1 // SPDX-License-Identifier: LGPL-2.1
4 * Copyright (C) International Business Machines Corp., 2007,2008
5 * Author(s): Steve French (sfrench@us.ibm.com)
7 * Contains the routines for mapping CIFS/NTFS ACLs
12 #include <linux/slab.h>
13 #include <linux/string.h>
14 #include <linux/keyctl.h>
15 #include <linux/key-type.h>
16 #include <keys/user-type.h>
20 #include "cifsproto.h"
21 #include "cifs_debug.h"
22 #include "fs_context.h"
24 /* security id for everyone/world system group */
25 static const struct cifs_sid sid_everyone = {
26 1, 1, {0, 0, 0, 0, 0, 1}, {0} };
27 /* security id for Authenticated Users system group */
28 static const struct cifs_sid sid_authusers = {
29 1, 1, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(11)} };
31 /* S-1-22-1 Unmapped Unix users */
32 static const struct cifs_sid sid_unix_users = {1, 1, {0, 0, 0, 0, 0, 22},
33 {cpu_to_le32(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
35 /* S-1-22-2 Unmapped Unix groups */
36 static const struct cifs_sid sid_unix_groups = { 1, 1, {0, 0, 0, 0, 0, 22},
37 {cpu_to_le32(2), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
40 * See https://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
43 /* S-1-5-88 MS NFS and Apple style UID/GID/mode */
45 /* S-1-5-88-1 Unix uid */
46 static const struct cifs_sid sid_unix_NFS_users = { 1, 2, {0, 0, 0, 0, 0, 5},
48 cpu_to_le32(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
50 /* S-1-5-88-2 Unix gid */
51 static const struct cifs_sid sid_unix_NFS_groups = { 1, 2, {0, 0, 0, 0, 0, 5},
53 cpu_to_le32(2), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
55 /* S-1-5-88-3 Unix mode */
56 static const struct cifs_sid sid_unix_NFS_mode = { 1, 2, {0, 0, 0, 0, 0, 5},
58 cpu_to_le32(3), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
60 static const struct cred *root_cred;
63 cifs_idmap_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
68 * If the payload is less than or equal to the size of a pointer, then
69 * an allocation here is wasteful. Just copy the data directly to the
70 * payload.value union member instead.
72 * With this however, you must check the datalen before trying to
73 * dereference payload.data!
75 if (prep->datalen <= sizeof(key->payload)) {
76 key->payload.data[0] = NULL;
77 memcpy(&key->payload, prep->data, prep->datalen);
79 payload = kmemdup(prep->data, prep->datalen, GFP_KERNEL);
82 key->payload.data[0] = payload;
85 key->datalen = prep->datalen;
90 cifs_idmap_key_destroy(struct key *key)
92 if (key->datalen > sizeof(key->payload))
93 kfree(key->payload.data[0]);
96 static struct key_type cifs_idmap_key_type = {
98 .instantiate = cifs_idmap_key_instantiate,
99 .destroy = cifs_idmap_key_destroy,
100 .describe = user_describe,
104 sid_to_key_str(struct cifs_sid *sidptr, unsigned int type)
108 char *sidstr, *strptr;
109 unsigned long long id_auth_val;
111 /* 3 bytes for prefix */
112 sidstr = kmalloc(3 + SID_STRING_BASE_SIZE +
113 (SID_STRING_SUBAUTH_SIZE * sidptr->num_subauth),
119 len = sprintf(strptr, "%cs:S-%hhu", type == SIDOWNER ? 'o' : 'g',
123 /* The authority field is a single 48-bit number */
124 id_auth_val = (unsigned long long)sidptr->authority[5];
125 id_auth_val |= (unsigned long long)sidptr->authority[4] << 8;
126 id_auth_val |= (unsigned long long)sidptr->authority[3] << 16;
127 id_auth_val |= (unsigned long long)sidptr->authority[2] << 24;
128 id_auth_val |= (unsigned long long)sidptr->authority[1] << 32;
129 id_auth_val |= (unsigned long long)sidptr->authority[0] << 48;
132 * MS-DTYP states that if the authority is >= 2^32, then it should be
133 * expressed as a hex value.
135 if (id_auth_val <= UINT_MAX)
136 len = sprintf(strptr, "-%llu", id_auth_val);
138 len = sprintf(strptr, "-0x%llx", id_auth_val);
142 for (i = 0; i < sidptr->num_subauth; ++i) {
143 saval = le32_to_cpu(sidptr->sub_auth[i]);
144 len = sprintf(strptr, "-%u", saval);
152 * if the two SIDs (roughly equivalent to a UUID for a user or group) are
153 * the same returns zero, if they do not match returns non-zero.
156 compare_sids(const struct cifs_sid *ctsid, const struct cifs_sid *cwsid)
159 int num_subauth, num_sat, num_saw;
161 if ((!ctsid) || (!cwsid))
164 /* compare the revision */
165 if (ctsid->revision != cwsid->revision) {
166 if (ctsid->revision > cwsid->revision)
172 /* compare all of the six auth values */
173 for (i = 0; i < NUM_AUTHS; ++i) {
174 if (ctsid->authority[i] != cwsid->authority[i]) {
175 if (ctsid->authority[i] > cwsid->authority[i])
182 /* compare all of the subauth values if any */
183 num_sat = ctsid->num_subauth;
184 num_saw = cwsid->num_subauth;
185 num_subauth = num_sat < num_saw ? num_sat : num_saw;
187 for (i = 0; i < num_subauth; ++i) {
188 if (ctsid->sub_auth[i] != cwsid->sub_auth[i]) {
189 if (le32_to_cpu(ctsid->sub_auth[i]) >
190 le32_to_cpu(cwsid->sub_auth[i]))
198 return 0; /* sids compare/match */
202 is_well_known_sid(const struct cifs_sid *psid, uint32_t *puid, bool is_group)
206 const struct cifs_sid *pwell_known_sid;
208 if (!psid || (puid == NULL))
211 num_subauth = psid->num_subauth;
213 /* check if Mac (or Windows NFS) vs. Samba format for Unix owner SID */
214 if (num_subauth == 2) {
216 pwell_known_sid = &sid_unix_groups;
218 pwell_known_sid = &sid_unix_users;
219 } else if (num_subauth == 3) {
221 pwell_known_sid = &sid_unix_NFS_groups;
223 pwell_known_sid = &sid_unix_NFS_users;
227 /* compare the revision */
228 if (psid->revision != pwell_known_sid->revision)
231 /* compare all of the six auth values */
232 for (i = 0; i < NUM_AUTHS; ++i) {
233 if (psid->authority[i] != pwell_known_sid->authority[i]) {
234 cifs_dbg(FYI, "auth %d did not match\n", i);
239 if (num_subauth == 2) {
240 if (psid->sub_auth[0] != pwell_known_sid->sub_auth[0])
243 *puid = le32_to_cpu(psid->sub_auth[1]);
244 } else /* 3 subauths, ie Windows/Mac style */ {
245 *puid = le32_to_cpu(psid->sub_auth[0]);
246 if ((psid->sub_auth[0] != pwell_known_sid->sub_auth[0]) ||
247 (psid->sub_auth[1] != pwell_known_sid->sub_auth[1]))
250 *puid = le32_to_cpu(psid->sub_auth[2]);
253 cifs_dbg(FYI, "Unix UID %d returned from SID\n", *puid);
254 return true; /* well known sid found, uid returned */
258 cifs_copy_sid(struct cifs_sid *dst, const struct cifs_sid *src)
261 __u16 size = 1 + 1 + 6;
263 dst->revision = src->revision;
264 dst->num_subauth = min_t(u8, src->num_subauth, SID_MAX_SUB_AUTHORITIES);
265 for (i = 0; i < NUM_AUTHS; ++i)
266 dst->authority[i] = src->authority[i];
267 for (i = 0; i < dst->num_subauth; ++i)
268 dst->sub_auth[i] = src->sub_auth[i];
269 size += (dst->num_subauth * 4);
275 id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid)
279 struct cifs_sid *ksid;
280 unsigned int ksid_size;
281 char desc[3 + 10 + 1]; /* 3 byte prefix + 10 bytes for value + NULL */
282 const struct cred *saved_cred;
284 rc = snprintf(desc, sizeof(desc), "%ci:%u",
285 sidtype == SIDOWNER ? 'o' : 'g', cid);
286 if (rc >= sizeof(desc))
290 saved_cred = override_creds(root_cred);
291 sidkey = request_key(&cifs_idmap_key_type, desc, "");
292 if (IS_ERR(sidkey)) {
294 cifs_dbg(FYI, "%s: Can't map %cid %u to a SID\n",
295 __func__, sidtype == SIDOWNER ? 'u' : 'g', cid);
296 goto out_revert_creds;
297 } else if (sidkey->datalen < CIFS_SID_BASE_SIZE) {
299 cifs_dbg(FYI, "%s: Downcall contained malformed key (datalen=%hu)\n",
300 __func__, sidkey->datalen);
305 * A sid is usually too large to be embedded in payload.value, but if
306 * there are no subauthorities and the host has 8-byte pointers, then
309 ksid = sidkey->datalen <= sizeof(sidkey->payload) ?
310 (struct cifs_sid *)&sidkey->payload :
311 (struct cifs_sid *)sidkey->payload.data[0];
313 ksid_size = CIFS_SID_BASE_SIZE + (ksid->num_subauth * sizeof(__le32));
314 if (ksid_size > sidkey->datalen) {
316 cifs_dbg(FYI, "%s: Downcall contained malformed key (datalen=%hu, ksid_size=%u)\n",
317 __func__, sidkey->datalen, ksid_size);
321 cifs_copy_sid(ssid, ksid);
325 revert_creds(saved_cred);
329 key_invalidate(sidkey);
334 sid_to_id(struct cifs_sb_info *cifs_sb, struct cifs_sid *psid,
335 struct cifs_fattr *fattr, uint sidtype)
340 const struct cred *saved_cred;
341 kuid_t fuid = cifs_sb->ctx->linux_uid;
342 kgid_t fgid = cifs_sb->ctx->linux_gid;
345 * If we have too many subauthorities, then something is really wrong.
346 * Just return an error.
348 if (unlikely(psid->num_subauth > SID_MAX_SUB_AUTHORITIES)) {
349 cifs_dbg(FYI, "%s: %u subauthorities is too many!\n",
350 __func__, psid->num_subauth);
354 if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UID_FROM_ACL) ||
355 (cifs_sb_master_tcon(cifs_sb)->posix_extensions)) {
359 if (sidtype != SIDOWNER)
364 if (is_well_known_sid(psid, &unix_id, is_group) == false)
365 goto try_upcall_to_get_id;
372 gid = make_kgid(&init_user_ns, id);
373 if (gid_valid(gid)) {
382 uid = make_kuid(&init_user_ns, id);
383 if (uid_valid(uid)) {
388 /* If unable to find uid/gid easily from SID try via upcall */
391 try_upcall_to_get_id:
392 sidstr = sid_to_key_str(psid, sidtype);
396 saved_cred = override_creds(root_cred);
397 sidkey = request_key(&cifs_idmap_key_type, sidstr, "");
398 if (IS_ERR(sidkey)) {
399 cifs_dbg(FYI, "%s: Can't map SID %s to a %cid\n",
400 __func__, sidstr, sidtype == SIDOWNER ? 'u' : 'g');
401 goto out_revert_creds;
405 * FIXME: Here we assume that uid_t and gid_t are same size. It's
406 * probably a safe assumption but might be better to check based on
409 BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t));
410 if (sidkey->datalen != sizeof(uid_t)) {
411 cifs_dbg(FYI, "%s: Downcall contained malformed key (datalen=%hu)\n",
412 __func__, sidkey->datalen);
413 key_invalidate(sidkey);
417 if (sidtype == SIDOWNER) {
420 memcpy(&id, &sidkey->payload.data[0], sizeof(uid_t));
421 uid = make_kuid(&init_user_ns, id);
427 memcpy(&id, &sidkey->payload.data[0], sizeof(gid_t));
428 gid = make_kgid(&init_user_ns, id);
436 revert_creds(saved_cred);
440 * Note that we return 0 here unconditionally. If the mapping
441 * fails then we just fall back to using the ctx->linux_uid/linux_gid.
445 if (sidtype == SIDOWNER)
446 fattr->cf_uid = fuid;
448 fattr->cf_gid = fgid;
453 init_cifs_idmap(void)
459 cifs_dbg(FYI, "Registering the %s key type\n",
460 cifs_idmap_key_type.name);
462 /* create an override credential set with a special thread keyring in
463 * which requests are cached
465 * this is used to prevent malicious redirections from being installed
468 cred = prepare_kernel_cred(NULL);
472 keyring = keyring_alloc(".cifs_idmap",
473 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
474 (KEY_POS_ALL & ~KEY_POS_SETATTR) |
475 KEY_USR_VIEW | KEY_USR_READ,
476 KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
477 if (IS_ERR(keyring)) {
478 ret = PTR_ERR(keyring);
479 goto failed_put_cred;
482 ret = register_key_type(&cifs_idmap_key_type);
486 /* instruct request_key() to use this special keyring as a cache for
487 * the results it looks up */
488 set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
489 cred->thread_keyring = keyring;
490 cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
493 cifs_dbg(FYI, "cifs idmap keyring: %d\n", key_serial(keyring));
504 exit_cifs_idmap(void)
506 key_revoke(root_cred->thread_keyring);
507 unregister_key_type(&cifs_idmap_key_type);
509 cifs_dbg(FYI, "Unregistered %s key type\n", cifs_idmap_key_type.name);
512 /* copy ntsd, owner sid, and group sid from a security descriptor to another */
513 static __u32 copy_sec_desc(const struct cifs_ntsd *pntsd,
514 struct cifs_ntsd *pnntsd,
516 struct cifs_sid *pownersid,
517 struct cifs_sid *pgrpsid)
519 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
520 struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr;
522 /* copy security descriptor control portion */
523 pnntsd->revision = pntsd->revision;
524 pnntsd->type = pntsd->type;
525 pnntsd->dacloffset = cpu_to_le32(sizeof(struct cifs_ntsd));
526 pnntsd->sacloffset = 0;
527 pnntsd->osidoffset = cpu_to_le32(sidsoffset);
528 pnntsd->gsidoffset = cpu_to_le32(sidsoffset + sizeof(struct cifs_sid));
532 owner_sid_ptr = pownersid;
534 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
535 le32_to_cpu(pntsd->osidoffset));
536 nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset);
537 cifs_copy_sid(nowner_sid_ptr, owner_sid_ptr);
541 group_sid_ptr = pgrpsid;
543 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
544 le32_to_cpu(pntsd->gsidoffset));
545 ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset +
546 sizeof(struct cifs_sid));
547 cifs_copy_sid(ngroup_sid_ptr, group_sid_ptr);
549 return sidsoffset + (2 * sizeof(struct cifs_sid));
554 change posix mode to reflect permissions
555 pmode is the existing mode (we only want to overwrite part of this
556 bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
558 static void access_flags_to_mode(__le32 ace_flags, int type, umode_t *pmode,
559 umode_t *pdenied, umode_t mask)
561 __u32 flags = le32_to_cpu(ace_flags);
563 * Do not assume "preferred" or "canonical" order.
564 * The first DENY or ALLOW ACE which matches perfectly is
565 * the permission to be used. Once allowed or denied, same
566 * permission in later ACEs do not matter.
569 /* If not already allowed, deny these bits */
570 if (type == ACCESS_DENIED) {
571 if (flags & GENERIC_ALL &&
572 !(*pmode & mask & 0777))
573 *pdenied |= mask & 0777;
575 if (((flags & GENERIC_WRITE) ||
576 ((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS)) &&
577 !(*pmode & mask & 0222))
578 *pdenied |= mask & 0222;
580 if (((flags & GENERIC_READ) ||
581 ((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS)) &&
582 !(*pmode & mask & 0444))
583 *pdenied |= mask & 0444;
585 if (((flags & GENERIC_EXECUTE) ||
586 ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS)) &&
587 !(*pmode & mask & 0111))
588 *pdenied |= mask & 0111;
591 } else if (type != ACCESS_ALLOWED) {
592 cifs_dbg(VFS, "unknown access control type %d\n", type);
595 /* else ACCESS_ALLOWED type */
597 if ((flags & GENERIC_ALL) &&
598 !(*pdenied & mask & 0777)) {
599 *pmode |= mask & 0777;
600 cifs_dbg(NOISY, "all perms\n");
604 if (((flags & GENERIC_WRITE) ||
605 ((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS)) &&
606 !(*pdenied & mask & 0222))
607 *pmode |= mask & 0222;
609 if (((flags & GENERIC_READ) ||
610 ((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS)) &&
611 !(*pdenied & mask & 0444))
612 *pmode |= mask & 0444;
614 if (((flags & GENERIC_EXECUTE) ||
615 ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS)) &&
616 !(*pdenied & mask & 0111))
617 *pmode |= mask & 0111;
619 /* If DELETE_CHILD is set only on an owner ACE, set sticky bit */
620 if (flags & FILE_DELETE_CHILD) {
621 if (mask == ACL_OWNER_MASK) {
622 if (!(*pdenied & 01000))
624 } else if (!(*pdenied & 01000)) {
630 cifs_dbg(NOISY, "access flags 0x%x mode now %04o\n", flags, *pmode);
635 Generate access flags to reflect permissions mode is the existing mode.
636 This function is called for every ACE in the DACL whose SID matches
637 with either owner or group or everyone.
640 static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
643 /* reset access mask */
646 /* bits to use are either S_IRWXU or S_IRWXG or S_IRWXO */
649 /* check for R/W/X UGO since we do not know whose flags
650 is this but we have cleared all the bits sans RWX for
651 either user or group or other as per bits_to_use */
653 *pace_flags |= SET_FILE_READ_RIGHTS;
655 *pace_flags |= SET_FILE_WRITE_RIGHTS;
657 *pace_flags |= SET_FILE_EXEC_RIGHTS;
659 cifs_dbg(NOISY, "mode: %04o, access flags now 0x%x\n",
664 static __u16 cifs_copy_ace(struct cifs_ace *dst, struct cifs_ace *src, struct cifs_sid *psid)
666 __u16 size = 1 + 1 + 2 + 4;
668 dst->type = src->type;
669 dst->flags = src->flags;
670 dst->access_req = src->access_req;
672 /* Check if there's a replacement sid specified */
674 size += cifs_copy_sid(&dst->sid, psid);
676 size += cifs_copy_sid(&dst->sid, &src->sid);
678 dst->size = cpu_to_le16(size);
683 static __u16 fill_ace_for_sid(struct cifs_ace *pntace,
684 const struct cifs_sid *psid, __u64 nmode,
685 umode_t bits, __u8 access_type,
686 bool allow_delete_child)
690 __u32 access_req = 0;
692 pntace->type = access_type;
694 mode_to_access_flags(nmode, bits, &access_req);
696 if (access_type == ACCESS_ALLOWED && allow_delete_child)
697 access_req |= FILE_DELETE_CHILD;
699 if (access_type == ACCESS_ALLOWED && !access_req)
700 access_req = SET_MINIMUM_RIGHTS;
701 else if (access_type == ACCESS_DENIED)
702 access_req &= ~SET_MINIMUM_RIGHTS;
704 pntace->access_req = cpu_to_le32(access_req);
706 pntace->sid.revision = psid->revision;
707 pntace->sid.num_subauth = psid->num_subauth;
708 for (i = 0; i < NUM_AUTHS; i++)
709 pntace->sid.authority[i] = psid->authority[i];
710 for (i = 0; i < psid->num_subauth; i++)
711 pntace->sid.sub_auth[i] = psid->sub_auth[i];
713 size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth * 4);
714 pntace->size = cpu_to_le16(size);
720 #ifdef CONFIG_CIFS_DEBUG2
721 static void dump_ace(struct cifs_ace *pace, char *end_of_acl)
725 /* validate that we do not go past end of acl */
727 if (le16_to_cpu(pace->size) < 16) {
728 cifs_dbg(VFS, "ACE too small %d\n", le16_to_cpu(pace->size));
732 if (end_of_acl < (char *)pace + le16_to_cpu(pace->size)) {
733 cifs_dbg(VFS, "ACL too small to parse ACE\n");
737 num_subauth = pace->sid.num_subauth;
740 cifs_dbg(FYI, "ACE revision %d num_auth %d type %d flags %d size %d\n",
741 pace->sid.revision, pace->sid.num_subauth, pace->type,
742 pace->flags, le16_to_cpu(pace->size));
743 for (i = 0; i < num_subauth; ++i) {
744 cifs_dbg(FYI, "ACE sub_auth[%d]: 0x%x\n",
745 i, le32_to_cpu(pace->sid.sub_auth[i]));
748 /* BB add length check to make sure that we do not have huge
749 num auths and therefore go off the end */
756 static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
757 struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
758 struct cifs_fattr *fattr, bool mode_from_special_sid)
764 struct cifs_ace **ppace;
766 /* BB need to add parm so we can store the SID BB */
769 /* no DACL in the security descriptor, set
770 all the permissions for user/group/other */
771 fattr->cf_mode |= 0777;
775 /* validate that we do not go past end of acl */
776 if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
777 cifs_dbg(VFS, "ACL too small to parse DACL\n");
781 cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
782 le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
783 le32_to_cpu(pdacl->num_aces));
785 /* reset rwx permissions for user/group/other.
786 Also, if num_aces is 0 i.e. DACL has no ACEs,
787 user/group/other have no permissions */
788 fattr->cf_mode &= ~(0777);
790 acl_base = (char *)pdacl;
791 acl_size = sizeof(struct cifs_acl);
793 num_aces = le32_to_cpu(pdacl->num_aces);
795 umode_t denied_mode = 0;
797 if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
799 ppace = kmalloc_array(num_aces, sizeof(struct cifs_ace *),
804 for (i = 0; i < num_aces; ++i) {
805 ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
806 #ifdef CONFIG_CIFS_DEBUG2
807 dump_ace(ppace[i], end_of_acl);
809 if (mode_from_special_sid &&
810 (compare_sids(&(ppace[i]->sid),
811 &sid_unix_NFS_mode) == 0)) {
813 * Full permissions are:
814 * 07777 = S_ISUID | S_ISGID | S_ISVTX |
815 * S_IRWXU | S_IRWXG | S_IRWXO
817 fattr->cf_mode &= ~07777;
819 le32_to_cpu(ppace[i]->sid.sub_auth[2]);
822 if (compare_sids(&(ppace[i]->sid), pownersid) == 0) {
823 access_flags_to_mode(ppace[i]->access_req,
828 } else if (compare_sids(&(ppace[i]->sid), pgrpsid) == 0) {
829 access_flags_to_mode(ppace[i]->access_req,
834 } else if ((compare_sids(&(ppace[i]->sid), &sid_everyone) == 0) ||
835 (compare_sids(&(ppace[i]->sid), &sid_authusers) == 0)) {
836 access_flags_to_mode(ppace[i]->access_req,
845 /* memcpy((void *)(&(cifscred->aces[i])),
847 sizeof(struct cifs_ace)); */
849 acl_base = (char *)ppace[i];
850 acl_size = le16_to_cpu(ppace[i]->size);
859 unsigned int setup_authusers_ACE(struct cifs_ace *pntace)
862 unsigned int ace_size = 20;
864 pntace->type = ACCESS_ALLOWED_ACE_TYPE;
866 pntace->access_req = cpu_to_le32(GENERIC_ALL);
867 pntace->sid.num_subauth = 1;
868 pntace->sid.revision = 1;
869 for (i = 0; i < NUM_AUTHS; i++)
870 pntace->sid.authority[i] = sid_authusers.authority[i];
872 pntace->sid.sub_auth[0] = sid_authusers.sub_auth[0];
874 /* size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth*4) */
875 pntace->size = cpu_to_le16(ace_size);
880 * Fill in the special SID based on the mode. See
881 * https://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
883 unsigned int setup_special_mode_ACE(struct cifs_ace *pntace, __u64 nmode)
886 unsigned int ace_size = 28;
888 pntace->type = ACCESS_DENIED_ACE_TYPE;
890 pntace->access_req = 0;
891 pntace->sid.num_subauth = 3;
892 pntace->sid.revision = 1;
893 for (i = 0; i < NUM_AUTHS; i++)
894 pntace->sid.authority[i] = sid_unix_NFS_mode.authority[i];
896 pntace->sid.sub_auth[0] = sid_unix_NFS_mode.sub_auth[0];
897 pntace->sid.sub_auth[1] = sid_unix_NFS_mode.sub_auth[1];
898 pntace->sid.sub_auth[2] = cpu_to_le32(nmode & 07777);
900 /* size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth*4) */
901 pntace->size = cpu_to_le16(ace_size);
905 unsigned int setup_special_user_owner_ACE(struct cifs_ace *pntace)
908 unsigned int ace_size = 28;
910 pntace->type = ACCESS_ALLOWED_ACE_TYPE;
912 pntace->access_req = cpu_to_le32(GENERIC_ALL);
913 pntace->sid.num_subauth = 3;
914 pntace->sid.revision = 1;
915 for (i = 0; i < NUM_AUTHS; i++)
916 pntace->sid.authority[i] = sid_unix_NFS_users.authority[i];
918 pntace->sid.sub_auth[0] = sid_unix_NFS_users.sub_auth[0];
919 pntace->sid.sub_auth[1] = sid_unix_NFS_users.sub_auth[1];
920 pntace->sid.sub_auth[2] = cpu_to_le32(current_fsgid().val);
922 /* size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth*4) */
923 pntace->size = cpu_to_le16(ace_size);
927 static void populate_new_aces(char *nacl_base,
928 struct cifs_sid *pownersid,
929 struct cifs_sid *pgrpsid,
930 __u64 *pnmode, u32 *pnum_aces, u16 *pnsize,
939 __u64 deny_user_mode = 0;
940 __u64 deny_group_mode = 0;
941 bool sticky_set = false;
942 struct cifs_ace *pnntace = NULL;
945 num_aces = *pnum_aces;
949 pnntace = (struct cifs_ace *) (nacl_base + nsize);
950 nsize += setup_special_mode_ACE(pnntace, nmode);
952 pnntace = (struct cifs_ace *) (nacl_base + nsize);
953 nsize += setup_authusers_ACE(pnntace);
959 * We'll try to keep the mode as requested by the user.
960 * But in cases where we cannot meaningfully convert that
961 * into ACL, return back the updated mode, so that it is
962 * updated in the inode.
965 if (!memcmp(pownersid, pgrpsid, sizeof(struct cifs_sid))) {
967 * Case when owner and group SIDs are the same.
968 * Set the more restrictive of the two modes.
970 user_mode = nmode & (nmode << 3) & 0700;
971 group_mode = nmode & (nmode >> 3) & 0070;
973 user_mode = nmode & 0700;
974 group_mode = nmode & 0070;
977 other_mode = nmode & 0007;
979 /* We need DENY ACE when the perm is more restrictive than the next sets. */
980 deny_user_mode = ~(user_mode) & ((group_mode << 3) | (other_mode << 6)) & 0700;
981 deny_group_mode = ~(group_mode) & (other_mode << 3) & 0070;
983 *pnmode = user_mode | group_mode | other_mode | (nmode & ~0777);
985 /* This tells if we should allow delete child for group and everyone. */
989 if (deny_user_mode) {
990 pnntace = (struct cifs_ace *) (nacl_base + nsize);
991 nsize += fill_ace_for_sid(pnntace, pownersid, deny_user_mode,
992 0700, ACCESS_DENIED, false);
996 /* Group DENY ACE does not conflict with owner ALLOW ACE. Keep in preferred order*/
997 if (deny_group_mode && !(deny_group_mode & (user_mode >> 3))) {
998 pnntace = (struct cifs_ace *) (nacl_base + nsize);
999 nsize += fill_ace_for_sid(pnntace, pgrpsid, deny_group_mode,
1000 0070, ACCESS_DENIED, false);
1004 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1005 nsize += fill_ace_for_sid(pnntace, pownersid, user_mode,
1006 0700, ACCESS_ALLOWED, true);
1009 /* Group DENY ACE conflicts with owner ALLOW ACE. So keep it after. */
1010 if (deny_group_mode && (deny_group_mode & (user_mode >> 3))) {
1011 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1012 nsize += fill_ace_for_sid(pnntace, pgrpsid, deny_group_mode,
1013 0070, ACCESS_DENIED, false);
1017 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1018 nsize += fill_ace_for_sid(pnntace, pgrpsid, group_mode,
1019 0070, ACCESS_ALLOWED, !sticky_set);
1022 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1023 nsize += fill_ace_for_sid(pnntace, &sid_everyone, other_mode,
1024 0007, ACCESS_ALLOWED, !sticky_set);
1028 *pnum_aces = num_aces;
1032 static __u16 replace_sids_and_copy_aces(struct cifs_acl *pdacl, struct cifs_acl *pndacl,
1033 struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
1034 struct cifs_sid *pnownersid, struct cifs_sid *pngrpsid)
1038 struct cifs_ace *pntace = NULL;
1039 char *acl_base = NULL;
1040 u32 src_num_aces = 0;
1042 struct cifs_ace *pnntace = NULL;
1043 char *nacl_base = NULL;
1046 acl_base = (char *)pdacl;
1047 size = sizeof(struct cifs_acl);
1048 src_num_aces = le32_to_cpu(pdacl->num_aces);
1050 nacl_base = (char *)pndacl;
1051 nsize = sizeof(struct cifs_acl);
1053 /* Go through all the ACEs */
1054 for (i = 0; i < src_num_aces; ++i) {
1055 pntace = (struct cifs_ace *) (acl_base + size);
1056 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1058 if (pnownersid && compare_sids(&pntace->sid, pownersid) == 0)
1059 ace_size = cifs_copy_ace(pnntace, pntace, pnownersid);
1060 else if (pngrpsid && compare_sids(&pntace->sid, pgrpsid) == 0)
1061 ace_size = cifs_copy_ace(pnntace, pntace, pngrpsid);
1063 ace_size = cifs_copy_ace(pnntace, pntace, NULL);
1065 size += le16_to_cpu(pntace->size);
1072 static int set_chmod_dacl(struct cifs_acl *pdacl, struct cifs_acl *pndacl,
1073 struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
1074 __u64 *pnmode, bool mode_from_sid)
1078 struct cifs_ace *pntace = NULL;
1079 char *acl_base = NULL;
1080 u32 src_num_aces = 0;
1082 struct cifs_ace *pnntace = NULL;
1083 char *nacl_base = NULL;
1085 bool new_aces_set = false;
1087 /* Assuming that pndacl and pnmode are never NULL */
1088 nacl_base = (char *)pndacl;
1089 nsize = sizeof(struct cifs_acl);
1091 /* If pdacl is NULL, we don't have a src. Simply populate new ACL. */
1093 populate_new_aces(nacl_base,
1095 pnmode, &num_aces, &nsize,
1100 acl_base = (char *)pdacl;
1101 size = sizeof(struct cifs_acl);
1102 src_num_aces = le32_to_cpu(pdacl->num_aces);
1104 /* Retain old ACEs which we can retain */
1105 for (i = 0; i < src_num_aces; ++i) {
1106 pntace = (struct cifs_ace *) (acl_base + size);
1108 if (!new_aces_set && (pntace->flags & INHERITED_ACE)) {
1109 /* Place the new ACEs in between existing explicit and inherited */
1110 populate_new_aces(nacl_base,
1112 pnmode, &num_aces, &nsize,
1115 new_aces_set = true;
1118 /* If it's any one of the ACE we're replacing, skip! */
1119 if (((compare_sids(&pntace->sid, &sid_unix_NFS_mode) == 0) ||
1120 (compare_sids(&pntace->sid, pownersid) == 0) ||
1121 (compare_sids(&pntace->sid, pgrpsid) == 0) ||
1122 (compare_sids(&pntace->sid, &sid_everyone) == 0) ||
1123 (compare_sids(&pntace->sid, &sid_authusers) == 0))) {
1127 /* update the pointer to the next ACE to populate*/
1128 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1130 nsize += cifs_copy_ace(pnntace, pntace, NULL);
1134 size += le16_to_cpu(pntace->size);
1137 /* If inherited ACEs are not present, place the new ones at the tail */
1138 if (!new_aces_set) {
1139 populate_new_aces(nacl_base,
1141 pnmode, &num_aces, &nsize,
1144 new_aces_set = true;
1148 pndacl->num_aces = cpu_to_le32(num_aces);
1149 pndacl->size = cpu_to_le16(nsize);
1154 static int parse_sid(struct cifs_sid *psid, char *end_of_acl)
1156 /* BB need to add parm so we can store the SID BB */
1158 /* validate that we do not go past end of ACL - sid must be at least 8
1159 bytes long (assuming no sub-auths - e.g. the null SID */
1160 if (end_of_acl < (char *)psid + 8) {
1161 cifs_dbg(VFS, "ACL too small to parse SID %p\n", psid);
1165 #ifdef CONFIG_CIFS_DEBUG2
1166 if (psid->num_subauth) {
1168 cifs_dbg(FYI, "SID revision %d num_auth %d\n",
1169 psid->revision, psid->num_subauth);
1171 for (i = 0; i < psid->num_subauth; i++) {
1172 cifs_dbg(FYI, "SID sub_auth[%d]: 0x%x\n",
1173 i, le32_to_cpu(psid->sub_auth[i]));
1176 /* BB add length check to make sure that we do not have huge
1177 num auths and therefore go off the end */
1178 cifs_dbg(FYI, "RID 0x%x\n",
1179 le32_to_cpu(psid->sub_auth[psid->num_subauth-1]));
1187 /* Convert CIFS ACL to POSIX form */
1188 static int parse_sec_desc(struct cifs_sb_info *cifs_sb,
1189 struct cifs_ntsd *pntsd, int acl_len, struct cifs_fattr *fattr,
1190 bool get_mode_from_special_sid)
1193 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
1194 struct cifs_acl *dacl_ptr; /* no need for SACL ptr */
1195 char *end_of_acl = ((char *)pntsd) + acl_len;
1201 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1202 le32_to_cpu(pntsd->osidoffset));
1203 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1204 le32_to_cpu(pntsd->gsidoffset));
1205 dacloffset = le32_to_cpu(pntsd->dacloffset);
1206 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
1207 cifs_dbg(NOISY, "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
1208 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
1209 le32_to_cpu(pntsd->gsidoffset),
1210 le32_to_cpu(pntsd->sacloffset), dacloffset);
1211 /* cifs_dump_mem("owner_sid: ", owner_sid_ptr, 64); */
1212 rc = parse_sid(owner_sid_ptr, end_of_acl);
1214 cifs_dbg(FYI, "%s: Error %d parsing Owner SID\n", __func__, rc);
1217 rc = sid_to_id(cifs_sb, owner_sid_ptr, fattr, SIDOWNER);
1219 cifs_dbg(FYI, "%s: Error %d mapping Owner SID to uid\n",
1224 rc = parse_sid(group_sid_ptr, end_of_acl);
1226 cifs_dbg(FYI, "%s: Error %d mapping Owner SID to gid\n",
1230 rc = sid_to_id(cifs_sb, group_sid_ptr, fattr, SIDGROUP);
1232 cifs_dbg(FYI, "%s: Error %d mapping Group SID to gid\n",
1238 parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
1239 group_sid_ptr, fattr, get_mode_from_special_sid);
1241 cifs_dbg(FYI, "no ACL\n"); /* BB grant all or default perms? */
1246 /* Convert permission bits from mode to equivalent CIFS ACL */
1247 static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
1248 __u32 secdesclen, __u32 *pnsecdesclen, __u64 *pnmode, kuid_t uid, kgid_t gid,
1249 bool mode_from_sid, bool id_from_sid, int *aclflag)
1255 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
1256 struct cifs_sid *nowner_sid_ptr = NULL, *ngroup_sid_ptr = NULL;
1257 struct cifs_acl *dacl_ptr = NULL; /* no need for SACL ptr */
1258 struct cifs_acl *ndacl_ptr = NULL; /* no need for SACL ptr */
1259 char *end_of_acl = ((char *)pntsd) + secdesclen;
1262 dacloffset = le32_to_cpu(pntsd->dacloffset);
1264 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
1265 if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
1266 cifs_dbg(VFS, "Server returned illegal ACL size\n");
1271 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1272 le32_to_cpu(pntsd->osidoffset));
1273 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1274 le32_to_cpu(pntsd->gsidoffset));
1276 if (pnmode && *pnmode != NO_CHANGE_64) { /* chmod */
1277 ndacloffset = sizeof(struct cifs_ntsd);
1278 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset);
1279 ndacl_ptr->revision =
1280 dacloffset ? dacl_ptr->revision : cpu_to_le16(ACL_REVISION);
1282 ndacl_ptr->size = cpu_to_le16(0);
1283 ndacl_ptr->num_aces = cpu_to_le32(0);
1285 rc = set_chmod_dacl(dacl_ptr, ndacl_ptr, owner_sid_ptr, group_sid_ptr,
1286 pnmode, mode_from_sid);
1288 sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size);
1289 /* copy the non-dacl portion of secdesc */
1290 *pnsecdesclen = copy_sec_desc(pntsd, pnntsd, sidsoffset,
1293 *aclflag |= CIFS_ACL_DACL;
1295 ndacloffset = sizeof(struct cifs_ntsd);
1296 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset);
1297 ndacl_ptr->revision =
1298 dacloffset ? dacl_ptr->revision : cpu_to_le16(ACL_REVISION);
1299 ndacl_ptr->num_aces = dacl_ptr ? dacl_ptr->num_aces : 0;
1301 if (uid_valid(uid)) { /* chown */
1303 nowner_sid_ptr = kzalloc(sizeof(struct cifs_sid),
1305 if (!nowner_sid_ptr) {
1307 goto chown_chgrp_exit;
1309 id = from_kuid(&init_user_ns, uid);
1311 struct owner_sid *osid = (struct owner_sid *)nowner_sid_ptr;
1312 /* Populate the user ownership fields S-1-5-88-1 */
1315 osid->Authority[5] = 5;
1316 osid->SubAuthorities[0] = cpu_to_le32(88);
1317 osid->SubAuthorities[1] = cpu_to_le32(1);
1318 osid->SubAuthorities[2] = cpu_to_le32(id);
1320 } else { /* lookup sid with upcall */
1321 rc = id_to_sid(id, SIDOWNER, nowner_sid_ptr);
1323 cifs_dbg(FYI, "%s: Mapping error %d for owner id %d\n",
1325 goto chown_chgrp_exit;
1328 *aclflag |= CIFS_ACL_OWNER;
1330 if (gid_valid(gid)) { /* chgrp */
1332 ngroup_sid_ptr = kzalloc(sizeof(struct cifs_sid),
1334 if (!ngroup_sid_ptr) {
1336 goto chown_chgrp_exit;
1338 id = from_kgid(&init_user_ns, gid);
1340 struct owner_sid *gsid = (struct owner_sid *)ngroup_sid_ptr;
1341 /* Populate the group ownership fields S-1-5-88-2 */
1344 gsid->Authority[5] = 5;
1345 gsid->SubAuthorities[0] = cpu_to_le32(88);
1346 gsid->SubAuthorities[1] = cpu_to_le32(2);
1347 gsid->SubAuthorities[2] = cpu_to_le32(id);
1349 } else { /* lookup sid with upcall */
1350 rc = id_to_sid(id, SIDGROUP, ngroup_sid_ptr);
1352 cifs_dbg(FYI, "%s: Mapping error %d for group id %d\n",
1354 goto chown_chgrp_exit;
1357 *aclflag |= CIFS_ACL_GROUP;
1361 /* Replace ACEs for old owner with new one */
1362 size = replace_sids_and_copy_aces(dacl_ptr, ndacl_ptr,
1363 owner_sid_ptr, group_sid_ptr,
1364 nowner_sid_ptr, ngroup_sid_ptr);
1365 ndacl_ptr->size = cpu_to_le16(size);
1368 sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size);
1369 /* copy the non-dacl portion of secdesc */
1370 *pnsecdesclen = copy_sec_desc(pntsd, pnntsd, sidsoffset,
1371 nowner_sid_ptr, ngroup_sid_ptr);
1374 /* errors could jump here. So make sure we return soon after this */
1375 kfree(nowner_sid_ptr);
1376 kfree(ngroup_sid_ptr);
1382 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
1383 struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb,
1384 const struct cifs_fid *cifsfid, u32 *pacllen,
1385 u32 __maybe_unused unused)
1387 struct cifs_ntsd *pntsd = NULL;
1390 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1393 return ERR_CAST(tlink);
1396 rc = CIFSSMBGetCIFSACL(xid, tlink_tcon(tlink), cifsfid->netfid, &pntsd,
1400 cifs_put_tlink(tlink);
1402 cifs_dbg(FYI, "%s: rc = %d ACL len %d\n", __func__, rc, *pacllen);
1408 static struct cifs_ntsd *get_cifs_acl_by_path(struct cifs_sb_info *cifs_sb,
1409 const char *path, u32 *pacllen)
1411 struct cifs_ntsd *pntsd = NULL;
1415 struct cifs_tcon *tcon;
1416 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1417 struct cifs_fid fid;
1418 struct cifs_open_parms oparms;
1421 return ERR_CAST(tlink);
1423 tcon = tlink_tcon(tlink);
1426 oparms = (struct cifs_open_parms) {
1429 .desired_access = READ_CONTROL,
1430 .create_options = cifs_create_options(cifs_sb, 0),
1431 .disposition = FILE_OPEN,
1436 rc = CIFS_open(xid, &oparms, &oplock, NULL);
1438 rc = CIFSSMBGetCIFSACL(xid, tcon, fid.netfid, &pntsd, pacllen);
1439 CIFSSMBClose(xid, tcon, fid.netfid);
1442 cifs_put_tlink(tlink);
1445 cifs_dbg(FYI, "%s: rc = %d ACL len %d\n", __func__, rc, *pacllen);
1451 /* Retrieve an ACL from the server */
1452 struct cifs_ntsd *get_cifs_acl(struct cifs_sb_info *cifs_sb,
1453 struct inode *inode, const char *path,
1454 u32 *pacllen, u32 info)
1456 struct cifs_ntsd *pntsd = NULL;
1457 struct cifsFileInfo *open_file = NULL;
1460 open_file = find_readable_file(CIFS_I(inode), true);
1462 return get_cifs_acl_by_path(cifs_sb, path, pacllen);
1464 pntsd = get_cifs_acl_by_fid(cifs_sb, &open_file->fid, pacllen, info);
1465 cifsFileInfo_put(open_file);
1469 /* Set an ACL on the server */
1470 int set_cifs_acl(struct cifs_ntsd *pnntsd, __u32 acllen,
1471 struct inode *inode, const char *path, int aclflag)
1475 int rc, access_flags;
1476 struct cifs_tcon *tcon;
1477 struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
1478 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1479 struct cifs_fid fid;
1480 struct cifs_open_parms oparms;
1483 return PTR_ERR(tlink);
1485 tcon = tlink_tcon(tlink);
1488 if (aclflag == CIFS_ACL_OWNER || aclflag == CIFS_ACL_GROUP)
1489 access_flags = WRITE_OWNER;
1491 access_flags = WRITE_DAC;
1493 oparms = (struct cifs_open_parms) {
1496 .desired_access = access_flags,
1497 .create_options = cifs_create_options(cifs_sb, 0),
1498 .disposition = FILE_OPEN,
1503 rc = CIFS_open(xid, &oparms, &oplock, NULL);
1505 cifs_dbg(VFS, "Unable to open file to set ACL\n");
1509 rc = CIFSSMBSetCIFSACL(xid, tcon, fid.netfid, pnntsd, acllen, aclflag);
1510 cifs_dbg(NOISY, "SetCIFSACL rc = %d\n", rc);
1512 CIFSSMBClose(xid, tcon, fid.netfid);
1515 cifs_put_tlink(tlink);
1518 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
1520 /* Translate the CIFS ACL (similar to NTFS ACL) for a file into mode bits */
1522 cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr,
1523 struct inode *inode, bool mode_from_special_sid,
1524 const char *path, const struct cifs_fid *pfid)
1526 struct cifs_ntsd *pntsd = NULL;
1529 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1530 struct smb_version_operations *ops;
1533 cifs_dbg(NOISY, "converting ACL to mode for %s\n", path);
1536 return PTR_ERR(tlink);
1538 ops = tlink_tcon(tlink)->ses->server->ops;
1540 if (pfid && (ops->get_acl_by_fid))
1541 pntsd = ops->get_acl_by_fid(cifs_sb, pfid, &acllen, info);
1542 else if (ops->get_acl)
1543 pntsd = ops->get_acl(cifs_sb, inode, path, &acllen, info);
1545 cifs_put_tlink(tlink);
1548 /* if we can retrieve the ACL, now parse Access Control Entries, ACEs */
1549 if (IS_ERR(pntsd)) {
1550 rc = PTR_ERR(pntsd);
1551 cifs_dbg(VFS, "%s: error %d getting sec desc\n", __func__, rc);
1552 } else if (mode_from_special_sid) {
1553 rc = parse_sec_desc(cifs_sb, pntsd, acllen, fattr, true);
1556 /* get approximated mode from ACL */
1557 rc = parse_sec_desc(cifs_sb, pntsd, acllen, fattr, false);
1560 cifs_dbg(VFS, "parse sec desc failed rc = %d\n", rc);
1563 cifs_put_tlink(tlink);
1568 /* Convert mode bits to an ACL so we can update the ACL on the server */
1570 id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
1571 kuid_t uid, kgid_t gid)
1574 int aclflag = CIFS_ACL_DACL; /* default flag to set */
1575 __u32 secdesclen = 0;
1576 __u32 nsecdesclen = 0;
1577 __u32 dacloffset = 0;
1578 struct cifs_acl *dacl_ptr = NULL;
1579 struct cifs_ntsd *pntsd = NULL; /* acl obtained from server */
1580 struct cifs_ntsd *pnntsd = NULL; /* modified acl to be sent to server */
1581 struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
1582 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1583 struct smb_version_operations *ops;
1584 bool mode_from_sid, id_from_sid;
1588 return PTR_ERR(tlink);
1590 ops = tlink_tcon(tlink)->ses->server->ops;
1592 cifs_dbg(NOISY, "set ACL from mode for %s\n", path);
1594 /* Get the security descriptor */
1596 if (ops->get_acl == NULL) {
1597 cifs_put_tlink(tlink);
1601 pntsd = ops->get_acl(cifs_sb, inode, path, &secdesclen, info);
1602 if (IS_ERR(pntsd)) {
1603 rc = PTR_ERR(pntsd);
1604 cifs_dbg(VFS, "%s: error %d getting sec desc\n", __func__, rc);
1605 cifs_put_tlink(tlink);
1609 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MODE_FROM_SID)
1610 mode_from_sid = true;
1612 mode_from_sid = false;
1614 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UID_FROM_ACL)
1617 id_from_sid = false;
1619 /* Potentially, five new ACEs can be added to the ACL for U,G,O mapping */
1620 nsecdesclen = secdesclen;
1621 if (pnmode && *pnmode != NO_CHANGE_64) { /* chmod */
1623 nsecdesclen += 2 * sizeof(struct cifs_ace);
1625 nsecdesclen += 5 * sizeof(struct cifs_ace);
1626 } else { /* chown */
1627 /* When ownership changes, changes new owner sid length could be different */
1628 nsecdesclen = sizeof(struct cifs_ntsd) + (sizeof(struct cifs_sid) * 2);
1629 dacloffset = le32_to_cpu(pntsd->dacloffset);
1631 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
1634 le32_to_cpu(dacl_ptr->num_aces) * sizeof(struct cifs_ace);
1636 nsecdesclen += le16_to_cpu(dacl_ptr->size);
1641 * Add three ACEs for owner, group, everyone getting rid of other ACEs
1642 * as chmod disables ACEs and set the security descriptor. Allocate
1643 * memory for the smb header, set security descriptor request security
1644 * descriptor parameters, and security descriptor itself
1646 nsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);
1647 pnntsd = kmalloc(nsecdesclen, GFP_KERNEL);
1650 cifs_put_tlink(tlink);
1654 rc = build_sec_desc(pntsd, pnntsd, secdesclen, &nsecdesclen, pnmode, uid, gid,
1655 mode_from_sid, id_from_sid, &aclflag);
1657 cifs_dbg(NOISY, "build_sec_desc rc: %d\n", rc);
1659 if (ops->set_acl == NULL)
1663 /* Set the security descriptor */
1664 rc = ops->set_acl(pnntsd, nsecdesclen, inode, path, aclflag);
1665 cifs_dbg(NOISY, "set_cifs_acl rc: %d\n", rc);
1667 cifs_put_tlink(tlink);
projects / releases.git / blob