,
1663 mode_from_sid, id_from_sid, &aclflag);
1665 cifs_dbg(NOISY, "build_sec_desc rc: %d\n", rc);
1667 if (ops->set_acl == NULL)
1671 /* Set the security descriptor */
1672 rc = ops->set_acl(pnntsd, nsecdesclen, inode, path, aclflag);
1673 cifs_dbg(NOISY, "set_cifs_acl rc: %d\n", rc);
1675 cifs_put_tlink(tlink);
projects / linux.git / blob