| blob | c2411c4649e083aaa05ac422f9029dd8075fb8a5 |
1 /*
2 * Unix SMB implementation.
3 * Functions for understanding conditional ACEs
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 3 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, see <http://www.gnu.org/licenses/>.
17 */
32 /*
33 * Conditional ACE logic truth tables.
34 *
35 * Conditional ACES use a ternary logic, with "unknown" as well as true and
36 * false. The ultimate meaning of unknown depends on the context; in a deny
37 * ace, unknown means yes, in an allow ace, unknown means no. That is, we
38 * treat unknown results with maximum suspicion.
39 *
40 * AND true false unknown
41 * true T F ?
42 * false F F F
43 * unknown ? F ?
44 *
45 * OR true false unknown
46 * true T T T
47 * false T F ?
48 * unknown T ? ?
49 *
50 * NOT
51 * true F
52 * false T
53 * unknown ?
54 *
55 * This can be summed up by saying unknown values taint the result except in
56 * the cases where short circuit evaluation could apply (true OR anything,
57 * false AND anything, which hold their value).
58 *
59 * What counts as unknown
60 *
61 * - NULL attributes.
62 * - certain comparisons between incompatible types
63 *
64 * What counts as false
65 *
66 * - zero
67 * - empty strings
68 *
69 * An error means the entire expression is unknown.
70 */
74 {
80 }
85 }
90 }
93 /* val has these limits naturally */
97 }
103 }
108 }
110 }
116 {
117 ssize_t bytes_used;
123 }
128 }
132 }
136 {
138 DATA_BLOB v;
140 tok,
144 }
148 }
152 }
158 {
159 ssize_t bytes_used;
165 }
170 }
174 }
178 {
180 DATA_BLOB v;
182 tok,
186 }
190 }
194 }
200 {
201 ssize_t bytes_used;
207 }
212 }
216 }
220 {
228 }
234 }
239 }
244 }
249 {
250 ssize_t bytes_used;
256 }
263 }
267 }
271 {
273 DATA_BLOB v;
275 tok,
279 }
283 }
287 }
293 {
300 }
304 }
305 /*
306 * There is a list of other literal tokens (possibly including nested
307 * composites), which we will store in an array.
308 *
309 * This array can *only* be literals.
310 */
314 alloc_length);
317 }
323 ssize_t consumed;
328 i++;
339 el_data,
340 available,
345 }
349 el_data,
350 available,
356 el_data,
357 available,
363 el_data,
364 available,
374 }
378 }
380 j++;
384 }
390 tokens,
392 alloc_length);
396 }
398 }
399 }
403 error:
406 }
411 {
417 }
418 /*
419 * We have no idea what the eventual length will be, so we keep a
420 * pointer to write it in at the end.
421 */
428 ssize_t consumed;
433 used++;
435 /*
436 * used == length is not expected here; the token
437 * types that only have an opcode and no data are not
438 * literals that can be in composites.
439 */
441 }
453 }
455 available,
460 available,
466 available,
472 available,
478 available,
484 }
488 }
490 }
493 }
497 }
500 {
501 /*
502 * We just check that we have the right kind of number of zero
503 * bytes. The blob must end on a multiple of 4. One zero byte
504 * has already been swallowed as tok->type, which sends us
505 * here, so we expect 1 or two more -- total padding is 0, 1,
506 * 2, or 3.
507 *
508 * zero is also called CONDITIONAL_ACE_TOKEN_INVALID_OR_PADDING.
509 */
510 ssize_t i;
513 }
517 }
518 }
520 }
524 DATA_BLOB data)
525 {
536 /*
537 * lacks the "artx" conditional ace identifier magic.
538 * NULL returns will deny access.
539 */
541 }
544 /*
545 * >= 64k or non-multiples of 4 are not possible in the ACE
546 * wire format.
547 */
549 }
554 }
556 /*
557 * We will normally end up with fewer than data.length tokens, as
558 * values are stored in multiple bytes (all integers are 10 bytes,
559 * strings and attributes are utf16 + length, SIDs are SID-size +
560 * length, etc). But operators are one byte, so something like
561 * !(!(!(!(!(!(x)))))) -- where each '!(..)' is one byte -- will bring
562 * the number of tokens close to the number of bytes.
563 *
564 * This is all to say we're guessing a token length that hopes to
565 * avoid reallocs without wasting too much up front.
566 */
570 alloc_length);
574 }
586 i++;
596 tok_data,
597 available,
602 }
605 /*
606 * The next four are pulled as unicode, but are
607 * processed as user attribute look-ups.
608 */
614 tok_data,
615 available,
621 tok_data,
622 available,
628 tok_data,
629 available,
635 tok_data,
636 available,
648 /*
649 * these require a SID or composite SID list operand,
650 * and we could check that now in most cases.
651 */
653 /* binary relational operators */
664 /* unary logical operators */
668 /* binary logical operators */
673 /* this is only valid at the end */
675 available);
680 }
684 }
687 }
689 j++;
693 tokens,
695 alloc_length);
698 }
699 }
700 }
703 tokens,
708 }
710 fail:
713 }
720 {
723 }
731 {
732 /*
733 * For a @Resource.attr, the claims come from a resource ACE
734 * in the object's SACL. That's why we need a security descriptor.
735 *
736 * If there is no matching resource ACE, a NULL result is returned,
737 * which should compare UNKNOWN to anything. The NULL will have the
738 * CONDITIONAL_ACE_FLAG_NULL_MEANS_ERROR flag set if it seems failure
739 * is not simply due to the sought claim not existing. This is useful for
740 * the Exists and Not_Exists operators.
741 */
748 /* what are we even doing here? */
751 }
760 }
768 }
772 }
773 /* this is the one */
777 }
778 }
782 }
790 {
791 /*
792 * The operator has an attribute name; if there is a claim of
793 * the right type with that name, that is returned as the result.
794 *
795 * XXX what happens otherwise? NULL result?
796 */
826 }
831 }
836 }
837 /*
838 * Loop backwards: a later claim will override an earlier one with the
839 * same name.
840 */
845 }
847 /* this is the one */
850 }
851 }
854 }
864 {
865 /*
866 * We need to compare the lists of SIDs in the token with the
867 * SID[s] in the argument. There are 8 combinations of
868 * operation, depending on whether we want to match all or any
869 * of the SIDs, whether we're using the device SIDs or user
870 * SIDs, and whether the operator name starts with "Not_".
871 *
872 * _MEMBER_OF User has all operand SIDs
873 * _DEVICE_MEMBER_OF Device has all operand SIDs
874 * _MEMBER_OF_ANY User has one or more operand SIDs
875 * _DEVICE_MEMBER_OF_ANY Device has one or more operand SIDs
876 *
877 * NOT_* has the effect of !(the operator without NOT_).
878 *
879 * The operand can either be a composite of SIDs or a single SID.
880 * This adds an additional branch.
881 */
905 }
932 }
943 }
951 }
954 /*
955 * In this case the any and all operations are the
956 * same.
957 */
964 }
965 }
968 }
973 }
975 }
977 /* This is a composite list (hopefully of SIDs) */
981 }
991 }
998 }
999 }
1002 /* we have matched one SID, which is enough */
1004 }
1007 /* failing one is enough */
1009 }
1010 }
1011 }
1012 /*
1013 * Reaching the end of that loop means either:
1014 * 1. it was an ALL op and we never failed to find one, or
1015 * 2. it was an ANY op, and we didn't find one.
1016 */
1019 apply_not:
1022 }
1027 }
1030 }
1036 {
1037 /*
1038 * Find the truth value of the argument, stored in the result token.
1039 *
1040 * A return value of false means the operation is invalid, and the
1041 * result is undefined.
1042 */
1044 /* pass through */
1047 }
1053 /* zero is false */
1058 }
1060 }
1062 /* empty is false */
1067 }
1069 }
1071 /*
1072 * everything else in UNKNOWN. This includes NULL values (i.e. an
1073 * unsuccessful look-up).
1074 */
1077 }
1082 {
1085 /*
1086 * Logic operators don't work on literals.
1087 */
1089 }
1094 }
1099 }
1100 /* unknown stays unknown */
1102 }
1112 {
1118 };
1121 }
1125 /*
1126 * Not_Exists and Exists require the same work, except we negate the
1127 * answer in one case. From [MS-DTYP] 2.4.4.17.7:
1128 *
1129 * If the type of the operand is "Local Attribute"
1130 * If the value is non-null return TRUE
1131 * Else return FALSE
1132 * Else if the type of the operand is "Resource Attribute"
1133 * Return TRUE if value is non-null; FALSE otherwise.
1134 * Else return Error
1135 */
1139 /*
1140 * "not ok" usually means a failure to find the attribute,
1141 * which is the false condition and not an error.
1142 *
1143 * XXX or do we need an extra flag?
1144 */
1151 }
1153 /*
1154 *
1155 */
1163 }
1170 /* should not get here */
1172 }
1176 }
1186 {
1195 /*
1196 * Logic operators don't work on literals.
1197 */
1199 }
1204 }
1208 }
1213 /*
1214 * AND true false unknown
1215 * true T F ?
1216 * false F F F
1217 * unknown ? F ?
1218 *
1219 * unknown unless BOTH true or EITHER false
1220 */
1225 }
1230 }
1231 /*
1232 * Neither value is False, so the result is Unknown,
1233 * as set at the start of this function.
1234 */
1236 }
1237 /*
1238 * OR true false unknown
1239 * true T T T
1240 * false T F ?
1241 * unknown T ? ?
1242 *
1243 * unknown unless EITHER true or BOTH false
1244 */
1249 }
1254 }
1256 }
1262 {
1264 /*
1265 * we can't compare different types *unless* they are both
1266 * integers, or one is a bool and the other is an integer 0 or
1267 * 1, and the operator is == or != (or NULL, which for convenience,
1268 * is treated as ==).
1269 */
1270 //XXX actually it says "literal integers", do we need to check flags?
1273 }
1276 /* don't block e.g. comparing an int32 to an int64 */
1278 }
1280 /* is it == or != */
1285 }
1286 /* is one a bool and the other an int? */
1293 }
1296 }
1298 }
1304 {
1328 }
1332 }
1340 {
1343 /*
1344 * Comparison is case-insensitive UNLESS the claim structure
1345 * has the case-sensitive flag, which is passed through as a
1346 * flag on the token. Usually only the LHS is a claim value,
1347 * but in the event that they both are, we allow either to
1348 * request case-sensitivity.
1349 *
1350 * For greater than and less than, the sort order is utf-8 order,
1351 * which is not exactly what Windows does, but we don't sort like
1352 * Windows does anywhere else either.
1353 */
1359 }
1361 }
1368 {
1373 }
1380 {
1384 }
1391 {
1401 }
1403 }
1410 {
1416 /*
1417 * we can compare a boolean LHS to a literal RHS, but not
1418 * vice versa
1419 */
1421 }
1425 }
1429 }
1433 }
1441 /* we are not allowing non-equality comparisons with bools */
1443 }
1445 }
1456 };
1461 {
1464 /*
1465 * simple_relational_operator uses the operator token only to
1466 * decide whether the comparison is allowed for the type. In
1467 * particular, boolean result and composite arguments can only
1468 * be used with equality operators. We want those to fail (we
1469 * should not see them here, remembering that claim booleans
1470 * become composite integers), so we use a non-equality op.
1471 */
1474 };
1479 }
1480 /*
1481 * This sort isn't going to work out, but the sort function
1482 * will only find out at the end.
1483 */
1486 }
1489 /*
1490 * Return a sorted copy of the composite tokens array.
1491 *
1492 * The copy is shallow, so the actual string pointers are the same, which is
1493 * fine for the purposes of comparison.
1494 */
1500 {
1506 };
1508 /*
1509 * Case sensitivity is a bit tricky. Each token can have a flag saying
1510 * it should be sorted case-sensitively and when comparing two tokens,
1511 * we should respect this flag on either side. The flag can only come
1512 * from claims (including resource attribute ACEs), and as there is only
1513 * one flag per claim, it must apply the same to all members (in fact we
1514 * don't set it on the members, only the composite). So to be sure we
1515 * sort in the way we want, we might need to set the flag on all the
1516 * members of the copy *before* sorting it.
1517 *
1518 * When it comes to comparing two composites, we want to be
1519 * case-sensitive if either side has the flag. This can have odd
1520 * effects. Think of these RA claims:
1521 *
1522 * (RA;;;;;WD;("foo",TS,0,"a","A"))
1523 * (RA;;;;;WD;("bar",TS,2,"a","A")) <-- 2 is the case-sensitive flag
1524 * (RA;;;;;WD;("baz",TS,0,"a"))
1525 *
1526 * (@Resource.foo == @Resource.bar) is true
1527 * (@Resource.bar == @Resource.foo) is true
1528 * (@Resource.bar == @Resource.bar) is true
1529 * (@Resource.foo == @Resource.foo) is an error (duplicate values on LHS)
1530 * (@Resource.baz == @Resource.foo) is true (RHS case-folds down)
1531 * (@Resource.baz == @Resource.bar) is false
1532 * (@Resource.bar == {"A", "a"}) is true
1533 * (@Resource.baz == {"A", "a"}) is true
1534 * (@Resource.foo == {"A", "a"}) is an error
1535 */
1539 }
1545 }
1546 }
1549 copy,
1560 }
1562 }
1565 /*
1566 * This is a helper for compare composites.
1567 */
1571 {
1584 };
1588 /* we should not have got this far */
1590 }
1595 }
1602 /*
1603 * All LHS tokens are the same type (because it is a
1604 * claim), and that type is not one that cares about
1605 * case, so nor do we.
1606 */
1609 /* phew, no extra work */
1611 /* trigger a sorted copy */
1614 /*
1615 * Do we need to rescan for uniqueness, given the new
1616 * comparison function? No! The strings were already
1617 * unique in the looser comparison, and now they can
1618 * only be more so. The number of unique values can't
1619 * change, just their order.
1620 */
1626 }
1627 }
1630 /*
1631 * we need an RHS sorted copy (it's a literal, or
1632 * there was a case sensitivity disagreement).
1633 */
1638 }
1639 }
1640 /*
1641 * Each member of LHS must match one or more members of RHS.
1642 * Each member of RHS must match at least one of LHS.
1643 *
1644 * If they are the same length we can compare directly, so let's get
1645 * rid of duplicates in RHS. This can only happen with literal
1646 * composites.
1647 */
1657 }
1659 gap++;
1660 }
1663 }
1664 }
1666 /*
1667 * There were too many or too few duplicates to account
1668 * for the difference, and no further comparison is
1669 * necessary.
1670 */
1672 }
1673 }
1674 /*
1675 * OK, now we know LHS and RHS are the same length and sorted in the
1676 * same way, so we can just iterate over them and check each pair.
1677 */
1686 }
1689 }
1690 }
1694 not_equal:
1697 error:
1700 }
1705 {
1706 /*
1707 * Are all members of the composite comparable to the token?
1708 */
1715 /*
1716 * all members are known to be the same type, so we
1717 * can just check one.
1718 */
1720 }
1724 tok,
1729 }
1730 }
1732 }
1739 {
1740 /*
1741 * This is for comparing multivalued sets, which includes
1742 * conditional ACE composites and claim sets. Because these
1743 * are sets, there are no < and > operations, just equality or
1744 * otherwise.
1745 *
1746 * Claims are true sets, while composites are multisets --
1747 * duplicate values are allowed -- but these are reduced to
1748 * sets in evaluation, and the number of duplicates has no
1749 * effect in comparisons. Resource attribute ACEs live in an
1750 * intermediate state -- they can contain duplicates on the
1751 * wire and as ACE structures, but as soon as they are
1752 * evaluated as claims their values must be unique. Windows
1753 * will treat RA ACEs with duplicate values as not existing,
1754 * rather than as UNKNOWN (This is significant for the Exists
1755 * operator). Claims can have a case-sensitive flags set,
1756 * meaning they must be compared case-sensitively.
1757 *
1758 * Some good news is that the LHS of a comparison must always
1759 * be a claim. That means we can assume it has unique values
1760 * when it comes to pairwise comparisons. Using the magic of
1761 * flags, we try to check this only once per claim.
1762 *
1763 * Conditional ACE composites, which can have duplicates (and
1764 * mixed types), can only be on the RHS.
1765 *
1766 * To summarise:
1767 *
1768 * {a, b} vs {a, b} equal
1769 * { } vs { } equal
1770 * {a, b} vs {b, a} equal
1771 * {a, b} vs {a, c} not equal
1772 * {a, b} vs {a, a, b} equal
1773 * {b, a} vs {a, b, a} equal
1774 * {a, b} vs {a, a, b, c} not equal
1775 * {a, b, a} vs {a, b} should not happen, error
1776 * {a, b, a} vs {a, b, a} should not happen, error
1777 *
1778 * mixed types:
1779 * {1, 2} vs {1, "2"} error
1780 * {1, "2"} vs {1, "2"} should not happen, error
1781 *
1782 * case sensitivity (*{ }* indicates case-sensitive flag):
1783 *
1784 * {"a", "b"} vs {"a", "B"} equal
1785 * {"a", "b"} vs *{"a", "B"}* not equal
1786 * *{"a", "b"}* vs {"a", "B"} not equal
1787 * *{"a", "A"}* vs {"a", "A"} equal (if RHS is composite)
1788 * {"a", "A"} vs *{"a", "A"}* impossible (LHS is not unique)
1789 * *{"a"}* vs {"a", "A"} not equal
1790 *
1791 * The naive approach is of course O(n * m) with an additional O(n²)
1792 * if the LHS values are not known to be unique (that is, in resource
1793 * attribute claims). We want to avoid that with big sets.
1794 */
1800 /*
1801 * The LHS needs to be a claim, and it should have gone
1802 * through claim_v1_check_and_sort() to get here.
1803 */
1806 }
1808 /* if one or both are empty, the answer is easy */
1813 }
1816 }
1820 }
1822 /*
1823 * LHS must be a claim, so it must be unique, so if there are
1824 * fewer members on the RHS, we know they can't be equal.
1825 *
1826 * If you think about it too much, you might think this is
1827 * affected by case sensitivity, but it isn't. One side can be
1828 * infected by case-sensitivity by the other, but that can't
1829 * shrink the number of elements on the RHS -- it can only
1830 * make a literal {"a", "A"} have effective length 2 rather
1831 * than 1.
1832 *
1833 * On the other hand, if the RHS is case sensitive, it must be
1834 * a claim and unique in its own terms, and its finer-grained
1835 * distinctions can't collapse members of the case sensitive
1836 * LHS.
1837 */
1841 }
1843 /*
1844 * It *could* be that RHS is also unique and we know it. In that
1845 * case we can short circuit if RHS has more members. This is
1846 * the case when both sides are claims.
1847 *
1848 * This is also not affected by case-senstivity.
1849 */
1854 }
1859 }
1861 }
1869 {
1873 }
1874 }
1882 }
1895 /* leave the result unknown */
1900 }
1903 }
1909 {
1915 };
1921 tok,
1926 }
1930 }
1931 }
1933 }
1939 {
1945 };
1947 /*
1948 * All the required objects must be identical to something in
1949 * candidates. But what do we mean by *identical*? We'll use
1950 * the equality operator to decide that.
1951 *
1952 * Both the lhs or rhs can be solitary objects or composites.
1953 * This makes it a bit fiddlier.
1954 *
1955 * NOTE: this operator does not take advantage of the
1956 * CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED flag. It could, but it
1957 * doesn't.
1958 */
1964 }
1968 }
1974 }
1976 /*
1977 * one required item was not there,
1978 * *answer is false
1979 */
1981 }
1982 }
1983 /* all required items are there, *answer will be true */
1985 }
1986 /* LHS is a single item */
1988 /*
1989 * There could be more than one RHS member that is
1990 * equal to the single LHS value, so it doesn't help
1991 * to compare lengths or anything.
1992 */
1996 }
1999 lhs,
2004 }
2006 /*
2007 * one required item was not there,
2008 * *answer is false
2009 */
2012 }
2013 }
2016 }
2017 /* LHS and RHS are both single */
2019 lhs,
2020 rhs,
2024 }
2027 }
2033 {
2039 };
2041 /*
2042 * There has to be *some* overlap between the LHS and RHS.
2043 * Both sides can be solitary objects or composites.
2044 *
2045 * We can exploit this symmetry.
2046 */
2051 }
2053 /* both singles */
2055 lhs,
2056 rhs,
2060 }
2063 }
2066 }
2067 /* both are composites */
2070 }
2074 answer);
2077 }
2079 /* We have found one match, which is enough. */
2081 }
2082 }
2084 }
2091 {
2104 }
2107 }
2109 /* negate the NOTs */
2112 {
2114 }
2120 }
2122 }
2131 {
2138 /* LHS was not derived from an attribute */
2140 }
2142 /*
2143 * This first nested switch is ensuring that >, >=, <, <= are
2144 * not being tried on tokens that are not numbers, strings, or
2145 * octet strings. Equality operators are available for all types.
2146 */
2164 }
2165 }
2167 /*
2168 * Dispatch according to operator type.
2169 */
2178 lhs,
2179 rhs,
2183 }
2191 lhs,
2192 rhs,
2193 result);
2196 }
2197 }
2204 {
2213 /*
2214 * When interpreting the program we will need a stack, which in the
2215 * very worst case can be as deep as the program is long.
2216 */
2222 }
2235 /* just plonk these literals on the stack */
2237 depth++;
2246 }
2248 depth++;
2253 tok,
2254 sd,
2258 }
2260 depth++;
2273 }
2274 depth--;
2279 }
2281 depth++;
2283 /* binary relational operators */
2296 }
2297 depth--;
2299 depth--;
2304 }
2306 depth++;
2308 /* unary logical operators */
2314 }
2315 depth--;
2320 }
2322 depth++;
2324 /* binary logical operators */
2329 }
2330 depth--;
2332 depth--;
2337 }
2339 depth++;
2343 }
2344 }
2345 /*
2346 * The evaluation should have left a single result value (true, false,
2347 * or unknown) on the stack. If not, the expression was malformed.
2348 */
2351 }
2355 }
2359 error:
2360 /*
2361 * the result of an error is always UNKNOWN, which should be
2362 * interpreted pessimistically, not allowing access.
2363 */
2366 }
2369 /** access_check_conditional_ace()
2370 *
2371 * Run the conditional ACE from the blob form. Return false if it is
2372 * not a valid conditional ACE, true if it is, even if there is some
2373 * other error in running it. The *result parameter is set to
2374 * ACE_CONDITION_FALSE, ACE_CONDITION_TRUE, or ACE_CONDITION_UNKNOWN.
2375 *
2376 * ACE_CONDITION_UNKNOWN should be treated pessimistically, as if it were
2377 * TRUE for deny ACEs, and FALSE for allow ACEs.
2378 *
2379 * @param[in] ace - the ACE being processed.
2380 * @param[in] token - the security token the ACE is processing.
2381 * @param[out] result - a ternary result value.
2382 *
2383 * @return true if it is a valid conditional ACE.
2384 */
2390 {
2398 }
2404 }
2410 {
2419 alloc_size);
2422 }
2432 ssize_t consumed;
2434 /*
2435 * In all cases we write the token type byte.
2436 */
2438 j++;
2442 }
2468 /*
2469 * All of these are simple operators that operate on
2470 * the stack. We have already added the tok->type and
2471 * there's nothing else to do.
2472 */
2482 }
2516 }
2520 }
2525 }
2526 }
2527 /* align to a 4 byte boundary */
2532 }
2535 j++;
2536 }
2538 data,
2540 required_size);
2543 }
2549 error:
2552 }