1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * 25 * Copyright 2017 Nexenta Systems, Inc. All rights reserved. 26 * Copyright (c) 2016 by Delphix. All rights reserved. 27 * Copyright 2022 RackTop Systems, Inc. 28 */ 29 30 #ifndef _SMBSRV_NTIFS_H 31 #define _SMBSRV_NTIFS_H 32 33 /* 34 * This file provides definitions compatible with the NT Installable 35 * File System (IFS) interface. This header file also defines the Security 36 * Descriptor module from Windows. 37 */ 38 39 #ifdef __cplusplus 40 extern "C" { 41 #endif 42 43 #include <sys/acl.h> 44 #include <sys/list.h> 45 #include <smbsrv/smb_sid.h> 46 47 /* 48 * The Volume and Directory bits are for SMB rather than NT. 49 * NT has an explicit Normal bit; this bit is implied in SMB 50 * when the Hidden, System and Directory bits are not set. 51 * 52 * File attributes and creation flags share the same 32-bit 53 * space. 54 */ 55 #define FILE_ATTRIBUTE_READONLY 0x00000001 56 #define FILE_ATTRIBUTE_HIDDEN 0x00000002 57 #define FILE_ATTRIBUTE_SYSTEM 0x00000004 58 #define FILE_ATTRIBUTE_VOLUME 0x00000008 59 #define FILE_ATTRIBUTE_DIRECTORY 0x00000010 60 #define FILE_ATTRIBUTE_ARCHIVE 0x00000020 61 #define FILE_ATTRIBUTE_DEVICE 0x00000040 62 #define FILE_ATTRIBUTE_NORMAL 0x00000080 63 #define FILE_ATTRIBUTE_TEMPORARY 0x00000100 64 #define FILE_ATTRIBUTE_SPARSE_FILE 0x00000200 65 #define FILE_ATTRIBUTE_REPARSE_POINT 0x00000400 66 #define FILE_ATTRIBUTE_COMPRESSED 0x00000800 67 #define FILE_ATTRIBUTE_OFFLINE 0x00001000 68 #define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000 69 #define FILE_ATTRIBUTE_ENCRYPTED 0x00004000 70 #define FILE_ATTRIBUTE_VIRTUAL 0x00010000 71 #define FILE_FLAG_OPEN_NO_RECALL 0x00100000 72 #define FILE_FLAG_OPEN_REPARSE_POINT 0x00200000 73 #define FILE_FLAG_POSIX_SEMANTICS 0x01000000 74 #define FILE_FLAG_BACKUP_SEMANTICS 0x02000000 75 #define FILE_FLAG_DELETE_ON_CLOSE 0x04000000 76 #define FILE_FLAG_SEQUENTIAL_SCAN 0x08000000 77 #define FILE_FLAG_RANDOM_ACCESS 0x10000000 78 #define FILE_FLAG_NO_BUFFERING 0x20000000 79 #define FILE_FLAG_OVERLAPPED 0x40000000 80 #define FILE_FLAG_WRITE_THROUGH 0x80000000 81 82 #define FILE_ATTRIBUTE_VALID_FLAGS 0x00001fb7 83 #define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x00001fa7 84 #define FILE_ATTRIBUTE_MASK 0x00003FFF 85 86 /* 87 * The create/open option flags: used in NtCreateAndx and NtTransactCreate 88 * SMB requests. 89 * 90 * The CreateOptions specify the options to be applied when creating or 91 * opening the file, as a compatible combination of the following flags: 92 * 93 * FILE_DIRECTORY_FILE 94 * The file being created or opened is a directory file. With this 95 * flag, the Disposition parameter must be set to one of FILE_CREATE, 96 * FILE_OPEN, or FILE_OPEN_IF. With this flag, other compatible 97 * CreateOptions flags include only the following: 98 * FILE_SYNCHRONOUS_IO_ALERT 99 * FILE_SYNCHRONOUS_IO_NONALERT 100 * FILE_WRITE_THROUGH 101 * FILE_OPEN_FOR_BACKUP_INTENT 102 * FILE_OPEN_BY_FILE_ID 103 * 104 * FILE_NON_DIRECTORY_FILE 105 * The file being opened must not be a directory file or this call 106 * will fail. The file object being opened can represent a data file, 107 * a logical, virtual, or physical device, or a volume. 108 * 109 * FILE_WRITE_THROUGH 110 * System services, FSDs, and drivers that write data to the file must 111 * actually transfer the data into the file before any requested write 112 * operation is considered complete. This flag is automatically set if 113 * the CreateOptions flag FILE_NO_INTERMEDIATE _BUFFERING is set. 114 * 115 * FILE_SEQUENTIAL_ONLY 116 * All accesses to the file will be sequential. 117 * 118 * FILE_RANDOM_ACCESS 119 * Accesses to the file can be random, so no sequential read-ahead 120 * operations should be performed on the file by FSDs or the system. 121 * FILE_NO_INTERMEDIATE _BUFFERING The file cannot be cached or 122 * buffered in a driver's internal buffers. This flag is incompatible 123 * with the DesiredAccess FILE_APPEND_DATA flag. 124 * 125 * FILE_SYNCHRONOUS_IO_ALERT 126 * All operations on the file are performed synchronously. Any wait 127 * on behalf of the caller is subject to premature termination from 128 * alerts. This flag also causes the I/O system to maintain the file 129 * position context. If this flag is set, the DesiredAccess 130 * SYNCHRONIZE flag also must be set. 131 * 132 * FILE_SYNCHRONOUS_IO _NONALERT 133 * All operations on the file are performed synchronously. Waits in 134 * the system to synchronize I/O queuing and completion are not subject 135 * to alerts. This flag also causes the I/O system to maintain the file 136 * position context. If this flag is set, the DesiredAccess SYNCHRONIZE 137 * flag also must be set. 138 * 139 * FILE_CREATE_TREE _CONNECTION 140 * Create a tree connection for this file in order to open it over the 141 * network. This flag is irrelevant to device and intermediate drivers. 142 * 143 * FILE_COMPLETE_IF_OPLOCKED 144 * Complete this operation immediately with an alternate success code 145 * if the target file is oplocked, rather than blocking the caller's 146 * thread. If the file is oplocked, another caller already has access 147 * to the file over the network. This flag is irrelevant to device and 148 * intermediate drivers. 149 * 150 * FILE_NO_EA_KNOWLEDGE 151 * If the extended attributes on an existing file being opened indicate 152 * that the caller must understand EAs to properly interpret the file, 153 * fail this request because the caller does not understand how to deal 154 * with EAs. Device and intermediate drivers can ignore this flag. 155 * 156 * FILE_DELETE_ON_CLOSE 157 * Delete the file when the last reference to it is passed to close. 158 * 159 * FILE_OPEN_BY_FILE_ID 160 * The file name contains the name of a device and a 64-bit ID to 161 * be used to open the file. This flag is irrelevant to device and 162 * intermediate drivers. 163 * 164 * FILE_OPEN_FOR_BACKUP _INTENT 165 * The file is being opened for backup intent, hence, the system should 166 * check for certain access rights and grant the caller the appropriate 167 * accesses to the file before checking the input DesiredAccess against 168 * the file's security descriptor. This flag is irrelevant to device 169 * and intermediate drivers. 170 */ 171 #define FILE_DIRECTORY_FILE 0x00000001 172 #define FILE_WRITE_THROUGH 0x00000002 173 #define FILE_SEQUENTIAL_ONLY 0x00000004 174 #define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 175 176 #define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 177 #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 178 #define FILE_NON_DIRECTORY_FILE 0x00000040 179 #define FILE_CREATE_TREE_CONNECTION 0x00000080 180 181 #define FILE_COMPLETE_IF_OPLOCKED 0x00000100 182 #define FILE_NO_EA_KNOWLEDGE 0x00000200 183 /* UNUSED 0x00000400 */ 184 #define FILE_RANDOM_ACCESS 0x00000800 185 186 #define FILE_DELETE_ON_CLOSE 0x00001000 187 #define FILE_OPEN_BY_FILE_ID 0x00002000 188 #define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 189 #define FILE_NO_COMPRESSION 0x00008000 190 191 #define FILE_RESERVE_OPFILTER 0x00100000 192 #define FILE_RESERVED0 0x00200000 193 #define FILE_RESERVED1 0x00400000 194 #define FILE_RESERVED2 0x00800000 195 196 #define FILE_VALID_OPTION_FLAGS 0x00ffffff 197 #define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032 198 #define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032 199 #define FILE_VALID_SET_FLAGS 0x00000036 200 201 /* 202 * "Granular" oplock flags; [MS-FSA], WinDDK/ntifs.h 203 * Same as smb2.h SMB2_LEASE_... 204 */ 205 #define OPLOCK_LEVEL_CACHE_READ 0x01 206 #define OPLOCK_LEVEL_CACHE_HANDLE 0x02 207 #define OPLOCK_LEVEL_CACHE_WRITE 0x04 208 #define OPLOCK_LEVEL_CACHE_MASK 0x07 209 210 /* 211 * [MS-FSA] oplock types (also "levels") 212 */ 213 #define OPLOCK_LEVEL_NONE 0 214 #define OPLOCK_LEVEL_TWO 0x100 215 #define OPLOCK_LEVEL_ONE 0x200 216 #define OPLOCK_LEVEL_BATCH 0x400 217 #define OPLOCK_LEVEL_GRANULAR 0x800 218 #define OPLOCK_LEVEL_TYPE_MASK 0xf00 219 220 /* 221 * Define the file information class values used by the NT DDK and HAL. 222 */ 223 typedef enum _FILE_INFORMATION_CLASS { 224 FileDirectoryInformation = 1, 225 FileFullDirectoryInformation, /* 2 */ 226 FileBothDirectoryInformation, /* 3 */ 227 FileBasicInformation, /* 4 */ 228 FileStandardInformation, /* 5 */ 229 FileInternalInformation, /* 6 */ 230 FileEaInformation, /* 7 */ 231 FileAccessInformation, /* 8 */ 232 FileNameInformation, /* 9 */ 233 FileRenameInformation, /* 10 */ 234 FileLinkInformation, /* 11 */ 235 FileNamesInformation, /* 12 */ 236 FileDispositionInformation, /* 13 */ 237 FilePositionInformation, /* 14 */ 238 FileFullEaInformation, /* 15 */ 239 FileModeInformation, /* 16 */ 240 FileAlignmentInformation, /* 17 */ 241 FileAllInformation, /* 18 */ 242 FileAllocationInformation, /* 19 */ 243 FileEndOfFileInformation, /* 20 */ 244 FileAlternateNameInformation, /* 21 */ 245 FileStreamInformation, /* 22 */ 246 FilePipeInformation, /* 23 */ 247 FilePipeLocalInformation, /* 24 */ 248 FilePipeRemoteInformation, /* 25 */ 249 FileMailslotQueryInformation, /* 26 */ 250 FileMailslotSetInformation, /* 27 */ 251 FileCompressionInformation, /* 28 */ 252 FileObjectIdInformation, /* 29 */ 253 FileCompletionInformation, /* 30 */ 254 FileMoveClusterInformation, /* 31 */ 255 FileQuotaInformation, /* 32 */ 256 FileReparsePointInformation, /* 33 */ 257 FileNetworkOpenInformation, /* 34 */ 258 FileAttributeTagInformation, /* 35 */ 259 FileTrackingInformation, /* 36 */ 260 FileIdBothDirectoryInformation, /* 37 */ 261 FileIdFullDirectoryInformation, /* 38 */ 262 FileValidDataLengthInformation, /* 39 */ 263 FileShortNameInformation, /* 40 */ 264 FileInformationReserved41, /* 41 */ 265 FileInformationReserved42, /* 42 */ 266 FileInformationReserved43, /* 43 */ 267 FileSfioReserveInformation, /* 44 */ 268 FileSfioVolumeInformation, /* 45 */ 269 FileHardLinkInformation, /* 46 */ 270 FileInformationReserved47, /* 47 */ 271 FileNormalizedNameInformation, /* 48 */ 272 FileInformationReserved49, /* 49 */ 273 FileIdGlobalTxDirectoryInformation, /* 50 */ 274 FileInformationReserved51, /* 51 */ 275 FileInformationReserved52, /* 52 */ 276 FileInformationReserved53, /* 53 */ 277 FileStandardLinkInformation, /* 54 */ 278 FileInformationReserved55, /* 55 */ 279 FileInformationReserved56, /* 56 */ 280 FileInformationReserved57, /* 57 */ 281 FileInformationReserved58, /* 58 */ 282 FileIdInformation, /* 59 */ 283 FileMaximumInformation 284 } FILE_INFORMATION_CLASS; 285 286 /* 287 * Define the file system information class values. 288 */ 289 typedef enum _FILE_FS_INFORMATION_CLASS { 290 FileFsVolumeInformation = 1, 291 FileFsLabelInformation, /* 2 */ 292 FileFsSizeInformation, /* 3 */ 293 FileFsDeviceInformation, /* 4 */ 294 FileFsAttributeInformation, /* 5 */ 295 FileFsControlInformation, /* 6 */ 296 FileFsFullSizeInformation, /* 7 */ 297 FileFsObjectIdInformation, /* 8 */ 298 FileFsDriverPathInformation, /* 9 */ 299 FileFsVolumeFlagsInformation, /* A */ 300 FileFsSectorSizeInformation /* B */ 301 } FILE_FS_INFORMATION_CLASS; 302 303 /* 304 * Discretionary Access Control List (DACL) 305 * 306 * A Discretionary Access Control List (DACL), often abbreviated to 307 * ACL, is a list of access controls which either allow or deny access 308 * for users or groups to a resource. There is a list header followed 309 * by a list of access control entries (ACE). Each ACE specifies the 310 * access allowed or denied to a single user or group (identified by 311 * a SID). 312 * 313 * There is another access control list object called a System Access 314 * Control List (SACL), which is used to control auditing, but no 315 * support is provideed for SACLs at this time. 316 * 317 * ACL header format: 318 * 319 * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 320 * 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 321 * +-------------------------------+---------------+---------------+ 322 * | AclSize | Sbz1 | AclRevision | 323 * +-------------------------------+---------------+---------------+ 324 * | Sbz2 | AceCount | 325 * +-------------------------------+-------------------------------+ 326 * 327 * AclRevision specifies the revision level of the ACL. This value should 328 * be ACL_REVISION, unless the ACL contains an object-specific ACE, in which 329 * case this value must be ACL_REVISION_DS. All ACEs in an ACL must be at the 330 * same revision level. 331 * 332 * ACE header format: 333 * 334 * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 335 * 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 336 * +---------------+-------+-------+---------------+---------------+ 337 * | AceSize | AceFlags | AceType | 338 * +---------------+-------+-------+---------------+---------------+ 339 * 340 * Access mask format: 341 * 342 * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 343 * 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 344 * +---------------+---------------+-------------------------------+ 345 * |G|G|G|G|Res'd|A| StandardRights| SpecificRights | 346 * |R|W|E|A| |S| | | 347 * +-+-------------+---------------+-------------------------------+ 348 * 349 * typedef struct ACCESS_MASK { 350 * WORD SpecificRights; 351 * BYTE StandardRights; 352 * BYTE AccessSystemAcl : 1; 353 * BYTE Reserved : 3; 354 * BYTE GenericAll : 1; 355 * BYTE GenericExecute : 1; 356 * BYTE GenericWrite : 1; 357 * BYTE GenericRead : 1; 358 * } ACCESS_MASK; 359 * 360 */ 361 362 #define ACL_REVISION1 1 363 #define ACL_REVISION2 2 364 #define MIN_ACL_REVISION2 ACL_REVISION2 365 #define ACL_REVISION3 3 366 #define ACL_REVISION4 4 367 #define MAX_ACL_REVISION ACL_REVISION4 368 369 /* 370 * Current ACE and ACL revision Levels 371 */ 372 #define ACE_REVISION 1 373 #define ACL_REVISION ACL_REVISION2 374 #define ACL_REVISION_DS ACL_REVISION4 375 376 377 #define ACCESS_ALLOWED_ACE_TYPE 0 378 #define ACCESS_DENIED_ACE_TYPE 1 379 #define SYSTEM_AUDIT_ACE_TYPE 2 380 #define SYSTEM_ALARM_ACE_TYPE 3 381 382 /* 383 * se_flags 384 * ---------- 385 * Specifies a set of ACE type-specific control flags. This member can be a 386 * combination of the following values. 387 * 388 * CONTAINER_INHERIT_ACE: Child objects that are containers, such as 389 * directories, inherit the ACE as an effective ACE. The inherited 390 * ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag 391 * is also set. 392 * 393 * INHERIT_ONLY_ACE: Indicates an inherit-only ACE which does not control 394 * access to the object to which it is attached. 395 * If this flag is not set, 396 * the ACE is an effective ACE which controls access to the object 397 * to which it is attached. 398 * Both effective and inherit-only ACEs can be inherited 399 * depending on the state of the other inheritance flags. 400 * 401 * INHERITED_ACE: Windows 2000/XP: Indicates that the ACE was inherited. 402 * The system sets this bit when it propagates an 403 * inherited ACE to a child object. 404 * 405 * NO_PROPAGATE_INHERIT_ACE: If the ACE is inherited by a child object, the 406 * system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE 407 * flags in the inherited ACE. 408 * This prevents the ACE from being inherited by 409 * subsequent generations of objects. 410 * 411 * OBJECT_INHERIT_ACE: Noncontainer child objects inherit the ACE as an 412 * effective ACE. For child objects that are containers, 413 * the ACE is inherited as an inherit-only ACE unless the 414 * NO_PROPAGATE_INHERIT_ACE bit flag is also set. 415 */ 416 #define OBJECT_INHERIT_ACE 0x01 417 #define CONTAINER_INHERIT_ACE 0x02 418 #define NO_PROPOGATE_INHERIT_ACE 0x04 419 #define INHERIT_ONLY_ACE 0x08 420 #define INHERITED_ACE 0x10 421 #define INHERIT_MASK_ACE 0x1F 422 423 424 /* 425 * These flags are only used in system audit or alarm ACEs to 426 * indicate when an audit message should be generated, i.e. 427 * on successful access or on unsuccessful access. 428 */ 429 #define SUCCESSFUL_ACCESS_ACE_FLAG 0x40 430 #define FAILED_ACCESS_ACE_FLAG 0x80 431 432 /* 433 * se_bsize is the size, in bytes, of ACE as it appears on the wire. 434 * se_sln is used to sort the ACL when it's required. 435 */ 436 typedef struct smb_acehdr { 437 uint8_t se_type; 438 uint8_t se_flags; 439 uint16_t se_bsize; 440 } smb_acehdr_t; 441 442 typedef struct smb_ace { 443 smb_acehdr_t se_hdr; 444 uint32_t se_mask; 445 list_node_t se_sln; 446 smb_sid_t *se_sid; 447 } smb_ace_t; 448 449 /* 450 * sl_bsize is the size of ACL in bytes as it appears on the wire. 451 */ 452 typedef struct smb_acl { 453 uint8_t sl_revision; 454 uint16_t sl_bsize; 455 uint16_t sl_acecnt; 456 smb_ace_t *sl_aces; 457 list_t sl_sorted; 458 } smb_acl_t; 459 460 /* 461 * ACE/ACL header size, in byte, as it appears on the wire 462 */ 463 #define SMB_ACE_HDRSIZE 4 464 #define SMB_ACL_HDRSIZE 8 465 466 /* 467 * Security Descriptor (SD) 468 * 469 * Security descriptors provide protection for objects, for example 470 * files and directories. It identifies the owner and primary group 471 * (SIDs) and contains an access control list. When a user tries to 472 * access an object their SID is compared to the permissions in the 473 * DACL to determine if access should be allowed or denied. Note that 474 * this is a simplification because there are other factors, such as 475 * default behavior and privileges to be taken into account (see also 476 * access tokens). 477 * 478 * The boolean flags have the following meanings when set: 479 * 480 * SE_OWNER_DEFAULTED indicates that the SID pointed to by the Owner 481 * field was provided by a defaulting mechanism rather than explicitly 482 * provided by the original provider of the security descriptor. This 483 * may affect the treatment of the SID with respect to inheritance of 484 * an owner. 485 * 486 * SE_GROUP_DEFAULTED indicates that the SID in the Group field was 487 * provided by a defaulting mechanism rather than explicitly provided 488 * by the original provider of the security descriptor. This may 489 * affect the treatment of the SID with respect to inheritance of a 490 * primary group. 491 * 492 * SE_DACL_PRESENT indicates that the security descriptor contains a 493 * discretionary ACL. If this flag is set and the Dacl field of the 494 * SECURITY_DESCRIPTOR is null, then a null ACL is explicitly being 495 * specified. 496 * 497 * SE_DACL_DEFAULTED indicates that the ACL pointed to by the Dacl 498 * field was provided by a defaulting mechanism rather than explicitly 499 * provided by the original provider of the security descriptor. This 500 * may affect the treatment of the ACL with respect to inheritance of 501 * an ACL. This flag is ignored if the DaclPresent flag is not set. 502 * 503 * SE_SACL_PRESENT indicates that the security descriptor contains a 504 * system ACL pointed to by the Sacl field. If this flag is set and 505 * the Sacl field of the SECURITY_DESCRIPTOR is null, then an empty 506 * (but present) ACL is being specified. 507 * 508 * SE_SACL_DEFAULTED indicates that the ACL pointed to by the Sacl 509 * field was provided by a defaulting mechanism rather than explicitly 510 * provided by the original provider of the security descriptor. This 511 * may affect the treatment of the ACL with respect to inheritance of 512 * an ACL. This flag is ignored if the SaclPresent flag is not set. 513 * 514 * SE_DACL_PROTECTED Prevents ACEs set on the DACL of the parent container 515 * (and any objects above the parent container in the directory hierarchy) 516 * from being applied to the object's DACL. 517 * 518 * SE_SACL_PROTECTED Prevents ACEs set on the SACL of the parent container 519 * (and any objects above the parent container in the directory hierarchy) 520 * from being applied to the object's SACL. 521 * 522 * Note that the SE_DACL_PRESENT flag needs to be present to set 523 * SE_DACL_PROTECTED and SE_SACL_PRESENT needs to be present to set 524 * SE_SACL_PROTECTED. 525 * 526 * SE_SELF_RELATIVE indicates that the security descriptor is in self- 527 * relative form. In this form, all fields of the security descriptor 528 * are contiguous in memory and all pointer fields are expressed as 529 * offsets from the beginning of the security descriptor. 530 * 531 * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 532 * 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 533 * +---------------------------------------------------------------+ 534 * | Control |Reserved1 (SBZ)| Revision | 535 * +---------------------------------------------------------------+ 536 * | Owner | 537 * +---------------------------------------------------------------+ 538 * | Group | 539 * +---------------------------------------------------------------+ 540 * | Sacl | 541 * +---------------------------------------------------------------+ 542 * | Dacl | 543 * +---------------------------------------------------------------+ 544 * 545 */ 546 547 #define SMB_OWNER_SECINFO 0x0001 548 #define SMB_GROUP_SECINFO 0x0002 549 #define SMB_DACL_SECINFO 0x0004 550 #define SMB_SACL_SECINFO 0x0008 551 #define SMB_ALL_SECINFO 0x000F 552 #define SMB_ACL_SECINFO (SMB_DACL_SECINFO | SMB_SACL_SECINFO) 553 554 #define SECURITY_DESCRIPTOR_REVISION 1 555 556 557 #define SE_OWNER_DEFAULTED 0x0001 558 #define SE_GROUP_DEFAULTED 0x0002 559 #define SE_DACL_PRESENT 0x0004 560 #define SE_DACL_DEFAULTED 0x0008 561 #define SE_SACL_PRESENT 0x0010 562 #define SE_SACL_DEFAULTED 0x0020 563 #define SE_DACL_AUTO_INHERIT_REQ 0x0100 564 #define SE_SACL_AUTO_INHERIT_REQ 0x0200 565 #define SE_DACL_AUTO_INHERITED 0x0400 566 #define SE_SACL_AUTO_INHERITED 0x0800 567 #define SE_DACL_PROTECTED 0x1000 568 #define SE_SACL_PROTECTED 0x2000 569 #define SE_SELF_RELATIVE 0x8000 570 571 #define SE_DACL_INHERITANCE_MASK 0x1500 572 #define SE_SACL_INHERITANCE_MASK 0x2A00 573 574 /* 575 * Security descriptor structures: 576 * 577 * smb_sd_t SD in SMB pointer form 578 * smb_fssd_t SD in filesystem form 579 * 580 * Filesystems (e.g. ZFS/UFS) don't have something equivalent 581 * to SD. The items comprising a SMB SD are kept separately in 582 * filesystem. smb_fssd_t is introduced as a helper to provide 583 * the required abstraction for CIFS code. 584 */ 585 586 typedef struct smb_sd { 587 uint8_t sd_revision; 588 uint16_t sd_control; 589 smb_sid_t *sd_owner; /* SID file owner */ 590 smb_sid_t *sd_group; /* SID group (for POSIX) */ 591 smb_acl_t *sd_sacl; /* ACL System (audits) */ 592 smb_acl_t *sd_dacl; /* ACL Discretionary (perm) */ 593 } smb_sd_t; 594 595 /* 596 * SD header size as it appears on the wire 597 */ 598 #define SMB_SD_HDRSIZE 20 599 600 /* 601 * values for smb_fssd.sd_flags 602 */ 603 #define SMB_FSSD_FLAGS_DIR 0x01 604 605 typedef struct smb_fssd { 606 uint32_t sd_secinfo; 607 uint32_t sd_flags; 608 uid_t sd_uid; 609 gid_t sd_gid; 610 acl_t *sd_zdacl; 611 acl_t *sd_zsacl; 612 } smb_fssd_t; 613 614 void smb_sd_init(smb_sd_t *, uint8_t); 615 void smb_sd_term(smb_sd_t *); 616 uint32_t smb_sd_get_secinfo(smb_sd_t *); 617 uint32_t smb_sd_len(smb_sd_t *, uint32_t); 618 uint32_t smb_sd_tofs(smb_sd_t *, smb_fssd_t *); 619 620 void smb_fssd_init(smb_fssd_t *, uint32_t, uint32_t); 621 void smb_fssd_term(smb_fssd_t *); 622 623 void smb_acl_sort(smb_acl_t *); 624 void smb_acl_free(smb_acl_t *); 625 smb_acl_t *smb_acl_alloc(uint8_t, uint16_t, uint16_t); 626 smb_acl_t *smb_acl_from_zfs(acl_t *); 627 uint32_t smb_acl_to_zfs(smb_acl_t *, uint32_t, int, acl_t **); 628 uint16_t smb_acl_len(smb_acl_t *); 629 boolean_t smb_acl_isvalid(smb_acl_t *, int); 630 631 void smb_fsacl_free(acl_t *); 632 acl_t *smb_fsacl_alloc(int, int); 633 634 #ifdef __cplusplus 635 } 636 #endif 637 638 #endif /* _SMBSRV_NTIFS_H */ 639