1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. 24 * Copyright 2020 Tintri by DDN, Inc. All rights reserved. 25 * Copyright 2022 RackTop Systems, Inc. 26 */ 27 28 /* 29 * This module provides the common open functionality to the various 30 * open and create SMB interface functions. 31 */ 32 33 #include <sys/types.h> 34 #include <sys/cmn_err.h> 35 #include <sys/fcntl.h> 36 #include <sys/nbmlock.h> 37 #include <smbsrv/string.h> 38 #include <smbsrv/smb2_kproto.h> 39 #include <smbsrv/smb_fsops.h> 40 #include <smbsrv/smbinfo.h> 41 42 extern uint32_t smb_is_executable(char *); 43 static void smb_delete_new_object(smb_request_t *); 44 static int smb_set_open_attributes(smb_request_t *, smb_ofile_t *); 45 46 /* 47 * smb_access_generic_to_file 48 * 49 * Search MSDN for IoCreateFile to see following mapping. 50 * 51 * GENERIC_READ STANDARD_RIGHTS_READ, FILE_READ_DATA, 52 * FILE_READ_ATTRIBUTES and FILE_READ_EA 53 * 54 * GENERIC_WRITE STANDARD_RIGHTS_WRITE, FILE_WRITE_DATA, 55 * FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, and FILE_APPEND_DATA 56 * 57 * GENERIC_EXECUTE STANDARD_RIGHTS_EXECUTE, SYNCHRONIZE, and FILE_EXECUTE. 58 */ 59 static uint32_t 60 smb_access_generic_to_file(uint32_t desired_access) 61 { 62 uint32_t access = 0; 63 64 if (desired_access & GENERIC_ALL) 65 return (FILE_ALL_ACCESS & ~SYNCHRONIZE); 66 67 if (desired_access & GENERIC_EXECUTE) { 68 desired_access &= ~GENERIC_EXECUTE; 69 access |= (STANDARD_RIGHTS_EXECUTE | 70 SYNCHRONIZE | FILE_EXECUTE); 71 } 72 73 if (desired_access & GENERIC_WRITE) { 74 desired_access &= ~GENERIC_WRITE; 75 access |= (FILE_GENERIC_WRITE & ~SYNCHRONIZE); 76 } 77 78 if (desired_access & GENERIC_READ) { 79 desired_access &= ~GENERIC_READ; 80 access |= FILE_GENERIC_READ; 81 } 82 83 return (access | desired_access); 84 } 85 86 /* 87 * smb_omode_to_amask 88 * 89 * This function converts open modes used by Open and Open AndX 90 * commands to desired access bits used by NT Create AndX command. 91 */ 92 uint32_t 93 smb_omode_to_amask(uint32_t desired_access) 94 { 95 switch (desired_access & SMB_DA_ACCESS_MASK) { 96 case SMB_DA_ACCESS_READ: 97 return (FILE_GENERIC_READ); 98 99 case SMB_DA_ACCESS_WRITE: 100 return (FILE_GENERIC_WRITE); 101 102 case SMB_DA_ACCESS_READ_WRITE: 103 return (FILE_GENERIC_READ | FILE_GENERIC_WRITE); 104 105 case SMB_DA_ACCESS_EXECUTE: 106 return (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE); 107 108 default: 109 return (FILE_GENERIC_ALL); 110 } 111 } 112 113 /* 114 * smb_denymode_to_sharemode 115 * 116 * This function converts deny modes used by Open and Open AndX 117 * commands to share access bits used by NT Create AndX command. 118 */ 119 uint32_t 120 smb_denymode_to_sharemode(uint32_t desired_access, char *fname) 121 { 122 switch (desired_access & SMB_DA_SHARE_MASK) { 123 case SMB_DA_SHARE_COMPATIBILITY: 124 if (smb_is_executable(fname)) 125 return (FILE_SHARE_READ | FILE_SHARE_WRITE); 126 127 return (FILE_SHARE_ALL); 128 129 case SMB_DA_SHARE_EXCLUSIVE: 130 return (FILE_SHARE_NONE); 131 132 case SMB_DA_SHARE_DENY_WRITE: 133 return (FILE_SHARE_READ); 134 135 case SMB_DA_SHARE_DENY_READ: 136 return (FILE_SHARE_WRITE); 137 138 case SMB_DA_SHARE_DENY_NONE: 139 default: 140 return (FILE_SHARE_READ | FILE_SHARE_WRITE); 141 } 142 } 143 144 /* 145 * smb_ofun_to_crdisposition 146 * 147 * This function converts open function values used by Open and Open AndX 148 * commands to create disposition values used by NT Create AndX command. 149 */ 150 uint32_t 151 smb_ofun_to_crdisposition(uint16_t ofun) 152 { 153 static int ofun_cr_map[3][2] = 154 { 155 { -1, FILE_CREATE }, 156 { FILE_OPEN, FILE_OPEN_IF }, 157 { FILE_OVERWRITE, FILE_OVERWRITE_IF } 158 }; 159 160 int row = ofun & SMB_OFUN_OPEN_MASK; 161 int col = (ofun & SMB_OFUN_CREATE_MASK) >> 4; 162 163 if (row == 3) 164 return (FILE_MAXIMUM_DISPOSITION + 1); 165 166 return (ofun_cr_map[row][col]); 167 } 168 169 /* 170 * smb_common_open 171 * 172 * Notes on write-through behaviour. It looks like pre-LM0.12 versions 173 * of the protocol specify the write-through mode when a file is opened, 174 * (SmbOpen, SmbOpenAndX) so the write calls (SmbWrite, SmbWriteAndClose, 175 * SmbWriteAndUnlock) don't need to contain a write-through flag. 176 * 177 * With LM0.12, the open calls (SmbCreateAndX, SmbNtTransactCreate) 178 * don't indicate which write-through mode to use. Instead the write 179 * calls (SmbWriteAndX, SmbWriteRaw) specify the mode on a per call 180 * basis. 181 * 182 * We don't care which open call was used to get us here, we just need 183 * to ensure that the write-through mode flag is copied from the open 184 * parameters to the node. We test the omode write-through flag in all 185 * write functions. 186 * 187 * This function returns NT status codes. 188 * 189 * The following rules apply when processing a file open request: 190 * 191 * - Oplocks must be broken prior to share checking as the break may 192 * cause other clients to close the file, which would affect sharing 193 * checks. 194 * 195 * - Share checks must take place prior to access checks for correct 196 * Windows semantics and to prevent unnecessary NFS delegation recalls. 197 * 198 * - Oplocks must be acquired after open to ensure the correct 199 * synchronization with NFS delegation and FEM installation. 200 * 201 * DOS readonly bit rules 202 * 203 * 1. The creator of a readonly file can write to/modify the size of the file 204 * using the original create fid, even though the file will appear as readonly 205 * to all other fids and via a CIFS getattr call. 206 * 207 * 2. A setinfo operation (using either an open fid or a path) to set/unset 208 * readonly will be successful regardless of whether a creator of a readonly 209 * file has an open fid. 210 * 211 * 3. The DOS readonly bit affects only data and some metadata. 212 * The following metadata can be changed regardless of the readonly bit: 213 * - security descriptors 214 * - DOS attributes 215 * - timestamps 216 * 217 * In the current implementation, the file size cannot be changed (except for 218 * the exceptions in #1 and #2, above). 219 * 220 * 221 * DOS attribute rules 222 * 223 * These rules are specific to creating / opening files and directories. 224 * How the attribute value (specifically ZERO or FILE_ATTRIBUTE_NORMAL) 225 * should be interpreted may differ in other requests. 226 * 227 * - An attribute value equal to ZERO or FILE_ATTRIBUTE_NORMAL means that the 228 * file's attributes should be cleared. 229 * - If FILE_ATTRIBUTE_NORMAL is specified with any other attributes, 230 * FILE_ATTRIBUTE_NORMAL is ignored. 231 * 232 * 1. Creating a new file 233 * - The request attributes + FILE_ATTRIBUTE_ARCHIVE are applied to the file. 234 * 235 * 2. Creating a new directory 236 * - The request attributes + FILE_ATTRIBUTE_DIRECTORY are applied to the file. 237 * - FILE_ATTRIBUTE_ARCHIVE does not get set. 238 * 239 * 3. Overwriting an existing file 240 * - the request attributes are used as search attributes. If the existing 241 * file does not meet the search criteria access is denied. 242 * - otherwise, applies attributes + FILE_ATTRIBUTE_ARCHIVE. 243 * 244 * 4. Opening an existing file or directory 245 * The request attributes are ignored. 246 */ 247 uint32_t 248 smb_common_open(smb_request_t *sr) 249 { 250 smb_server_t *sv = sr->sr_server; 251 smb_tree_t *tree = sr->tid_tree; 252 smb_node_t *fnode = NULL; 253 smb_node_t *dnode = NULL; 254 smb_node_t *cur_node = NULL; 255 smb_node_t *tmp_node = NULL; 256 smb_arg_open_t *op = &sr->sr_open; 257 smb_pathname_t *pn = &op->fqi.fq_path; 258 smb_ofile_t *of = NULL; 259 smb_attr_t new_attr; 260 hrtime_t shrlock_t0; 261 int max_requested = 0; 262 uint32_t max_allowed; 263 uint32_t status = NT_STATUS_SUCCESS; 264 int is_dir; 265 int rc; 266 boolean_t is_stream = B_FALSE; 267 int lookup_flags = SMB_FOLLOW_LINKS; 268 uint32_t uniq_fid = 0; 269 uint16_t tree_fid = 0; 270 boolean_t created = B_FALSE; 271 boolean_t last_comp_found = B_FALSE; 272 boolean_t stream_found = B_FALSE; 273 boolean_t opening_incr = B_FALSE; 274 boolean_t dnode_held = B_FALSE; 275 boolean_t dnode_wlock = B_FALSE; 276 boolean_t fnode_held = B_FALSE; 277 boolean_t fnode_wlock = B_FALSE; 278 boolean_t fnode_shrlk = B_FALSE; 279 boolean_t did_open = B_FALSE; 280 boolean_t did_break_handle = B_FALSE; 281 boolean_t did_cleanup_orphans = B_FALSE; 282 char *sname = NULL; 283 284 /* Get out now if we've been cancelled. */ 285 mutex_enter(&sr->sr_mutex); 286 if (sr->sr_state != SMB_REQ_STATE_ACTIVE) { 287 mutex_exit(&sr->sr_mutex); 288 return (NT_STATUS_CANCELLED); 289 } 290 mutex_exit(&sr->sr_mutex); 291 292 is_dir = (op->create_options & FILE_DIRECTORY_FILE) ? 1 : 0; 293 294 /* 295 * If the object being created or opened is a directory 296 * the Disposition parameter must be one of FILE_CREATE, 297 * FILE_OPEN, or FILE_OPEN_IF 298 */ 299 if (is_dir) { 300 if ((op->create_disposition != FILE_CREATE) && 301 (op->create_disposition != FILE_OPEN_IF) && 302 (op->create_disposition != FILE_OPEN)) { 303 return (NT_STATUS_INVALID_PARAMETER); 304 } 305 } 306 307 if (op->desired_access & MAXIMUM_ALLOWED) { 308 max_requested = 1; 309 op->desired_access &= ~MAXIMUM_ALLOWED; 310 } 311 op->desired_access = smb_access_generic_to_file(op->desired_access); 312 313 if (sr->session->s_cfg.skc_max_opens != 0 && 314 sr->session->s_file_cnt >= sr->session->s_cfg.skc_max_opens) { 315 ASSERT(sr->uid_user); 316 cmn_err(CE_NOTE, "smbsrv[%s\\%s]: TOO_MANY_OPENED_FILES", 317 sr->uid_user->u_domain, sr->uid_user->u_name); 318 return (NT_STATUS_TOO_MANY_OPENED_FILES); 319 } 320 321 if (smb_idpool_alloc(&tree->t_fid_pool, &tree_fid)) 322 return (NT_STATUS_TOO_MANY_OPENED_FILES); 323 324 /* This must be NULL at this point */ 325 sr->fid_ofile = NULL; 326 327 op->devstate = 0; 328 329 switch (sr->tid_tree->t_res_type & STYPE_MASK) { 330 case STYPE_DISKTREE: 331 case STYPE_PRINTQ: 332 break; 333 334 case STYPE_IPC: 335 /* 336 * Security descriptors for pipes are not implemented, 337 * so just setup a reasonable access mask. 338 */ 339 op->desired_access = (READ_CONTROL | SYNCHRONIZE | 340 FILE_READ_DATA | FILE_READ_ATTRIBUTES | 341 FILE_WRITE_DATA | FILE_APPEND_DATA); 342 343 /* 344 * Limit the number of open pipe instances. 345 */ 346 if ((rc = smb_threshold_enter(&sv->sv_opipe_ct)) != 0) { 347 status = RPC_NT_SERVER_TOO_BUSY; 348 goto errout; 349 } 350 351 /* 352 * Most of IPC open is handled in smb_opipe_open() 353 */ 354 op->create_options = 0; 355 of = smb_ofile_alloc(sr, op, NULL, SMB_FTYPE_MESG_PIPE, 356 tree_fid); 357 tree_fid = 0; // given to the ofile 358 status = smb_opipe_open(sr, of); 359 smb_threshold_exit(&sv->sv_opipe_ct); 360 if (status != NT_STATUS_SUCCESS) 361 goto errout; 362 return (NT_STATUS_SUCCESS); 363 364 default: 365 status = NT_STATUS_BAD_DEVICE_TYPE; 366 goto errout; 367 } 368 369 smb_pathname_init(sr, pn, pn->pn_path); 370 if (!smb_pathname_validate(sr, pn)) { 371 status = sr->smb_error.status; 372 goto errout; 373 } 374 375 if (strlen(pn->pn_path) >= SMB_MAXPATHLEN) { 376 status = NT_STATUS_OBJECT_PATH_INVALID; 377 goto errout; 378 } 379 380 if (is_dir) { 381 if (!smb_validate_dirname(sr, pn)) { 382 status = sr->smb_error.status; 383 goto errout; 384 } 385 } else { 386 if (!smb_validate_object_name(sr, pn)) { 387 status = sr->smb_error.status; 388 goto errout; 389 } 390 } 391 392 cur_node = op->fqi.fq_dnode ? 393 op->fqi.fq_dnode : sr->tid_tree->t_snode; 394 395 rc = smb_pathname_reduce(sr, sr->user_cr, pn->pn_path, 396 sr->tid_tree->t_snode, cur_node, &op->fqi.fq_dnode, 397 op->fqi.fq_last_comp); 398 if (rc != 0) { 399 status = smb_errno2status(rc); 400 goto errout; 401 } 402 dnode = op->fqi.fq_dnode; 403 dnode_held = B_TRUE; 404 405 /* 406 * Lock the parent dir node in case another create 407 * request to the same parent directory comes in. 408 * Drop this once either lookup succeeds, or we've 409 * created the object in this directory. 410 */ 411 smb_node_wrlock(dnode); 412 dnode_wlock = B_TRUE; 413 414 /* 415 * If the access mask has only DELETE set (ignore 416 * FILE_READ_ATTRIBUTES), then assume that this 417 * is a request to delete the link (if a link) 418 * and do not follow links. Otherwise, follow 419 * the link to the target. 420 */ 421 if ((op->desired_access & ~FILE_READ_ATTRIBUTES) == DELETE) 422 lookup_flags &= ~SMB_FOLLOW_LINKS; 423 424 /* 425 * Lookup *just* the file portion of the name. 426 * Returns stream name in sname, which this allocates 427 */ 428 rc = smb_fsop_lookup_file(sr, zone_kcred(), lookup_flags, 429 sr->tid_tree->t_snode, op->fqi.fq_dnode, op->fqi.fq_last_comp, 430 &sname, &op->fqi.fq_fnode); 431 432 if (rc == 0) { 433 last_comp_found = B_TRUE; 434 fnode = op->fqi.fq_fnode; 435 fnode_held = B_TRUE; 436 437 /* 438 * Need the DOS attributes below, where we 439 * check the search attributes (sattr). 440 */ 441 op->fqi.fq_fattr.sa_mask = SMB_AT_DOSATTR; 442 rc = smb_node_getattr(sr, op->fqi.fq_fnode, zone_kcred(), 443 NULL, &op->fqi.fq_fattr); 444 if (rc != 0) { 445 status = NT_STATUS_INTERNAL_ERROR; 446 goto errout; 447 } 448 } else if (rc == ENOENT) { 449 last_comp_found = B_FALSE; 450 op->fqi.fq_fnode = NULL; 451 rc = 0; 452 } else { 453 status = smb_errno2status(rc); 454 goto errout; 455 } 456 457 if (last_comp_found) { 458 459 fnode = op->fqi.fq_fnode; 460 dnode = op->fqi.fq_dnode; 461 462 if (!smb_node_is_file(fnode) && 463 !smb_node_is_dir(fnode) && 464 !smb_node_is_symlink(fnode)) { 465 status = NT_STATUS_ACCESS_DENIED; 466 goto errout; 467 } 468 469 /* 470 * Reject this request if either: 471 * - the target IS a directory and the client requires that 472 * it must NOT be (required by Lotus Notes) 473 * - the target is NOT a directory and client requires that 474 * it MUST be. 475 * Streams are never directories. 476 */ 477 if (smb_node_is_dir(fnode) && sname == NULL) { 478 if (op->create_options & FILE_NON_DIRECTORY_FILE) { 479 status = NT_STATUS_FILE_IS_A_DIRECTORY; 480 goto errout; 481 } 482 } else { 483 if ((op->create_options & FILE_DIRECTORY_FILE) || 484 (op->nt_flags & NT_CREATE_FLAG_OPEN_TARGET_DIR)) { 485 status = NT_STATUS_NOT_A_DIRECTORY; 486 goto errout; 487 } 488 } 489 490 /* If we're given a stream name, look it up now */ 491 if (sname != NULL) { 492 tmp_node = fnode; 493 rc = smb_fsop_lookup_stream(sr, zone_kcred(), 494 lookup_flags, sr->tid_tree->t_snode, fnode, sname, 495 &fnode); 496 } else { 497 rc = 0; 498 } 499 500 if (rc == 0) { /* Stream Exists (including unnamed stream) */ 501 stream_found = B_TRUE; 502 smb_node_unlock(dnode); 503 dnode_wlock = B_FALSE; 504 505 if (tmp_node != NULL) 506 smb_node_release(tmp_node); 507 508 /* 509 * No more open should be accepted when 510 * "Delete on close" flag is set. 511 */ 512 if (fnode->flags & NODE_FLAGS_DELETE_ON_CLOSE) { 513 status = NT_STATUS_DELETE_PENDING; 514 goto errout; 515 } 516 517 /* 518 * Specified file already exists 519 * so the operation should fail. 520 */ 521 if (op->create_disposition == FILE_CREATE) { 522 status = NT_STATUS_OBJECT_NAME_COLLISION; 523 goto errout; 524 } 525 526 if ((op->create_disposition == FILE_SUPERSEDE) || 527 (op->create_disposition == FILE_OVERWRITE_IF) || 528 (op->create_disposition == FILE_OVERWRITE)) { 529 530 if (sname == NULL) { 531 if (!smb_sattr_check( 532 op->fqi.fq_fattr.sa_dosattr, 533 op->dattr)) { 534 status = 535 NT_STATUS_ACCESS_DENIED; 536 goto errout; 537 } 538 op->desired_access |= 539 FILE_WRITE_ATTRIBUTES; 540 } 541 542 if (smb_node_is_dir(fnode)) { 543 status = NT_STATUS_ACCESS_DENIED; 544 goto errout; 545 } 546 } 547 548 /* MS-FSA 2.1.5.1.2 */ 549 if (op->create_disposition == FILE_SUPERSEDE) 550 op->desired_access |= DELETE; 551 if ((op->create_disposition == FILE_OVERWRITE_IF) || 552 (op->create_disposition == FILE_OVERWRITE)) 553 op->desired_access |= FILE_WRITE_DATA; 554 } else if (rc == ENOENT) { /* File Exists, but Stream doesn't */ 555 if (op->create_disposition == FILE_OPEN || 556 op->create_disposition == FILE_OVERWRITE) { 557 status = NT_STATUS_OBJECT_NAME_NOT_FOUND; 558 goto errout; 559 } 560 561 op->desired_access |= FILE_WRITE_DATA; 562 } else { /* Error looking up stream */ 563 status = smb_errno2status(rc); 564 fnode = tmp_node; 565 goto errout; 566 } 567 568 /* 569 * Windows seems to check read-only access before file 570 * sharing check. 571 * 572 * Check to see if the file is currently readonly (regardless 573 * of whether this open will make it readonly). 574 * Readonly is ignored on directories. 575 */ 576 if (SMB_PATHFILE_IS_READONLY(sr, fnode) && 577 !smb_node_is_dir(fnode)) { 578 if (op->desired_access & 579 (FILE_WRITE_DATA | FILE_APPEND_DATA)) { 580 status = NT_STATUS_ACCESS_DENIED; 581 goto errout; 582 } 583 if (op->create_options & FILE_DELETE_ON_CLOSE) { 584 status = NT_STATUS_CANNOT_DELETE; 585 goto errout; 586 } 587 } 588 589 /* Dataset roots can't be deleted, so don't set DOC */ 590 if ((op->create_options & FILE_DELETE_ON_CLOSE) != 0 && 591 (fnode->flags & NODE_FLAGS_VFSROOT) != 0) { 592 status = NT_STATUS_CANNOT_DELETE; 593 goto errout; 594 } 595 596 status = smb_fsop_access(sr, sr->user_cr, fnode, 597 op->desired_access); 598 599 if (status != NT_STATUS_SUCCESS) 600 goto errout; 601 602 if (max_requested) { 603 smb_fsop_eaccess(sr, sr->user_cr, fnode, &max_allowed); 604 op->desired_access |= max_allowed; 605 } 606 607 /* 608 * File owner should always get read control + read attr. 609 * Avoid asking for va_uid if we can (expensive) so 610 * only check if we don't already have access. 611 */ 612 if ((op->desired_access & 613 (READ_CONTROL | FILE_READ_ATTRIBUTES)) == 0) { 614 op->fqi.fq_fattr.sa_mask = SMB_AT_DOSATTR | SMB_AT_UID; 615 rc = smb_node_getattr(sr, op->fqi.fq_fnode, 616 zone_kcred(), NULL, &op->fqi.fq_fattr); 617 if (rc == 0 && crgetuid(sr->user_cr) == 618 op->fqi.fq_fattr.sa_vattr.va_uid) { 619 op->desired_access |= 620 (READ_CONTROL | FILE_READ_ATTRIBUTES); 621 } 622 } 623 624 /* 625 * According to MS "dochelp" mail in Mar 2015, any handle 626 * on which read or write access is granted implicitly 627 * gets "read attributes", even if it was not requested. 628 */ 629 if ((op->desired_access & FILE_DATA_ALL) != 0) 630 op->desired_access |= FILE_READ_ATTRIBUTES; 631 632 /* If the stream didn't exist, create it now */ 633 if (!stream_found) { 634 smb_node_t *tmp_node = fnode; 635 636 bzero(&new_attr, sizeof (new_attr)); 637 new_attr.sa_vattr.va_type = VREG; 638 new_attr.sa_vattr.va_mode = S_IRUSR; 639 new_attr.sa_mask |= SMB_AT_TYPE | SMB_AT_MODE; 640 641 rc = smb_fsop_create_stream(sr, sr->user_cr, dnode, 642 fnode, sname, lookup_flags, &new_attr, &fnode); 643 smb_node_release(tmp_node); 644 645 if (rc != 0) { 646 status = smb_errno2status(rc); 647 fnode_held = B_FALSE; 648 goto errout; 649 } 650 op->action_taken = SMB_OACT_CREATED; 651 created = B_TRUE; 652 653 smb_node_unlock(dnode); 654 dnode_wlock = B_FALSE; 655 } 656 657 /* 658 * Oplock break is done prior to sharing checks as the break 659 * may cause other clients to close the file which would 660 * affect the sharing checks, and may delete the file due to 661 * DELETE_ON_CLOSE. This may block, so set the file opening 662 * count before oplock stuff. 663 * 664 * Need the "proposed" ofile (and its TargetOplockKey) for 665 * correct oplock break semantics. 666 */ 667 of = smb_ofile_alloc(sr, op, fnode, SMB_FTYPE_DISK, 668 tree_fid); 669 tree_fid = 0; // given to the ofile 670 uniq_fid = of->f_uniqid; 671 672 smb_node_inc_opening_count(fnode); 673 opening_incr = B_TRUE; 674 675 if (!stream_found) { 676 /* 677 * Stake our Share Access claim. 678 */ 679 smb_node_wrlock(fnode); 680 fnode_wlock = B_TRUE; 681 682 status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid, 683 op->desired_access, op->share_access); 684 if (status != 0) 685 goto errout; 686 687 fnode_shrlk = B_TRUE; 688 smb_node_unlock(fnode); 689 fnode_wlock = B_FALSE; 690 goto stream_created; 691 } 692 693 /* 694 * XXX Supposed to do share access checks next. 695 * [MS-FSA] describes that as part of access check: 696 * 2.1.5.1.2.1 Alg... Check Access to an Existing File 697 * 698 * If CreateDisposition is FILE_OPEN or FILE_OPEN_IF: 699 * If Open.Stream.Oplock is not empty and 700 * Open.Stream.Oplock.State contains BATCH_OPLOCK, 701 * the object store MUST check for an oplock 702 * break according to the algorithm in section 2.1.4.12, 703 * with input values as follows: 704 * Open equal to this operation's Open 705 * Oplock equal to Open.Stream.Oplock 706 * Operation equal to "OPEN" 707 * OpParams containing two members: 708 * DesiredAccess, CreateDisposition 709 * 710 * It's not clear how Windows would ask the FS layer if 711 * the file has a BATCH oplock. We'll use a call to the 712 * common oplock code, which calls smb_oplock_break_OPEN 713 * only if the oplock state contains BATCH_OPLOCK. 714 * See: smb_oplock_break_BATCH() 715 * 716 * Also note: There's a nearly identical section in the 717 * spec. at the start of the "else" part of the above 718 * "if (disposition is overwrite, overwrite_if)" so this 719 * section (oplock break, the share mode check, and the 720 * next oplock_break_HANDLE) are all factored out to be 721 * in all cases above that if/else from the spec. 722 */ 723 status = smb_oplock_break_BATCH(fnode, of, 724 op->desired_access, op->create_disposition); 725 if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) { 726 if (sr->session->dialect >= SMB_VERS_2_BASE) 727 (void) smb2sr_go_async(sr); 728 status = smb_oplock_wait_break(sr, fnode, 0); 729 } 730 if (status != NT_STATUS_SUCCESS) 731 goto errout; 732 733 /* 734 * Check for sharing violations, and if any, 735 * do oplock break of handle caching. 736 * 737 * Need node_wrlock during shrlock checks, 738 * and not locked during oplock breaks etc. 739 */ 740 shrlock_t0 = gethrtime(); 741 shrlock_again: 742 smb_node_wrlock(fnode); 743 fnode_wlock = B_TRUE; 744 status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid, 745 op->desired_access, op->share_access); 746 smb_node_unlock(fnode); 747 fnode_wlock = B_FALSE; 748 749 /* 750 * [MS-FSA] "OPEN_BREAK_H" 751 * If the (proposed) new open would violate sharing rules, 752 * indicate an oplock break with OPEN_BREAK_H (to break 753 * handle level caching rights) then try again. 754 */ 755 if (status == NT_STATUS_SHARING_VIOLATION && 756 did_break_handle == B_FALSE) { 757 did_break_handle = B_TRUE; 758 759 status = smb_oplock_break_HANDLE(fnode, of); 760 if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) { 761 if (sr->session->dialect >= SMB_VERS_2_BASE) 762 (void) smb2sr_go_async(sr); 763 status = smb_oplock_wait_break(sr, fnode, 0); 764 } else { 765 /* 766 * Even when the oplock layer does NOT 767 * give us the special status indicating 768 * we should wait, it may have scheduled 769 * taskq jobs that may close handles. 770 * Give those a chance to run before we 771 * check again for sharing violations. 772 */ 773 delay(MSEC_TO_TICK(10)); 774 } 775 if (status != NT_STATUS_SUCCESS) 776 goto errout; 777 778 goto shrlock_again; 779 } 780 781 /* 782 * If we still have orphaned durable handles on this file, 783 * let's assume the client has lost interest in those and 784 * close them so they don't cause sharing violations. 785 * See longer comment at smb2_dh_close_my_orphans(). 786 */ 787 if (status == NT_STATUS_SHARING_VIOLATION && 788 sr->session->dialect >= SMB_VERS_2_BASE && 789 did_cleanup_orphans == B_FALSE) { 790 791 did_cleanup_orphans = B_TRUE; 792 smb2_dh_close_my_orphans(sr, of); 793 794 goto shrlock_again; 795 } 796 797 /* 798 * SMB1 expects a 1 sec. delay before returning a 799 * sharing violation error. If breaking oplocks 800 * above took less than a sec, wait some more. 801 * See: smbtorture base.defer_open 802 */ 803 if (status == NT_STATUS_SHARING_VIOLATION && 804 sr->session->dialect < SMB_VERS_2_BASE) { 805 hrtime_t t1 = shrlock_t0 + NANOSEC; 806 hrtime_t now = gethrtime(); 807 if (now < t1) { 808 delay(NSEC_TO_TICK_ROUNDUP(t1 - now)); 809 } 810 } 811 812 if (status != NT_STATUS_SUCCESS) 813 goto errout; 814 fnode_shrlk = B_TRUE; 815 816 /* 817 * The [MS-FSA] spec. describes this oplock break as 818 * part of the sharing access checks. See: 819 * 2.1.5.1.2.2 Algorithm to Check Sharing Access... 820 * At the end of the share mode tests described there, 821 * if it has not returned "sharing violation", it 822 * specifies a call to the alg. in sec. 2.1.4.12, 823 * that boils down to: smb_oplock_break_OPEN() 824 */ 825 status = smb_oplock_break_OPEN(fnode, of, 826 op->desired_access, 827 op->create_disposition); 828 if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) { 829 if (sr->session->dialect >= SMB_VERS_2_BASE) 830 (void) smb2sr_go_async(sr); 831 status = smb_oplock_wait_break(sr, fnode, 0); 832 } 833 if (status != NT_STATUS_SUCCESS) 834 goto errout; 835 836 if ((fnode->flags & NODE_FLAGS_DELETE_COMMITTED) != 0) { 837 /* 838 * Breaking the oplock caused the file to be deleted, 839 * so let's bail and pretend the file wasn't found. 840 * Have to duplicate much of the logic found a the 841 * "errout" label here. 842 * 843 * This code path is exercised by smbtorture 844 * smb2.durable-open.delete_on_close1 845 */ 846 DTRACE_PROBE1(node_deleted, smb_node_t *, fnode); 847 tree_fid = of->f_fid; 848 of->f_fid = 0; 849 smb_ofile_free(of); 850 of = NULL; 851 last_comp_found = B_FALSE; 852 853 /* 854 * Get all the holds and locks into the state 855 * they would have if lookup had failed. 856 */ 857 fnode_shrlk = B_FALSE; 858 smb_fsop_unshrlock(sr->user_cr, fnode, uniq_fid); 859 860 opening_incr = B_FALSE; 861 smb_node_dec_opening_count(fnode); 862 863 fnode_held = B_FALSE; 864 smb_node_release(fnode); 865 866 dnode_wlock = B_TRUE; 867 smb_node_wrlock(dnode); 868 869 goto create; 870 } 871 872 /* 873 * Go ahead with modifications as necessary. 874 */ 875 switch (op->create_disposition) { 876 case FILE_SUPERSEDE: 877 case FILE_OVERWRITE_IF: 878 case FILE_OVERWRITE: 879 bzero(&new_attr, sizeof (new_attr)); 880 if (sname == NULL) { 881 op->dattr |= FILE_ATTRIBUTE_ARCHIVE; 882 /* 883 * Don't apply readonly until 884 * smb_set_open_attributes 885 */ 886 if (op->dattr & FILE_ATTRIBUTE_READONLY) { 887 op->dattr &= ~FILE_ATTRIBUTE_READONLY; 888 op->created_readonly = B_TRUE; 889 } 890 new_attr.sa_dosattr = op->dattr; 891 } else { 892 new_attr.sa_dosattr = FILE_ATTRIBUTE_ARCHIVE; 893 } 894 895 /* 896 * Truncate the file data here. 897 * We set alloc_size = op->dsize later, 898 * after we have an ofile. See: 899 * smb_set_open_attributes 900 */ 901 new_attr.sa_vattr.va_size = 0; 902 new_attr.sa_mask = SMB_AT_DOSATTR | SMB_AT_SIZE; 903 rc = smb_fsop_setattr(sr, sr->user_cr, fnode, 904 &new_attr); 905 if (rc != 0) { 906 status = smb_errno2status(rc); 907 goto errout; 908 } 909 910 /* 911 * If file is being replaced, remove existing streams 912 */ 913 if (SMB_IS_STREAM(fnode) == 0) { 914 status = smb_fsop_remove_streams(sr, 915 sr->user_cr, fnode); 916 if (status != 0) 917 goto errout; 918 } 919 920 op->action_taken = SMB_OACT_TRUNCATED; 921 break; 922 923 default: 924 /* 925 * FILE_OPEN or FILE_OPEN_IF. 926 */ 927 /* 928 * Ignore any user-specified alloc_size for 929 * existing files, to avoid truncation in 930 * smb_set_open_attributes 931 */ 932 op->dsize = 0L; 933 op->action_taken = SMB_OACT_OPENED; 934 break; 935 } 936 } else { 937 create: 938 /* Last component was not found. */ 939 dnode = op->fqi.fq_dnode; 940 941 if (is_dir == 0) 942 is_stream = smb_is_stream_name(pn->pn_path); 943 944 if ((op->create_disposition == FILE_OPEN) || 945 (op->create_disposition == FILE_OVERWRITE)) { 946 status = NT_STATUS_OBJECT_NAME_NOT_FOUND; 947 goto errout; 948 } 949 950 if (is_dir != 0 && 951 (op->dattr & FILE_ATTRIBUTE_TEMPORARY) != 0) { 952 status = NT_STATUS_INVALID_PARAMETER; 953 goto errout; 954 } 955 956 if ((op->dattr & FILE_ATTRIBUTE_READONLY) != 0 && 957 (op->create_options & FILE_DELETE_ON_CLOSE) != 0) { 958 status = NT_STATUS_CANNOT_DELETE; 959 goto errout; 960 } 961 962 if ((op->desired_access & ACCESS_SYSTEM_SECURITY) != 0 && 963 !smb_user_has_security_priv(sr->uid_user, sr->user_cr)) { 964 status = NT_STATUS_ACCESS_DENIED; 965 goto errout; 966 } 967 968 if (pn->pn_fname && smb_is_invalid_filename(pn->pn_fname)) { 969 status = NT_STATUS_OBJECT_NAME_INVALID; 970 goto errout; 971 } 972 973 /* 974 * Don't create in directories marked "Delete on close". 975 */ 976 if (dnode->flags & NODE_FLAGS_DELETE_ON_CLOSE) { 977 status = NT_STATUS_DELETE_PENDING; 978 goto errout; 979 } 980 981 /* 982 * Create always sets the DOS attributes, type, and mode 983 * in the if/else below (different for file vs directory). 984 * Don't set the readonly bit until smb_set_open_attributes 985 * or that would prevent this open. Note that op->dattr 986 * needs to be what smb_set_open_attributes will use, 987 * except for the readonly bit. 988 */ 989 bzero(&new_attr, sizeof (new_attr)); 990 new_attr.sa_mask = SMB_AT_DOSATTR | SMB_AT_TYPE | SMB_AT_MODE; 991 if (op->dattr & FILE_ATTRIBUTE_READONLY) { 992 op->dattr &= ~FILE_ATTRIBUTE_READONLY; 993 op->created_readonly = B_TRUE; 994 } 995 996 /* 997 * SMB create can specify the create time. 998 */ 999 if ((op->crtime.tv_sec != 0) && 1000 (op->crtime.tv_sec != UINT_MAX)) { 1001 new_attr.sa_mask |= SMB_AT_CRTIME; 1002 new_attr.sa_crtime = op->crtime; 1003 } 1004 1005 if (is_dir == 0) { 1006 op->dattr |= FILE_ATTRIBUTE_ARCHIVE; 1007 new_attr.sa_dosattr = op->dattr; 1008 new_attr.sa_vattr.va_type = VREG; 1009 if (is_stream) 1010 new_attr.sa_vattr.va_mode = S_IRUSR | S_IWUSR; 1011 else 1012 new_attr.sa_vattr.va_mode = 1013 S_IRUSR | S_IRGRP | S_IROTH | 1014 S_IWUSR | S_IWGRP | S_IWOTH; 1015 1016 /* 1017 * We set alloc_size = op->dsize later, 1018 * (in smb_set_open_attributes) after we 1019 * have an ofile on which to save that. 1020 * 1021 * Legacy Open&X sets size to alloc_size 1022 * when creating a new file. 1023 */ 1024 if (sr->smb_com == SMB_COM_OPEN_ANDX) { 1025 new_attr.sa_vattr.va_size = op->dsize; 1026 new_attr.sa_mask |= SMB_AT_SIZE; 1027 } 1028 1029 rc = smb_fsop_create(sr, sr->user_cr, dnode, 1030 op->fqi.fq_last_comp, &new_attr, &op->fqi.fq_fnode); 1031 } else { 1032 op->dattr |= FILE_ATTRIBUTE_DIRECTORY; 1033 new_attr.sa_dosattr = op->dattr; 1034 new_attr.sa_vattr.va_type = VDIR; 1035 new_attr.sa_vattr.va_mode = 0777; 1036 1037 rc = smb_fsop_mkdir(sr, sr->user_cr, dnode, 1038 op->fqi.fq_last_comp, &new_attr, &op->fqi.fq_fnode); 1039 } 1040 if (rc != 0) { 1041 status = smb_errno2status(rc); 1042 goto errout; 1043 } 1044 1045 /* Create done. */ 1046 smb_node_unlock(dnode); 1047 dnode_wlock = B_FALSE; 1048 1049 created = B_TRUE; 1050 op->action_taken = SMB_OACT_CREATED; 1051 1052 /* Note: hold from create */ 1053 fnode = op->fqi.fq_fnode; 1054 fnode_held = B_TRUE; 1055 1056 if (max_requested) { 1057 smb_fsop_eaccess(sr, sr->user_cr, fnode, &max_allowed); 1058 op->desired_access |= max_allowed; 1059 } 1060 /* 1061 * We created this object (we own it) so grant 1062 * read_control + read_attributes on this handle, 1063 * even if that was not requested. This avoids 1064 * unexpected access failures later. 1065 */ 1066 op->desired_access |= (READ_CONTROL | FILE_READ_ATTRIBUTES); 1067 1068 /* Allocate the ofile and fill in most of it. */ 1069 of = smb_ofile_alloc(sr, op, fnode, SMB_FTYPE_DISK, 1070 tree_fid); 1071 tree_fid = 0; // given to the ofile 1072 uniq_fid = of->f_uniqid; 1073 1074 smb_node_inc_opening_count(fnode); 1075 opening_incr = B_TRUE; 1076 1077 /* 1078 * Share access checks... 1079 */ 1080 smb_node_wrlock(fnode); 1081 fnode_wlock = B_TRUE; 1082 1083 status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid, 1084 op->desired_access, op->share_access); 1085 if (status != 0) 1086 goto errout; 1087 fnode_shrlk = B_TRUE; 1088 1089 /* 1090 * MS-FSA 2.1.5.1.1 1091 * If the Oplock member of the DirectoryStream in 1092 * Link.ParentFile.StreamList (ParentOplock) is 1093 * not empty ... oplock break on the parent... 1094 * (dnode is the parent directory) 1095 * 1096 * This compares of->ParentOplockKey with each 1097 * oplock of->TargetOplockKey and breaks... 1098 * so it's OK that we're passing an OF that's 1099 * NOT a member of dnode->n_ofile_list 1100 * 1101 * The break never blocks, so ignore the return. 1102 */ 1103 (void) smb_oplock_break_PARENT(dnode, of); 1104 } 1105 1106 stream_created: 1107 /* 1108 * We might have blocked in smb_oplock_break_OPEN long enough 1109 * so a tree disconnect might have happened. In that case, 1110 * we would be adding an ofile to a tree that's disconnecting, 1111 * which would interfere with tear-down. If so, error out. 1112 */ 1113 if (!smb_tree_is_connected(sr->tid_tree)) { 1114 status = NT_STATUS_INVALID_PARAMETER; 1115 goto errout; 1116 } 1117 1118 /* 1119 * Moved this up from smb_ofile_open() 1120 */ 1121 if ((rc = smb_fsop_open(fnode, of->f_mode, of->f_cr)) != 0) { 1122 status = smb_errno2status(rc); 1123 goto errout; 1124 } 1125 1126 /* 1127 * Complete this open (add to ofile lists) 1128 */ 1129 smb_ofile_open(sr, op, of); 1130 did_open = B_TRUE; 1131 1132 /* 1133 * This MUST be done after ofile creation, so that explicitly 1134 * set timestamps can be remembered on the ofile, and setting 1135 * the readonly flag won't affect access via this open. 1136 */ 1137 if ((rc = smb_set_open_attributes(sr, of)) != 0) { 1138 status = smb_errno2status(rc); 1139 goto errout; 1140 } 1141 1142 /* 1143 * We've already done access checks above, 1144 * and want this call to succeed even when 1145 * !(desired_access & FILE_READ_ATTRIBUTES), 1146 * so pass kcred here. 1147 */ 1148 op->fqi.fq_fattr.sa_mask = SMB_AT_ALL; 1149 (void) smb_node_getattr(sr, fnode, zone_kcred(), of, 1150 &op->fqi.fq_fattr); 1151 1152 /* 1153 * Propagate the write-through mode from the open params 1154 * to the node: see the notes in the function header. 1155 * XXX: write_through should be a flag on the ofile. 1156 */ 1157 if (sr->sr_cfg->skc_sync_enable || 1158 (op->create_options & FILE_WRITE_THROUGH)) 1159 fnode->flags |= NODE_FLAGS_WRITE_THROUGH; 1160 1161 /* 1162 * Set up the fileid and dosattr in open_param for response 1163 */ 1164 op->fileid = op->fqi.fq_fattr.sa_vattr.va_nodeid; 1165 op->dattr = op->fqi.fq_fattr.sa_dosattr; 1166 1167 /* 1168 * Set up the file type in open_param for the response 1169 */ 1170 op->ftype = SMB_FTYPE_DISK; 1171 sr->smb_fid = of->f_fid; 1172 sr->fid_ofile = of; 1173 1174 if (smb_node_is_file(fnode)) { 1175 op->dsize = op->fqi.fq_fattr.sa_vattr.va_size; 1176 } else { 1177 /* directory or symlink */ 1178 op->dsize = 0; 1179 } 1180 1181 /* 1182 * Note: oplock_acquire happens in callers, because 1183 * how that happens is protocol-specific. 1184 */ 1185 1186 if (sname != NULL) 1187 kmem_free(sname, MAXNAMELEN); 1188 if (fnode_wlock) 1189 smb_node_unlock(fnode); 1190 if (opening_incr) 1191 smb_node_dec_opening_count(fnode); 1192 if (fnode_held) 1193 smb_node_release(fnode); 1194 if (dnode_wlock) 1195 smb_node_unlock(dnode); 1196 if (dnode_held) 1197 smb_node_release(dnode); 1198 1199 return (NT_STATUS_SUCCESS); 1200 1201 errout: 1202 if (did_open) { 1203 smb_ofile_close(of, 0); 1204 /* rele via sr->fid_ofile */ 1205 } else if (of != NULL) { 1206 /* No other refs possible */ 1207 smb_ofile_free(of); 1208 } 1209 1210 if (fnode_shrlk) 1211 smb_fsop_unshrlock(sr->user_cr, fnode, uniq_fid); 1212 1213 if (created) { 1214 /* Try to roll-back create. */ 1215 smb_delete_new_object(sr); 1216 } 1217 1218 if (sname != NULL) 1219 kmem_free(sname, MAXNAMELEN); 1220 if (fnode_wlock) 1221 smb_node_unlock(fnode); 1222 if (opening_incr) 1223 smb_node_dec_opening_count(fnode); 1224 if (fnode_held) 1225 smb_node_release(fnode); 1226 if (dnode_wlock) 1227 smb_node_unlock(dnode); 1228 if (dnode_held) 1229 smb_node_release(dnode); 1230 1231 if (tree_fid != 0) 1232 smb_idpool_free(&tree->t_fid_pool, tree_fid); 1233 1234 return (status); 1235 } 1236 1237 /* 1238 * smb_set_open_attributes 1239 * 1240 * Last write time: 1241 * - If the last_write time specified in the open params is not 0 or -1, 1242 * use it as file's mtime. This will be considered an explicitly set 1243 * timestamps, not reset by subsequent writes. 1244 * 1245 * DOS attributes 1246 * - If we created_readonly, we now store the real DOS attributes 1247 * (including the readonly bit) so subsequent opens will see it. 1248 * 1249 * Returns: errno 1250 */ 1251 static int 1252 smb_set_open_attributes(smb_request_t *sr, smb_ofile_t *of) 1253 { 1254 smb_attr_t attr; 1255 smb_arg_open_t *op = &sr->sr_open; 1256 smb_node_t *node = of->f_node; 1257 int rc = 0; 1258 1259 bzero(&attr, sizeof (smb_attr_t)); 1260 1261 if (op->created_readonly) { 1262 attr.sa_dosattr = op->dattr | FILE_ATTRIBUTE_READONLY; 1263 attr.sa_mask |= SMB_AT_DOSATTR; 1264 } 1265 1266 if (op->dsize != 0) { 1267 attr.sa_allocsz = op->dsize; 1268 attr.sa_mask |= SMB_AT_ALLOCSZ; 1269 } 1270 1271 if ((op->mtime.tv_sec != 0) && (op->mtime.tv_sec != UINT_MAX)) { 1272 attr.sa_vattr.va_mtime = op->mtime; 1273 attr.sa_mask |= SMB_AT_MTIME; 1274 } 1275 1276 if (attr.sa_mask != 0) 1277 rc = smb_node_setattr(sr, node, of->f_cr, of, &attr); 1278 1279 return (rc); 1280 } 1281 1282 /* 1283 * This function is used to delete a newly created object (file or 1284 * directory) if an error occurs after creation of the object. 1285 */ 1286 static void 1287 smb_delete_new_object(smb_request_t *sr) 1288 { 1289 smb_arg_open_t *op = &sr->sr_open; 1290 smb_fqi_t *fqi = &(op->fqi); 1291 uint32_t flags = 0; 1292 1293 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1294 flags |= SMB_IGNORE_CASE; 1295 if (SMB_TREE_SUPPORTS_CATIA(sr)) 1296 flags |= SMB_CATIA; 1297 1298 if (op->create_options & FILE_DIRECTORY_FILE) 1299 (void) smb_fsop_rmdir(sr, sr->user_cr, fqi->fq_dnode, 1300 fqi->fq_last_comp, flags); 1301 else 1302 (void) smb_fsop_remove(sr, sr->user_cr, fqi->fq_dnode, 1303 fqi->fq_last_comp, flags); 1304 } 1305