1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2020 Tintri by DDN, Inc. All rights reserved.
25 * Copyright 2022 RackTop Systems, Inc.
26 */
27
28 /*
29 * This module provides the common open functionality to the various
30 * open and create SMB interface functions.
31 */
32
33 #include <sys/types.h>
34 #include <sys/cmn_err.h>
35 #include <sys/fcntl.h>
36 #include <sys/nbmlock.h>
37 #include <smbsrv/string.h>
38 #include <smbsrv/smb2_kproto.h>
39 #include <smbsrv/smb_fsops.h>
40 #include <smbsrv/smbinfo.h>
41
42 extern uint32_t smb_is_executable(char *);
43 static void smb_delete_new_object(smb_request_t *);
44 static int smb_set_open_attributes(smb_request_t *, smb_ofile_t *);
45
46 /*
47 * smb_access_generic_to_file
48 *
49 * Search MSDN for IoCreateFile to see following mapping.
50 *
51 * GENERIC_READ STANDARD_RIGHTS_READ, FILE_READ_DATA,
52 * FILE_READ_ATTRIBUTES and FILE_READ_EA
53 *
54 * GENERIC_WRITE STANDARD_RIGHTS_WRITE, FILE_WRITE_DATA,
55 * FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, and FILE_APPEND_DATA
56 *
57 * GENERIC_EXECUTE STANDARD_RIGHTS_EXECUTE, SYNCHRONIZE, and FILE_EXECUTE.
58 */
59 static uint32_t
smb_access_generic_to_file(uint32_t desired_access)60 smb_access_generic_to_file(uint32_t desired_access)
61 {
62 uint32_t access = 0;
63
64 if (desired_access & GENERIC_ALL)
65 return (FILE_ALL_ACCESS & ~SYNCHRONIZE);
66
67 if (desired_access & GENERIC_EXECUTE) {
68 desired_access &= ~GENERIC_EXECUTE;
69 access |= (STANDARD_RIGHTS_EXECUTE |
70 SYNCHRONIZE | FILE_EXECUTE);
71 }
72
73 if (desired_access & GENERIC_WRITE) {
74 desired_access &= ~GENERIC_WRITE;
75 access |= (FILE_GENERIC_WRITE & ~SYNCHRONIZE);
76 }
77
78 if (desired_access & GENERIC_READ) {
79 desired_access &= ~GENERIC_READ;
80 access |= FILE_GENERIC_READ;
81 }
82
83 return (access | desired_access);
84 }
85
86 /*
87 * smb_omode_to_amask
88 *
89 * This function converts open modes used by Open and Open AndX
90 * commands to desired access bits used by NT Create AndX command.
91 */
92 uint32_t
smb_omode_to_amask(uint32_t desired_access)93 smb_omode_to_amask(uint32_t desired_access)
94 {
95 switch (desired_access & SMB_DA_ACCESS_MASK) {
96 case SMB_DA_ACCESS_READ:
97 return (FILE_GENERIC_READ);
98
99 case SMB_DA_ACCESS_WRITE:
100 return (FILE_GENERIC_WRITE);
101
102 case SMB_DA_ACCESS_READ_WRITE:
103 return (FILE_GENERIC_READ | FILE_GENERIC_WRITE);
104
105 case SMB_DA_ACCESS_EXECUTE:
106 return (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE);
107
108 default:
109 return (FILE_GENERIC_ALL);
110 }
111 }
112
113 /*
114 * smb_denymode_to_sharemode
115 *
116 * This function converts deny modes used by Open and Open AndX
117 * commands to share access bits used by NT Create AndX command.
118 */
119 uint32_t
smb_denymode_to_sharemode(uint32_t desired_access,char * fname)120 smb_denymode_to_sharemode(uint32_t desired_access, char *fname)
121 {
122 switch (desired_access & SMB_DA_SHARE_MASK) {
123 case SMB_DA_SHARE_COMPATIBILITY:
124 if (smb_is_executable(fname))
125 return (FILE_SHARE_READ | FILE_SHARE_WRITE);
126
127 return (FILE_SHARE_ALL);
128
129 case SMB_DA_SHARE_EXCLUSIVE:
130 return (FILE_SHARE_NONE);
131
132 case SMB_DA_SHARE_DENY_WRITE:
133 return (FILE_SHARE_READ);
134
135 case SMB_DA_SHARE_DENY_READ:
136 return (FILE_SHARE_WRITE);
137
138 case SMB_DA_SHARE_DENY_NONE:
139 default:
140 return (FILE_SHARE_READ | FILE_SHARE_WRITE);
141 }
142 }
143
144 /*
145 * smb_ofun_to_crdisposition
146 *
147 * This function converts open function values used by Open and Open AndX
148 * commands to create disposition values used by NT Create AndX command.
149 */
150 uint32_t
smb_ofun_to_crdisposition(uint16_t ofun)151 smb_ofun_to_crdisposition(uint16_t ofun)
152 {
153 static int ofun_cr_map[3][2] =
154 {
155 { -1, FILE_CREATE },
156 { FILE_OPEN, FILE_OPEN_IF },
157 { FILE_OVERWRITE, FILE_OVERWRITE_IF }
158 };
159
160 int row = ofun & SMB_OFUN_OPEN_MASK;
161 int col = (ofun & SMB_OFUN_CREATE_MASK) >> 4;
162
163 if (row == 3)
164 return (FILE_MAXIMUM_DISPOSITION + 1);
165
166 return (ofun_cr_map[row][col]);
167 }
168
169 /*
170 * smb_common_open
171 *
172 * Notes on write-through behaviour. It looks like pre-LM0.12 versions
173 * of the protocol specify the write-through mode when a file is opened,
174 * (SmbOpen, SmbOpenAndX) so the write calls (SmbWrite, SmbWriteAndClose,
175 * SmbWriteAndUnlock) don't need to contain a write-through flag.
176 *
177 * With LM0.12, the open calls (SmbCreateAndX, SmbNtTransactCreate)
178 * don't indicate which write-through mode to use. Instead the write
179 * calls (SmbWriteAndX, SmbWriteRaw) specify the mode on a per call
180 * basis.
181 *
182 * We don't care which open call was used to get us here, we just need
183 * to ensure that the write-through mode flag is copied from the open
184 * parameters to the node. We test the omode write-through flag in all
185 * write functions.
186 *
187 * This function returns NT status codes.
188 *
189 * The following rules apply when processing a file open request:
190 *
191 * - Oplocks must be broken prior to share checking as the break may
192 * cause other clients to close the file, which would affect sharing
193 * checks.
194 *
195 * - Share checks must take place prior to access checks for correct
196 * Windows semantics and to prevent unnecessary NFS delegation recalls.
197 *
198 * - Oplocks must be acquired after open to ensure the correct
199 * synchronization with NFS delegation and FEM installation.
200 *
201 * DOS readonly bit rules
202 *
203 * 1. The creator of a readonly file can write to/modify the size of the file
204 * using the original create fid, even though the file will appear as readonly
205 * to all other fids and via a CIFS getattr call.
206 *
207 * 2. A setinfo operation (using either an open fid or a path) to set/unset
208 * readonly will be successful regardless of whether a creator of a readonly
209 * file has an open fid.
210 *
211 * 3. The DOS readonly bit affects only data and some metadata.
212 * The following metadata can be changed regardless of the readonly bit:
213 * - security descriptors
214 * - DOS attributes
215 * - timestamps
216 *
217 * In the current implementation, the file size cannot be changed (except for
218 * the exceptions in #1 and #2, above).
219 *
220 *
221 * DOS attribute rules
222 *
223 * These rules are specific to creating / opening files and directories.
224 * How the attribute value (specifically ZERO or FILE_ATTRIBUTE_NORMAL)
225 * should be interpreted may differ in other requests.
226 *
227 * - An attribute value equal to ZERO or FILE_ATTRIBUTE_NORMAL means that the
228 * file's attributes should be cleared.
229 * - If FILE_ATTRIBUTE_NORMAL is specified with any other attributes,
230 * FILE_ATTRIBUTE_NORMAL is ignored.
231 *
232 * 1. Creating a new file
233 * - The request attributes + FILE_ATTRIBUTE_ARCHIVE are applied to the file.
234 *
235 * 2. Creating a new directory
236 * - The request attributes + FILE_ATTRIBUTE_DIRECTORY are applied to the file.
237 * - FILE_ATTRIBUTE_ARCHIVE does not get set.
238 *
239 * 3. Overwriting an existing file
240 * - the request attributes are used as search attributes. If the existing
241 * file does not meet the search criteria access is denied.
242 * - otherwise, applies attributes + FILE_ATTRIBUTE_ARCHIVE.
243 *
244 * 4. Opening an existing file or directory
245 * The request attributes are ignored.
246 */
247 uint32_t
smb_common_open(smb_request_t * sr)248 smb_common_open(smb_request_t *sr)
249 {
250 smb_server_t *sv = sr->sr_server;
251 smb_tree_t *tree = sr->tid_tree;
252 smb_node_t *fnode = NULL;
253 smb_node_t *dnode = NULL;
254 smb_node_t *cur_node = NULL;
255 smb_node_t *tmp_node = NULL;
256 smb_arg_open_t *op = &sr->sr_open;
257 smb_pathname_t *pn = &op->fqi.fq_path;
258 smb_ofile_t *of = NULL;
259 smb_attr_t new_attr;
260 hrtime_t shrlock_t0;
261 int max_requested = 0;
262 uint32_t max_allowed;
263 uint32_t status = NT_STATUS_SUCCESS;
264 int is_dir;
265 int rc;
266 boolean_t is_stream = B_FALSE;
267 int lookup_flags = SMB_FOLLOW_LINKS;
268 uint32_t uniq_fid = 0;
269 uint16_t tree_fid = 0;
270 boolean_t created = B_FALSE;
271 boolean_t last_comp_found = B_FALSE;
272 boolean_t stream_found = B_FALSE;
273 boolean_t opening_incr = B_FALSE;
274 boolean_t dnode_held = B_FALSE;
275 boolean_t dnode_wlock = B_FALSE;
276 boolean_t fnode_held = B_FALSE;
277 boolean_t fnode_wlock = B_FALSE;
278 boolean_t fnode_shrlk = B_FALSE;
279 boolean_t did_open = B_FALSE;
280 boolean_t did_break_handle = B_FALSE;
281 boolean_t did_cleanup_orphans = B_FALSE;
282 char *sname = NULL;
283
284 /* Get out now if we've been cancelled. */
285 mutex_enter(&sr->sr_mutex);
286 if (sr->sr_state != SMB_REQ_STATE_ACTIVE) {
287 mutex_exit(&sr->sr_mutex);
288 return (NT_STATUS_CANCELLED);
289 }
290 mutex_exit(&sr->sr_mutex);
291
292 is_dir = (op->create_options & FILE_DIRECTORY_FILE) ? 1 : 0;
293
294 /*
295 * If the object being created or opened is a directory
296 * the Disposition parameter must be one of FILE_CREATE,
297 * FILE_OPEN, or FILE_OPEN_IF
298 */
299 if (is_dir) {
300 if ((op->create_disposition != FILE_CREATE) &&
301 (op->create_disposition != FILE_OPEN_IF) &&
302 (op->create_disposition != FILE_OPEN)) {
303 return (NT_STATUS_INVALID_PARAMETER);
304 }
305 }
306
307 if (op->desired_access & MAXIMUM_ALLOWED) {
308 max_requested = 1;
309 op->desired_access &= ~MAXIMUM_ALLOWED;
310 }
311 op->desired_access = smb_access_generic_to_file(op->desired_access);
312
313 if (sr->session->s_cfg.skc_max_opens != 0 &&
314 sr->session->s_file_cnt >= sr->session->s_cfg.skc_max_opens) {
315 ASSERT(sr->uid_user);
316 cmn_err(CE_NOTE, "smbsrv[%s\\%s]: TOO_MANY_OPENED_FILES",
317 sr->uid_user->u_domain, sr->uid_user->u_name);
318 return (NT_STATUS_TOO_MANY_OPENED_FILES);
319 }
320
321 if (smb_idpool_alloc(&tree->t_fid_pool, &tree_fid))
322 return (NT_STATUS_TOO_MANY_OPENED_FILES);
323
324 /* This must be NULL at this point */
325 sr->fid_ofile = NULL;
326
327 op->devstate = 0;
328
329 switch (sr->tid_tree->t_res_type & STYPE_MASK) {
330 case STYPE_DISKTREE:
331 case STYPE_PRINTQ:
332 break;
333
334 case STYPE_IPC:
335 /*
336 * Security descriptors for pipes are not implemented,
337 * so just setup a reasonable access mask.
338 */
339 op->desired_access = (READ_CONTROL | SYNCHRONIZE |
340 FILE_READ_DATA | FILE_READ_ATTRIBUTES |
341 FILE_WRITE_DATA | FILE_APPEND_DATA);
342
343 /*
344 * Limit the number of open pipe instances.
345 */
346 if ((rc = smb_threshold_enter(&sv->sv_opipe_ct)) != 0) {
347 status = RPC_NT_SERVER_TOO_BUSY;
348 goto errout;
349 }
350
351 /*
352 * Most of IPC open is handled in smb_opipe_open()
353 */
354 op->create_options = 0;
355 of = smb_ofile_alloc(sr, op, NULL, SMB_FTYPE_MESG_PIPE,
356 tree_fid);
357 tree_fid = 0; // given to the ofile
358 status = smb_opipe_open(sr, of);
359 smb_threshold_exit(&sv->sv_opipe_ct);
360 if (status != NT_STATUS_SUCCESS)
361 goto errout;
362 return (NT_STATUS_SUCCESS);
363
364 default:
365 status = NT_STATUS_BAD_DEVICE_TYPE;
366 goto errout;
367 }
368
369 smb_pathname_init(sr, pn, pn->pn_path);
370 if (!smb_pathname_validate(sr, pn)) {
371 status = sr->smb_error.status;
372 goto errout;
373 }
374
375 if (strlen(pn->pn_path) >= SMB_MAXPATHLEN) {
376 status = NT_STATUS_OBJECT_PATH_INVALID;
377 goto errout;
378 }
379
380 if (is_dir) {
381 if (!smb_validate_dirname(sr, pn)) {
382 status = sr->smb_error.status;
383 goto errout;
384 }
385 } else {
386 if (!smb_validate_object_name(sr, pn)) {
387 status = sr->smb_error.status;
388 goto errout;
389 }
390 }
391
392 cur_node = op->fqi.fq_dnode ?
393 op->fqi.fq_dnode : sr->tid_tree->t_snode;
394
395 rc = smb_pathname_reduce(sr, sr->user_cr, pn->pn_path,
396 sr->tid_tree->t_snode, cur_node, &op->fqi.fq_dnode,
397 op->fqi.fq_last_comp);
398 if (rc != 0) {
399 status = smb_errno2status(rc);
400 goto errout;
401 }
402 dnode = op->fqi.fq_dnode;
403 dnode_held = B_TRUE;
404
405 /*
406 * Lock the parent dir node in case another create
407 * request to the same parent directory comes in.
408 * Drop this once either lookup succeeds, or we've
409 * created the object in this directory.
410 */
411 smb_node_wrlock(dnode);
412 dnode_wlock = B_TRUE;
413
414 /*
415 * If the access mask has only DELETE set (ignore
416 * FILE_READ_ATTRIBUTES), then assume that this
417 * is a request to delete the link (if a link)
418 * and do not follow links. Otherwise, follow
419 * the link to the target.
420 */
421 if ((op->desired_access & ~FILE_READ_ATTRIBUTES) == DELETE)
422 lookup_flags &= ~SMB_FOLLOW_LINKS;
423
424 /*
425 * Lookup *just* the file portion of the name.
426 * Returns stream name in sname, which this allocates
427 */
428 rc = smb_fsop_lookup_file(sr, zone_kcred(), lookup_flags,
429 sr->tid_tree->t_snode, op->fqi.fq_dnode, op->fqi.fq_last_comp,
430 &sname, &op->fqi.fq_fnode);
431
432 if (rc == 0) {
433 last_comp_found = B_TRUE;
434 fnode = op->fqi.fq_fnode;
435 fnode_held = B_TRUE;
436
437 /*
438 * Need the DOS attributes below, where we
439 * check the search attributes (sattr).
440 */
441 op->fqi.fq_fattr.sa_mask = SMB_AT_DOSATTR;
442 rc = smb_node_getattr(sr, op->fqi.fq_fnode, zone_kcred(),
443 NULL, &op->fqi.fq_fattr);
444 if (rc != 0) {
445 status = NT_STATUS_INTERNAL_ERROR;
446 goto errout;
447 }
448 } else if (rc == ENOENT) {
449 last_comp_found = B_FALSE;
450 op->fqi.fq_fnode = NULL;
451 rc = 0;
452 } else {
453 status = smb_errno2status(rc);
454 goto errout;
455 }
456
457 if (last_comp_found) {
458
459 fnode = op->fqi.fq_fnode;
460 dnode = op->fqi.fq_dnode;
461
462 if (!smb_node_is_file(fnode) &&
463 !smb_node_is_dir(fnode) &&
464 !smb_node_is_symlink(fnode)) {
465 status = NT_STATUS_ACCESS_DENIED;
466 goto errout;
467 }
468
469 /*
470 * Reject this request if either:
471 * - the target IS a directory and the client requires that
472 * it must NOT be (required by Lotus Notes)
473 * - the target is NOT a directory and client requires that
474 * it MUST be.
475 * Streams are never directories.
476 */
477 if (smb_node_is_dir(fnode) && sname == NULL) {
478 if (op->create_options & FILE_NON_DIRECTORY_FILE) {
479 status = NT_STATUS_FILE_IS_A_DIRECTORY;
480 goto errout;
481 }
482 } else {
483 if ((op->create_options & FILE_DIRECTORY_FILE) ||
484 (op->nt_flags & NT_CREATE_FLAG_OPEN_TARGET_DIR)) {
485 status = NT_STATUS_NOT_A_DIRECTORY;
486 goto errout;
487 }
488 }
489
490 /* If we're given a stream name, look it up now */
491 if (sname != NULL) {
492 tmp_node = fnode;
493 rc = smb_fsop_lookup_stream(sr, zone_kcred(),
494 lookup_flags, sr->tid_tree->t_snode, fnode, sname,
495 &fnode);
496 } else {
497 rc = 0;
498 }
499
500 if (rc == 0) { /* Stream Exists (including unnamed stream) */
501 stream_found = B_TRUE;
502 smb_node_unlock(dnode);
503 dnode_wlock = B_FALSE;
504
505 if (tmp_node != NULL)
506 smb_node_release(tmp_node);
507
508 /*
509 * No more open should be accepted when
510 * "Delete on close" flag is set.
511 */
512 if (fnode->flags & NODE_FLAGS_DELETE_ON_CLOSE) {
513 status = NT_STATUS_DELETE_PENDING;
514 goto errout;
515 }
516
517 /*
518 * Specified file already exists
519 * so the operation should fail.
520 */
521 if (op->create_disposition == FILE_CREATE) {
522 status = NT_STATUS_OBJECT_NAME_COLLISION;
523 goto errout;
524 }
525
526 if ((op->create_disposition == FILE_SUPERSEDE) ||
527 (op->create_disposition == FILE_OVERWRITE_IF) ||
528 (op->create_disposition == FILE_OVERWRITE)) {
529
530 if (sname == NULL) {
531 if (!smb_sattr_check(
532 op->fqi.fq_fattr.sa_dosattr,
533 op->dattr)) {
534 status =
535 NT_STATUS_ACCESS_DENIED;
536 goto errout;
537 }
538 op->desired_access |=
539 FILE_WRITE_ATTRIBUTES;
540 }
541
542 if (smb_node_is_dir(fnode)) {
543 status = NT_STATUS_ACCESS_DENIED;
544 goto errout;
545 }
546 }
547
548 /* MS-FSA 2.1.5.1.2 */
549 if (op->create_disposition == FILE_SUPERSEDE)
550 op->desired_access |= DELETE;
551 if ((op->create_disposition == FILE_OVERWRITE_IF) ||
552 (op->create_disposition == FILE_OVERWRITE))
553 op->desired_access |= FILE_WRITE_DATA;
554 } else if (rc == ENOENT) { /* File Exists, but Stream doesn't */
555 if (op->create_disposition == FILE_OPEN ||
556 op->create_disposition == FILE_OVERWRITE) {
557 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
558 goto errout;
559 }
560
561 op->desired_access |= FILE_WRITE_DATA;
562 } else { /* Error looking up stream */
563 status = smb_errno2status(rc);
564 fnode = tmp_node;
565 goto errout;
566 }
567
568 /*
569 * Windows seems to check read-only access before file
570 * sharing check.
571 *
572 * Check to see if the file is currently readonly (regardless
573 * of whether this open will make it readonly).
574 * Readonly is ignored on directories.
575 */
576 if (SMB_PATHFILE_IS_READONLY(sr, fnode) &&
577 !smb_node_is_dir(fnode)) {
578 if (op->desired_access &
579 (FILE_WRITE_DATA | FILE_APPEND_DATA)) {
580 status = NT_STATUS_ACCESS_DENIED;
581 goto errout;
582 }
583 if (op->create_options & FILE_DELETE_ON_CLOSE) {
584 status = NT_STATUS_CANNOT_DELETE;
585 goto errout;
586 }
587 }
588
589 /* Dataset roots can't be deleted, so don't set DOC */
590 if ((op->create_options & FILE_DELETE_ON_CLOSE) != 0 &&
591 (fnode->flags & NODE_FLAGS_VFSROOT) != 0) {
592 status = NT_STATUS_CANNOT_DELETE;
593 goto errout;
594 }
595
596 status = smb_fsop_access(sr, sr->user_cr, fnode,
597 op->desired_access);
598
599 if (status != NT_STATUS_SUCCESS)
600 goto errout;
601
602 if (max_requested) {
603 smb_fsop_eaccess(sr, sr->user_cr, fnode, &max_allowed);
604 op->desired_access |= max_allowed;
605 }
606
607 /*
608 * File owner should always get read control + read attr.
609 * Avoid asking for va_uid if we can (expensive) so
610 * only check if we don't already have access.
611 */
612 if ((op->desired_access &
613 (READ_CONTROL | FILE_READ_ATTRIBUTES)) == 0) {
614 op->fqi.fq_fattr.sa_mask = SMB_AT_DOSATTR | SMB_AT_UID;
615 rc = smb_node_getattr(sr, op->fqi.fq_fnode,
616 zone_kcred(), NULL, &op->fqi.fq_fattr);
617 if (rc == 0 && crgetuid(sr->user_cr) ==
618 op->fqi.fq_fattr.sa_vattr.va_uid) {
619 op->desired_access |=
620 (READ_CONTROL | FILE_READ_ATTRIBUTES);
621 }
622 }
623
624 /*
625 * According to MS "dochelp" mail in Mar 2015, any handle
626 * on which read or write access is granted implicitly
627 * gets "read attributes", even if it was not requested.
628 */
629 if ((op->desired_access & FILE_DATA_ALL) != 0)
630 op->desired_access |= FILE_READ_ATTRIBUTES;
631
632 /* If the stream didn't exist, create it now */
633 if (!stream_found) {
634 smb_node_t *tmp_node = fnode;
635
636 bzero(&new_attr, sizeof (new_attr));
637 new_attr.sa_vattr.va_type = VREG;
638 new_attr.sa_vattr.va_mode = S_IRUSR;
639 new_attr.sa_mask |= SMB_AT_TYPE | SMB_AT_MODE;
640
641 rc = smb_fsop_create_stream(sr, sr->user_cr, dnode,
642 fnode, sname, lookup_flags, &new_attr, &fnode);
643 smb_node_release(tmp_node);
644
645 if (rc != 0) {
646 status = smb_errno2status(rc);
647 fnode_held = B_FALSE;
648 goto errout;
649 }
650 op->action_taken = SMB_OACT_CREATED;
651 created = B_TRUE;
652
653 smb_node_unlock(dnode);
654 dnode_wlock = B_FALSE;
655 }
656
657 /*
658 * Oplock break is done prior to sharing checks as the break
659 * may cause other clients to close the file which would
660 * affect the sharing checks, and may delete the file due to
661 * DELETE_ON_CLOSE. This may block, so set the file opening
662 * count before oplock stuff.
663 *
664 * Need the "proposed" ofile (and its TargetOplockKey) for
665 * correct oplock break semantics.
666 */
667 of = smb_ofile_alloc(sr, op, fnode, SMB_FTYPE_DISK,
668 tree_fid);
669 tree_fid = 0; // given to the ofile
670 uniq_fid = of->f_uniqid;
671
672 smb_node_inc_opening_count(fnode);
673 opening_incr = B_TRUE;
674
675 if (!stream_found) {
676 /*
677 * Stake our Share Access claim.
678 */
679 smb_node_wrlock(fnode);
680 fnode_wlock = B_TRUE;
681
682 status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid,
683 op->desired_access, op->share_access);
684 if (status != 0)
685 goto errout;
686
687 fnode_shrlk = B_TRUE;
688 smb_node_unlock(fnode);
689 fnode_wlock = B_FALSE;
690 goto stream_created;
691 }
692
693 /*
694 * XXX Supposed to do share access checks next.
695 * [MS-FSA] describes that as part of access check:
696 * 2.1.5.1.2.1 Alg... Check Access to an Existing File
697 *
698 * If CreateDisposition is FILE_OPEN or FILE_OPEN_IF:
699 * If Open.Stream.Oplock is not empty and
700 * Open.Stream.Oplock.State contains BATCH_OPLOCK,
701 * the object store MUST check for an oplock
702 * break according to the algorithm in section 2.1.4.12,
703 * with input values as follows:
704 * Open equal to this operation's Open
705 * Oplock equal to Open.Stream.Oplock
706 * Operation equal to "OPEN"
707 * OpParams containing two members:
708 * DesiredAccess, CreateDisposition
709 *
710 * It's not clear how Windows would ask the FS layer if
711 * the file has a BATCH oplock. We'll use a call to the
712 * common oplock code, which calls smb_oplock_break_OPEN
713 * only if the oplock state contains BATCH_OPLOCK.
714 * See: smb_oplock_break_BATCH()
715 *
716 * Also note: There's a nearly identical section in the
717 * spec. at the start of the "else" part of the above
718 * "if (disposition is overwrite, overwrite_if)" so this
719 * section (oplock break, the share mode check, and the
720 * next oplock_break_HANDLE) are all factored out to be
721 * in all cases above that if/else from the spec.
722 */
723 status = smb_oplock_break_BATCH(fnode, of,
724 op->desired_access, op->create_disposition);
725 if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) {
726 if (sr->session->dialect >= SMB_VERS_2_BASE)
727 (void) smb2sr_go_async(sr);
728 status = smb_oplock_wait_break(sr, fnode, 0);
729 }
730 if (status != NT_STATUS_SUCCESS)
731 goto errout;
732
733 /*
734 * Check for sharing violations, and if any,
735 * do oplock break of handle caching.
736 *
737 * Need node_wrlock during shrlock checks,
738 * and not locked during oplock breaks etc.
739 */
740 shrlock_t0 = gethrtime();
741 shrlock_again:
742 smb_node_wrlock(fnode);
743 fnode_wlock = B_TRUE;
744 status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid,
745 op->desired_access, op->share_access);
746 smb_node_unlock(fnode);
747 fnode_wlock = B_FALSE;
748
749 /*
750 * [MS-FSA] "OPEN_BREAK_H"
751 * If the (proposed) new open would violate sharing rules,
752 * indicate an oplock break with OPEN_BREAK_H (to break
753 * handle level caching rights) then try again.
754 */
755 if (status == NT_STATUS_SHARING_VIOLATION &&
756 did_break_handle == B_FALSE) {
757 did_break_handle = B_TRUE;
758
759 status = smb_oplock_break_HANDLE(fnode, of);
760 if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) {
761 if (sr->session->dialect >= SMB_VERS_2_BASE)
762 (void) smb2sr_go_async(sr);
763 status = smb_oplock_wait_break(sr, fnode, 0);
764 } else {
765 /*
766 * Even when the oplock layer does NOT
767 * give us the special status indicating
768 * we should wait, it may have scheduled
769 * taskq jobs that may close handles.
770 * Give those a chance to run before we
771 * check again for sharing violations.
772 */
773 delay(MSEC_TO_TICK(10));
774 }
775 if (status != NT_STATUS_SUCCESS)
776 goto errout;
777
778 goto shrlock_again;
779 }
780
781 /*
782 * If we still have orphaned durable handles on this file,
783 * let's assume the client has lost interest in those and
784 * close them so they don't cause sharing violations.
785 * See longer comment at smb2_dh_close_my_orphans().
786 */
787 if (status == NT_STATUS_SHARING_VIOLATION &&
788 sr->session->dialect >= SMB_VERS_2_BASE &&
789 did_cleanup_orphans == B_FALSE) {
790
791 did_cleanup_orphans = B_TRUE;
792 smb2_dh_close_my_orphans(sr, of);
793
794 goto shrlock_again;
795 }
796
797 /*
798 * SMB1 expects a 1 sec. delay before returning a
799 * sharing violation error. If breaking oplocks
800 * above took less than a sec, wait some more.
801 * See: smbtorture base.defer_open
802 */
803 if (status == NT_STATUS_SHARING_VIOLATION &&
804 sr->session->dialect < SMB_VERS_2_BASE) {
805 hrtime_t t1 = shrlock_t0 + NANOSEC;
806 hrtime_t now = gethrtime();
807 if (now < t1) {
808 delay(NSEC_TO_TICK_ROUNDUP(t1 - now));
809 }
810 }
811
812 if (status != NT_STATUS_SUCCESS)
813 goto errout;
814 fnode_shrlk = B_TRUE;
815
816 /*
817 * The [MS-FSA] spec. describes this oplock break as
818 * part of the sharing access checks. See:
819 * 2.1.5.1.2.2 Algorithm to Check Sharing Access...
820 * At the end of the share mode tests described there,
821 * if it has not returned "sharing violation", it
822 * specifies a call to the alg. in sec. 2.1.4.12,
823 * that boils down to: smb_oplock_break_OPEN()
824 */
825 status = smb_oplock_break_OPEN(fnode, of,
826 op->desired_access,
827 op->create_disposition);
828 if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) {
829 if (sr->session->dialect >= SMB_VERS_2_BASE)
830 (void) smb2sr_go_async(sr);
831 status = smb_oplock_wait_break(sr, fnode, 0);
832 }
833 if (status != NT_STATUS_SUCCESS)
834 goto errout;
835
836 if ((fnode->flags & NODE_FLAGS_DELETE_COMMITTED) != 0) {
837 /*
838 * Breaking the oplock caused the file to be deleted,
839 * so let's bail and pretend the file wasn't found.
840 * Have to duplicate much of the logic found a the
841 * "errout" label here.
842 *
843 * This code path is exercised by smbtorture
844 * smb2.durable-open.delete_on_close1
845 */
846 DTRACE_PROBE1(node_deleted, smb_node_t *, fnode);
847 tree_fid = of->f_fid;
848 of->f_fid = 0;
849 smb_ofile_free(of);
850 of = NULL;
851 last_comp_found = B_FALSE;
852
853 /*
854 * Get all the holds and locks into the state
855 * they would have if lookup had failed.
856 */
857 fnode_shrlk = B_FALSE;
858 smb_fsop_unshrlock(sr->user_cr, fnode, uniq_fid);
859
860 opening_incr = B_FALSE;
861 smb_node_dec_opening_count(fnode);
862
863 fnode_held = B_FALSE;
864 smb_node_release(fnode);
865
866 dnode_wlock = B_TRUE;
867 smb_node_wrlock(dnode);
868
869 goto create;
870 }
871
872 /*
873 * Go ahead with modifications as necessary.
874 */
875 switch (op->create_disposition) {
876 case FILE_SUPERSEDE:
877 case FILE_OVERWRITE_IF:
878 case FILE_OVERWRITE:
879 bzero(&new_attr, sizeof (new_attr));
880 if (sname == NULL) {
881 op->dattr |= FILE_ATTRIBUTE_ARCHIVE;
882 /*
883 * Don't apply readonly until
884 * smb_set_open_attributes
885 */
886 if (op->dattr & FILE_ATTRIBUTE_READONLY) {
887 op->dattr &= ~FILE_ATTRIBUTE_READONLY;
888 op->created_readonly = B_TRUE;
889 }
890 new_attr.sa_dosattr = op->dattr;
891 } else {
892 new_attr.sa_dosattr = FILE_ATTRIBUTE_ARCHIVE;
893 }
894
895 /*
896 * Truncate the file data here.
897 * We set alloc_size = op->dsize later,
898 * after we have an ofile. See:
899 * smb_set_open_attributes
900 */
901 new_attr.sa_vattr.va_size = 0;
902 new_attr.sa_mask = SMB_AT_DOSATTR | SMB_AT_SIZE;
903 rc = smb_fsop_setattr(sr, sr->user_cr, fnode,
904 &new_attr);
905 if (rc != 0) {
906 status = smb_errno2status(rc);
907 goto errout;
908 }
909
910 /*
911 * If file is being replaced, remove existing streams
912 */
913 if (SMB_IS_STREAM(fnode) == 0) {
914 status = smb_fsop_remove_streams(sr,
915 sr->user_cr, fnode);
916 if (status != 0)
917 goto errout;
918 }
919
920 op->action_taken = SMB_OACT_TRUNCATED;
921 break;
922
923 default:
924 /*
925 * FILE_OPEN or FILE_OPEN_IF.
926 */
927 /*
928 * Ignore any user-specified alloc_size for
929 * existing files, to avoid truncation in
930 * smb_set_open_attributes
931 */
932 op->dsize = 0L;
933 op->action_taken = SMB_OACT_OPENED;
934 break;
935 }
936 } else {
937 create:
938 /* Last component was not found. */
939 dnode = op->fqi.fq_dnode;
940
941 if (is_dir == 0)
942 is_stream = smb_is_stream_name(pn->pn_path);
943
944 if ((op->create_disposition == FILE_OPEN) ||
945 (op->create_disposition == FILE_OVERWRITE)) {
946 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
947 goto errout;
948 }
949
950 if (is_dir != 0 &&
951 (op->dattr & FILE_ATTRIBUTE_TEMPORARY) != 0) {
952 status = NT_STATUS_INVALID_PARAMETER;
953 goto errout;
954 }
955
956 if ((op->dattr & FILE_ATTRIBUTE_READONLY) != 0 &&
957 (op->create_options & FILE_DELETE_ON_CLOSE) != 0) {
958 status = NT_STATUS_CANNOT_DELETE;
959 goto errout;
960 }
961
962 if ((op->desired_access & ACCESS_SYSTEM_SECURITY) != 0 &&
963 !smb_user_has_security_priv(sr->uid_user, sr->user_cr)) {
964 status = NT_STATUS_ACCESS_DENIED;
965 goto errout;
966 }
967
968 if (pn->pn_fname && smb_is_invalid_filename(pn->pn_fname)) {
969 status = NT_STATUS_OBJECT_NAME_INVALID;
970 goto errout;
971 }
972
973 /*
974 * Don't create in directories marked "Delete on close".
975 */
976 if (dnode->flags & NODE_FLAGS_DELETE_ON_CLOSE) {
977 status = NT_STATUS_DELETE_PENDING;
978 goto errout;
979 }
980
981 /*
982 * Create always sets the DOS attributes, type, and mode
983 * in the if/else below (different for file vs directory).
984 * Don't set the readonly bit until smb_set_open_attributes
985 * or that would prevent this open. Note that op->dattr
986 * needs to be what smb_set_open_attributes will use,
987 * except for the readonly bit.
988 */
989 bzero(&new_attr, sizeof (new_attr));
990 new_attr.sa_mask = SMB_AT_DOSATTR | SMB_AT_TYPE | SMB_AT_MODE;
991 if (op->dattr & FILE_ATTRIBUTE_READONLY) {
992 op->dattr &= ~FILE_ATTRIBUTE_READONLY;
993 op->created_readonly = B_TRUE;
994 }
995
996 /*
997 * SMB create can specify the create time.
998 */
999 if ((op->crtime.tv_sec != 0) &&
1000 (op->crtime.tv_sec != UINT_MAX)) {
1001 new_attr.sa_mask |= SMB_AT_CRTIME;
1002 new_attr.sa_crtime = op->crtime;
1003 }
1004
1005 if (is_dir == 0) {
1006 op->dattr |= FILE_ATTRIBUTE_ARCHIVE;
1007 new_attr.sa_dosattr = op->dattr;
1008 new_attr.sa_vattr.va_type = VREG;
1009 if (is_stream)
1010 new_attr.sa_vattr.va_mode = S_IRUSR | S_IWUSR;
1011 else
1012 new_attr.sa_vattr.va_mode =
1013 S_IRUSR | S_IRGRP | S_IROTH |
1014 S_IWUSR | S_IWGRP | S_IWOTH;
1015
1016 /*
1017 * We set alloc_size = op->dsize later,
1018 * (in smb_set_open_attributes) after we
1019 * have an ofile on which to save that.
1020 *
1021 * Legacy Open&X sets size to alloc_size
1022 * when creating a new file.
1023 */
1024 if (sr->smb_com == SMB_COM_OPEN_ANDX) {
1025 new_attr.sa_vattr.va_size = op->dsize;
1026 new_attr.sa_mask |= SMB_AT_SIZE;
1027 }
1028
1029 rc = smb_fsop_create(sr, sr->user_cr, dnode,
1030 op->fqi.fq_last_comp, &new_attr, &op->fqi.fq_fnode);
1031 } else {
1032 op->dattr |= FILE_ATTRIBUTE_DIRECTORY;
1033 new_attr.sa_dosattr = op->dattr;
1034 new_attr.sa_vattr.va_type = VDIR;
1035 new_attr.sa_vattr.va_mode = 0777;
1036
1037 rc = smb_fsop_mkdir(sr, sr->user_cr, dnode,
1038 op->fqi.fq_last_comp, &new_attr, &op->fqi.fq_fnode);
1039 }
1040 if (rc != 0) {
1041 status = smb_errno2status(rc);
1042 goto errout;
1043 }
1044
1045 /* Create done. */
1046 smb_node_unlock(dnode);
1047 dnode_wlock = B_FALSE;
1048
1049 created = B_TRUE;
1050 op->action_taken = SMB_OACT_CREATED;
1051
1052 /* Note: hold from create */
1053 fnode = op->fqi.fq_fnode;
1054 fnode_held = B_TRUE;
1055
1056 if (max_requested) {
1057 smb_fsop_eaccess(sr, sr->user_cr, fnode, &max_allowed);
1058 op->desired_access |= max_allowed;
1059 }
1060 /*
1061 * We created this object (we own it) so grant
1062 * read_control + read_attributes on this handle,
1063 * even if that was not requested. This avoids
1064 * unexpected access failures later.
1065 */
1066 op->desired_access |= (READ_CONTROL | FILE_READ_ATTRIBUTES);
1067
1068 /* Allocate the ofile and fill in most of it. */
1069 of = smb_ofile_alloc(sr, op, fnode, SMB_FTYPE_DISK,
1070 tree_fid);
1071 tree_fid = 0; // given to the ofile
1072 uniq_fid = of->f_uniqid;
1073
1074 smb_node_inc_opening_count(fnode);
1075 opening_incr = B_TRUE;
1076
1077 /*
1078 * Share access checks...
1079 */
1080 smb_node_wrlock(fnode);
1081 fnode_wlock = B_TRUE;
1082
1083 status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid,
1084 op->desired_access, op->share_access);
1085 if (status != 0)
1086 goto errout;
1087 fnode_shrlk = B_TRUE;
1088
1089 /*
1090 * MS-FSA 2.1.5.1.1
1091 * If the Oplock member of the DirectoryStream in
1092 * Link.ParentFile.StreamList (ParentOplock) is
1093 * not empty ... oplock break on the parent...
1094 * (dnode is the parent directory)
1095 *
1096 * This compares of->ParentOplockKey with each
1097 * oplock of->TargetOplockKey and breaks...
1098 * so it's OK that we're passing an OF that's
1099 * NOT a member of dnode->n_ofile_list
1100 *
1101 * The break never blocks, so ignore the return.
1102 */
1103 (void) smb_oplock_break_PARENT(dnode, of);
1104 }
1105
1106 stream_created:
1107 /*
1108 * We might have blocked in smb_oplock_break_OPEN long enough
1109 * so a tree disconnect might have happened. In that case,
1110 * we would be adding an ofile to a tree that's disconnecting,
1111 * which would interfere with tear-down. If so, error out.
1112 */
1113 if (!smb_tree_is_connected(sr->tid_tree)) {
1114 status = NT_STATUS_INVALID_PARAMETER;
1115 goto errout;
1116 }
1117
1118 /*
1119 * Moved this up from smb_ofile_open()
1120 */
1121 if ((rc = smb_fsop_open(fnode, of->f_mode, of->f_cr)) != 0) {
1122 status = smb_errno2status(rc);
1123 goto errout;
1124 }
1125
1126 /*
1127 * Complete this open (add to ofile lists)
1128 */
1129 smb_ofile_open(sr, op, of);
1130 did_open = B_TRUE;
1131
1132 /*
1133 * This MUST be done after ofile creation, so that explicitly
1134 * set timestamps can be remembered on the ofile, and setting
1135 * the readonly flag won't affect access via this open.
1136 */
1137 if ((rc = smb_set_open_attributes(sr, of)) != 0) {
1138 status = smb_errno2status(rc);
1139 goto errout;
1140 }
1141
1142 /*
1143 * We've already done access checks above,
1144 * and want this call to succeed even when
1145 * !(desired_access & FILE_READ_ATTRIBUTES),
1146 * so pass kcred here.
1147 */
1148 op->fqi.fq_fattr.sa_mask = SMB_AT_ALL;
1149 (void) smb_node_getattr(sr, fnode, zone_kcred(), of,
1150 &op->fqi.fq_fattr);
1151
1152 /*
1153 * Propagate the write-through mode from the open params
1154 * to the node: see the notes in the function header.
1155 * XXX: write_through should be a flag on the ofile.
1156 */
1157 if (sr->sr_cfg->skc_sync_enable ||
1158 (op->create_options & FILE_WRITE_THROUGH))
1159 fnode->flags |= NODE_FLAGS_WRITE_THROUGH;
1160
1161 /*
1162 * Set up the fileid and dosattr in open_param for response
1163 */
1164 op->fileid = op->fqi.fq_fattr.sa_vattr.va_nodeid;
1165 op->dattr = op->fqi.fq_fattr.sa_dosattr;
1166
1167 /*
1168 * Set up the file type in open_param for the response
1169 */
1170 op->ftype = SMB_FTYPE_DISK;
1171 sr->smb_fid = of->f_fid;
1172 sr->fid_ofile = of;
1173
1174 if (smb_node_is_file(fnode)) {
1175 op->dsize = op->fqi.fq_fattr.sa_vattr.va_size;
1176 } else {
1177 /* directory or symlink */
1178 op->dsize = 0;
1179 }
1180
1181 /*
1182 * Note: oplock_acquire happens in callers, because
1183 * how that happens is protocol-specific.
1184 */
1185
1186 if (sname != NULL)
1187 kmem_free(sname, MAXNAMELEN);
1188 if (fnode_wlock)
1189 smb_node_unlock(fnode);
1190 if (opening_incr)
1191 smb_node_dec_opening_count(fnode);
1192 if (fnode_held)
1193 smb_node_release(fnode);
1194 if (dnode_wlock)
1195 smb_node_unlock(dnode);
1196 if (dnode_held)
1197 smb_node_release(dnode);
1198
1199 return (NT_STATUS_SUCCESS);
1200
1201 errout:
1202 if (did_open) {
1203 smb_ofile_close(of, 0);
1204 /* rele via sr->fid_ofile */
1205 } else if (of != NULL) {
1206 /* No other refs possible */
1207 smb_ofile_free(of);
1208 }
1209
1210 if (fnode_shrlk)
1211 smb_fsop_unshrlock(sr->user_cr, fnode, uniq_fid);
1212
1213 if (created) {
1214 /* Try to roll-back create. */
1215 smb_delete_new_object(sr);
1216 }
1217
1218 if (sname != NULL)
1219 kmem_free(sname, MAXNAMELEN);
1220 if (fnode_wlock)
1221 smb_node_unlock(fnode);
1222 if (opening_incr)
1223 smb_node_dec_opening_count(fnode);
1224 if (fnode_held)
1225 smb_node_release(fnode);
1226 if (dnode_wlock)
1227 smb_node_unlock(dnode);
1228 if (dnode_held)
1229 smb_node_release(dnode);
1230
1231 if (tree_fid != 0)
1232 smb_idpool_free(&tree->t_fid_pool, tree_fid);
1233
1234 return (status);
1235 }
1236
1237 /*
1238 * smb_set_open_attributes
1239 *
1240 * Last write time:
1241 * - If the last_write time specified in the open params is not 0 or -1,
1242 * use it as file's mtime. This will be considered an explicitly set
1243 * timestamps, not reset by subsequent writes.
1244 *
1245 * DOS attributes
1246 * - If we created_readonly, we now store the real DOS attributes
1247 * (including the readonly bit) so subsequent opens will see it.
1248 *
1249 * Returns: errno
1250 */
1251 static int
smb_set_open_attributes(smb_request_t * sr,smb_ofile_t * of)1252 smb_set_open_attributes(smb_request_t *sr, smb_ofile_t *of)
1253 {
1254 smb_attr_t attr;
1255 smb_arg_open_t *op = &sr->sr_open;
1256 smb_node_t *node = of->f_node;
1257 int rc = 0;
1258
1259 bzero(&attr, sizeof (smb_attr_t));
1260
1261 if (op->created_readonly) {
1262 attr.sa_dosattr = op->dattr | FILE_ATTRIBUTE_READONLY;
1263 attr.sa_mask |= SMB_AT_DOSATTR;
1264 }
1265
1266 if (op->dsize != 0) {
1267 attr.sa_allocsz = op->dsize;
1268 attr.sa_mask |= SMB_AT_ALLOCSZ;
1269 }
1270
1271 if ((op->mtime.tv_sec != 0) && (op->mtime.tv_sec != UINT_MAX)) {
1272 attr.sa_vattr.va_mtime = op->mtime;
1273 attr.sa_mask |= SMB_AT_MTIME;
1274 }
1275
1276 if (attr.sa_mask != 0)
1277 rc = smb_node_setattr(sr, node, of->f_cr, of, &attr);
1278
1279 return (rc);
1280 }
1281
1282 /*
1283 * This function is used to delete a newly created object (file or
1284 * directory) if an error occurs after creation of the object.
1285 */
1286 static void
smb_delete_new_object(smb_request_t * sr)1287 smb_delete_new_object(smb_request_t *sr)
1288 {
1289 smb_arg_open_t *op = &sr->sr_open;
1290 smb_fqi_t *fqi = &(op->fqi);
1291 uint32_t flags = 0;
1292
1293 if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1294 flags |= SMB_IGNORE_CASE;
1295 if (SMB_TREE_SUPPORTS_CATIA(sr))
1296 flags |= SMB_CATIA;
1297
1298 if (op->create_options & FILE_DIRECTORY_FILE)
1299 (void) smb_fsop_rmdir(sr, sr->user_cr, fqi->fq_dnode,
1300 fqi->fq_last_comp, flags);
1301 else
1302 (void) smb_fsop_remove(sr, sr->user_cr, fqi->fq_dnode,
1303 fqi->fq_last_comp, flags);
1304 }
1305