xref: /illumos-gate/usr/src/uts/common/fs/smbsrv/smb_fsops.c (revision 9a5d73e03cd3312ddb571a748c40a63c58bd66e5)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/sid.h>
27 #include <sys/nbmlock.h>
28 #include <smbsrv/smb_fsops.h>
29 #include <smbsrv/smb_kproto.h>
30 #include <smbsrv/ntstatus.h>
31 #include <smbsrv/ntaccess.h>
32 #include <smbsrv/smb_incl.h>
33 #include <acl/acl_common.h>
34 #include <sys/fcntl.h>
35 #include <sys/flock.h>
36 #include <fs/fs_subr.h>
37 
38 extern caller_context_t smb_ct;
39 
40 extern int smb_fem_oplock_install(smb_node_t *);
41 extern void smb_fem_oplock_uninstall(smb_node_t *);
42 
43 extern int smb_vop_other_opens(vnode_t *, int);
44 
45 static int smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode,
46     smb_fssd_t *fs_sd);
47 
48 /*
49  * The smb_fsop_* functions have knowledge of CIFS semantics.
50  *
51  * The smb_vop_* functions have minimal knowledge of CIFS semantics and
52  * serve as an interface to the VFS layer.
53  *
54  * Hence, smb_request_t and smb_node_t structures should not be passed
55  * from the smb_fsop_* layer to the smb_vop_* layer.
56  *
57  * In general, CIFS service code should only ever call smb_fsop_*
58  * functions directly, and never smb_vop_* functions directly.
59  *
60  * smb_fsop_* functions should call smb_vop_* functions where possible, instead
61  * of their smb_fsop_* counterparts.  However, there are times when
62  * this cannot be avoided.
63  */
64 
65 /*
66  * Note: Stream names cannot be mangled.
67  */
68 
69 /*
70  * smb_fsop_amask_to_omode
71  *
72  * Convert the access mask to the open mode (for use
73  * with the VOP_OPEN call).
74  *
75  * Note that opening a file for attribute only access
76  * will also translate into an FREAD or FWRITE open mode
77  * (i.e., it's not just for data).
78  *
79  * This is needed so that opens are tracked appropriately
80  * for oplock processing.
81  */
82 
83 int
84 smb_fsop_amask_to_omode(uint32_t access)
85 {
86 	int mode = 0;
87 
88 	if (access & (FILE_READ_DATA | FILE_EXECUTE |
89 	    FILE_READ_ATTRIBUTES | FILE_READ_EA))
90 		mode |= FREAD;
91 
92 	if (access & (FILE_WRITE_DATA | FILE_APPEND_DATA |
93 	    FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA))
94 		mode |= FWRITE;
95 
96 	if (access & FILE_APPEND_DATA)
97 		mode |= FAPPEND;
98 
99 	return (mode);
100 }
101 
102 int
103 smb_fsop_open(smb_node_t *node, int mode, cred_t *cred)
104 {
105 	/*
106 	 * Assuming that the same vnode is returned as we had before.
107 	 * (I.e., with certain types of files or file systems, a
108 	 * different vnode might be returned by VOP_OPEN)
109 	 */
110 	return (smb_vop_open(&node->vp, mode, cred));
111 }
112 
113 void
114 smb_fsop_close(smb_node_t *node, int mode, cred_t *cred)
115 {
116 	smb_vop_close(node->vp, mode, cred);
117 }
118 
119 int
120 smb_fsop_oplock_install(smb_node_t *node, int mode)
121 {
122 	int rc;
123 
124 	if (smb_vop_other_opens(node->vp, mode))
125 		return (EMFILE);
126 
127 	if ((rc = smb_fem_oplock_install(node)))
128 		return (rc);
129 
130 	if (smb_vop_other_opens(node->vp, mode)) {
131 		(void) smb_fem_oplock_uninstall(node);
132 		return (EMFILE);
133 	}
134 
135 	return (0);
136 }
137 
138 void
139 smb_fsop_oplock_uninstall(smb_node_t *node)
140 {
141 	smb_fem_oplock_uninstall(node);
142 }
143 
144 static int
145 smb_fsop_create_with_sd(
146 	smb_request_t *sr,
147 	cred_t *cr,
148 	smb_node_t *dir_snode,
149 	char *name,
150 	smb_attr_t *attr,
151 	smb_node_t **ret_snode,
152 	smb_attr_t *ret_attr,
153 	smb_fssd_t *fs_sd)
154 {
155 	vsecattr_t *vsap;
156 	vsecattr_t vsecattr;
157 	acl_t *acl, *dacl, *sacl;
158 	smb_attr_t set_attr;
159 	vnode_t *vp;
160 	int aclbsize = 0;	/* size of acl list in bytes */
161 	int flags = 0;
162 	int rc;
163 	boolean_t is_dir;
164 
165 	ASSERT(fs_sd);
166 
167 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
168 		flags = SMB_IGNORE_CASE;
169 
170 	ASSERT(cr);
171 
172 	is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0);
173 
174 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACLONCREATE)) {
175 		if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
176 			dacl = fs_sd->sd_zdacl;
177 			sacl = fs_sd->sd_zsacl;
178 			ASSERT(dacl || sacl);
179 			if (dacl && sacl) {
180 				acl = smb_fsacl_merge(dacl, sacl);
181 			} else if (dacl) {
182 				acl = dacl;
183 			} else {
184 				acl = sacl;
185 			}
186 
187 			rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize);
188 
189 			if (dacl && sacl)
190 				acl_free(acl);
191 
192 			if (rc != 0)
193 				return (rc);
194 
195 			vsap = &vsecattr;
196 		} else {
197 			vsap = NULL;
198 		}
199 
200 		/* The tree ACEs may prevent a create */
201 		rc = EACCES;
202 		if (is_dir) {
203 			if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_SUBDIRECTORY) != 0)
204 				rc = smb_vop_mkdir(dir_snode->vp, name, attr,
205 				    &vp, flags, cr, vsap);
206 		} else {
207 			if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_FILE) != 0)
208 				rc = smb_vop_create(dir_snode->vp, name, attr,
209 				    &vp, flags, cr, vsap);
210 		}
211 
212 		if (vsap != NULL)
213 			kmem_free(vsap->vsa_aclentp, aclbsize);
214 
215 		if (rc != 0)
216 			return (rc);
217 
218 		set_attr.sa_mask = 0;
219 
220 		/*
221 		 * Ideally we should be able to specify the owner and owning
222 		 * group at create time along with the ACL. Since we cannot
223 		 * do that right now, kcred is passed to smb_vop_setattr so it
224 		 * doesn't fail due to lack of permission.
225 		 */
226 		if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
227 			set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
228 			set_attr.sa_mask |= SMB_AT_UID;
229 		}
230 
231 		if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
232 			set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
233 			set_attr.sa_mask |= SMB_AT_GID;
234 		}
235 
236 		if (set_attr.sa_mask)
237 			rc = smb_vop_setattr(vp, NULL, &set_attr, 0, kcred);
238 
239 		if (rc == 0) {
240 			*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp,
241 			    name, dir_snode, NULL, ret_attr);
242 
243 			if (*ret_snode == NULL)
244 				rc = ENOMEM;
245 
246 			VN_RELE(vp);
247 		}
248 	} else {
249 		/*
250 		 * For filesystems that don't support ACL-on-create, try
251 		 * to set the specified SD after create, which could actually
252 		 * fail because of conflicts between inherited security
253 		 * attributes upon creation and the specified SD.
254 		 *
255 		 * Passing kcred to smb_fsop_sdwrite() to overcome this issue.
256 		 */
257 
258 		if (is_dir) {
259 			rc = smb_vop_mkdir(dir_snode->vp, name, attr, &vp,
260 			    flags, cr, NULL);
261 		} else {
262 			rc = smb_vop_create(dir_snode->vp, name, attr, &vp,
263 			    flags, cr, NULL);
264 		}
265 
266 		if (rc != 0)
267 			return (rc);
268 
269 		*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp,
270 		    name, dir_snode, NULL, ret_attr);
271 
272 		if (*ret_snode != NULL) {
273 			if (!smb_tree_has_feature(sr->tid_tree,
274 			    SMB_TREE_NFS_MOUNTED))
275 				rc = smb_fsop_sdwrite(sr, kcred, *ret_snode,
276 				    fs_sd, 1);
277 		} else {
278 			rc = ENOMEM;
279 		}
280 
281 		VN_RELE(vp);
282 	}
283 
284 	if (rc != 0) {
285 		if (is_dir)
286 			(void) smb_vop_rmdir(dir_snode->vp, name, flags, cr);
287 		else
288 			(void) smb_vop_remove(dir_snode->vp, name, flags, cr);
289 	}
290 
291 	return (rc);
292 }
293 
294 /*
295  * smb_fsop_create
296  *
297  * All SMB functions should use this wrapper to ensure that
298  * all the smb_vop_creates are performed with the appropriate credentials.
299  * Please document any direct calls to explain the reason
300  * for avoiding this wrapper.
301  *
302  * It is assumed that a reference exists on snode coming into this routine.
303  *
304  * *ret_snode is returned with a reference upon success.  No reference is
305  * taken if an error is returned.
306  */
307 int
308 smb_fsop_create(
309     smb_request_t	*sr,
310     cred_t		*cr,
311     smb_node_t		*dir_snode,
312     char		*name,
313     smb_attr_t		*attr,
314     smb_node_t		**ret_snode,
315     smb_attr_t		*ret_attr)
316 {
317 	struct open_param *op = &sr->arg.open;
318 	smb_node_t	*fnode;
319 	smb_attr_t	file_attr;
320 	vnode_t		*xattrdirvp;
321 	vnode_t		*vp;
322 	char		*longname = NULL;
323 	char		*namep;
324 	char		*fname;
325 	char		*sname;
326 	int		is_stream;
327 	int		flags = 0;
328 	int		rc = 0;
329 	smb_fssd_t	fs_sd;
330 	uint32_t	secinfo;
331 	uint32_t	status;
332 
333 	ASSERT(cr);
334 	ASSERT(dir_snode);
335 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
336 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
337 
338 	ASSERT(ret_snode);
339 	*ret_snode = 0;
340 
341 	ASSERT(name);
342 	if (*name == 0)
343 		return (EINVAL);
344 
345 	ASSERT(sr);
346 	ASSERT(sr->tid_tree);
347 
348 	if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0)
349 		return (EACCES);
350 
351 	if (SMB_TREE_IS_READONLY(sr))
352 		return (EROFS);
353 
354 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
355 		flags = SMB_IGNORE_CASE;
356 
357 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
358 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
359 
360 	is_stream = smb_stream_parse_name(name, fname, sname);
361 	if (is_stream == -1) {
362 		kmem_free(fname, MAXNAMELEN);
363 		kmem_free(sname, MAXNAMELEN);
364 		return (EINVAL);
365 	}
366 
367 	if (is_stream)
368 		namep = fname;
369 	else
370 		namep = name;
371 
372 	if (smb_maybe_mangled_name(namep)) {
373 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
374 
375 		rc = smb_unmangle_name(sr, cr, dir_snode, namep, longname,
376 		    MAXNAMELEN, NULL, NULL, 1);
377 
378 		if ((is_stream == 0) && (rc == 0))
379 			rc = EEXIST;
380 
381 		if ((is_stream && rc) ||
382 		    ((is_stream == 0) && (rc != ENOENT))) {
383 			kmem_free(longname, MAXNAMELEN);
384 			kmem_free(fname, MAXNAMELEN);
385 			kmem_free(sname, MAXNAMELEN);
386 			return (rc);
387 		}
388 
389 		if (is_stream)
390 			namep = longname;
391 		else
392 			kmem_free(longname, MAXNAMELEN);
393 	}
394 
395 	if (is_stream) {
396 		/*
397 		 * Look up the unnamed stream.
398 		 *
399 		 * Mangle processing in smb_fsop_lookup() for the unnamed
400 		 * stream won't be needed (as it was done above), but
401 		 * it may be needed on any link target (which
402 		 * smb_fsop_lookup() will provide).
403 		 */
404 		rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
405 		    sr->tid_tree->t_snode, dir_snode, namep, &fnode, &file_attr,
406 		    0, 0);
407 
408 		if (longname) {
409 			kmem_free(longname, MAXNAMELEN);
410 			namep = NULL;
411 		}
412 
413 		if (rc != 0) {
414 			kmem_free(fname, MAXNAMELEN);
415 			kmem_free(sname, MAXNAMELEN);
416 			return (rc);
417 		}
418 
419 		rc = smb_vop_stream_create(fnode->vp, sname, attr, &vp,
420 		    &xattrdirvp, flags, cr);
421 
422 		if (rc != 0) {
423 			smb_node_release(fnode);
424 			kmem_free(fname, MAXNAMELEN);
425 			kmem_free(sname, MAXNAMELEN);
426 			return (rc);
427 		}
428 
429 		attr->sa_vattr.va_uid = file_attr.sa_vattr.va_uid;
430 		attr->sa_vattr.va_gid = file_attr.sa_vattr.va_gid;
431 		attr->sa_mask = SMB_AT_UID | SMB_AT_GID;
432 
433 		/*
434 		 * The second parameter of smb_vop_setattr() is set to
435 		 * NULL, even though an unnamed stream exists.  This is
436 		 * because we want to set the UID and GID on the named
437 		 * stream in this case for consistency with the (unnamed
438 		 * stream) file (see comments for smb_vop_setattr()).
439 		 */
440 
441 		rc = smb_vop_setattr(vp, NULL, attr, 0, kcred);
442 
443 		if (rc != 0) {
444 			smb_node_release(fnode);
445 			kmem_free(fname, MAXNAMELEN);
446 			kmem_free(sname, MAXNAMELEN);
447 			return (rc);
448 		}
449 
450 		*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
451 		    vp, sname, ret_attr);
452 
453 		smb_node_release(fnode);
454 		VN_RELE(xattrdirvp);
455 		VN_RELE(vp);
456 
457 		if (*ret_snode == NULL) {
458 			kmem_free(fname, MAXNAMELEN);
459 			kmem_free(sname, MAXNAMELEN);
460 			return (ENOMEM);
461 		}
462 	} else {
463 		if (op->sd) {
464 			/*
465 			 * SD sent by client in Windows format. Needs to be
466 			 * converted to FS format. No inheritance.
467 			 */
468 			secinfo = smb_sd_get_secinfo(op->sd);
469 			smb_fssd_init(&fs_sd, secinfo, 0);
470 
471 			status = smb_sd_tofs(op->sd, &fs_sd);
472 			if (status == NT_STATUS_SUCCESS) {
473 				rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
474 				    name, attr, ret_snode, ret_attr, &fs_sd);
475 			}
476 			else
477 				rc = EINVAL;
478 			smb_fssd_term(&fs_sd);
479 		} else if (sr->tid_tree->t_acltype == ACE_T) {
480 			/*
481 			 * No incoming SD and filesystem is ZFS
482 			 * Server applies Windows inheritance rules,
483 			 * see smb_fsop_sdinherit() comments as to why.
484 			 */
485 			smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, 0);
486 			rc = smb_fsop_sdinherit(sr, dir_snode, &fs_sd);
487 			if (rc == 0) {
488 				rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
489 				    name, attr, ret_snode, ret_attr, &fs_sd);
490 			}
491 
492 			smb_fssd_term(&fs_sd);
493 		} else {
494 			/*
495 			 * No incoming SD and filesystem is not ZFS
496 			 * let the filesystem handles the inheritance.
497 			 */
498 			rc = smb_vop_create(dir_snode->vp, name, attr, &vp,
499 			    flags, cr, NULL);
500 
501 			if (rc == 0) {
502 				*ret_snode = smb_node_lookup(sr, op, cr, vp,
503 				    name, dir_snode, NULL, ret_attr);
504 
505 				if (*ret_snode == NULL)
506 					rc = ENOMEM;
507 
508 				VN_RELE(vp);
509 			}
510 
511 		}
512 	}
513 
514 	kmem_free(fname, MAXNAMELEN);
515 	kmem_free(sname, MAXNAMELEN);
516 	return (rc);
517 }
518 
519 /*
520  * smb_fsop_mkdir
521  *
522  * All SMB functions should use this wrapper to ensure that
523  * the the calls are performed with the appropriate credentials.
524  * Please document any direct call to explain the reason
525  * for avoiding this wrapper.
526  *
527  * It is assumed that a reference exists on snode coming into this routine.
528  *
529  * *ret_snode is returned with a reference upon success.  No reference is
530  * taken if an error is returned.
531  */
532 int
533 smb_fsop_mkdir(
534     smb_request_t *sr,
535     cred_t *cr,
536     smb_node_t *dir_snode,
537     char *name,
538     smb_attr_t *attr,
539     smb_node_t **ret_snode,
540     smb_attr_t *ret_attr)
541 {
542 	struct open_param *op = &sr->arg.open;
543 	char *longname;
544 	vnode_t *vp;
545 	int flags = 0;
546 	smb_fssd_t fs_sd;
547 	uint32_t secinfo;
548 	uint32_t status;
549 	int rc;
550 	ASSERT(cr);
551 	ASSERT(dir_snode);
552 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
553 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
554 
555 	ASSERT(ret_snode);
556 	*ret_snode = 0;
557 
558 	ASSERT(name);
559 	if (*name == 0)
560 		return (EINVAL);
561 
562 	ASSERT(sr);
563 	ASSERT(sr->tid_tree);
564 
565 	if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0)
566 		return (EACCES);
567 
568 	if (SMB_TREE_IS_READONLY(sr))
569 		return (EROFS);
570 
571 	if (smb_maybe_mangled_name(name)) {
572 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
573 		rc = smb_unmangle_name(sr, cr, dir_snode, name, longname,
574 		    MAXNAMELEN, NULL, NULL, 1);
575 
576 		kmem_free(longname, MAXNAMELEN);
577 
578 		/*
579 		 * If the name passed in by the client has an unmangled
580 		 * equivalent that is found in the specified directory,
581 		 * then the mkdir cannot succeed.  Return EEXIST.
582 		 *
583 		 * Only if ENOENT is returned will a mkdir be attempted.
584 		 */
585 
586 		if (rc == 0)
587 			rc = EEXIST;
588 
589 		if (rc != ENOENT)
590 			return (rc);
591 	}
592 
593 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
594 		flags = SMB_IGNORE_CASE;
595 
596 	if (op->sd) {
597 		/*
598 		 * SD sent by client in Windows format. Needs to be
599 		 * converted to FS format. No inheritance.
600 		 */
601 		secinfo = smb_sd_get_secinfo(op->sd);
602 		smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR);
603 
604 		status = smb_sd_tofs(op->sd, &fs_sd);
605 		if (status == NT_STATUS_SUCCESS) {
606 			rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
607 			    name, attr, ret_snode, ret_attr, &fs_sd);
608 		}
609 		else
610 			rc = EINVAL;
611 		smb_fssd_term(&fs_sd);
612 	} else if (sr->tid_tree->t_acltype == ACE_T) {
613 		/*
614 		 * No incoming SD and filesystem is ZFS
615 		 * Server applies Windows inheritance rules,
616 		 * see smb_fsop_sdinherit() comments as to why.
617 		 */
618 		smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, SMB_FSSD_FLAGS_DIR);
619 		rc = smb_fsop_sdinherit(sr, dir_snode, &fs_sd);
620 		if (rc == 0) {
621 			rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
622 			    name, attr, ret_snode, ret_attr, &fs_sd);
623 		}
624 
625 		smb_fssd_term(&fs_sd);
626 
627 	} else {
628 		rc = smb_vop_mkdir(dir_snode->vp, name, attr, &vp, flags, cr,
629 		    NULL);
630 
631 		if (rc == 0) {
632 			*ret_snode = smb_node_lookup(sr, op, cr, vp, name,
633 			    dir_snode, NULL, ret_attr);
634 
635 			if (*ret_snode == NULL)
636 				rc = ENOMEM;
637 
638 			VN_RELE(vp);
639 		}
640 	}
641 
642 	return (rc);
643 }
644 
645 /*
646  * smb_fsop_remove
647  *
648  * All SMB functions should use this wrapper to ensure that
649  * the the calls are performed with the appropriate credentials.
650  * Please document any direct call to explain the reason
651  * for avoiding this wrapper.
652  *
653  * It is assumed that a reference exists on snode coming into this routine.
654  *
655  * od: This means that the name passed in is an on-disk name.
656  * A null smb_request might be passed to this function.
657  */
658 
659 int
660 smb_fsop_remove(
661     smb_request_t	*sr,
662     cred_t		*cr,
663     smb_node_t		*dir_snode,
664     char		*name,
665     int			od)
666 {
667 	smb_node_t	*fnode;
668 	smb_attr_t	file_attr;
669 	char		*longname;
670 	char		*fname;
671 	char		*sname;
672 	int		flags = 0;
673 	int		rc;
674 
675 	ASSERT(cr);
676 	/*
677 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
678 	 * function is called during the deletion of the node (because of
679 	 * DELETE_ON_CLOSE).
680 	 */
681 	ASSERT(dir_snode);
682 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
683 
684 	if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0 ||
685 	    SMB_TREE_HAS_ACCESS(sr, ACE_DELETE) == 0)
686 		return (EACCES);
687 
688 	if (SMB_TREE_IS_READONLY(sr))
689 		return (EROFS);
690 
691 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
692 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
693 
694 	/*
695 	 * If the passed-in name is an on-disk name,
696 	 * then we need to do a case-sensitive remove.
697 	 * This is important if the on-disk name
698 	 * corresponds to a mangled name passed in by
699 	 * the client.  We want to make sure to remove
700 	 * the exact file specified by the client,
701 	 * instead of letting the underlying file system
702 	 * do a remove on the "first match."
703 	 */
704 
705 	if ((od == 0) && SMB_TREE_IS_CASEINSENSITIVE(sr))
706 		flags = SMB_IGNORE_CASE;
707 
708 	if (dir_snode->flags & NODE_XATTR_DIR) {
709 		rc = smb_vop_stream_remove(dir_snode->dir_snode->vp,
710 		    name, flags, cr);
711 	} else if ((rc = smb_stream_parse_name(name, fname, sname)) != 0) {
712 		if (rc == -1) {
713 			kmem_free(fname, MAXNAMELEN);
714 			kmem_free(sname, MAXNAMELEN);
715 			return (EINVAL);
716 		}
717 
718 		/*
719 		 * It is assumed that "name" corresponds to the path
720 		 * passed in by the client, and no need of suppressing
721 		 * case-insensitive lookups is needed.
722 		 */
723 
724 		ASSERT(od == 0);
725 
726 		/*
727 		 * Look up the unnamed stream (i.e. fname).
728 		 * Unmangle processing will be done on fname
729 		 * as well as any link target.
730 		 */
731 
732 		rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
733 		    sr->tid_tree->t_snode, dir_snode, fname, &fnode, &file_attr,
734 		    0, 0);
735 
736 		if (rc != 0) {
737 			kmem_free(fname, MAXNAMELEN);
738 			kmem_free(sname, MAXNAMELEN);
739 			return (rc);
740 		}
741 
742 		/*
743 		 * XXX
744 		 * Need to find out what permission is required by NTFS
745 		 * to remove a stream.
746 		 */
747 		rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr);
748 
749 		smb_node_release(fnode);
750 	} else {
751 		rc = smb_vop_remove(dir_snode->vp, name, flags, cr);
752 
753 		if (rc == ENOENT) {
754 			if (smb_maybe_mangled_name(name) == 0) {
755 				kmem_free(fname, MAXNAMELEN);
756 				kmem_free(sname, MAXNAMELEN);
757 				return (rc);
758 			}
759 			longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
760 
761 			rc = smb_unmangle_name(sr, cr, dir_snode, name,
762 			    longname, MAXNAMELEN, NULL, NULL, 1);
763 
764 			if (rc == 0) {
765 				/*
766 				 * We passed "1" as the "od" parameter
767 				 * to smb_unmangle_name(), such that longname
768 				 * is the real (case-sensitive) on-disk name.
769 				 * We make sure we do a remove on this exact
770 				 * name, as the name was mangled and denotes
771 				 * a unique file.
772 				 */
773 				flags &= ~SMB_IGNORE_CASE;
774 				rc = smb_vop_remove(dir_snode->vp, longname,
775 				    flags, cr);
776 			}
777 
778 			kmem_free(longname, MAXNAMELEN);
779 		}
780 	}
781 
782 	kmem_free(fname, MAXNAMELEN);
783 	kmem_free(sname, MAXNAMELEN);
784 	return (rc);
785 }
786 
787 /*
788  * smb_fsop_remove_streams
789  *
790  * This function removes a file's streams without removing the
791  * file itself.
792  *
793  * It is assumed that fnode is not a link.
794  */
795 int
796 smb_fsop_remove_streams(smb_request_t *sr, cred_t *cr, smb_node_t *fnode)
797 {
798 	int rc, flags = 0;
799 	uint16_t odid;
800 	smb_odir_t *od;
801 	smb_odirent_t *odirent;
802 	boolean_t eos;
803 
804 	ASSERT(sr);
805 	ASSERT(cr);
806 	ASSERT(fnode);
807 	ASSERT(fnode->n_magic == SMB_NODE_MAGIC);
808 	ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING);
809 
810 	if (SMB_TREE_CONTAINS_NODE(sr, fnode) == 0)
811 		return (EACCES);
812 
813 	if (SMB_TREE_IS_READONLY(sr))
814 		return (EROFS);
815 
816 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
817 		flags = SMB_IGNORE_CASE;
818 
819 	/* TBD - error codes */
820 	if ((odid = smb_odir_openat(sr, fnode)) == 0)
821 		return (ENOENT);
822 	if ((od = smb_tree_lookup_odir(sr->tid_tree, odid)) == NULL)
823 		return (ENOENT);
824 
825 	odirent = kmem_alloc(sizeof (smb_odirent_t), KM_SLEEP);
826 	for (;;) {
827 		rc = smb_odir_read(sr, od, odirent, &eos);
828 		if ((rc != 0) || (eos))
829 			break;
830 		(void) smb_vop_remove(od->d_dnode->vp, odirent->od_name,
831 		    flags, cr);
832 	}
833 	kmem_free(odirent, sizeof (smb_odirent_t));
834 
835 	smb_odir_release(od);
836 	smb_odir_close(od);
837 	return (rc);
838 }
839 
840 /*
841  * smb_fsop_rmdir
842  *
843  * All SMB functions should use this wrapper to ensure that
844  * the the calls are performed with the appropriate credentials.
845  * Please document any direct call to explain the reason
846  * for avoiding this wrapper.
847  *
848  * It is assumed that a reference exists on snode coming into this routine.
849  *
850  * od: This means that the name passed in is an on-disk name.
851  */
852 
853 int
854 smb_fsop_rmdir(
855     smb_request_t	*sr,
856     cred_t		*cr,
857     smb_node_t		*dir_snode,
858     char		*name,
859     int			od)
860 {
861 	int		rc;
862 	int		flags = 0;
863 	char		*longname;
864 
865 	ASSERT(cr);
866 	/*
867 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
868 	 * function is called during the deletion of the node (because of
869 	 * DELETE_ON_CLOSE).
870 	 */
871 	ASSERT(dir_snode);
872 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
873 
874 	if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0 ||
875 	    SMB_TREE_HAS_ACCESS(sr, ACE_DELETE_CHILD) == 0)
876 		return (EACCES);
877 
878 	if (SMB_TREE_IS_READONLY(sr))
879 		return (EROFS);
880 
881 	/*
882 	 * If the passed-in name is an on-disk name,
883 	 * then we need to do a case-sensitive rmdir.
884 	 * This is important if the on-disk name
885 	 * corresponds to a mangled name passed in by
886 	 * the client.  We want to make sure to remove
887 	 * the exact directory specified by the client,
888 	 * instead of letting the underlying file system
889 	 * do a rmdir on the "first match."
890 	 */
891 
892 	if ((od == 0) && SMB_TREE_IS_CASEINSENSITIVE(sr))
893 		flags = SMB_IGNORE_CASE;
894 
895 	rc = smb_vop_rmdir(dir_snode->vp, name, flags, cr);
896 
897 	if (rc == ENOENT) {
898 		if (smb_maybe_mangled_name(name) == 0)
899 			return (rc);
900 
901 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
902 
903 		rc = smb_unmangle_name(sr, cr, dir_snode,
904 		    name, longname, MAXNAMELEN, NULL,
905 		    NULL, 1);
906 
907 		if (rc == 0) {
908 			/*
909 			 * We passed "1" as the "od" parameter
910 			 * to smb_unmangle_name(), such that longname
911 			 * is the real (case-sensitive) on-disk name.
912 			 * We make sure we do a rmdir on this exact
913 			 * name, as the name was mangled and denotes
914 			 * a unique directory.
915 			 */
916 			flags &= ~SMB_IGNORE_CASE;
917 			rc = smb_vop_rmdir(dir_snode->vp, longname, flags, cr);
918 		}
919 
920 		kmem_free(longname, MAXNAMELEN);
921 	}
922 
923 	return (rc);
924 }
925 
926 /*
927  * smb_fsop_getattr
928  *
929  * All SMB functions should use this wrapper to ensure that
930  * the the calls are performed with the appropriate credentials.
931  * Please document any direct call to explain the reason
932  * for avoiding this wrapper.
933  *
934  * It is assumed that a reference exists on snode coming into this routine.
935  */
936 int
937 smb_fsop_getattr(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
938     smb_attr_t *attr)
939 {
940 	smb_node_t *unnamed_node;
941 	vnode_t *unnamed_vp = NULL;
942 	uint32_t status;
943 	uint32_t access = 0;
944 	int flags = 0;
945 	int rc;
946 
947 	ASSERT(cr);
948 	ASSERT(snode);
949 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
950 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
951 
952 	if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0 ||
953 	    SMB_TREE_HAS_ACCESS(sr, ACE_READ_ATTRIBUTES) == 0)
954 		return (EACCES);
955 
956 	if (sr->fid_ofile) {
957 		/* if uid and/or gid is requested */
958 		if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID))
959 			access |= READ_CONTROL;
960 
961 		/* if anything else is also requested */
962 		if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID))
963 			access |= FILE_READ_ATTRIBUTES;
964 
965 		status = smb_ofile_access(sr->fid_ofile, cr, access);
966 		if (status != NT_STATUS_SUCCESS)
967 			return (EACCES);
968 
969 		if (smb_tree_has_feature(sr->tid_tree,
970 		    SMB_TREE_ACEMASKONACCESS))
971 			flags = ATTR_NOACLCHECK;
972 	}
973 
974 	unnamed_node = SMB_IS_STREAM(snode);
975 
976 	if (unnamed_node) {
977 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
978 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
979 		unnamed_vp = unnamed_node->vp;
980 	}
981 
982 	rc = smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr);
983 	if (rc == 0)
984 		snode->attr = *attr;
985 
986 	return (rc);
987 }
988 
989 /*
990  * smb_fsop_rename
991  *
992  * All SMB functions should use this smb_vop_rename wrapper to ensure that
993  * the smb_vop_rename is performed with the appropriate credentials.
994  * Please document any direct call to smb_vop_rename to explain the reason
995  * for avoiding this wrapper.
996  *
997  * It is assumed that references exist on from_dir_snode and to_dir_snode coming
998  * into this routine.
999  */
1000 int
1001 smb_fsop_rename(
1002     smb_request_t *sr,
1003     cred_t *cr,
1004     smb_node_t *from_dir_snode,
1005     char *from_name,
1006     smb_node_t *to_dir_snode,
1007     char *to_name)
1008 {
1009 	smb_node_t *from_snode;
1010 	smb_attr_t tmp_attr;
1011 	vnode_t *from_vp;
1012 	int flags = 0;
1013 	int rc;
1014 	boolean_t isdir;
1015 
1016 	ASSERT(cr);
1017 	ASSERT(from_dir_snode);
1018 	ASSERT(from_dir_snode->n_magic == SMB_NODE_MAGIC);
1019 	ASSERT(from_dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1020 
1021 	ASSERT(to_dir_snode);
1022 	ASSERT(to_dir_snode->n_magic == SMB_NODE_MAGIC);
1023 	ASSERT(to_dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1024 
1025 	if (SMB_TREE_CONTAINS_NODE(sr, from_dir_snode) == 0)
1026 		return (EACCES);
1027 
1028 	if (SMB_TREE_CONTAINS_NODE(sr, to_dir_snode) == 0)
1029 		return (EACCES);
1030 
1031 	ASSERT(sr);
1032 	ASSERT(sr->tid_tree);
1033 	if (SMB_TREE_IS_READONLY(sr))
1034 		return (EROFS);
1035 
1036 	/*
1037 	 * Note: There is no need to check SMB_TREE_IS_CASEINSENSITIVE
1038 	 * here.
1039 	 *
1040 	 * A case-sensitive rename is always done in this routine
1041 	 * because we are using the on-disk name from an earlier lookup.
1042 	 * If a mangled name was passed in by the caller (denoting a
1043 	 * deterministic lookup), then the exact file must be renamed
1044 	 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or
1045 	 * else the underlying file system might return a "first-match"
1046 	 * on this on-disk name, possibly resulting in the wrong file).
1047 	 */
1048 
1049 	/*
1050 	 * XXX: Lock required through smb_node_release() below?
1051 	 */
1052 
1053 	rc = smb_vop_lookup(from_dir_snode->vp, from_name, &from_vp, NULL, 0,
1054 	    NULL, cr);
1055 
1056 	if (rc != 0)
1057 		return (rc);
1058 
1059 	isdir = from_vp->v_type == VDIR;
1060 
1061 	if ((isdir && SMB_TREE_HAS_ACCESS(sr,
1062 	    ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY) !=
1063 	    (ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY)) ||
1064 	    (!isdir && SMB_TREE_HAS_ACCESS(sr, ACE_DELETE | ACE_ADD_FILE) !=
1065 	    (ACE_DELETE | ACE_ADD_FILE)))
1066 		return (EACCES);
1067 
1068 	rc = smb_vop_rename(from_dir_snode->vp, from_name, to_dir_snode->vp,
1069 	    to_name, flags, cr);
1070 
1071 	if (rc == 0) {
1072 		from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name,
1073 		    from_dir_snode, NULL, &tmp_attr);
1074 
1075 		if (from_snode == NULL) {
1076 			rc = ENOMEM;
1077 		} else {
1078 			(void) smb_node_rename(from_dir_snode, from_snode,
1079 			    to_dir_snode, to_name);
1080 			smb_node_release(from_snode);
1081 		}
1082 	}
1083 	VN_RELE(from_vp);
1084 
1085 	/* XXX: unlock */
1086 
1087 	return (rc);
1088 }
1089 
1090 /*
1091  * smb_fsop_setattr
1092  *
1093  * All SMB functions should use this wrapper to ensure that
1094  * the the calls are performed with the appropriate credentials.
1095  * Please document any direct call to explain the reason
1096  * for avoiding this wrapper.
1097  *
1098  * It is assumed that a reference exists on snode coming into this routine.
1099  * A null smb_request might be passed to this function.
1100  */
1101 int
1102 smb_fsop_setattr(
1103     smb_request_t	*sr,
1104     cred_t		*cr,
1105     smb_node_t		*snode,
1106     smb_attr_t		*set_attr,
1107     smb_attr_t		*ret_attr)
1108 {
1109 	smb_node_t *unnamed_node;
1110 	vnode_t *unnamed_vp = NULL;
1111 	uint32_t status;
1112 	uint32_t access;
1113 	int rc = 0;
1114 	int flags = 0;
1115 	uint_t sa_mask;
1116 
1117 	ASSERT(cr);
1118 	ASSERT(snode);
1119 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1120 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1121 
1122 	if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0)
1123 		return (EACCES);
1124 
1125 	if (SMB_TREE_IS_READONLY(sr))
1126 		return (EROFS);
1127 
1128 	if (SMB_TREE_HAS_ACCESS(sr,
1129 	    ACE_WRITE_ATTRIBUTES | ACE_WRITE_NAMED_ATTRS) == 0)
1130 		return (EACCES);
1131 
1132 	if (sr && (set_attr->sa_mask & SMB_AT_SIZE)) {
1133 		if (sr->fid_ofile) {
1134 			if (SMB_OFILE_IS_READONLY(sr->fid_ofile))
1135 				return (EACCES);
1136 		} else {
1137 			if (SMB_PATHFILE_IS_READONLY(sr, snode))
1138 				return (EACCES);
1139 		}
1140 	}
1141 
1142 	/* sr could be NULL in some cases */
1143 	if (sr && sr->fid_ofile) {
1144 		sa_mask = set_attr->sa_mask;
1145 		access = 0;
1146 
1147 		if (sa_mask & SMB_AT_SIZE) {
1148 			access |= FILE_WRITE_DATA;
1149 			sa_mask &= ~SMB_AT_SIZE;
1150 		}
1151 
1152 		if (sa_mask & (SMB_AT_UID|SMB_AT_GID)) {
1153 			access |= WRITE_OWNER;
1154 			sa_mask &= ~(SMB_AT_UID|SMB_AT_GID);
1155 		}
1156 
1157 		if (sa_mask)
1158 			access |= FILE_WRITE_ATTRIBUTES;
1159 
1160 		status = smb_ofile_access(sr->fid_ofile, cr, access);
1161 		if (status != NT_STATUS_SUCCESS)
1162 			return (EACCES);
1163 
1164 		if (smb_tree_has_feature(sr->tid_tree,
1165 		    SMB_TREE_ACEMASKONACCESS))
1166 			flags = ATTR_NOACLCHECK;
1167 	}
1168 
1169 	unnamed_node = SMB_IS_STREAM(snode);
1170 
1171 	if (unnamed_node) {
1172 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1173 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1174 		unnamed_vp = unnamed_node->vp;
1175 	}
1176 
1177 	rc = smb_vop_setattr(snode->vp, unnamed_vp, set_attr, flags, cr);
1178 
1179 	if ((rc == 0) && ret_attr) {
1180 		/*
1181 		 * Use kcred to update the node attr because this
1182 		 * call is not being made on behalf of the user.
1183 		 */
1184 		ret_attr->sa_mask = SMB_AT_ALL;
1185 		rc = smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, flags,
1186 		    kcred);
1187 		if (rc == 0)
1188 			snode->attr = *ret_attr;
1189 	}
1190 
1191 	return (rc);
1192 }
1193 
1194 /*
1195  * smb_fsop_read
1196  *
1197  * All SMB functions should use this wrapper to ensure that
1198  * the the calls are performed with the appropriate credentials.
1199  * Please document any direct call to explain the reason
1200  * for avoiding this wrapper.
1201  *
1202  * It is assumed that a reference exists on snode coming into this routine.
1203  */
1204 int
1205 smb_fsop_read(
1206     struct smb_request *sr,
1207     cred_t *cr,
1208     smb_node_t *snode,
1209     uio_t *uio,
1210     smb_attr_t *ret_attr)
1211 {
1212 	smb_node_t *unnamed_node;
1213 	vnode_t *unnamed_vp = NULL;
1214 	caller_context_t ct;
1215 	int svmand;
1216 	int rc;
1217 
1218 	ASSERT(cr);
1219 	ASSERT(snode);
1220 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1221 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1222 
1223 	ASSERT(sr);
1224 	ASSERT(sr->fid_ofile);
1225 
1226 	if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_DATA) == 0)
1227 		return (EACCES);
1228 
1229 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_READ_DATA);
1230 	if (rc != NT_STATUS_SUCCESS) {
1231 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_EXECUTE);
1232 		if (rc != NT_STATUS_SUCCESS)
1233 			return (EACCES);
1234 	}
1235 
1236 	unnamed_node = SMB_IS_STREAM(snode);
1237 	if (unnamed_node) {
1238 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1239 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1240 		unnamed_vp = unnamed_node->vp;
1241 		/*
1242 		 * Streams permission are checked against the unnamed stream,
1243 		 * but in FS level they have their own permissions. To avoid
1244 		 * rejection by FS due to lack of permission on the actual
1245 		 * extended attr kcred is passed for streams.
1246 		 */
1247 		cr = kcred;
1248 	}
1249 
1250 	smb_node_start_crit(snode, RW_READER);
1251 	rc = nbl_svmand(snode->vp, kcred, &svmand);
1252 	if (rc) {
1253 		smb_node_end_crit(snode);
1254 		return (rc);
1255 	}
1256 
1257 	ct = smb_ct;
1258 	ct.cc_pid = sr->fid_ofile->f_uniqid;
1259 	rc = nbl_lock_conflict(snode->vp, NBL_READ, uio->uio_loffset,
1260 	    uio->uio_iov->iov_len, svmand, &ct);
1261 
1262 	if (rc) {
1263 		smb_node_end_crit(snode);
1264 		return (ERANGE);
1265 	}
1266 	rc = smb_vop_read(snode->vp, uio, cr);
1267 
1268 	if (rc == 0 && ret_attr) {
1269 		/*
1270 		 * Use kcred to update the node attr because this
1271 		 * call is not being made on behalf of the user.
1272 		 */
1273 		ret_attr->sa_mask = SMB_AT_ALL;
1274 		if (smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0,
1275 		    kcred) == 0) {
1276 			snode->attr = *ret_attr;
1277 		}
1278 	}
1279 
1280 	smb_node_end_crit(snode);
1281 
1282 	return (rc);
1283 }
1284 
1285 /*
1286  * smb_fsop_write
1287  *
1288  * This is a wrapper function used for smb_write and smb_write_raw operations.
1289  *
1290  * It is assumed that a reference exists on snode coming into this routine.
1291  */
1292 int
1293 smb_fsop_write(
1294     smb_request_t *sr,
1295     cred_t *cr,
1296     smb_node_t *snode,
1297     uio_t *uio,
1298     uint32_t *lcount,
1299     smb_attr_t *ret_attr,
1300     int ioflag)
1301 {
1302 	smb_node_t *unnamed_node;
1303 	vnode_t *unnamed_vp = NULL;
1304 	caller_context_t ct;
1305 	int svmand;
1306 	int rc;
1307 
1308 	ASSERT(cr);
1309 	ASSERT(snode);
1310 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1311 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1312 
1313 	ASSERT(sr);
1314 	ASSERT(sr->tid_tree);
1315 	ASSERT(sr->fid_ofile);
1316 
1317 	if (SMB_TREE_IS_READONLY(sr))
1318 		return (EROFS);
1319 
1320 	if (SMB_OFILE_IS_READONLY(sr->fid_ofile) ||
1321 	    SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_DATA | ACE_APPEND_DATA) == 0)
1322 		return (EACCES);
1323 
1324 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_WRITE_DATA);
1325 	if (rc != NT_STATUS_SUCCESS) {
1326 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_APPEND_DATA);
1327 		if (rc != NT_STATUS_SUCCESS)
1328 			return (EACCES);
1329 	}
1330 
1331 	unnamed_node = SMB_IS_STREAM(snode);
1332 
1333 	if (unnamed_node) {
1334 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1335 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1336 		unnamed_vp = unnamed_node->vp;
1337 		/*
1338 		 * Streams permission are checked against the unnamed stream,
1339 		 * but in FS level they have their own permissions. To avoid
1340 		 * rejection by FS due to lack of permission on the actual
1341 		 * extended attr kcred is passed for streams.
1342 		 */
1343 		cr = kcred;
1344 	}
1345 
1346 	smb_node_start_crit(snode, RW_READER);
1347 	rc = nbl_svmand(snode->vp, kcred, &svmand);
1348 	if (rc) {
1349 		smb_node_end_crit(snode);
1350 		return (rc);
1351 	}
1352 
1353 	ct = smb_ct;
1354 	ct.cc_pid = sr->fid_ofile->f_uniqid;
1355 	rc = nbl_lock_conflict(snode->vp, NBL_WRITE, uio->uio_loffset,
1356 	    uio->uio_iov->iov_len, svmand, &ct);
1357 
1358 	if (rc) {
1359 		smb_node_end_crit(snode);
1360 		return (ERANGE);
1361 	}
1362 	rc = smb_vop_write(snode->vp, uio, ioflag, lcount, cr);
1363 
1364 	if (rc == 0 && ret_attr) {
1365 		/*
1366 		 * Use kcred to update the node attr because this
1367 		 * call is not being made on behalf of the user.
1368 		 */
1369 		ret_attr->sa_mask = SMB_AT_ALL;
1370 		if (smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0,
1371 		    kcred) == 0) {
1372 			snode->attr = *ret_attr;
1373 		}
1374 	}
1375 
1376 	smb_node_end_crit(snode);
1377 
1378 	return (rc);
1379 }
1380 
1381 /*
1382  * smb_fsop_statfs
1383  *
1384  * This is a wrapper function used for stat operations.
1385  */
1386 int
1387 smb_fsop_statfs(
1388     cred_t *cr,
1389     smb_node_t *snode,
1390     struct statvfs64 *statp)
1391 {
1392 	ASSERT(cr);
1393 	ASSERT(snode);
1394 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1395 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1396 
1397 	return (smb_vop_statfs(snode->vp, statp, cr));
1398 }
1399 
1400 /*
1401  * smb_fsop_access
1402  *
1403  * Named streams do not have separate permissions from the associated
1404  * unnamed stream.  Thus, if node is a named stream, the permissions
1405  * check will be performed on the associated unnamed stream.
1406  *
1407  * However, our named streams do have their own quarantine attribute,
1408  * separate from that on the unnamed stream. If READ or EXECUTE
1409  * access has been requested on a named stream, an additional access
1410  * check is performed on the named stream in case it has been
1411  * quarantined.  kcred is used to avoid issues with the permissions
1412  * set on the extended attribute file representing the named stream.
1413  */
1414 int
1415 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1416     uint32_t faccess)
1417 {
1418 	int access = 0;
1419 	int error;
1420 	vnode_t *dir_vp;
1421 	boolean_t acl_check = B_TRUE;
1422 	smb_node_t *unnamed_node;
1423 
1424 	ASSERT(sr);
1425 	ASSERT(cr);
1426 	ASSERT(snode);
1427 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1428 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1429 
1430 	if (faccess == 0)
1431 		return (NT_STATUS_SUCCESS);
1432 
1433 	if (SMB_TREE_IS_READONLY(sr)) {
1434 		if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA|
1435 		    FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES|
1436 		    DELETE|WRITE_DAC|WRITE_OWNER)) {
1437 			return (NT_STATUS_ACCESS_DENIED);
1438 		}
1439 	}
1440 
1441 	unnamed_node = SMB_IS_STREAM(snode);
1442 	if (unnamed_node) {
1443 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1444 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1445 
1446 		/*
1447 		 * Perform VREAD access check on the named stream in case it
1448 		 * is quarantined. kcred is passed to smb_vop_access so it
1449 		 * doesn't fail due to lack of permission.
1450 		 */
1451 		if (faccess & (FILE_READ_DATA | FILE_EXECUTE)) {
1452 			error = smb_vop_access(snode->vp, VREAD,
1453 			    0, NULL, kcred);
1454 			if (error)
1455 				return (NT_STATUS_ACCESS_DENIED);
1456 		}
1457 
1458 		/*
1459 		 * Streams authorization should be performed against the
1460 		 * unnamed stream.
1461 		 */
1462 		snode = unnamed_node;
1463 	}
1464 
1465 	if (faccess & ACCESS_SYSTEM_SECURITY) {
1466 		/*
1467 		 * This permission is required for reading/writing SACL and
1468 		 * it's not part of DACL. It's only granted via proper
1469 		 * privileges.
1470 		 */
1471 		if ((sr->uid_user->u_privileges &
1472 		    (SMB_USER_PRIV_BACKUP |
1473 		    SMB_USER_PRIV_RESTORE |
1474 		    SMB_USER_PRIV_SECURITY)) == 0)
1475 			return (NT_STATUS_PRIVILEGE_NOT_HELD);
1476 
1477 		faccess &= ~ACCESS_SYSTEM_SECURITY;
1478 	}
1479 
1480 	/* Links don't have ACL */
1481 	if ((!smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) ||
1482 	    (snode->attr.sa_vattr.va_type == VLNK))
1483 		acl_check = B_FALSE;
1484 
1485 	/*
1486 	 * Use the most restrictive parts of both faccess and the
1487 	 * share access.  An AND of the two value masks gives us that
1488 	 * since we've already converted to a mask of what we "can"
1489 	 * do.
1490 	 */
1491 	faccess &= sr->tid_tree->t_access;
1492 
1493 	if (acl_check) {
1494 		dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL;
1495 		error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp,
1496 		    cr);
1497 	} else {
1498 		/*
1499 		 * FS doesn't understand 32-bit mask, need to map
1500 		 */
1501 		if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA))
1502 			access |= VWRITE;
1503 
1504 		if (faccess & FILE_READ_DATA)
1505 			access |= VREAD;
1506 
1507 		if (faccess & FILE_EXECUTE)
1508 			access |= VEXEC;
1509 
1510 		error = smb_vop_access(snode->vp, access, 0, NULL, cr);
1511 	}
1512 
1513 	return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS);
1514 }
1515 
1516 /*
1517  * smb_fsop_lookup_name()
1518  *
1519  * If name indicates that the file is a stream file, perform
1520  * stream specific lookup, otherwise call smb_fsop_lookup.
1521  *
1522  * Return an error if the looked-up file is in outside the tree.
1523  * (Required when invoked from open path.)
1524  */
1525 
1526 int
1527 smb_fsop_lookup_name(
1528     smb_request_t *sr,
1529     cred_t	*cr,
1530     int		flags,
1531     smb_node_t	*root_node,
1532     smb_node_t	*dir_snode,
1533     char	*name,
1534     smb_node_t	**ret_snode,
1535     smb_attr_t	*ret_attr)
1536 {
1537 	smb_node_t	*fnode;
1538 	smb_attr_t	file_attr;
1539 	vnode_t		*xattrdirvp;
1540 	vnode_t		*vp;
1541 	char		*od_name;
1542 	char		*fname;
1543 	char		*sname;
1544 	int		rc;
1545 
1546 	ASSERT(cr);
1547 	ASSERT(dir_snode);
1548 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
1549 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1550 
1551 	/*
1552 	 * The following check is required for streams processing, below
1553 	 */
1554 
1555 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1556 		flags |= SMB_IGNORE_CASE;
1557 
1558 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1559 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1560 
1561 	if ((rc = smb_stream_parse_name(name, fname, sname)) != 0) {
1562 		if (rc == -1) {
1563 			kmem_free(fname, MAXNAMELEN);
1564 			kmem_free(sname, MAXNAMELEN);
1565 			return (EINVAL);
1566 		}
1567 
1568 		/*
1569 		 * Look up the unnamed stream (i.e. fname).
1570 		 * Unmangle processing will be done on fname
1571 		 * as well as any link target.
1572 		 */
1573 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dir_snode, fname,
1574 		    &fnode, &file_attr, NULL, NULL);
1575 
1576 		if (rc != 0) {
1577 			kmem_free(fname, MAXNAMELEN);
1578 			kmem_free(sname, MAXNAMELEN);
1579 			return (rc);
1580 		}
1581 
1582 		od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1583 
1584 		/*
1585 		 * od_name is the on-disk name of the stream, except
1586 		 * without the prepended stream prefix (SMB_STREAM_PREFIX)
1587 		 */
1588 
1589 		/*
1590 		 * XXX
1591 		 * What permissions NTFS requires for stream lookup if any?
1592 		 */
1593 		rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name,
1594 		    &xattrdirvp, flags, root_node->vp, cr);
1595 
1596 		if (rc != 0) {
1597 			smb_node_release(fnode);
1598 			kmem_free(fname, MAXNAMELEN);
1599 			kmem_free(sname, MAXNAMELEN);
1600 			kmem_free(od_name, MAXNAMELEN);
1601 			return (rc);
1602 		}
1603 
1604 		*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
1605 		    vp, od_name, ret_attr);
1606 
1607 		kmem_free(od_name, MAXNAMELEN);
1608 		smb_node_release(fnode);
1609 		VN_RELE(xattrdirvp);
1610 		VN_RELE(vp);
1611 
1612 		if (*ret_snode == NULL) {
1613 			kmem_free(fname, MAXNAMELEN);
1614 			kmem_free(sname, MAXNAMELEN);
1615 			return (ENOMEM);
1616 		}
1617 	} else {
1618 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dir_snode, name,
1619 		    ret_snode, ret_attr, NULL, NULL);
1620 	}
1621 
1622 	if (rc == 0) {
1623 		ASSERT(ret_snode);
1624 		if (SMB_TREE_CONTAINS_NODE(sr, *ret_snode) == 0) {
1625 			smb_node_release(*ret_snode);
1626 			*ret_snode = NULL;
1627 			rc = EACCES;
1628 		}
1629 	}
1630 
1631 	kmem_free(fname, MAXNAMELEN);
1632 	kmem_free(sname, MAXNAMELEN);
1633 
1634 	return (rc);
1635 }
1636 
1637 /*
1638  * smb_fsop_lookup
1639  *
1640  * All SMB functions should use this smb_vop_lookup wrapper to ensure that
1641  * the smb_vop_lookup is performed with the appropriate credentials and using
1642  * case insensitive compares. Please document any direct call to smb_vop_lookup
1643  * to explain the reason for avoiding this wrapper.
1644  *
1645  * It is assumed that a reference exists on dir_snode coming into this routine
1646  * (and that it is safe from deallocation).
1647  *
1648  * Same with the root_node.
1649  *
1650  * *ret_snode is returned with a reference upon success.  No reference is
1651  * taken if an error is returned.
1652  *
1653  * Note: The returned ret_snode may be in a child mount.  This is ok for
1654  * readdir.
1655  *
1656  * ret_shortname and ret_name83 must each point to buffers of at least
1657  * SMB_SHORTNAMELEN bytes.
1658  *
1659  * Other smb_fsop_* routines will call SMB_TREE_CONTAINS_NODE() to prevent
1660  * operations on files not in the parent mount.
1661  */
1662 int
1663 smb_fsop_lookup(
1664     smb_request_t *sr,
1665     cred_t	*cr,
1666     int		flags,
1667     smb_node_t	*root_node,
1668     smb_node_t	*dir_snode,
1669     char	*name,
1670     smb_node_t	**ret_snode,
1671     smb_attr_t	*ret_attr,
1672     char	*ret_shortname,
1673     char	*ret_name83)
1674 {
1675 	smb_node_t *lnk_target_node;
1676 	smb_node_t *lnk_dnode;
1677 	char *longname;
1678 	char *od_name;
1679 	vnode_t *vp;
1680 	int rc;
1681 
1682 	ASSERT(cr);
1683 	ASSERT(dir_snode);
1684 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
1685 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1686 
1687 	if (name == NULL)
1688 		return (EINVAL);
1689 
1690 	if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0)
1691 		return (EACCES);
1692 
1693 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1694 		flags |= SMB_IGNORE_CASE;
1695 
1696 	od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1697 
1698 	rc = smb_vop_lookup(dir_snode->vp, name, &vp, od_name, flags,
1699 	    root_node ? root_node->vp : NULL, cr);
1700 
1701 	if (rc != 0) {
1702 		if (smb_maybe_mangled_name(name) == 0) {
1703 			kmem_free(od_name, MAXNAMELEN);
1704 			return (rc);
1705 		}
1706 
1707 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1708 
1709 		rc = smb_unmangle_name(sr, cr, dir_snode, name, longname,
1710 		    MAXNAMELEN, ret_shortname, ret_name83, 1);
1711 
1712 		if (rc != 0) {
1713 			kmem_free(od_name, MAXNAMELEN);
1714 			kmem_free(longname, MAXNAMELEN);
1715 			return (rc);
1716 		}
1717 
1718 		/*
1719 		 * We passed "1" as the "od" parameter
1720 		 * to smb_unmangle_name(), such that longname
1721 		 * is the real (case-sensitive) on-disk name.
1722 		 * We make sure we do a lookup on this exact
1723 		 * name, as the name was mangled and denotes
1724 		 * a unique file.
1725 		 */
1726 
1727 		if (flags & SMB_IGNORE_CASE)
1728 			flags &= ~SMB_IGNORE_CASE;
1729 
1730 		rc = smb_vop_lookup(dir_snode->vp, longname, &vp, od_name,
1731 		    flags, root_node ? root_node->vp : NULL, cr);
1732 
1733 		kmem_free(longname, MAXNAMELEN);
1734 
1735 		if (rc != 0) {
1736 			kmem_free(od_name, MAXNAMELEN);
1737 			return (rc);
1738 		}
1739 	}
1740 
1741 	if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK)) {
1742 
1743 		rc = smb_pathname(sr, od_name, FOLLOW, root_node, dir_snode,
1744 		    &lnk_dnode, &lnk_target_node, cr);
1745 
1746 		if (rc != 0) {
1747 			/*
1748 			 * The link is assumed to be for the last component
1749 			 * of a path.  Hence any ENOTDIR error will be returned
1750 			 * as ENOENT.
1751 			 */
1752 			if (rc == ENOTDIR)
1753 				rc = ENOENT;
1754 
1755 			VN_RELE(vp);
1756 			kmem_free(od_name, MAXNAMELEN);
1757 			return (rc);
1758 		}
1759 
1760 		/*
1761 		 * Release the original VLNK vnode
1762 		 */
1763 
1764 		VN_RELE(vp);
1765 		vp = lnk_target_node->vp;
1766 
1767 		rc = smb_vop_traverse_check(&vp);
1768 
1769 		if (rc != 0) {
1770 			smb_node_release(lnk_dnode);
1771 			smb_node_release(lnk_target_node);
1772 			kmem_free(od_name, MAXNAMELEN);
1773 			return (rc);
1774 		}
1775 
1776 		/*
1777 		 * smb_vop_traverse_check() may have returned a different vnode
1778 		 */
1779 
1780 		if (lnk_target_node->vp == vp) {
1781 			*ret_snode = lnk_target_node;
1782 			*ret_attr = (*ret_snode)->attr;
1783 		} else {
1784 			*ret_snode = smb_node_lookup(sr, NULL, cr, vp,
1785 			    lnk_target_node->od_name, lnk_dnode, NULL,
1786 			    ret_attr);
1787 			VN_RELE(vp);
1788 
1789 			if (*ret_snode == NULL)
1790 				rc = ENOMEM;
1791 			smb_node_release(lnk_target_node);
1792 		}
1793 
1794 		smb_node_release(lnk_dnode);
1795 
1796 	} else {
1797 
1798 		rc = smb_vop_traverse_check(&vp);
1799 		if (rc) {
1800 			VN_RELE(vp);
1801 			kmem_free(od_name, MAXNAMELEN);
1802 			return (rc);
1803 		}
1804 
1805 		*ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name,
1806 		    dir_snode, NULL, ret_attr);
1807 		VN_RELE(vp);
1808 
1809 		if (*ret_snode == NULL)
1810 			rc = ENOMEM;
1811 	}
1812 
1813 	kmem_free(od_name, MAXNAMELEN);
1814 	return (rc);
1815 }
1816 
1817 int /*ARGSUSED*/
1818 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode)
1819 {
1820 	ASSERT(cr);
1821 	ASSERT(snode);
1822 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1823 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1824 
1825 	ASSERT(sr);
1826 	ASSERT(sr->tid_tree);
1827 	if (SMB_TREE_IS_READONLY(sr))
1828 		return (EROFS);
1829 
1830 	return (smb_vop_commit(snode->vp, cr));
1831 }
1832 
1833 /*
1834  * smb_fsop_aclread
1835  *
1836  * Retrieve filesystem ACL. Depends on requested ACLs in
1837  * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in
1838  * fs_sd. Note that requesting a DACL/SACL doesn't mean that
1839  * the corresponding field in fs_sd should be non-NULL upon
1840  * return, since the target ACL might not contain that type of
1841  * entries.
1842  *
1843  * Returned ACL is always in ACE_T (aka ZFS) format.
1844  * If successful the allocated memory for the ACL should be freed
1845  * using smb_fsacl_free() or smb_fssd_term()
1846  */
1847 int
1848 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1849     smb_fssd_t *fs_sd)
1850 {
1851 	int error = 0;
1852 	int flags = 0;
1853 	int access = 0;
1854 	acl_t *acl;
1855 	smb_node_t *unnamed_node;
1856 
1857 	ASSERT(cr);
1858 
1859 	if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_ACL) == 0)
1860 		return (EACCES);
1861 
1862 	if (sr->fid_ofile) {
1863 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
1864 			access = READ_CONTROL;
1865 
1866 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
1867 			access |= ACCESS_SYSTEM_SECURITY;
1868 
1869 		error = smb_ofile_access(sr->fid_ofile, cr, access);
1870 		if (error != NT_STATUS_SUCCESS) {
1871 			return (EACCES);
1872 		}
1873 	}
1874 
1875 	unnamed_node = SMB_IS_STREAM(snode);
1876 	if (unnamed_node) {
1877 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1878 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1879 		/*
1880 		 * Streams don't have ACL, any read ACL attempt on a stream
1881 		 * should be performed on the unnamed stream.
1882 		 */
1883 		snode = unnamed_node;
1884 	}
1885 
1886 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS))
1887 		flags = ATTR_NOACLCHECK;
1888 
1889 	error = smb_vop_acl_read(snode->vp, &acl, flags,
1890 	    sr->tid_tree->t_acltype, cr);
1891 	if (error != 0) {
1892 		return (error);
1893 	}
1894 
1895 	error = acl_translate(acl, _ACL_ACE_ENABLED,
1896 	    (snode->vp->v_type == VDIR), fs_sd->sd_uid, fs_sd->sd_gid);
1897 
1898 	if (error == 0) {
1899 		smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl,
1900 		    fs_sd->sd_secinfo);
1901 	}
1902 
1903 	acl_free(acl);
1904 	return (error);
1905 }
1906 
1907 /*
1908  * smb_fsop_aclwrite
1909  *
1910  * Stores the filesystem ACL provided in fs_sd->sd_acl.
1911  */
1912 int
1913 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1914     smb_fssd_t *fs_sd)
1915 {
1916 	int target_flavor;
1917 	int error = 0;
1918 	int flags = 0;
1919 	int access = 0;
1920 	acl_t *acl, *dacl, *sacl;
1921 	smb_node_t *unnamed_node;
1922 
1923 	ASSERT(cr);
1924 
1925 	ASSERT(sr);
1926 	ASSERT(sr->tid_tree);
1927 	if (SMB_TREE_IS_READONLY(sr))
1928 		return (EROFS);
1929 
1930 	if (SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_ACL) == 0)
1931 		return (EACCES);
1932 
1933 	if (sr->fid_ofile) {
1934 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
1935 			access = WRITE_DAC;
1936 
1937 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
1938 			access |= ACCESS_SYSTEM_SECURITY;
1939 
1940 		error = smb_ofile_access(sr->fid_ofile, cr, access);
1941 		if (error != NT_STATUS_SUCCESS)
1942 			return (EACCES);
1943 	}
1944 
1945 	switch (sr->tid_tree->t_acltype) {
1946 	case ACLENT_T:
1947 		target_flavor = _ACL_ACLENT_ENABLED;
1948 		break;
1949 
1950 	case ACE_T:
1951 		target_flavor = _ACL_ACE_ENABLED;
1952 		break;
1953 	default:
1954 		return (EINVAL);
1955 	}
1956 
1957 	unnamed_node = SMB_IS_STREAM(snode);
1958 	if (unnamed_node) {
1959 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1960 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1961 		/*
1962 		 * Streams don't have ACL, any write ACL attempt on a stream
1963 		 * should be performed on the unnamed stream.
1964 		 */
1965 		snode = unnamed_node;
1966 	}
1967 
1968 	dacl = fs_sd->sd_zdacl;
1969 	sacl = fs_sd->sd_zsacl;
1970 
1971 	ASSERT(dacl || sacl);
1972 	if ((dacl == NULL) && (sacl == NULL))
1973 		return (EINVAL);
1974 
1975 	if (dacl && sacl)
1976 		acl = smb_fsacl_merge(dacl, sacl);
1977 	else if (dacl)
1978 		acl = dacl;
1979 	else
1980 		acl = sacl;
1981 
1982 	error = acl_translate(acl, target_flavor, (snode->vp->v_type == VDIR),
1983 	    fs_sd->sd_uid, fs_sd->sd_gid);
1984 	if (error == 0) {
1985 		if (smb_tree_has_feature(sr->tid_tree,
1986 		    SMB_TREE_ACEMASKONACCESS))
1987 			flags = ATTR_NOACLCHECK;
1988 
1989 		error = smb_vop_acl_write(snode->vp, acl, flags, cr);
1990 	}
1991 
1992 	if (dacl && sacl)
1993 		acl_free(acl);
1994 
1995 	return (error);
1996 }
1997 
1998 acl_type_t
1999 smb_fsop_acltype(smb_node_t *snode)
2000 {
2001 	return (smb_vop_acl_type(snode->vp));
2002 }
2003 
2004 /*
2005  * smb_fsop_sdread
2006  *
2007  * Read the requested security descriptor items from filesystem.
2008  * The items are specified in fs_sd->sd_secinfo.
2009  */
2010 int
2011 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2012     smb_fssd_t *fs_sd)
2013 {
2014 	int error = 0;
2015 	int getowner = 0;
2016 	cred_t *ga_cred;
2017 	smb_attr_t attr;
2018 
2019 	ASSERT(cr);
2020 	ASSERT(fs_sd);
2021 
2022 	/*
2023 	 * File's uid/gid is fetched in two cases:
2024 	 *
2025 	 * 1. it's explicitly requested
2026 	 *
2027 	 * 2. target ACL is ACE_T (ZFS ACL). They're needed for
2028 	 *    owner@/group@ entries. In this case kcred should be used
2029 	 *    because uid/gid are fetched on behalf of smb server.
2030 	 */
2031 	if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) {
2032 		getowner = 1;
2033 		ga_cred = cr;
2034 	} else if (sr->tid_tree->t_acltype == ACE_T) {
2035 		getowner = 1;
2036 		ga_cred = kcred;
2037 	}
2038 
2039 	if (getowner) {
2040 		/*
2041 		 * Windows require READ_CONTROL to read owner/group SID since
2042 		 * they're part of Security Descriptor.
2043 		 * ZFS only requires read_attribute. Need to have a explicit
2044 		 * access check here.
2045 		 */
2046 		if (sr->fid_ofile == NULL) {
2047 			error = smb_fsop_access(sr, ga_cred, snode,
2048 			    READ_CONTROL);
2049 			if (error)
2050 				return (error);
2051 		}
2052 
2053 		attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2054 		error = smb_fsop_getattr(sr, ga_cred, snode, &attr);
2055 		if (error == 0) {
2056 			fs_sd->sd_uid = attr.sa_vattr.va_uid;
2057 			fs_sd->sd_gid = attr.sa_vattr.va_gid;
2058 		} else {
2059 			return (error);
2060 		}
2061 	}
2062 
2063 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2064 		error = smb_fsop_aclread(sr, cr, snode, fs_sd);
2065 	}
2066 
2067 	return (error);
2068 }
2069 
2070 /*
2071  * smb_fsop_sdmerge
2072  *
2073  * From SMB point of view DACL and SACL are two separate list
2074  * which can be manipulated independently without one affecting
2075  * the other, but entries for both DACL and SACL will end up
2076  * in the same ACL if target filesystem supports ACE_T ACLs.
2077  *
2078  * So, if either DACL or SACL is present in the client set request
2079  * the entries corresponding to the non-present ACL shouldn't
2080  * be touched in the FS ACL.
2081  *
2082  * fs_sd parameter contains DACL and SACL specified by SMB
2083  * client to be set on a file/directory. The client could
2084  * specify both or one of these ACLs (if none is specified
2085  * we don't get this far). When both DACL and SACL are given
2086  * by client the existing ACL should be overwritten. If only
2087  * one of them is specified the entries corresponding to the other
2088  * ACL should not be touched. For example, if only DACL
2089  * is specified in input fs_sd, the function reads audit entries
2090  * of the existing ACL of the file and point fs_sd->sd_zsdacl
2091  * pointer to the fetched SACL, this way when smb_fsop_sdwrite()
2092  * function is called the passed fs_sd would point to the specified
2093  * DACL by client and fetched SACL from filesystem, so the file
2094  * will end up with correct ACL.
2095  */
2096 static int
2097 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd)
2098 {
2099 	smb_fssd_t cur_sd;
2100 	int error = 0;
2101 
2102 	if (sr->tid_tree->t_acltype != ACE_T)
2103 		/* Don't bother if target FS doesn't support ACE_T */
2104 		return (0);
2105 
2106 	if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) {
2107 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) {
2108 			/*
2109 			 * Don't overwrite existing audit entries
2110 			 */
2111 			smb_fssd_init(&cur_sd, SMB_SACL_SECINFO,
2112 			    fs_sd->sd_flags);
2113 
2114 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2115 			if (error == 0) {
2116 				ASSERT(fs_sd->sd_zsacl == NULL);
2117 				fs_sd->sd_zsacl = cur_sd.sd_zsacl;
2118 				if (fs_sd->sd_zsacl && fs_sd->sd_zdacl)
2119 					fs_sd->sd_zsacl->acl_flags =
2120 					    fs_sd->sd_zdacl->acl_flags;
2121 			}
2122 		} else {
2123 			/*
2124 			 * Don't overwrite existing access entries
2125 			 */
2126 			smb_fssd_init(&cur_sd, SMB_DACL_SECINFO,
2127 			    fs_sd->sd_flags);
2128 
2129 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2130 			if (error == 0) {
2131 				ASSERT(fs_sd->sd_zdacl == NULL);
2132 				fs_sd->sd_zdacl = cur_sd.sd_zdacl;
2133 				if (fs_sd->sd_zdacl && fs_sd->sd_zsacl)
2134 					fs_sd->sd_zdacl->acl_flags =
2135 					    fs_sd->sd_zsacl->acl_flags;
2136 			}
2137 		}
2138 
2139 		if (error)
2140 			smb_fssd_term(&cur_sd);
2141 	}
2142 
2143 	return (error);
2144 }
2145 
2146 /*
2147  * smb_fsop_sdwrite
2148  *
2149  * Stores the given uid, gid and acl in filesystem.
2150  * Provided items in fs_sd are specified by fs_sd->sd_secinfo.
2151  *
2152  * A SMB security descriptor could contain owner, primary group,
2153  * DACL and SACL. Setting an SD should be atomic but here it has to
2154  * be done via two separate FS operations: VOP_SETATTR and
2155  * VOP_SETSECATTR. Therefore, this function has to simulate the
2156  * atomicity as well as it can.
2157  *
2158  * Get the current uid, gid before setting the new uid/gid
2159  * so if smb_fsop_aclwrite fails they can be restored. root cred is
2160  * used to get currend uid/gid since this operation is performed on
2161  * behalf of the server not the user.
2162  *
2163  * If setting uid/gid fails with EPERM it means that and invalid
2164  * owner has been specified. Callers should translate this to
2165  * STATUS_INVALID_OWNER which is not the normal mapping for EPERM
2166  * in upper layers, so EPERM is mapped to EBADE.
2167  */
2168 int
2169 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2170     smb_fssd_t *fs_sd, int overwrite)
2171 {
2172 	int error = 0;
2173 	int access = 0;
2174 	smb_attr_t set_attr;
2175 	smb_attr_t orig_attr;
2176 
2177 	ASSERT(cr);
2178 	ASSERT(fs_sd);
2179 
2180 	ASSERT(sr);
2181 	ASSERT(sr->tid_tree);
2182 	if (SMB_TREE_IS_READONLY(sr))
2183 		return (EROFS);
2184 
2185 	bzero(&set_attr, sizeof (smb_attr_t));
2186 
2187 	if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
2188 		set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
2189 		set_attr.sa_mask |= SMB_AT_UID;
2190 		access |= WRITE_OWNER;
2191 	}
2192 
2193 	if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
2194 		set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
2195 		set_attr.sa_mask |= SMB_AT_GID;
2196 		access |= WRITE_OWNER;
2197 	}
2198 
2199 	if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2200 		access |= WRITE_DAC;
2201 
2202 	if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2203 		access |= ACCESS_SYSTEM_SECURITY;
2204 
2205 	if (sr->fid_ofile)
2206 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2207 	else
2208 		error = smb_fsop_access(sr, cr, snode, access);
2209 
2210 	if (error)
2211 		return (EACCES);
2212 
2213 	if (set_attr.sa_mask) {
2214 		orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2215 		error = smb_fsop_getattr(sr, kcred, snode, &orig_attr);
2216 		if (error == 0) {
2217 			error = smb_fsop_setattr(sr, cr, snode, &set_attr,
2218 			    NULL);
2219 			if (error == EPERM)
2220 				error = EBADE;
2221 		}
2222 
2223 		if (error)
2224 			return (error);
2225 	}
2226 
2227 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2228 		if (overwrite == 0) {
2229 			error = smb_fsop_sdmerge(sr, snode, fs_sd);
2230 			if (error)
2231 				return (error);
2232 		}
2233 
2234 		error = smb_fsop_aclwrite(sr, cr, snode, fs_sd);
2235 		if (error) {
2236 			/*
2237 			 * Revert uid/gid changes if required.
2238 			 */
2239 			if (set_attr.sa_mask) {
2240 				orig_attr.sa_mask = set_attr.sa_mask;
2241 				(void) smb_fsop_setattr(sr, kcred, snode,
2242 				    &orig_attr, NULL);
2243 			}
2244 		}
2245 	}
2246 
2247 	return (error);
2248 }
2249 
2250 /*
2251  * smb_fsop_sdinherit
2252  *
2253  * Inherit the security descriptor from the parent container.
2254  * This function is called after FS has created the file/folder
2255  * so if this doesn't do anything it means FS inheritance is
2256  * in place.
2257  *
2258  * Do inheritance for ZFS internally.
2259  *
2260  * If we want to let ZFS does the inheritance the
2261  * following setting should be true:
2262  *
2263  *  - aclinherit = passthrough
2264  *  - aclmode = passthrough
2265  *  - smbd umask = 0777
2266  *
2267  * This will result in right effective permissions but
2268  * ZFS will always add 6 ACEs for owner, owning group
2269  * and others to be POSIX compliant. This is not what
2270  * Windows clients/users expect, so we decided that CIFS
2271  * implements Windows rules and overwrite whatever ZFS
2272  * comes up with. This way we also don't have to care
2273  * about ZFS aclinherit and aclmode settings.
2274  */
2275 static int
2276 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd)
2277 {
2278 	int is_dir;
2279 	acl_t *dacl = NULL;
2280 	acl_t *sacl = NULL;
2281 	ksid_t *owner_sid;
2282 	int error;
2283 
2284 	ASSERT(fs_sd);
2285 
2286 	if (sr->tid_tree->t_acltype != ACE_T) {
2287 		/*
2288 		 * No forced inheritance for non-ZFS filesystems.
2289 		 */
2290 		fs_sd->sd_secinfo = 0;
2291 		return (0);
2292 	}
2293 
2294 
2295 	/* Fetch parent directory's ACL */
2296 	error = smb_fsop_sdread(sr, kcred, dnode, fs_sd);
2297 	if (error) {
2298 		return (error);
2299 	}
2300 
2301 	is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR);
2302 	owner_sid = crgetsid(sr->user_cr, KSID_OWNER);
2303 	ASSERT(owner_sid);
2304 	dacl = smb_fsacl_inherit(fs_sd->sd_zdacl, is_dir, SMB_DACL_SECINFO,
2305 	    owner_sid->ks_id);
2306 	sacl = smb_fsacl_inherit(fs_sd->sd_zsacl, is_dir, SMB_SACL_SECINFO,
2307 	    (uid_t)-1);
2308 
2309 	if (sacl == NULL)
2310 		fs_sd->sd_secinfo &= ~SMB_SACL_SECINFO;
2311 
2312 	smb_fsacl_free(fs_sd->sd_zdacl);
2313 	smb_fsacl_free(fs_sd->sd_zsacl);
2314 
2315 	fs_sd->sd_zdacl = dacl;
2316 	fs_sd->sd_zsacl = sacl;
2317 
2318 	return (0);
2319 }
2320 
2321 /*
2322  * smb_fsop_eaccess
2323  *
2324  * Returns the effective permission of the given credential for the
2325  * specified object.
2326  *
2327  * This is just a workaround. We need VFS/FS support for this.
2328  */
2329 void
2330 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2331     uint32_t *eaccess)
2332 {
2333 	int access = 0;
2334 	vnode_t *dir_vp;
2335 	smb_node_t *unnamed_node;
2336 
2337 	ASSERT(cr);
2338 	ASSERT(snode);
2339 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
2340 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
2341 
2342 	unnamed_node = SMB_IS_STREAM(snode);
2343 	if (unnamed_node) {
2344 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
2345 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
2346 		/*
2347 		 * Streams authorization should be performed against the
2348 		 * unnamed stream.
2349 		 */
2350 		snode = unnamed_node;
2351 	}
2352 
2353 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) {
2354 		dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL;
2355 		smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp,
2356 		    cr);
2357 		return;
2358 	}
2359 
2360 	/*
2361 	 * FS doesn't understand 32-bit mask
2362 	 */
2363 	smb_vop_eaccess(snode->vp, &access, 0, NULL, cr);
2364 	access &= sr->tid_tree->t_access;
2365 
2366 	*eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES;
2367 
2368 	if (access & VREAD)
2369 		*eaccess |= FILE_READ_DATA;
2370 
2371 	if (access & VEXEC)
2372 		*eaccess |= FILE_EXECUTE;
2373 
2374 	if (access & VWRITE)
2375 		*eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES |
2376 		    FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD;
2377 }
2378 
2379 /*
2380  * smb_fsop_shrlock
2381  *
2382  * For the current open request, check file sharing rules
2383  * against existing opens.
2384  *
2385  * Returns NT_STATUS_SHARING_VIOLATION if there is any
2386  * sharing conflict.  Returns NT_STATUS_SUCCESS otherwise.
2387  *
2388  * Full system-wide share reservation synchronization is available
2389  * when the nbmand (non-blocking mandatory) mount option is set
2390  * (i.e. nbl_need_crit() is true) and nbmand critical regions are used.
2391  * This provides synchronization with NFS and local processes.  The
2392  * critical regions are entered in VOP_SHRLOCK()/fs_shrlock() (called
2393  * from smb_open_subr()/smb_fsop_shrlock()/smb_vop_shrlock()) as well
2394  * as the CIFS rename and delete paths.
2395  *
2396  * The CIFS server will also enter the nbl critical region in the open,
2397  * rename, and delete paths when nbmand is not set.  There is limited
2398  * coordination with local and VFS share reservations in this case.
2399  * Note that when the nbmand mount option is not set, the VFS layer
2400  * only processes advisory reservations and the delete mode is not checked.
2401  *
2402  * Whether or not the nbmand mount option is set, intra-CIFS share
2403  * checking is done in the open, delete, and rename paths using a CIFS
2404  * critical region (node->n_share_lock).
2405  */
2406 
2407 uint32_t
2408 smb_fsop_shrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid,
2409     uint32_t desired_access, uint32_t share_access)
2410 {
2411 	int rc;
2412 
2413 	if (node->attr.sa_vattr.va_type == VDIR)
2414 		return (NT_STATUS_SUCCESS);
2415 
2416 	/* Allow access if the request is just for meta data */
2417 	if ((desired_access & FILE_DATA_ALL) == 0)
2418 		return (NT_STATUS_SUCCESS);
2419 
2420 	rc = smb_node_open_check(node, cr, desired_access, share_access);
2421 	if (rc)
2422 		return (NT_STATUS_SHARING_VIOLATION);
2423 
2424 	rc = smb_vop_shrlock(node->vp, uniq_fid, desired_access, share_access,
2425 	    cr);
2426 	if (rc)
2427 		return (NT_STATUS_SHARING_VIOLATION);
2428 
2429 	return (NT_STATUS_SUCCESS);
2430 }
2431 
2432 void
2433 smb_fsop_unshrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid)
2434 {
2435 	if (node->attr.sa_vattr.va_type == VDIR)
2436 		return;
2437 
2438 	(void) smb_vop_unshrlock(node->vp, uniq_fid, cr);
2439 }
2440 
2441 int
2442 smb_fsop_frlock(smb_node_t *node, smb_lock_t *lock, boolean_t unlock,
2443     cred_t *cr)
2444 {
2445 	flock64_t bf;
2446 	int flag = F_REMOTELOCK;
2447 
2448 	/*
2449 	 * VOP_FRLOCK() will not be called if:
2450 	 *
2451 	 * 1) The lock has a range of zero bytes. The semantics of Windows and
2452 	 *    POSIX are different. In the case of POSIX it asks for the locking
2453 	 *    of all the bytes from the offset provided until the end of the
2454 	 *    file. In the case of Windows a range of zero locks nothing and
2455 	 *    doesn't conflict with any other lock.
2456 	 *
2457 	 * 2) The lock rolls over (start + lenght < start). Solaris will assert
2458 	 *    if such a request is submitted. This will not create
2459 	 *    incompatibilities between POSIX and Windows. In the Windows world,
2460 	 *    if a client submits such a lock, the server will not lock any
2461 	 *    bytes. Interestingly if the same lock (same offset and length) is
2462 	 *    resubmitted Windows will consider that there is an overlap and
2463 	 *    the granting rules will then apply.
2464 	 */
2465 	if ((lock->l_length == 0) ||
2466 	    ((lock->l_start + lock->l_length - 1) < lock->l_start))
2467 		return (0);
2468 
2469 	bzero(&bf, sizeof (bf));
2470 
2471 	if (unlock) {
2472 		bf.l_type = F_UNLCK;
2473 	} else if (lock->l_type == SMB_LOCK_TYPE_READONLY) {
2474 		bf.l_type = F_RDLCK;
2475 		flag |= FREAD;
2476 	} else if (lock->l_type == SMB_LOCK_TYPE_READWRITE) {
2477 		bf.l_type = F_WRLCK;
2478 		flag |= FWRITE;
2479 	}
2480 
2481 	bf.l_start = lock->l_start;
2482 	bf.l_len = lock->l_length;
2483 	bf.l_pid = lock->l_file->f_uniqid;
2484 	bf.l_sysid = smb_ct.cc_sysid;
2485 
2486 	return (smb_vop_frlock(node->vp, cr, flag, &bf));
2487 }
2488