xref: /illumos-gate/usr/src/lib/libsmbfs/smb/acl_api.c (revision e5803b76927480e8f9b67b22201c484ccf4c2bcf)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * ACL API for smbfs
29  */
30 
31 #include <sys/types.h>
32 #include <sys/errno.h>
33 #include <sys/cred.h>
34 #include <sys/cmn_err.h>
35 #include <sys/kmem.h>
36 #include <sys/sunddi.h>
37 #include <sys/acl.h>
38 #include <sys/vnode.h>
39 #include <sys/vfs.h>
40 #include <sys/byteorder.h>
41 
42 #include <errno.h>
43 #include <stdio.h>
44 #include <strings.h>
45 #include <unistd.h>
46 
47 #include <umem.h>
48 #include <idmap.h>
49 
50 #include <sys/fs/smbfs_ioctl.h>
51 
52 #include <netsmb/smb.h>
53 #include <netsmb/smb_lib.h>
54 #include <netsmb/smbfs_acl.h>
55 
56 #include "smbfs_ntacl.h"
57 #include "private.h"
58 
59 /* Sanity check SD sizes */
60 #define	MAX_RAW_SD_SIZE	32768
61 
62 /* XXX: acl_common.h */
63 acl_t *acl_alloc(enum acl_type);
64 void acl_free(acl_t *);
65 
66 
67 /*
68  * Get/set a Windows security descriptor (SD)
69  * using the (private) smbfs ioctl mechanism.
70  * Note: Get allocates mbp->mb_top
71  */
72 
73 /* ARGSUSED */
74 int
75 smbfs_acl_iocget(int fd, uint32_t selector, mbdata_t *mbp)
76 {
77 	ioc_sdbuf_t	iocb;
78 	struct mbuf	*m;
79 	int		error;
80 
81 	error = mb_init_sz(mbp, MAX_RAW_SD_SIZE);
82 	if (error)
83 		return (error);
84 
85 	m = mbp->mb_top;
86 	iocb.addr = mtod(m, uintptr_t);
87 	iocb.alloc = m->m_maxlen;
88 	iocb.used = 0;
89 	iocb.selector = selector;
90 
91 	/*
92 	 * This does the OTW Get.
93 	 */
94 	if (ioctl(fd, SMBFSIO_GETSD, &iocb) < 0) {
95 		error = errno;
96 		goto errout;
97 	}
98 
99 	m->m_len = iocb.used;
100 	return (0);
101 
102 errout:
103 	mb_done(mbp);
104 	return (error);
105 }
106 
107 /* ARGSUSED */
108 int
109 smbfs_acl_iocset(int fd, uint32_t selector, mbdata_t *mbp)
110 {
111 	ioc_sdbuf_t	iocb;
112 	struct mbuf	*m;
113 	int		error;
114 
115 	/* Make the data contiguous. */
116 	error = m_lineup(mbp->mb_top, &m);
117 	if (error)
118 		return (error);
119 
120 	if (mbp->mb_top != m)
121 		mb_initm(mbp, m);
122 
123 	iocb.addr = mtod(m, uintptr_t);
124 	iocb.alloc = m->m_maxlen;
125 	iocb.used  = m->m_len;
126 	iocb.selector = selector;
127 
128 	/*
129 	 * This does the OTW Set.
130 	 */
131 	if (ioctl(fd, SMBFSIO_SETSD, &iocb) < 0)
132 		error = errno;
133 
134 	return (error);
135 }
136 
137 /*
138  * Get an NT SD from the open file via ioctl.
139  */
140 int
141 smbfs_acl_getsd(int fd, uint32_t selector, i_ntsd_t **sdp)
142 {
143 	mbdata_t *mbp, mb_store;
144 	int error;
145 
146 	mbp = &mb_store;
147 	bzero(mbp, sizeof (*mbp));
148 
149 	/*
150 	 * Get the raw Windows SD via ioctl.
151 	 * Returns allocated mbchain in mbp.
152 	 */
153 	error = smbfs_acl_iocget(fd, selector, mbp);
154 	if (error == 0) {
155 		/*
156 		 * Import the raw SD into "internal" form.
157 		 * (like "absolute" form per. NT docs)
158 		 * Returns allocated data in sdp
159 		 */
160 		error = md_get_ntsd(mbp, sdp);
161 	}
162 
163 	mb_done(mbp);
164 	return (error);
165 }
166 
167 /*
168  * Set an NT SD onto the open file via ioctl.
169  */
170 int
171 smbfs_acl_setsd(int fd, uint32_t selector, i_ntsd_t *sd)
172 {
173 	mbdata_t *mbp, mb_store;
174 	int error;
175 
176 	mbp = &mb_store;
177 	error = mb_init_sz(mbp, MAX_RAW_SD_SIZE);
178 	if (error)
179 		return (error);
180 
181 	/*
182 	 * Export the "internal" SD into an mb chain.
183 	 * (a.k.a "self-relative" form per. NT docs)
184 	 * Returns allocated mbchain in mbp.
185 	 */
186 	error = mb_put_ntsd(mbp, sd);
187 	if (error == 0) {
188 		/*
189 		 * Set the raw Windows SD via ioctl.
190 		 */
191 		error = smbfs_acl_iocset(fd, selector, mbp);
192 	}
193 
194 	mb_done(mbp);
195 
196 	return (error);
197 }
198 
199 
200 
201 /*
202  * Convenience function to Get security using a
203  * ZFS-style ACL (libsec acl, type=ACE_T)
204  * Intentionally similar to: facl_get(3SEC)
205  */
206 int
207 smbfs_acl_get(int fd, acl_t **aclp, uid_t *uidp, gid_t *gidp)
208 {
209 	i_ntsd_t *sd = NULL;
210 	acl_t *acl = NULL;
211 	uint32_t selector;
212 	int error;
213 
214 	/*
215 	 * Which parts of the SD are being requested?
216 	 * XXX: Should we request the SACL too?  If so,
217 	 * might that cause this access to be denied?
218 	 * Or maybe: if we get access denied, try the
219 	 * open/fetch again without the SACL bit.
220 	 */
221 	selector = 0;
222 	if (aclp)
223 		selector |= DACL_SECURITY_INFORMATION;
224 	if (uidp)
225 		selector |= OWNER_SECURITY_INFORMATION;
226 	if (gidp)
227 		selector |= GROUP_SECURITY_INFORMATION;
228 
229 	if (selector == 0)
230 		return (0);
231 
232 	/*
233 	 * Get the Windows SD via ioctl, in
234 	 * "internal" (absolute) form.
235 	 */
236 	error = smbfs_acl_getsd(fd, selector, &sd);
237 	if (error)
238 		return (error);
239 	/* Note: sd now holds allocated data. */
240 
241 	/*
242 	 * Convert the internal SD to a ZFS ACL.
243 	 * Get uid/gid too if pointers != NULL.
244 	 */
245 	if (aclp) {
246 		acl = acl_alloc(ACE_T);
247 		if (acl == NULL) {
248 			error = ENOMEM;
249 			goto out;
250 		}
251 	}
252 	error = smbfs_acl_sd2zfs(sd, acl, uidp, gidp);
253 	if (error)
254 		goto out;
255 
256 	/* Success! */
257 	if (aclp) {
258 		*aclp = acl;
259 		acl = NULL;
260 	}
261 
262 out:
263 	if (acl)
264 		acl_free(acl);
265 	smbfs_acl_free_sd(sd);
266 	return (error);
267 }
268 
269 /*
270  * Convenience function to Set security using a
271  * ZFS-style ACL (libsec acl, type=ACE_T)
272  * Intentionally similar to: facl_set(3SEC)
273  */
274 int
275 smbfs_acl_set(int fd, acl_t *acl, uid_t uid, gid_t gid)
276 {
277 	struct stat st;
278 	i_ntsd_t *sd = NULL;
279 	uint32_t selector;
280 	int error;
281 
282 	if (acl && acl->acl_type != ACE_T)
283 		return (EINVAL);
284 
285 	/*
286 	 * Which parts of the SD are being modified?
287 	 * XXX: Ditto comments above re. SACL.
288 	 */
289 	selector = 0;
290 	if (acl)
291 		selector |= DACL_SECURITY_INFORMATION;
292 	if (uid != (uid_t)-1)
293 		selector |= OWNER_SECURITY_INFORMATION;
294 	if (gid != (gid_t)-1)
295 		selector |= GROUP_SECURITY_INFORMATION;
296 	if (selector == 0)
297 		return (0);
298 
299 	if (uid == (uid_t)-1 || gid == (gid_t)-1) {
300 		/*
301 		 * If not setting owner or group, we need the
302 		 * current owner and group for translating
303 		 * references via owner@ or group@ ACEs.
304 		 */
305 		if (fstat(fd, &st) != 0)
306 			return (errno);
307 		if (uid == (uid_t)-1)
308 			uid = st.st_uid;
309 		if (gid == (gid_t)-1)
310 			gid = st.st_gid;
311 	}
312 
313 	/*
314 	 * Convert the ZFS ACL to an internal SD.
315 	 * Returns allocated data in sd
316 	 */
317 	error = smbfs_acl_zfs2sd(acl, uid, gid, selector, &sd);
318 	if (error == 0)
319 		error = smbfs_acl_setsd(fd, selector, sd);
320 
321 	smbfs_acl_free_sd(sd);
322 
323 	return (error);
324 }
325