include/ntfs-3g/security.h

   1 /*
   2  * security.h - Exports for handling security/ACLs in NTFS.
   3  *              Originated from the Linux-NTFS project.
   4  *
   5  * Copyright (c) 2004      Anton Altaparmakov
   6  * Copyright (c) 2005-2006 Szabolcs Szakacsits
   7  * Copyright (c) 2007-2010 Jean-Pierre Andre
   8  *
   9  * This program/include file is free software; you can redistribute it and/or
  10  * modify it under the terms of the GNU General Public License as published
  11  * by the Free Software Foundation; either version 2 of the License, or
  12  * (at your option) any later version.
  13  *
  14  * This program/include file is distributed in the hope that it will be
  15  * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
  16  * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  * GNU General Public License for more details.
  18  *
  19  * You should have received a copy of the GNU General Public License
  20  * along with this program (in the main directory of the NTFS-3G
  21  * distribution in the file COPYING); if not, write to the Free Software
  22  * Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  23  */
  24
  25 #ifndef _NTFS_SECURITY_H
  26 #define _NTFS_SECURITY_H
  27
  28 #include "types.h"
  29 #include "layout.h"
  30 #include "inode.h"
  31 #include "dir.h"
  32 #include "endians.h"
  33
  34 #ifndef POSIXACLS
  35 #define POSIXACLS 0
  36 #endif
  37
  38 /*
  39  *          item in the mapping list
  40  */
  41
  42 struct MAPPING {
  43         struct MAPPING *next;
  44         int xid;                /* linux id : uid or gid */
  45         SID *sid;               /* Windows id : usid or gsid */
  46         int grcnt;              /* group count (for users only) */
  47         gid_t *groups;          /* groups which the user is member of */
  48 };
  49
  50 /*
  51  *              Entry in the permissions cache
  52  *      Note : this cache is not organized as a generic cache
  53  */
  54
  55 struct CACHED_PERMISSIONS {
  56         uid_t uid;
  57         gid_t gid;
  58         le32 inh_fileid;
  59         le32 inh_dirid;
  60 #if POSIXACLS
  61         struct POSIX_SECURITY *pxdesc;
  62         unsigned int pxdescsize:16;
  63 #endif
  64         unsigned int mode:12;
  65         unsigned int valid:1;
  66 } ;
  67
  68 /*
  69  *      Entry in the permissions cache for directories with no security_id
  70  */
  71
  72 struct CACHED_PERMISSIONS_LEGACY {
  73         struct CACHED_PERMISSIONS_LEGACY *next;
  74         struct CACHED_PERMISSIONS_LEGACY *previous;
  75         void *variable;
  76         size_t varsize;
  77         union ALIGNMENT payload[0];
  78                 /* above fields must match "struct CACHED_GENERIC" */
  79         u64 mft_no;
  80         struct CACHED_PERMISSIONS perm;
  81 } ;
  82
  83 /*
  84  *      Entry in the securid cache
  85  */
  86
  87 struct CACHED_SECURID {
  88         struct CACHED_SECURID *next;
  89         struct CACHED_SECURID *previous;
  90         void *variable;
  91         size_t varsize;
  92         union ALIGNMENT payload[0];
  93                 /* above fields must match "struct CACHED_GENERIC" */
  94         uid_t uid;
  95         gid_t gid;
  96         unsigned int dmode;
  97         le32 securid;
  98 } ;
  99
 100 /*
 101  *      Header of the security cache
 102  *      (has no cache structure by itself)
 103  */
 104
 105 struct CACHED_PERMISSIONS_HEADER {
 106         unsigned int last;
 107                         /* statistics for permissions */
 108         unsigned long p_writes;
 109         unsigned long p_reads;
 110         unsigned long p_hits;
 111 } ;
 112
 113 /*
 114  *      The whole permissions cache
 115  */
 116
 117 struct PERMISSIONS_CACHE {
 118         struct CACHED_PERMISSIONS_HEADER head;
 119         struct CACHED_PERMISSIONS *cachetable[1]; /* array of variable size */
 120 } ;
 121
 122 /*
 123  *      Security flags values
 124  */
 125
 126 enum {
 127         SECURITY_DEFAULT,       /* rely on fuse for permissions checking */
 128         SECURITY_RAW,           /* force same ownership/permissions on files */
 129         SECURITY_ACL,           /* enable Posix ACLs (when compiled in) */
 130         SECURITY_ADDSECURIDS,   /* upgrade old security descriptors */
 131         SECURITY_STATICGRPS,    /* use static groups for access control */
 132         SECURITY_WANTED         /* a security related option was present */
 133 } ;
 134
 135 /*
 136  *      Security context, needed by most security functions
 137  */
 138
 139 enum { MAPUSERS, MAPGROUPS, MAPCOUNT } ;
 140
 141 struct SECURITY_CONTEXT {
 142         ntfs_volume *vol;
 143         struct MAPPING *mapping[MAPCOUNT];
 144         struct PERMISSIONS_CACHE **pseccache;
 145         uid_t uid; /* uid of user requesting (not the mounter) */
 146         gid_t gid; /* gid of user requesting (not the mounter) */
 147         pid_t tid; /* thread id of thread requesting */
 148         mode_t umask; /* umask of requesting thread */
 149         } ;
 150
 151 #if POSIXACLS
 152
 153 /*
 154  *                     Posix ACL structures
 155  */
 156
 157 struct POSIX_ACE {
 158         u16 tag;
 159         u16 perms;
 160         s32 id;
 161 } __attribute__((__packed__));
 162
 163 struct POSIX_ACL {
 164         u8 version;
 165         u8 flags;
 166         u16 filler;
 167         struct POSIX_ACE ace[0];
 168 } __attribute__((__packed__));
 169
 170 struct POSIX_SECURITY {
 171         mode_t mode;
 172         int acccnt;
 173         int defcnt;
 174         int firstdef;
 175         u16 tagsset;
 176         u16 filler;
 177         struct POSIX_ACL acl;
 178 } ;
 179
 180 /*
 181  *              Posix tags, cpu-endian 16 bits
 182  */
 183
 184 enum {
 185         POSIX_ACL_USER_OBJ =    1,
 186         POSIX_ACL_USER =        2,
 187         POSIX_ACL_GROUP_OBJ =   4,
 188         POSIX_ACL_GROUP =       8,
 189         POSIX_ACL_MASK =        16,
 190         POSIX_ACL_OTHER =       32,
 191         POSIX_ACL_SPECIAL =     64  /* internal use only */
 192 } ;
 193
 194 #define POSIX_ACL_EXTENSIONS (POSIX_ACL_USER | POSIX_ACL_GROUP | POSIX_ACL_MASK)
 195
 196 /*
 197  *              Posix permissions, cpu-endian 16 bits
 198  */
 199
 200 enum {
 201         POSIX_PERM_X =          1,
 202         POSIX_PERM_W =          2,
 203         POSIX_PERM_R =          4,
 204         POSIX_PERM_DENIAL =     64 /* internal use only */
 205 } ;
 206
 207 #define POSIX_VERSION 2
 208
 209 #endif
 210
 211 extern BOOL ntfs_guid_is_zero(const GUID *guid);
 212 extern char *ntfs_guid_to_mbs(const GUID *guid, char *guid_str);
 213
 214 extern int ntfs_sid_to_mbs_size(const SID *sid);
 215 extern char *ntfs_sid_to_mbs(const SID *sid, char *sid_str,
 216                 size_t sid_str_size);
 217 extern void ntfs_generate_guid(GUID *guid);
 218 extern int ntfs_sd_add_everyone(ntfs_inode *ni);
 219
 220 extern le32 ntfs_security_hash(const SECURITY_DESCRIPTOR_RELATIVE *sd,
 221                                const u32 len);
 222
 223 int ntfs_build_mapping(struct SECURITY_CONTEXT *scx, const char *usermap_path,
 224                 BOOL allowdef);
 225 int ntfs_get_owner_mode(struct SECURITY_CONTEXT *scx,
 226                 ntfs_inode *ni, struct stat*);
 227 int ntfs_set_mode(struct SECURITY_CONTEXT *scx, ntfs_inode *ni, mode_t mode);
 228 BOOL ntfs_allowed_as_owner(struct SECURITY_CONTEXT *scx, ntfs_inode *ni);
 229 int ntfs_allowed_access(struct SECURITY_CONTEXT *scx,
 230                 ntfs_inode *ni, int accesstype);
 231 int ntfs_allowed_create(struct SECURITY_CONTEXT *scx,
 232                 ntfs_inode *ni, gid_t *pgid, mode_t *pdsetgid);
 233 BOOL old_ntfs_allowed_dir_access(struct SECURITY_CONTEXT *scx,
 234                 const char *path, int accesstype);
 235
 236 #if POSIXACLS
 237 le32 ntfs_alloc_securid(struct SECURITY_CONTEXT *scx,
 238                 uid_t uid, gid_t gid, ntfs_inode *dir_ni,
 239                 mode_t mode, BOOL isdir);
 240 #else
 241 le32 ntfs_alloc_securid(struct SECURITY_CONTEXT *scx,
 242                 uid_t uid, gid_t gid, mode_t mode, BOOL isdir);
 243 #endif
 244 int ntfs_set_owner(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
 245                 uid_t uid, gid_t gid);
 246 int ntfs_set_ownmod(struct SECURITY_CONTEXT *scx,
 247                 ntfs_inode *ni, uid_t uid, gid_t gid, mode_t mode);
 248 #if POSIXACLS
 249 int ntfs_set_owner_mode(struct SECURITY_CONTEXT *scx,
 250                 ntfs_inode *ni, uid_t uid, gid_t gid,
 251                 mode_t mode, struct POSIX_SECURITY *pxdesc);
 252 #else
 253 int ntfs_set_owner_mode(struct SECURITY_CONTEXT *scx,
 254                 ntfs_inode *ni, uid_t uid, gid_t gid, mode_t mode);
 255 #endif
 256 le32 ntfs_inherited_id(struct SECURITY_CONTEXT *scx,
 257                 ntfs_inode *dir_ni, BOOL fordir);
 258 int ntfs_open_secure(ntfs_volume *vol);
 259 int ntfs_close_secure(ntfs_volume *vol);
 260
 261 void ntfs_destroy_security_context(struct SECURITY_CONTEXT *scx);
 262
 263 #if POSIXACLS
 264
 265 int ntfs_set_inherited_posix(struct SECURITY_CONTEXT *scx,
 266                 ntfs_inode *ni, uid_t uid, gid_t gid,
 267                 ntfs_inode *dir_ni, mode_t mode);
 268 int ntfs_get_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
 269                         const char *name, char *value, size_t size);
 270 int ntfs_set_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
 271                         const char *name, const char *value, size_t size,
 272                         int flags);
 273 int ntfs_remove_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
 274                         const char *name);
 275 #endif
 276
 277 int ntfs_get_ntfs_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
 278                         char *value, size_t size);
 279 int ntfs_set_ntfs_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
 280                         const char *value, size_t size, int flags);
 281
 282 int ntfs_get_ntfs_attrib(ntfs_inode *ni, char *value, size_t size);
 283 int ntfs_set_ntfs_attrib(ntfs_inode *ni,
 284                         const char *value, size_t size, int flags);
 285
 286
 287 /*
 288  *              Security API for direct access to security descriptors
 289  *      based on Win32 API
 290  */
 291
 292 #define MAGIC_API 0x09042009
 293
 294 struct SECURITY_API {
 295         u32 magic;
 296         struct SECURITY_CONTEXT security;
 297         struct PERMISSIONS_CACHE *seccache;
 298 } ;
 299
 300 /*
 301  *  The following constants are used in interfacing external programs.
 302  *  They are not to be stored on disk and must be defined in their
 303  *  native cpu representation.
 304  *  When disk representation (le) is needed, use SE_DACL_PRESENT, etc.
 305  */
 306 enum {  OWNER_SECURITY_INFORMATION = 1,
 307         GROUP_SECURITY_INFORMATION = 2,
 308         DACL_SECURITY_INFORMATION = 4,
 309         SACL_SECURITY_INFORMATION = 8
 310 } ;
 311
 312 int ntfs_get_file_security(struct SECURITY_API *scapi,
 313                 const char *path, u32 selection,
 314                 char *buf, u32 buflen, u32 *psize);
 315 int ntfs_set_file_security(struct SECURITY_API *scapi,
 316                 const char *path, u32 selection, const char *attr);
 317 int ntfs_get_file_attributes(struct SECURITY_API *scapi,
 318                 const char *path);
 319 BOOL ntfs_set_file_attributes(struct SECURITY_API *scapi,
 320                 const char *path, s32 attrib);
 321 BOOL ntfs_read_directory(struct SECURITY_API *scapi,
 322                 const char *path, ntfs_filldir_t callback, void *context);
 323 int ntfs_read_sds(struct SECURITY_API *scapi,
 324                 char *buf, u32 size, u32 offset);
 325 INDEX_ENTRY *ntfs_read_sii(struct SECURITY_API *scapi,
 326                 INDEX_ENTRY *entry);
 327 INDEX_ENTRY *ntfs_read_sdh(struct SECURITY_API *scapi,
 328                 INDEX_ENTRY *entry);
 329 struct SECURITY_API *ntfs_initialize_file_security(const char *device,
 330                                 unsigned long flags);
 331 BOOL ntfs_leave_file_security(struct SECURITY_API *scx);
 332
 333 int ntfs_get_usid(struct SECURITY_API *scapi, uid_t uid, char *buf);
 334 int ntfs_get_gsid(struct SECURITY_API *scapi, gid_t gid, char *buf);
 335 int ntfs_get_user(struct SECURITY_API *scapi, const SID *usid);
 336 int ntfs_get_group(struct SECURITY_API *scapi, const SID *gsid);
 337
 338 #endif /* defined _NTFS_SECURITY_H */