search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'regmap-fix-v5.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git...
[linux/fpc-iii.git] / fs / cifs / cifsacl.c
blob562913e2b3f2e21d9718ed3aa8e9976d2982657b
1 /*
2 * fs/cifs/cifsacl.c
3 *
4 * Copyright (C) International Business Machines Corp., 2007,2008
5 * Author(s): Steve French (sfrench@us.ibm.com)
6 *
7 * Contains the routines for mapping CIFS/NTFS ACLs
8 *
9 * This library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published
11 * by the Free Software Foundation; either version 2.1 of the License, or
12 * (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
17 * the GNU Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this library; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 */
23
24 #include <linux/fs.h>
25 #include <linux/slab.h>
26 #include <linux/string.h>
27 #include <linux/keyctl.h>
28 #include <linux/key-type.h>
29 #include <keys/user-type.h>
30 #include "cifspdu.h"
31 #include "cifsglob.h"
32 #include "cifsacl.h"
33 #include "cifsproto.h"
34 #include "cifs_debug.h"
35 #include "fs_context.h"
36
37 /* security id for everyone/world system group */
38 static const struct cifs_sid sid_everyone = {
39 1, 1, {0, 0, 0, 0, 0, 1}, {0} };
40 /* security id for Authenticated Users system group */
41 static const struct cifs_sid sid_authusers = {
42 1, 1, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(11)} };
43
44 /* S-1-22-1 Unmapped Unix users */
45 static const struct cifs_sid sid_unix_users = {1, 1, {0, 0, 0, 0, 0, 22},
46 {cpu_to_le32(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
47
48 /* S-1-22-2 Unmapped Unix groups */
49 static const struct cifs_sid sid_unix_groups = { 1, 1, {0, 0, 0, 0, 0, 22},
50 {cpu_to_le32(2), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
51
52 /*
53 * See https://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
54 */
55
56 /* S-1-5-88 MS NFS and Apple style UID/GID/mode */
57
58 /* S-1-5-88-1 Unix uid */
59 static const struct cifs_sid sid_unix_NFS_users = { 1, 2, {0, 0, 0, 0, 0, 5},
60 {cpu_to_le32(88),
61 cpu_to_le32(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
62
63 /* S-1-5-88-2 Unix gid */
64 static const struct cifs_sid sid_unix_NFS_groups = { 1, 2, {0, 0, 0, 0, 0, 5},
65 {cpu_to_le32(88),
66 cpu_to_le32(2), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
67
68 /* S-1-5-88-3 Unix mode */
69 static const struct cifs_sid sid_unix_NFS_mode = { 1, 2, {0, 0, 0, 0, 0, 5},
70 {cpu_to_le32(88),
71 cpu_to_le32(3), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
72
73 static const struct cred *root_cred;
74
75 static int
76 cifs_idmap_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
77 {
78 char *payload;
79
80 /*
81 * If the payload is less than or equal to the size of a pointer, then
82 * an allocation here is wasteful. Just copy the data directly to the
83 * payload.value union member instead.
84 *
85 * With this however, you must check the datalen before trying to
86 * dereference payload.data!
87 */
88 if (prep->datalen <= sizeof(key->payload)) {
89 key->payload.data[0] = NULL;
90 memcpy(&key->payload, prep->data, prep->datalen);
91 } else {
92 payload = kmemdup(prep->data, prep->datalen, GFP_KERNEL);
93 if (!payload)
94 return -ENOMEM;
95 key->payload.data[0] = payload;
96 }
97
98 key->datalen = prep->datalen;
99 return 0;
100 }
101
102 static inline void
103 cifs_idmap_key_destroy(struct key *key)
104 {
105 if (key->datalen > sizeof(key->payload))
106 kfree(key->payload.data[0]);
107 }
108
109 static struct key_type cifs_idmap_key_type = {
110 .name = "cifs.idmap",
111 .instantiate = cifs_idmap_key_instantiate,
112 .destroy = cifs_idmap_key_destroy,
113 .describe = user_describe,
114 };
115
116 static char *
117 sid_to_key_str(struct cifs_sid *sidptr, unsigned int type)
118 {
119 int i, len;
120 unsigned int saval;
121 char *sidstr, *strptr;
122 unsigned long long id_auth_val;
123
124 /* 3 bytes for prefix */
125 sidstr = kmalloc(3 + SID_STRING_BASE_SIZE +
126 (SID_STRING_SUBAUTH_SIZE * sidptr->num_subauth),
127 GFP_KERNEL);
128 if (!sidstr)
129 return sidstr;
130
131 strptr = sidstr;
132 len = sprintf(strptr, "%cs:S-%hhu", type == SIDOWNER ? 'o' : 'g',
133 sidptr->revision);
134 strptr += len;
135
136 /* The authority field is a single 48-bit number */
137 id_auth_val = (unsigned long long)sidptr->authority[5];
138 id_auth_val |= (unsigned long long)sidptr->authority[4] << 8;
139 id_auth_val |= (unsigned long long)sidptr->authority[3] << 16;
140 id_auth_val |= (unsigned long long)sidptr->authority[2] << 24;
141 id_auth_val |= (unsigned long long)sidptr->authority[1] << 32;
142 id_auth_val |= (unsigned long long)sidptr->authority[0] << 48;
143
144 /*
145 * MS-DTYP states that if the authority is >= 2^32, then it should be
146 * expressed as a hex value.
147 */
148 if (id_auth_val <= UINT_MAX)
149 len = sprintf(strptr, "-%llu", id_auth_val);
150 else
151 len = sprintf(strptr, "-0x%llx", id_auth_val);
152
153 strptr += len;
154
155 for (i = 0; i < sidptr->num_subauth; ++i) {
156 saval = le32_to_cpu(sidptr->sub_auth[i]);
157 len = sprintf(strptr, "-%u", saval);
158 strptr += len;
159 }
160
161 return sidstr;
162 }
163
164 /*
165 * if the two SIDs (roughly equivalent to a UUID for a user or group) are
166 * the same returns zero, if they do not match returns non-zero.
167 */
168 static int
169 compare_sids(const struct cifs_sid *ctsid, const struct cifs_sid *cwsid)
170 {
171 int i;
172 int num_subauth, num_sat, num_saw;
173
174 if ((!ctsid) || (!cwsid))
175 return 1;
176
177 /* compare the revision */
178 if (ctsid->revision != cwsid->revision) {
179 if (ctsid->revision > cwsid->revision)
180 return 1;
181 else
182 return -1;
183 }
184
185 /* compare all of the six auth values */
186 for (i = 0; i < NUM_AUTHS; ++i) {
187 if (ctsid->authority[i] != cwsid->authority[i]) {
188 if (ctsid->authority[i] > cwsid->authority[i])
189 return 1;
190 else
191 return -1;
192 }
193 }
194
195 /* compare all of the subauth values if any */
196 num_sat = ctsid->num_subauth;
197 num_saw = cwsid->num_subauth;
198 num_subauth = num_sat < num_saw ? num_sat : num_saw;
199 if (num_subauth) {
200 for (i = 0; i < num_subauth; ++i) {
201 if (ctsid->sub_auth[i] != cwsid->sub_auth[i]) {
202 if (le32_to_cpu(ctsid->sub_auth[i]) >
203 le32_to_cpu(cwsid->sub_auth[i]))
204 return 1;
205 else
206 return -1;
207 }
208 }
209 }
210
211 return 0; /* sids compare/match */
212 }
213
214 static bool
215 is_well_known_sid(const struct cifs_sid *psid, uint32_t *puid, bool is_group)
216 {
217 int i;
218 int num_subauth;
219 const struct cifs_sid *pwell_known_sid;
220
221 if (!psid || (puid == NULL))
222 return false;
223
224 num_subauth = psid->num_subauth;
225
226 /* check if Mac (or Windows NFS) vs. Samba format for Unix owner SID */
227 if (num_subauth == 2) {
228 if (is_group)
229 pwell_known_sid = &sid_unix_groups;
230 else
231 pwell_known_sid = &sid_unix_users;
232 } else if (num_subauth == 3) {
233 if (is_group)
234 pwell_known_sid = &sid_unix_NFS_groups;
235 else
236 pwell_known_sid = &sid_unix_NFS_users;
237 } else
238 return false;
239
240 /* compare the revision */
241 if (psid->revision != pwell_known_sid->revision)
242 return false;
243
244 /* compare all of the six auth values */
245 for (i = 0; i < NUM_AUTHS; ++i) {
246 if (psid->authority[i] != pwell_known_sid->authority[i]) {
247 cifs_dbg(FYI, "auth %d did not match\n", i);
248 return false;
249 }
250 }
251
252 if (num_subauth == 2) {
253 if (psid->sub_auth[0] != pwell_known_sid->sub_auth[0])
254 return false;
255
256 *puid = le32_to_cpu(psid->sub_auth[1]);
257 } else /* 3 subauths, ie Windows/Mac style */ {
258 *puid = le32_to_cpu(psid->sub_auth[0]);
259 if ((psid->sub_auth[0] != pwell_known_sid->sub_auth[0]) ||
260 (psid->sub_auth[1] != pwell_known_sid->sub_auth[1]))
261 return false;
262
263 *puid = le32_to_cpu(psid->sub_auth[2]);
264 }
265
266 cifs_dbg(FYI, "Unix UID %d returned from SID\n", *puid);
267 return true; /* well known sid found, uid returned */
268 }
269
270 static void
271 cifs_copy_sid(struct cifs_sid *dst, const struct cifs_sid *src)
272 {
273 int i;
274
275 dst->revision = src->revision;
276 dst->num_subauth = min_t(u8, src->num_subauth, SID_MAX_SUB_AUTHORITIES);
277 for (i = 0; i < NUM_AUTHS; ++i)
278 dst->authority[i] = src->authority[i];
279 for (i = 0; i < dst->num_subauth; ++i)
280 dst->sub_auth[i] = src->sub_auth[i];
281 }
282
283 static int
284 id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid)
285 {
286 int rc;
287 struct key *sidkey;
288 struct cifs_sid *ksid;
289 unsigned int ksid_size;
290 char desc[3 + 10 + 1]; /* 3 byte prefix + 10 bytes for value + NULL */
291 const struct cred *saved_cred;
292
293 rc = snprintf(desc, sizeof(desc), "%ci:%u",
294 sidtype == SIDOWNER ? 'o' : 'g', cid);
295 if (rc >= sizeof(desc))
296 return -EINVAL;
297
298 rc = 0;
299 saved_cred = override_creds(root_cred);
300 sidkey = request_key(&cifs_idmap_key_type, desc, "");
301 if (IS_ERR(sidkey)) {
302 rc = -EINVAL;
303 cifs_dbg(FYI, "%s: Can't map %cid %u to a SID\n",
304 __func__, sidtype == SIDOWNER ? 'u' : 'g', cid);
305 goto out_revert_creds;
306 } else if (sidkey->datalen < CIFS_SID_BASE_SIZE) {
307 rc = -EIO;
308 cifs_dbg(FYI, "%s: Downcall contained malformed key (datalen=%hu)\n",
309 __func__, sidkey->datalen);
310 goto invalidate_key;
311 }
312
313 /*
314 * A sid is usually too large to be embedded in payload.value, but if
315 * there are no subauthorities and the host has 8-byte pointers, then
316 * it could be.
317 */
318 ksid = sidkey->datalen <= sizeof(sidkey->payload) ?
319 (struct cifs_sid *)&sidkey->payload :
320 (struct cifs_sid *)sidkey->payload.data[0];
321
322 ksid_size = CIFS_SID_BASE_SIZE + (ksid->num_subauth * sizeof(__le32));
323 if (ksid_size > sidkey->datalen) {
324 rc = -EIO;
325 cifs_dbg(FYI, "%s: Downcall contained malformed key (datalen=%hu, ksid_size=%u)\n",
326 __func__, sidkey->datalen, ksid_size);
327 goto invalidate_key;
328 }
329
330 cifs_copy_sid(ssid, ksid);
331 out_key_put:
332 key_put(sidkey);
333 out_revert_creds:
334 revert_creds(saved_cred);
335 return rc;
336
337 invalidate_key:
338 key_invalidate(sidkey);
339 goto out_key_put;
340 }
341
342 int
343 sid_to_id(struct cifs_sb_info *cifs_sb, struct cifs_sid *psid,
344 struct cifs_fattr *fattr, uint sidtype)
345 {
346 int rc = 0;
347 struct key *sidkey;
348 char *sidstr;
349 const struct cred *saved_cred;
350 kuid_t fuid = cifs_sb->ctx->linux_uid;
351 kgid_t fgid = cifs_sb->ctx->linux_gid;
352
353 /*
354 * If we have too many subauthorities, then something is really wrong.
355 * Just return an error.
356 */
357 if (unlikely(psid->num_subauth > SID_MAX_SUB_AUTHORITIES)) {
358 cifs_dbg(FYI, "%s: %u subauthorities is too many!\n",
359 __func__, psid->num_subauth);
360 return -EIO;
361 }
362
363 if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UID_FROM_ACL) ||
364 (cifs_sb_master_tcon(cifs_sb)->posix_extensions)) {
365 uint32_t unix_id;
366 bool is_group;
367
368 if (sidtype != SIDOWNER)
369 is_group = true;
370 else
371 is_group = false;
372
373 if (is_well_known_sid(psid, &unix_id, is_group) == false)
374 goto try_upcall_to_get_id;
375
376 if (is_group) {
377 kgid_t gid;
378 gid_t id;
379
380 id = (gid_t)unix_id;
381 gid = make_kgid(&init_user_ns, id);
382 if (gid_valid(gid)) {
383 fgid = gid;
384 goto got_valid_id;
385 }
386 } else {
387 kuid_t uid;
388 uid_t id;
389
390 id = (uid_t)unix_id;
391 uid = make_kuid(&init_user_ns, id);
392 if (uid_valid(uid)) {
393 fuid = uid;
394 goto got_valid_id;
395 }
396 }
397 /* If unable to find uid/gid easily from SID try via upcall */
398 }
399
400 try_upcall_to_get_id:
401 sidstr = sid_to_key_str(psid, sidtype);
402 if (!sidstr)
403 return -ENOMEM;
404
405 saved_cred = override_creds(root_cred);
406 sidkey = request_key(&cifs_idmap_key_type, sidstr, "");
407 if (IS_ERR(sidkey)) {
408 rc = -EINVAL;
409 cifs_dbg(FYI, "%s: Can't map SID %s to a %cid\n",
410 __func__, sidstr, sidtype == SIDOWNER ? 'u' : 'g');
411 goto out_revert_creds;
412 }
413
414 /*
415 * FIXME: Here we assume that uid_t and gid_t are same size. It's
416 * probably a safe assumption but might be better to check based on
417 * sidtype.
418 */
419 BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t));
420 if (sidkey->datalen != sizeof(uid_t)) {
421 rc = -EIO;
422 cifs_dbg(FYI, "%s: Downcall contained malformed key (datalen=%hu)\n",
423 __func__, sidkey->datalen);
424 key_invalidate(sidkey);
425 goto out_key_put;
426 }
427
428 if (sidtype == SIDOWNER) {
429 kuid_t uid;
430 uid_t id;
431 memcpy(&id, &sidkey->payload.data[0], sizeof(uid_t));
432 uid = make_kuid(&init_user_ns, id);
433 if (uid_valid(uid))
434 fuid = uid;
435 } else {
436 kgid_t gid;
437 gid_t id;
438 memcpy(&id, &sidkey->payload.data[0], sizeof(gid_t));
439 gid = make_kgid(&init_user_ns, id);
440 if (gid_valid(gid))
441 fgid = gid;
442 }
443
444 out_key_put:
445 key_put(sidkey);
446 out_revert_creds:
447 revert_creds(saved_cred);
448 kfree(sidstr);
449
450 /*
451 * Note that we return 0 here unconditionally. If the mapping
452 * fails then we just fall back to using the ctx->linux_uid/linux_gid.
453 */
454 got_valid_id:
455 rc = 0;
456 if (sidtype == SIDOWNER)
457 fattr->cf_uid = fuid;
458 else
459 fattr->cf_gid = fgid;
460 return rc;
461 }
462
463 int
464 init_cifs_idmap(void)
465 {
466 struct cred *cred;
467 struct key *keyring;
468 int ret;
469
470 cifs_dbg(FYI, "Registering the %s key type\n",
471 cifs_idmap_key_type.name);
472
473 /* create an override credential set with a special thread keyring in
474 * which requests are cached
475 *
476 * this is used to prevent malicious redirections from being installed
477 * with add_key().
478 */
479 cred = prepare_kernel_cred(NULL);
480 if (!cred)
481 return -ENOMEM;
482
483 keyring = keyring_alloc(".cifs_idmap",
484 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
485 (KEY_POS_ALL & ~KEY_POS_SETATTR) |
486 KEY_USR_VIEW | KEY_USR_READ,
487 KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
488 if (IS_ERR(keyring)) {
489 ret = PTR_ERR(keyring);
490 goto failed_put_cred;
491 }
492
493 ret = register_key_type(&cifs_idmap_key_type);
494 if (ret < 0)
495 goto failed_put_key;
496
497 /* instruct request_key() to use this special keyring as a cache for
498 * the results it looks up */
499 set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
500 cred->thread_keyring = keyring;
501 cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
502 root_cred = cred;
503
504 cifs_dbg(FYI, "cifs idmap keyring: %d\n", key_serial(keyring));
505 return 0;
506
507 failed_put_key:
508 key_put(keyring);
509 failed_put_cred:
510 put_cred(cred);
511 return ret;
512 }
513
514 void
515 exit_cifs_idmap(void)
516 {
517 key_revoke(root_cred->thread_keyring);
518 unregister_key_type(&cifs_idmap_key_type);
519 put_cred(root_cred);
520 cifs_dbg(FYI, "Unregistered %s key type\n", cifs_idmap_key_type.name);
521 }
522
523 /* copy ntsd, owner sid, and group sid from a security descriptor to another */
524 static void copy_sec_desc(const struct cifs_ntsd *pntsd,
525 struct cifs_ntsd *pnntsd, __u32 sidsoffset)
526 {
527 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
528 struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr;
529
530 /* copy security descriptor control portion */
531 pnntsd->revision = pntsd->revision;
532 pnntsd->type = pntsd->type;
533 pnntsd->dacloffset = cpu_to_le32(sizeof(struct cifs_ntsd));
534 pnntsd->sacloffset = 0;
535 pnntsd->osidoffset = cpu_to_le32(sidsoffset);
536 pnntsd->gsidoffset = cpu_to_le32(sidsoffset + sizeof(struct cifs_sid));
537
538 /* copy owner sid */
539 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
540 le32_to_cpu(pntsd->osidoffset));
541 nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset);
542 cifs_copy_sid(nowner_sid_ptr, owner_sid_ptr);
543
544 /* copy group sid */
545 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
546 le32_to_cpu(pntsd->gsidoffset));
547 ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset +
548 sizeof(struct cifs_sid));
549 cifs_copy_sid(ngroup_sid_ptr, group_sid_ptr);
550
551 return;
552 }
553
554
555 /*
556 change posix mode to reflect permissions
557 pmode is the existing mode (we only want to overwrite part of this
558 bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
559 */
560 static void access_flags_to_mode(__le32 ace_flags, int type, umode_t *pmode,
561 umode_t *pdenied, umode_t mask)
562 {
563 __u32 flags = le32_to_cpu(ace_flags);
564 /*
565 * Do not assume "preferred" or "canonical" order.
566 * The first DENY or ALLOW ACE which matches perfectly is
567 * the permission to be used. Once allowed or denied, same
568 * permission in later ACEs do not matter.
569 */
570
571 /* If not already allowed, deny these bits */
572 if (type == ACCESS_DENIED) {
573 if (flags & GENERIC_ALL &&
574 !(*pmode & mask & 0777))
575 *pdenied |= mask & 0777;
576
577 if (((flags & GENERIC_WRITE) ||
578 ((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS)) &&
579 !(*pmode & mask & 0222))
580 *pdenied |= mask & 0222;
581
582 if (((flags & GENERIC_READ) ||
583 ((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS)) &&
584 !(*pmode & mask & 0444))
585 *pdenied |= mask & 0444;
586
587 if (((flags & GENERIC_EXECUTE) ||
588 ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS)) &&
589 !(*pmode & mask & 0111))
590 *pdenied |= mask & 0111;
591
592 return;
593 } else if (type != ACCESS_ALLOWED) {
594 cifs_dbg(VFS, "unknown access control type %d\n", type);
595 return;
596 }
597 /* else ACCESS_ALLOWED type */
598
599 if ((flags & GENERIC_ALL) &&
600 !(*pdenied & mask & 0777)) {
601 *pmode |= mask & 0777;
602 cifs_dbg(NOISY, "all perms\n");
603 return;
604 }
605
606 if (((flags & GENERIC_WRITE) ||
607 ((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS)) &&
608 !(*pdenied & mask & 0222))
609 *pmode |= mask & 0222;
610
611 if (((flags & GENERIC_READ) ||
612 ((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS)) &&
613 !(*pdenied & mask & 0444))
614 *pmode |= mask & 0444;
615
616 if (((flags & GENERIC_EXECUTE) ||
617 ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS)) &&
618 !(*pdenied & mask & 0111))
619 *pmode |= mask & 0111;
620
621 /* If DELETE_CHILD is set only on an owner ACE, set sticky bit */
622 if (flags & FILE_DELETE_CHILD) {
623 if (mask == ACL_OWNER_MASK) {
624 if (!(*pdenied & 01000))
625 *pmode |= 01000;
626 } else if (!(*pdenied & 01000)) {
627 *pmode &= ~01000;
628 *pdenied |= 01000;
629 }
630 }
631
632 cifs_dbg(NOISY, "access flags 0x%x mode now %04o\n", flags, *pmode);
633 return;
634 }
635
636 /*
637 Generate access flags to reflect permissions mode is the existing mode.
638 This function is called for every ACE in the DACL whose SID matches
639 with either owner or group or everyone.
640 */
641
642 static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
643 __u32 *pace_flags)
644 {
645 /* reset access mask */
646 *pace_flags = 0x0;
647
648 /* bits to use are either S_IRWXU or S_IRWXG or S_IRWXO */
649 mode &= bits_to_use;
650
651 /* check for R/W/X UGO since we do not know whose flags
652 is this but we have cleared all the bits sans RWX for
653 either user or group or other as per bits_to_use */
654 if (mode & S_IRUGO)
655 *pace_flags |= SET_FILE_READ_RIGHTS;
656 if (mode & S_IWUGO)
657 *pace_flags |= SET_FILE_WRITE_RIGHTS;
658 if (mode & S_IXUGO)
659 *pace_flags |= SET_FILE_EXEC_RIGHTS;
660
661 cifs_dbg(NOISY, "mode: %04o, access flags now 0x%x\n",
662 mode, *pace_flags);
663 return;
664 }
665
666 static __u16 fill_ace_for_sid(struct cifs_ace *pntace,
667 const struct cifs_sid *psid, __u64 nmode,
668 umode_t bits, __u8 access_type,
669 bool allow_delete_child)
670 {
671 int i;
672 __u16 size = 0;
673 __u32 access_req = 0;
674
675 pntace->type = access_type;
676 pntace->flags = 0x0;
677 mode_to_access_flags(nmode, bits, &access_req);
678
679 if (access_type == ACCESS_ALLOWED && allow_delete_child)
680 access_req |= FILE_DELETE_CHILD;
681
682 if (access_type == ACCESS_ALLOWED && !access_req)
683 access_req = SET_MINIMUM_RIGHTS;
684 else if (access_type == ACCESS_DENIED)
685 access_req &= ~SET_MINIMUM_RIGHTS;
686
687 pntace->access_req = cpu_to_le32(access_req);
688
689 pntace->sid.revision = psid->revision;
690 pntace->sid.num_subauth = psid->num_subauth;
691 for (i = 0; i < NUM_AUTHS; i++)
692 pntace->sid.authority[i] = psid->authority[i];
693 for (i = 0; i < psid->num_subauth; i++)
694 pntace->sid.sub_auth[i] = psid->sub_auth[i];
695
696 size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth * 4);
697 pntace->size = cpu_to_le16(size);
698
699 return size;
700 }
701
702
703 #ifdef CONFIG_CIFS_DEBUG2
704 static void dump_ace(struct cifs_ace *pace, char *end_of_acl)
705 {
706 int num_subauth;
707
708 /* validate that we do not go past end of acl */
709
710 if (le16_to_cpu(pace->size) < 16) {
711 cifs_dbg(VFS, "ACE too small %d\n", le16_to_cpu(pace->size));
712 return;
713 }
714
715 if (end_of_acl < (char *)pace + le16_to_cpu(pace->size)) {
716 cifs_dbg(VFS, "ACL too small to parse ACE\n");
717 return;
718 }
719
720 num_subauth = pace->sid.num_subauth;
721 if (num_subauth) {
722 int i;
723 cifs_dbg(FYI, "ACE revision %d num_auth %d type %d flags %d size %d\n",
724 pace->sid.revision, pace->sid.num_subauth, pace->type,
725 pace->flags, le16_to_cpu(pace->size));
726 for (i = 0; i < num_subauth; ++i) {
727 cifs_dbg(FYI, "ACE sub_auth[%d]: 0x%x\n",
728 i, le32_to_cpu(pace->sid.sub_auth[i]));
729 }
730
731 /* BB add length check to make sure that we do not have huge
732 num auths and therefore go off the end */
733 }
734
735 return;
736 }
737 #endif
738
739 static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
740 struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
741 struct cifs_fattr *fattr, bool mode_from_special_sid)
742 {
743 int i;
744 int num_aces = 0;
745 int acl_size;
746 char *acl_base;
747 struct cifs_ace **ppace;
748
749 /* BB need to add parm so we can store the SID BB */
750
751 if (!pdacl) {
752 /* no DACL in the security descriptor, set
753 all the permissions for user/group/other */
754 fattr->cf_mode |= 0777;
755 return;
756 }
757
758 /* validate that we do not go past end of acl */
759 if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
760 cifs_dbg(VFS, "ACL too small to parse DACL\n");
761 return;
762 }
763
764 cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
765 le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
766 le32_to_cpu(pdacl->num_aces));
767
768 /* reset rwx permissions for user/group/other.
769 Also, if num_aces is 0 i.e. DACL has no ACEs,
770 user/group/other have no permissions */
771 fattr->cf_mode &= ~(0777);
772
773 acl_base = (char *)pdacl;
774 acl_size = sizeof(struct cifs_acl);
775
776 num_aces = le32_to_cpu(pdacl->num_aces);
777 if (num_aces > 0) {
778 umode_t denied_mode = 0;
779
780 if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
781 return;
782 ppace = kmalloc_array(num_aces, sizeof(struct cifs_ace *),
783 GFP_KERNEL);
784 if (!ppace)
785 return;
786
787 for (i = 0; i < num_aces; ++i) {
788 ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
789 #ifdef CONFIG_CIFS_DEBUG2
790 dump_ace(ppace[i], end_of_acl);
791 #endif
792 if (mode_from_special_sid &&
793 (compare_sids(&(ppace[i]->sid),
794 &sid_unix_NFS_mode) == 0)) {
795 /*
796 * Full permissions are:
797 * 07777 = S_ISUID | S_ISGID | S_ISVTX |
798 * S_IRWXU | S_IRWXG | S_IRWXO
799 */
800 fattr->cf_mode &= ~07777;
801 fattr->cf_mode |=
802 le32_to_cpu(ppace[i]->sid.sub_auth[2]);
803 break;
804 } else {
805 if (compare_sids(&(ppace[i]->sid), pownersid) == 0) {
806 access_flags_to_mode(ppace[i]->access_req,
807 ppace[i]->type,
808 &fattr->cf_mode,
809 &denied_mode,
810 ACL_OWNER_MASK);
811 } else if (compare_sids(&(ppace[i]->sid), pgrpsid) == 0) {
812 access_flags_to_mode(ppace[i]->access_req,
813 ppace[i]->type,
814 &fattr->cf_mode,
815 &denied_mode,
816 ACL_GROUP_MASK);
817 } else if ((compare_sids(&(ppace[i]->sid), &sid_everyone) == 0) ||
818 (compare_sids(&(ppace[i]->sid), &sid_authusers) == 0)) {
819 access_flags_to_mode(ppace[i]->access_req,
820 ppace[i]->type,
821 &fattr->cf_mode,
822 &denied_mode,
823 ACL_EVERYONE_MASK);
824 }
825 }
826
827
828 /* memcpy((void *)(&(cifscred->aces[i])),
829 (void *)ppace[i],
830 sizeof(struct cifs_ace)); */
831
832 acl_base = (char *)ppace[i];
833 acl_size = le16_to_cpu(ppace[i]->size);
834 }
835
836 kfree(ppace);
837 }
838
839 return;
840 }
841
842 unsigned int setup_authusers_ACE(struct cifs_ace *pntace)
843 {
844 int i;
845 unsigned int ace_size = 20;
846
847 pntace->type = ACCESS_ALLOWED_ACE_TYPE;
848 pntace->flags = 0x0;
849 pntace->access_req = cpu_to_le32(GENERIC_ALL);
850 pntace->sid.num_subauth = 1;
851 pntace->sid.revision = 1;
852 for (i = 0; i < NUM_AUTHS; i++)
853 pntace->sid.authority[i] = sid_authusers.authority[i];
854
855 pntace->sid.sub_auth[0] = sid_authusers.sub_auth[0];
856
857 /* size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth*4) */
858 pntace->size = cpu_to_le16(ace_size);
859 return ace_size;
860 }
861
862 /*
863 * Fill in the special SID based on the mode. See
864 * https://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
865 */
866 unsigned int setup_special_mode_ACE(struct cifs_ace *pntace, __u64 nmode)
867 {
868 int i;
869 unsigned int ace_size = 28;
870
871 pntace->type = ACCESS_DENIED_ACE_TYPE;
872 pntace->flags = 0x0;
873 pntace->access_req = 0;
874 pntace->sid.num_subauth = 3;
875 pntace->sid.revision = 1;
876 for (i = 0; i < NUM_AUTHS; i++)
877 pntace->sid.authority[i] = sid_unix_NFS_mode.authority[i];
878
879 pntace->sid.sub_auth[0] = sid_unix_NFS_mode.sub_auth[0];
880 pntace->sid.sub_auth[1] = sid_unix_NFS_mode.sub_auth[1];
881 pntace->sid.sub_auth[2] = cpu_to_le32(nmode & 07777);
882
883 /* size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth*4) */
884 pntace->size = cpu_to_le16(ace_size);
885 return ace_size;
886 }
887
888 unsigned int setup_special_user_owner_ACE(struct cifs_ace *pntace)
889 {
890 int i;
891 unsigned int ace_size = 28;
892
893 pntace->type = ACCESS_ALLOWED_ACE_TYPE;
894 pntace->flags = 0x0;
895 pntace->access_req = cpu_to_le32(GENERIC_ALL);
896 pntace->sid.num_subauth = 3;
897 pntace->sid.revision = 1;
898 for (i = 0; i < NUM_AUTHS; i++)
899 pntace->sid.authority[i] = sid_unix_NFS_users.authority[i];
900
901 pntace->sid.sub_auth[0] = sid_unix_NFS_users.sub_auth[0];
902 pntace->sid.sub_auth[1] = sid_unix_NFS_users.sub_auth[1];
903 pntace->sid.sub_auth[2] = cpu_to_le32(current_fsgid().val);
904
905 /* size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth*4) */
906 pntace->size = cpu_to_le16(ace_size);
907 return ace_size;
908 }
909
910 static int set_chmod_dacl(struct cifs_acl *pndacl, struct cifs_sid *pownersid,
911 struct cifs_sid *pgrpsid, __u64 *pnmode, bool modefromsid)
912 {
913 u16 size = 0;
914 u32 num_aces = 0;
915 struct cifs_acl *pnndacl;
916 __u64 nmode;
917 __u64 user_mode;
918 __u64 group_mode;
919 __u64 other_mode;
920 __u64 deny_user_mode = 0;
921 __u64 deny_group_mode = 0;
922 bool sticky_set = false;
923
924 pnndacl = (struct cifs_acl *)((char *)pndacl + sizeof(struct cifs_acl));
925
926 nmode = *pnmode;
927
928 if (modefromsid) {
929 struct cifs_ace *pntace =
930 (struct cifs_ace *)((char *)pnndacl + size);
931
932 size += setup_special_mode_ACE(pntace, nmode);
933 num_aces++;
934 goto set_size;
935 }
936
937 /*
938 * We'll try to keep the mode as requested by the user.
939 * But in cases where we cannot meaningfully convert that
940 * into ACL, return back the updated mode, so that it is
941 * updated in the inode.
942 */
943
944 if (!memcmp(pownersid, pgrpsid, sizeof(struct cifs_sid))) {
945 /*
946 * Case when owner and group SIDs are the same.
947 * Set the more restrictive of the two modes.
948 */
949 user_mode = nmode & (nmode << 3) & 0700;
950 group_mode = nmode & (nmode >> 3) & 0070;
951 } else {
952 user_mode = nmode & 0700;
953 group_mode = nmode & 0070;
954 }
955
956 other_mode = nmode & 0007;
957
958 /* We need DENY ACE when the perm is more restrictive than the next sets. */
959 deny_user_mode = ~(user_mode) & ((group_mode << 3) | (other_mode << 6)) & 0700;
960 deny_group_mode = ~(group_mode) & (other_mode << 3) & 0070;
961
962 *pnmode = user_mode | group_mode | other_mode | (nmode & ~0777);
963
964 /* This tells if we should allow delete child for group and everyone. */
965 if (nmode & 01000)
966 sticky_set = true;
967
968 if (deny_user_mode) {
969 size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
970 pownersid, deny_user_mode, 0700, ACCESS_DENIED, false);
971 num_aces++;
972 }
973 /* Group DENY ACE does not conflict with owner ALLOW ACE. Keep in preferred order*/
974 if (deny_group_mode && !(deny_group_mode & (user_mode >> 3))) {
975 size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
976 pgrpsid, deny_group_mode, 0070, ACCESS_DENIED, false);
977 num_aces++;
978 }
979 size += fill_ace_for_sid((struct cifs_ace *) ((char *)pnndacl + size),
980 pownersid, user_mode, 0700, ACCESS_ALLOWED, true);
981 num_aces++;
982 /* Group DENY ACE conflicts with owner ALLOW ACE. So keep it after. */
983 if (deny_group_mode && (deny_group_mode & (user_mode >> 3))) {
984 size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
985 pgrpsid, deny_group_mode, 0070, ACCESS_DENIED, false);
986 num_aces++;
987 }
988 size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
989 pgrpsid, group_mode, 0070, ACCESS_ALLOWED, !sticky_set);
990 num_aces++;
991 size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
992 &sid_everyone, other_mode, 0007, ACCESS_ALLOWED, !sticky_set);
993 num_aces++;
994
995 set_size:
996 pndacl->num_aces = cpu_to_le32(num_aces);
997 pndacl->size = cpu_to_le16(size + sizeof(struct cifs_acl));
998
999 return 0;
1000 }
1001
1002
1003 static int parse_sid(struct cifs_sid *psid, char *end_of_acl)
1004 {
1005 /* BB need to add parm so we can store the SID BB */
1006
1007 /* validate that we do not go past end of ACL - sid must be at least 8
1008 bytes long (assuming no sub-auths - e.g. the null SID */
1009 if (end_of_acl < (char *)psid + 8) {
1010 cifs_dbg(VFS, "ACL too small to parse SID %p\n", psid);
1011 return -EINVAL;
1012 }
1013
1014 #ifdef CONFIG_CIFS_DEBUG2
1015 if (psid->num_subauth) {
1016 int i;
1017 cifs_dbg(FYI, "SID revision %d num_auth %d\n",
1018 psid->revision, psid->num_subauth);
1019
1020 for (i = 0; i < psid->num_subauth; i++) {
1021 cifs_dbg(FYI, "SID sub_auth[%d]: 0x%x\n",
1022 i, le32_to_cpu(psid->sub_auth[i]));
1023 }
1024
1025 /* BB add length check to make sure that we do not have huge
1026 num auths and therefore go off the end */
1027 cifs_dbg(FYI, "RID 0x%x\n",
1028 le32_to_cpu(psid->sub_auth[psid->num_subauth-1]));
1029 }
1030 #endif
1031
1032 return 0;
1033 }
1034
1035
1036 /* Convert CIFS ACL to POSIX form */
1037 static int parse_sec_desc(struct cifs_sb_info *cifs_sb,
1038 struct cifs_ntsd *pntsd, int acl_len, struct cifs_fattr *fattr,
1039 bool get_mode_from_special_sid)
1040 {
1041 int rc = 0;
1042 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
1043 struct cifs_acl *dacl_ptr; /* no need for SACL ptr */
1044 char *end_of_acl = ((char *)pntsd) + acl_len;
1045 __u32 dacloffset;
1046
1047 if (pntsd == NULL)
1048 return -EIO;
1049
1050 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1051 le32_to_cpu(pntsd->osidoffset));
1052 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1053 le32_to_cpu(pntsd->gsidoffset));
1054 dacloffset = le32_to_cpu(pntsd->dacloffset);
1055 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
1056 cifs_dbg(NOISY, "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
1057 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
1058 le32_to_cpu(pntsd->gsidoffset),
1059 le32_to_cpu(pntsd->sacloffset), dacloffset);
1060 /* cifs_dump_mem("owner_sid: ", owner_sid_ptr, 64); */
1061 rc = parse_sid(owner_sid_ptr, end_of_acl);
1062 if (rc) {
1063 cifs_dbg(FYI, "%s: Error %d parsing Owner SID\n", __func__, rc);
1064 return rc;
1065 }
1066 rc = sid_to_id(cifs_sb, owner_sid_ptr, fattr, SIDOWNER);
1067 if (rc) {
1068 cifs_dbg(FYI, "%s: Error %d mapping Owner SID to uid\n",
1069 __func__, rc);
1070 return rc;
1071 }
1072
1073 rc = parse_sid(group_sid_ptr, end_of_acl);
1074 if (rc) {
1075 cifs_dbg(FYI, "%s: Error %d mapping Owner SID to gid\n",
1076 __func__, rc);
1077 return rc;
1078 }
1079 rc = sid_to_id(cifs_sb, group_sid_ptr, fattr, SIDGROUP);
1080 if (rc) {
1081 cifs_dbg(FYI, "%s: Error %d mapping Group SID to gid\n",
1082 __func__, rc);
1083 return rc;
1084 }
1085
1086 if (dacloffset)
1087 parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
1088 group_sid_ptr, fattr, get_mode_from_special_sid);
1089 else
1090 cifs_dbg(FYI, "no ACL\n"); /* BB grant all or default perms? */
1091
1092 return rc;
1093 }
1094
1095 /* Convert permission bits from mode to equivalent CIFS ACL */
1096 static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
1097 __u32 secdesclen, __u64 *pnmode, kuid_t uid, kgid_t gid,
1098 bool mode_from_sid, bool id_from_sid, int *aclflag)
1099 {
1100 int rc = 0;
1101 __u32 dacloffset;
1102 __u32 ndacloffset;
1103 __u32 sidsoffset;
1104 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
1105 struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr;
1106 struct cifs_acl *dacl_ptr = NULL; /* no need for SACL ptr */
1107 struct cifs_acl *ndacl_ptr = NULL; /* no need for SACL ptr */
1108
1109 if (pnmode && *pnmode != NO_CHANGE_64) { /* chmod */
1110 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1111 le32_to_cpu(pntsd->osidoffset));
1112 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1113 le32_to_cpu(pntsd->gsidoffset));
1114 dacloffset = le32_to_cpu(pntsd->dacloffset);
1115 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
1116 ndacloffset = sizeof(struct cifs_ntsd);
1117 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset);
1118 ndacl_ptr->revision = dacl_ptr->revision;
1119 ndacl_ptr->size = 0;
1120 ndacl_ptr->num_aces = 0;
1121
1122 rc = set_chmod_dacl(ndacl_ptr, owner_sid_ptr, group_sid_ptr,
1123 pnmode, mode_from_sid);
1124 sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size);
1125 /* copy sec desc control portion & owner and group sids */
1126 copy_sec_desc(pntsd, pnntsd, sidsoffset);
1127 *aclflag = CIFS_ACL_DACL;
1128 } else {
1129 memcpy(pnntsd, pntsd, secdesclen);
1130 if (uid_valid(uid)) { /* chown */
1131 uid_t id;
1132 owner_sid_ptr = (struct cifs_sid *)((char *)pnntsd +
1133 le32_to_cpu(pnntsd->osidoffset));
1134 nowner_sid_ptr = kmalloc(sizeof(struct cifs_sid),
1135 GFP_KERNEL);
1136 if (!nowner_sid_ptr)
1137 return -ENOMEM;
1138 id = from_kuid(&init_user_ns, uid);
1139 if (id_from_sid) {
1140 struct owner_sid *osid = (struct owner_sid *)nowner_sid_ptr;
1141 /* Populate the user ownership fields S-1-5-88-1 */
1142 osid->Revision = 1;
1143 osid->NumAuth = 3;
1144 osid->Authority[5] = 5;
1145 osid->SubAuthorities[0] = cpu_to_le32(88);
1146 osid->SubAuthorities[1] = cpu_to_le32(1);
1147 osid->SubAuthorities[2] = cpu_to_le32(id);
1148 } else { /* lookup sid with upcall */
1149 rc = id_to_sid(id, SIDOWNER, nowner_sid_ptr);
1150 if (rc) {
1151 cifs_dbg(FYI, "%s: Mapping error %d for owner id %d\n",
1152 __func__, rc, id);
1153 kfree(nowner_sid_ptr);
1154 return rc;
1155 }
1156 }
1157 cifs_copy_sid(owner_sid_ptr, nowner_sid_ptr);
1158 kfree(nowner_sid_ptr);
1159 *aclflag = CIFS_ACL_OWNER;
1160 }
1161 if (gid_valid(gid)) { /* chgrp */
1162 gid_t id;
1163 group_sid_ptr = (struct cifs_sid *)((char *)pnntsd +
1164 le32_to_cpu(pnntsd->gsidoffset));
1165 ngroup_sid_ptr = kmalloc(sizeof(struct cifs_sid),
1166 GFP_KERNEL);
1167 if (!ngroup_sid_ptr)
1168 return -ENOMEM;
1169 id = from_kgid(&init_user_ns, gid);
1170 if (id_from_sid) {
1171 struct owner_sid *gsid = (struct owner_sid *)ngroup_sid_ptr;
1172 /* Populate the group ownership fields S-1-5-88-2 */
1173 gsid->Revision = 1;
1174 gsid->NumAuth = 3;
1175 gsid->Authority[5] = 5;
1176 gsid->SubAuthorities[0] = cpu_to_le32(88);
1177 gsid->SubAuthorities[1] = cpu_to_le32(2);
1178 gsid->SubAuthorities[2] = cpu_to_le32(id);
1179 } else { /* lookup sid with upcall */
1180 rc = id_to_sid(id, SIDGROUP, ngroup_sid_ptr);
1181 if (rc) {
1182 cifs_dbg(FYI, "%s: Mapping error %d for group id %d\n",
1183 __func__, rc, id);
1184 kfree(ngroup_sid_ptr);
1185 return rc;
1186 }
1187 }
1188 cifs_copy_sid(group_sid_ptr, ngroup_sid_ptr);
1189 kfree(ngroup_sid_ptr);
1190 *aclflag = CIFS_ACL_GROUP;
1191 }
1192 }
1193
1194 return rc;
1195 }
1196
1197 struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb,
1198 const struct cifs_fid *cifsfid, u32 *pacllen,
1199 u32 __maybe_unused unused)
1200 {
1201 struct cifs_ntsd *pntsd = NULL;
1202 unsigned int xid;
1203 int rc;
1204 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1205
1206 if (IS_ERR(tlink))
1207 return ERR_CAST(tlink);
1208
1209 xid = get_xid();
1210 rc = CIFSSMBGetCIFSACL(xid, tlink_tcon(tlink), cifsfid->netfid, &pntsd,
1211 pacllen);
1212 free_xid(xid);
1213
1214 cifs_put_tlink(tlink);
1215
1216 cifs_dbg(FYI, "%s: rc = %d ACL len %d\n", __func__, rc, *pacllen);
1217 if (rc)
1218 return ERR_PTR(rc);
1219 return pntsd;
1220 }
1221
1222 static struct cifs_ntsd *get_cifs_acl_by_path(struct cifs_sb_info *cifs_sb,
1223 const char *path, u32 *pacllen)
1224 {
1225 struct cifs_ntsd *pntsd = NULL;
1226 int oplock = 0;
1227 unsigned int xid;
1228 int rc;
1229 struct cifs_tcon *tcon;
1230 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1231 struct cifs_fid fid;
1232 struct cifs_open_parms oparms;
1233
1234 if (IS_ERR(tlink))
1235 return ERR_CAST(tlink);
1236
1237 tcon = tlink_tcon(tlink);
1238 xid = get_xid();
1239
1240 oparms.tcon = tcon;
1241 oparms.cifs_sb = cifs_sb;
1242 oparms.desired_access = READ_CONTROL;
1243 oparms.create_options = cifs_create_options(cifs_sb, 0);
1244 oparms.disposition = FILE_OPEN;
1245 oparms.path = path;
1246 oparms.fid = &fid;
1247 oparms.reconnect = false;
1248
1249 rc = CIFS_open(xid, &oparms, &oplock, NULL);
1250 if (!rc) {
1251 rc = CIFSSMBGetCIFSACL(xid, tcon, fid.netfid, &pntsd, pacllen);
1252 CIFSSMBClose(xid, tcon, fid.netfid);
1253 }
1254
1255 cifs_put_tlink(tlink);
1256 free_xid(xid);
1257
1258 cifs_dbg(FYI, "%s: rc = %d ACL len %d\n", __func__, rc, *pacllen);
1259 if (rc)
1260 return ERR_PTR(rc);
1261 return pntsd;
1262 }
1263
1264 /* Retrieve an ACL from the server */
1265 struct cifs_ntsd *get_cifs_acl(struct cifs_sb_info *cifs_sb,
1266 struct inode *inode, const char *path,
1267 u32 *pacllen, u32 info)
1268 {
1269 struct cifs_ntsd *pntsd = NULL;
1270 struct cifsFileInfo *open_file = NULL;
1271
1272 if (inode)
1273 open_file = find_readable_file(CIFS_I(inode), true);
1274 if (!open_file)
1275 return get_cifs_acl_by_path(cifs_sb, path, pacllen);
1276
1277 pntsd = get_cifs_acl_by_fid(cifs_sb, &open_file->fid, pacllen, info);
1278 cifsFileInfo_put(open_file);
1279 return pntsd;
1280 }
1281
1282 /* Set an ACL on the server */
1283 int set_cifs_acl(struct cifs_ntsd *pnntsd, __u32 acllen,
1284 struct inode *inode, const char *path, int aclflag)
1285 {
1286 int oplock = 0;
1287 unsigned int xid;
1288 int rc, access_flags;
1289 struct cifs_tcon *tcon;
1290 struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
1291 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1292 struct cifs_fid fid;
1293 struct cifs_open_parms oparms;
1294
1295 if (IS_ERR(tlink))
1296 return PTR_ERR(tlink);
1297
1298 tcon = tlink_tcon(tlink);
1299 xid = get_xid();
1300
1301 if (aclflag == CIFS_ACL_OWNER || aclflag == CIFS_ACL_GROUP)
1302 access_flags = WRITE_OWNER;
1303 else
1304 access_flags = WRITE_DAC;
1305
1306 oparms.tcon = tcon;
1307 oparms.cifs_sb = cifs_sb;
1308 oparms.desired_access = access_flags;
1309 oparms.create_options = cifs_create_options(cifs_sb, 0);
1310 oparms.disposition = FILE_OPEN;
1311 oparms.path = path;
1312 oparms.fid = &fid;
1313 oparms.reconnect = false;
1314
1315 rc = CIFS_open(xid, &oparms, &oplock, NULL);
1316 if (rc) {
1317 cifs_dbg(VFS, "Unable to open file to set ACL\n");
1318 goto out;
1319 }
1320
1321 rc = CIFSSMBSetCIFSACL(xid, tcon, fid.netfid, pnntsd, acllen, aclflag);
1322 cifs_dbg(NOISY, "SetCIFSACL rc = %d\n", rc);
1323
1324 CIFSSMBClose(xid, tcon, fid.netfid);
1325 out:
1326 free_xid(xid);
1327 cifs_put_tlink(tlink);
1328 return rc;
1329 }
1330
1331 /* Translate the CIFS ACL (similar to NTFS ACL) for a file into mode bits */
1332 int
1333 cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr,
1334 struct inode *inode, bool mode_from_special_sid,
1335 const char *path, const struct cifs_fid *pfid)
1336 {
1337 struct cifs_ntsd *pntsd = NULL;
1338 u32 acllen = 0;
1339 int rc = 0;
1340 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1341 struct smb_version_operations *ops;
1342 const u32 info = 0;
1343
1344 cifs_dbg(NOISY, "converting ACL to mode for %s\n", path);
1345
1346 if (IS_ERR(tlink))
1347 return PTR_ERR(tlink);
1348
1349 ops = tlink_tcon(tlink)->ses->server->ops;
1350
1351 if (pfid && (ops->get_acl_by_fid))
1352 pntsd = ops->get_acl_by_fid(cifs_sb, pfid, &acllen, info);
1353 else if (ops->get_acl)
1354 pntsd = ops->get_acl(cifs_sb, inode, path, &acllen, info);
1355 else {
1356 cifs_put_tlink(tlink);
1357 return -EOPNOTSUPP;
1358 }
1359 /* if we can retrieve the ACL, now parse Access Control Entries, ACEs */
1360 if (IS_ERR(pntsd)) {
1361 rc = PTR_ERR(pntsd);
1362 cifs_dbg(VFS, "%s: error %d getting sec desc\n", __func__, rc);
1363 } else if (mode_from_special_sid) {
1364 rc = parse_sec_desc(cifs_sb, pntsd, acllen, fattr, true);
1365 kfree(pntsd);
1366 } else {
1367 /* get approximated mode from ACL */
1368 rc = parse_sec_desc(cifs_sb, pntsd, acllen, fattr, false);
1369 kfree(pntsd);
1370 if (rc)
1371 cifs_dbg(VFS, "parse sec desc failed rc = %d\n", rc);
1372 }
1373
1374 cifs_put_tlink(tlink);
1375
1376 return rc;
1377 }
1378
1379 /* Convert mode bits to an ACL so we can update the ACL on the server */
1380 int
1381 id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
1382 kuid_t uid, kgid_t gid)
1383 {
1384 int rc = 0;
1385 int aclflag = CIFS_ACL_DACL; /* default flag to set */
1386 __u32 secdesclen = 0;
1387 struct cifs_ntsd *pntsd = NULL; /* acl obtained from server */
1388 struct cifs_ntsd *pnntsd = NULL; /* modified acl to be sent to server */
1389 struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
1390 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1391 struct smb_version_operations *ops;
1392 bool mode_from_sid, id_from_sid;
1393 const u32 info = 0;
1394
1395 if (IS_ERR(tlink))
1396 return PTR_ERR(tlink);
1397
1398 ops = tlink_tcon(tlink)->ses->server->ops;
1399
1400 cifs_dbg(NOISY, "set ACL from mode for %s\n", path);
1401
1402 /* Get the security descriptor */
1403
1404 if (ops->get_acl == NULL) {
1405 cifs_put_tlink(tlink);
1406 return -EOPNOTSUPP;
1407 }
1408
1409 pntsd = ops->get_acl(cifs_sb, inode, path, &secdesclen, info);
1410 if (IS_ERR(pntsd)) {
1411 rc = PTR_ERR(pntsd);
1412 cifs_dbg(VFS, "%s: error %d getting sec desc\n", __func__, rc);
1413 cifs_put_tlink(tlink);
1414 return rc;
1415 }
1416
1417 /*
1418 * Add three ACEs for owner, group, everyone getting rid of other ACEs
1419 * as chmod disables ACEs and set the security descriptor. Allocate
1420 * memory for the smb header, set security descriptor request security
1421 * descriptor parameters, and secuirty descriptor itself
1422 */
1423 secdesclen = max_t(u32, secdesclen, DEFAULT_SEC_DESC_LEN);
1424 pnntsd = kmalloc(secdesclen, GFP_KERNEL);
1425 if (!pnntsd) {
1426 kfree(pntsd);
1427 cifs_put_tlink(tlink);
1428 return -ENOMEM;
1429 }
1430
1431 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MODE_FROM_SID)
1432 mode_from_sid = true;
1433 else
1434 mode_from_sid = false;
1435
1436 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UID_FROM_ACL)
1437 id_from_sid = true;
1438 else
1439 id_from_sid = false;
1440
1441 rc = build_sec_desc(pntsd, pnntsd, secdesclen, pnmode, uid, gid,
1442 mode_from_sid, id_from_sid, &aclflag);
1443
1444 cifs_dbg(NOISY, "build_sec_desc rc: %d\n", rc);
1445
1446 if (ops->set_acl == NULL)
1447 rc = -EOPNOTSUPP;
1448
1449 if (!rc) {
1450 /* Set the security descriptor */
1451 rc = ops->set_acl(pnntsd, secdesclen, inode, path, aclflag);
1452 cifs_dbg(NOISY, "set_cifs_acl rc: %d\n", rc);
1453 }
1454 cifs_put_tlink(tlink);
1455
1456 kfree(pnntsd);
1457 kfree(pntsd);
1458 return rc;
1459 }
Linux with added FPC-III support