xref: /illumos-gate/usr/src/uts/common/fs/smbsrv/smb_fsops.c (revision e38a713ad4e0a9c42f8cccd9350412b2c6ccccdb)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/sid.h>
29 #include <sys/nbmlock.h>
30 #include <smbsrv/smb_fsops.h>
31 #include <smbsrv/smb_kproto.h>
32 #include <smbsrv/smbvar.h>
33 #include <smbsrv/ntstatus.h>
34 #include <smbsrv/ntaccess.h>
35 #include <smbsrv/smb_incl.h>
36 #include <acl/acl_common.h>
37 #include <sys/fcntl.h>
38 #include <sys/flock.h>
39 #include <fs/fs_subr.h>
40 
41 static int smb_fsop_amask_to_omode(uint32_t granted_access);
42 static int smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode,
43     smb_fssd_t *fs_sd);
44 
45 static callb_cpr_t *smb_fsop_frlock_callback(flk_cb_when_t when, void *error);
46 
47 /*
48  * The smb_fsop_* functions have knowledge of CIFS semantics.
49  *
50  * The smb_vop_* functions have minimal knowledge of CIFS semantics and
51  * serve as an interface to the VFS layer.
52  *
53  * Hence, smb_request_t and smb_node_t structures should not be passed
54  * from the smb_fsop_* layer to the smb_vop_* layer.
55  *
56  * In general, CIFS service code should only ever call smb_fsop_*
57  * functions directly, and never smb_vop_* functions directly.
58  *
59  * smb_fsop_* functions should call smb_vop_* functions where possible, instead
60  * of their smb_fsop_* counterparts.  However, there are times when
61  * this cannot be avoided.
62  */
63 
64 /*
65  * Note: Stream names cannot be mangled.
66  */
67 
68 int
69 smb_fsop_start()
70 {
71 	int error;
72 
73 	smb_vop_start();
74 
75 	error = smb_node_root_init();
76 
77 	if (error == 0)
78 		error = smb_fem_init();
79 
80 	return (error);
81 }
82 
83 void
84 smb_fsop_stop()
85 {
86 	smb_fem_shutdown();
87 	smb_vfs_rele_all();
88 	smb_node_root_fini();
89 }
90 
91 int
92 smb_fsop_open(smb_ofile_t *of)
93 {
94 	int mode;
95 
96 	mode = smb_fsop_amask_to_omode(of->f_granted_access);
97 
98 	/*
99 	 * Assuming that same vnode is returned as we had before
100 	 * (i.e. no special vnodes)
101 	 */
102 
103 	return (smb_vop_open(&of->f_node->vp, mode, of->f_cr));
104 }
105 
106 int
107 smb_fsop_close(smb_ofile_t *of)
108 {
109 	int mode;
110 
111 	mode = smb_fsop_amask_to_omode(of->f_granted_access);
112 
113 	return (smb_vop_close(of->f_node->vp, mode, of->f_cr));
114 }
115 
116 static int
117 smb_fsop_amask_to_omode(uint32_t granted_access)
118 {
119 	int mode = 0;
120 
121 	if (granted_access & (ACE_READ_DATA | ACE_EXECUTE))
122 		mode |= FREAD;
123 
124 	if (granted_access & (ACE_WRITE_DATA | ACE_APPEND_DATA))
125 		mode |= FWRITE;
126 
127 	if (granted_access & ACE_APPEND_DATA)
128 		mode |= FAPPEND;
129 
130 	return (mode);
131 }
132 
133 static int
134 smb_fsop_create_with_sd(
135 	struct smb_request *sr,
136 	cred_t *cr,
137 	smb_node_t *snode,
138 	char *name,
139 	smb_attr_t *attr,
140 	smb_node_t **ret_snode,
141 	smb_attr_t *ret_attr,
142 	smb_fssd_t *fs_sd)
143 {
144 	vsecattr_t *vsap;
145 	vsecattr_t vsecattr;
146 	acl_t *acl, *dacl, *sacl;
147 	smb_attr_t set_attr;
148 	vnode_t *vp;
149 	int aclbsize = 0;	/* size of acl list in bytes */
150 	int flags = 0;
151 	int is_dir;
152 	int rc;
153 	boolean_t no_xvattr = B_FALSE;
154 
155 	ASSERT(fs_sd);
156 
157 	if (SMB_TREE_CASE_INSENSITIVE(sr))
158 		flags = SMB_IGNORE_CASE;
159 
160 	ASSERT(cr);
161 
162 	is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0);
163 
164 	if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACLONCREATE) {
165 		if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
166 			dacl = fs_sd->sd_zdacl;
167 			sacl = fs_sd->sd_zsacl;
168 			ASSERT(dacl || sacl);
169 			if (dacl && sacl) {
170 				acl = smb_fsacl_merge(dacl, sacl);
171 			} else if (dacl) {
172 				acl = dacl;
173 			} else {
174 				acl = sacl;
175 			}
176 
177 			rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize);
178 
179 			if (dacl && sacl)
180 				acl_free(acl);
181 
182 			if (rc)
183 				return (rc);
184 
185 			vsap = &vsecattr;
186 		}
187 		else
188 			vsap = NULL;
189 
190 		if (is_dir) {
191 			rc = smb_vop_mkdir(snode->vp, name, attr, &vp, flags,
192 			    cr, vsap);
193 		} else {
194 			rc = smb_vop_create(snode->vp, name, attr, &vp, flags,
195 			    cr, vsap);
196 		}
197 
198 		if (vsap != NULL)
199 			kmem_free(vsap->vsa_aclentp, aclbsize);
200 
201 		if (rc != 0)
202 			return (rc);
203 
204 		set_attr.sa_mask = 0;
205 
206 		/*
207 		 * Ideally we should be able to specify the owner and owning
208 		 * group at create time along with the ACL. Since we cannot
209 		 * do that right now, kcred is passed to smb_vop_setattr so it
210 		 * doesn't fail due to lack of permission.
211 		 */
212 		if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
213 			set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
214 			set_attr.sa_mask |= SMB_AT_UID;
215 		}
216 
217 		if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
218 			set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
219 			set_attr.sa_mask |= SMB_AT_GID;
220 		}
221 
222 		if (set_attr.sa_mask) {
223 			if (sr && sr->tid_tree)
224 				if (sr->tid_tree->t_flags & SMB_TREE_FLAG_UFS)
225 					no_xvattr = B_TRUE;
226 			rc = smb_vop_setattr(snode->vp, NULL, &set_attr,
227 			    0, kcred, no_xvattr);
228 		}
229 
230 	} else {
231 		/*
232 		 * For filesystems that don't support ACL-on-create, try
233 		 * to set the specified SD after create, which could actually
234 		 * fail because of conflicts between inherited security
235 		 * attributes upon creation and the specified SD.
236 		 *
237 		 * Passing kcred to smb_fsop_sdwrite() to overcome this issue.
238 		 */
239 
240 		if (is_dir) {
241 			rc = smb_vop_mkdir(snode->vp, name, attr, &vp, flags,
242 			    cr, NULL);
243 		} else {
244 			rc = smb_vop_create(snode->vp, name, attr, &vp, flags,
245 			    cr, NULL);
246 		}
247 
248 		if (rc != 0)
249 			return (rc);
250 
251 		if ((sr->tid_tree->t_flags & SMB_TREE_FLAG_NFS_MOUNTED) == 0)
252 			rc = smb_fsop_sdwrite(sr, kcred, snode, fs_sd, 1);
253 	}
254 
255 	if (rc == 0) {
256 		*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, name,
257 		    snode, NULL, ret_attr);
258 
259 		if (*ret_snode == NULL) {
260 			VN_RELE(vp);
261 			rc = ENOMEM;
262 		}
263 	}
264 
265 	if (rc != 0) {
266 		if (is_dir) {
267 			(void) smb_vop_rmdir(snode->vp, name, flags, cr);
268 		} else {
269 			(void) smb_vop_remove(snode->vp, name, flags, cr);
270 		}
271 	}
272 
273 	return (rc);
274 }
275 
276 
277 /*
278  * smb_fsop_create
279  *
280  * All SMB functions should use this wrapper to ensure that
281  * all the smb_vop_creates are performed with the appropriate credentials.
282  * Please document any direct calls to explain the reason
283  * for avoiding this wrapper.
284  *
285  * It is assumed that a reference exists on snode coming into this routine.
286  *
287  * *ret_snode is returned with a reference upon success.  No reference is
288  * taken if an error is returned.
289  */
290 
291 int
292 smb_fsop_create(
293     struct smb_request *sr,
294     cred_t *cr,
295     smb_node_t *dir_snode,
296     char *name,
297     smb_attr_t *attr,
298     smb_node_t **ret_snode,
299     smb_attr_t *ret_attr)
300 {
301 	struct open_param *op = &sr->arg.open;
302 	smb_node_t *fnode;
303 	smb_attr_t file_attr;
304 	vnode_t *xattrdirvp;
305 	vnode_t *vp;
306 	char *longname = NULL;
307 	char *namep;
308 	char *fname;
309 	char *sname;
310 	int is_stream;
311 	int flags = 0;
312 	int rc = 0;
313 	smb_fssd_t fs_sd;
314 	uint32_t secinfo;
315 	uint32_t status;
316 
317 	ASSERT(cr);
318 	ASSERT(dir_snode);
319 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
320 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
321 
322 	ASSERT(ret_snode);
323 	*ret_snode = 0;
324 
325 	ASSERT(name);
326 	if (*name == 0)
327 		return (EINVAL);
328 
329 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
330 		return (EACCES);
331 
332 	ASSERT(sr);
333 	ASSERT(sr->tid_tree);
334 	if (SMB_TREE_IS_READ_ONLY(sr))
335 		return (EROFS);
336 
337 	if (SMB_TREE_CASE_INSENSITIVE(sr))
338 		flags = SMB_IGNORE_CASE;
339 
340 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
341 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
342 
343 	is_stream = smb_stream_parse_name(name, fname, sname);
344 
345 	if (is_stream)
346 		namep = fname;
347 	else
348 		namep = name;
349 
350 	if (smb_maybe_mangled_name(namep)) {
351 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
352 
353 		rc = smb_unmangle_name(sr, cr, dir_snode, namep, longname,
354 		    MAXNAMELEN, NULL, NULL, 1);
355 
356 		if ((is_stream == 0) && (rc == 0))
357 			rc = EEXIST;
358 
359 		if ((is_stream && rc) ||
360 		    ((is_stream == 0) && (rc != ENOENT))) {
361 			kmem_free(longname, MAXNAMELEN);
362 			kmem_free(fname, MAXNAMELEN);
363 			kmem_free(sname, MAXNAMELEN);
364 			return (rc);
365 		}
366 
367 		if (is_stream)
368 			namep = longname;
369 		else
370 			kmem_free(longname, MAXNAMELEN);
371 	}
372 
373 	if (is_stream) {
374 		/*
375 		 * Look up the unnamed stream.
376 		 *
377 		 * Mangle processing in smb_fsop_lookup() for the unnamed
378 		 * stream won't be needed (as it was done above), but
379 		 * it may be needed on any link target (which
380 		 * smb_fsop_lookup() will provide).
381 		 */
382 		rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
383 		    sr->tid_tree->t_snode, dir_snode, namep, &fnode, &file_attr,
384 		    0, 0);
385 
386 		if (longname) {
387 			kmem_free(longname, MAXNAMELEN);
388 			namep = NULL;
389 		}
390 
391 		if (rc != 0) {
392 			kmem_free(fname, MAXNAMELEN);
393 			kmem_free(sname, MAXNAMELEN);
394 			return (rc);
395 		}
396 
397 		rc = smb_vop_stream_create(fnode->vp, sname, attr, &vp,
398 		    &xattrdirvp, flags, cr);
399 
400 		if (rc != 0) {
401 			smb_node_release(fnode);
402 			kmem_free(fname, MAXNAMELEN);
403 			kmem_free(sname, MAXNAMELEN);
404 			return (rc);
405 		}
406 
407 		*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
408 		    vp, sname, ret_attr);
409 
410 		smb_node_release(fnode);
411 
412 		if (*ret_snode == NULL) {
413 			VN_RELE(xattrdirvp);
414 			VN_RELE(vp);
415 			kmem_free(fname, MAXNAMELEN);
416 			kmem_free(sname, MAXNAMELEN);
417 			return (ENOMEM);
418 		}
419 	} else {
420 		if (op->sd) {
421 			/*
422 			 * SD sent by client in Windows format. Needs to be
423 			 * converted to FS format. No inheritance.
424 			 */
425 			secinfo = smb_sd_get_secinfo(op->sd);
426 			smb_fssd_init(&fs_sd, secinfo, 0);
427 
428 			status = smb_sd_tofs(op->sd, &fs_sd);
429 			if (status == NT_STATUS_SUCCESS) {
430 				rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
431 				    name, attr, ret_snode, ret_attr, &fs_sd);
432 			}
433 			else
434 				rc = EINVAL;
435 			smb_fssd_term(&fs_sd);
436 		} else if (sr->tid_tree->t_acltype == ACE_T) {
437 			/*
438 			 * No incoming SD and filesystem is ZFS
439 			 * Server applies Windows inheritance rules,
440 			 * see smb_fsop_sdinherit() comments as to why.
441 			 */
442 			smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, 0);
443 			rc = smb_fsop_sdinherit(sr, dir_snode, &fs_sd);
444 			if (rc == 0) {
445 				rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
446 				    name, attr, ret_snode, ret_attr, &fs_sd);
447 			}
448 
449 			smb_fssd_term(&fs_sd);
450 		} else {
451 			/*
452 			 * No incoming SD and filesystem is not ZFS
453 			 * let the filesystem handles the inheritance.
454 			 */
455 			rc = smb_vop_create(dir_snode->vp, name, attr, &vp,
456 			    flags, cr, NULL);
457 
458 			if (rc == 0) {
459 				*ret_snode = smb_node_lookup(sr, op, cr, vp,
460 				    name, dir_snode, NULL, ret_attr);
461 
462 				if (*ret_snode == NULL) {
463 					VN_RELE(vp);
464 					rc = ENOMEM;
465 				}
466 			}
467 
468 		}
469 	}
470 
471 	kmem_free(fname, MAXNAMELEN);
472 	kmem_free(sname, MAXNAMELEN);
473 	return (rc);
474 }
475 
476 /*
477  * smb_fsop_mkdir
478  *
479  * All SMB functions should use this wrapper to ensure that
480  * the the calls are performed with the appropriate credentials.
481  * Please document any direct call to explain the reason
482  * for avoiding this wrapper.
483  *
484  * It is assumed that a reference exists on snode coming into this routine.
485  *
486  * *ret_snode is returned with a reference upon success.  No reference is
487  * taken if an error is returned.
488  */
489 int
490 smb_fsop_mkdir(
491     struct smb_request *sr,
492     cred_t *cr,
493     smb_node_t *dir_snode,
494     char *name,
495     smb_attr_t *attr,
496     smb_node_t **ret_snode,
497     smb_attr_t *ret_attr)
498 {
499 	struct open_param *op = &sr->arg.open;
500 	char *longname;
501 	vnode_t *vp;
502 	int flags = 0;
503 	smb_fssd_t fs_sd;
504 	uint32_t secinfo;
505 	uint32_t status;
506 	int rc;
507 	ASSERT(cr);
508 	ASSERT(dir_snode);
509 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
510 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
511 
512 	ASSERT(ret_snode);
513 	*ret_snode = 0;
514 
515 	ASSERT(name);
516 	if (*name == 0)
517 		return (EINVAL);
518 
519 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
520 		return (EACCES);
521 
522 	ASSERT(sr);
523 	ASSERT(sr->tid_tree);
524 	if (SMB_TREE_IS_READ_ONLY(sr))
525 		return (EROFS);
526 
527 	if (smb_maybe_mangled_name(name)) {
528 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
529 		rc = smb_unmangle_name(sr, cr, dir_snode, name, longname,
530 		    MAXNAMELEN, NULL, NULL, 1);
531 
532 		kmem_free(longname, MAXNAMELEN);
533 
534 		/*
535 		 * If the name passed in by the client has an unmangled
536 		 * equivalent that is found in the specified directory,
537 		 * then the mkdir cannot succeed.  Return EEXIST.
538 		 *
539 		 * Only if ENOENT is returned will a mkdir be attempted.
540 		 */
541 
542 		if (rc == 0)
543 			rc = EEXIST;
544 
545 		if (rc != ENOENT)
546 			return (rc);
547 	}
548 
549 	if (SMB_TREE_CASE_INSENSITIVE(sr))
550 		flags = SMB_IGNORE_CASE;
551 
552 	if (op->sd) {
553 		/*
554 		 * SD sent by client in Windows format. Needs to be
555 		 * converted to FS format. No inheritance.
556 		 */
557 		secinfo = smb_sd_get_secinfo(op->sd);
558 		smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR);
559 
560 		status = smb_sd_tofs(op->sd, &fs_sd);
561 		if (status == NT_STATUS_SUCCESS) {
562 			rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
563 			    name, attr, ret_snode, ret_attr, &fs_sd);
564 		}
565 		else
566 			rc = EINVAL;
567 		smb_fssd_term(&fs_sd);
568 	} else if (sr->tid_tree->t_acltype == ACE_T) {
569 		/*
570 		 * No incoming SD and filesystem is ZFS
571 		 * Server applies Windows inheritance rules,
572 		 * see smb_fsop_sdinherit() comments as to why.
573 		 */
574 		smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, SMB_FSSD_FLAGS_DIR);
575 		rc = smb_fsop_sdinherit(sr, dir_snode, &fs_sd);
576 		if (rc == 0) {
577 			rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
578 			    name, attr, ret_snode, ret_attr, &fs_sd);
579 		}
580 
581 		smb_fssd_term(&fs_sd);
582 
583 	} else {
584 		rc = smb_vop_mkdir(dir_snode->vp, name, attr, &vp, flags, cr,
585 		    NULL);
586 
587 		if (rc == 0) {
588 			*ret_snode = smb_node_lookup(sr, op, cr, vp, name,
589 			    dir_snode, NULL, ret_attr);
590 
591 			if (*ret_snode == NULL) {
592 				VN_RELE(vp);
593 				rc = ENOMEM;
594 			}
595 		}
596 	}
597 
598 	return (rc);
599 }
600 
601 /*
602  * smb_fsop_remove
603  *
604  * All SMB functions should use this wrapper to ensure that
605  * the the calls are performed with the appropriate credentials.
606  * Please document any direct call to explain the reason
607  * for avoiding this wrapper.
608  *
609  * It is assumed that a reference exists on snode coming into this routine.
610  *
611  * od: This means that the name passed in is an on-disk name.
612  * A null smb_request might be passed to this function.
613  */
614 
615 int
616 smb_fsop_remove(
617     struct smb_request *sr,
618     cred_t *cr,
619     smb_node_t *dir_snode,
620     char *name,
621     int od)
622 {
623 	smb_node_t *fnode;
624 	smb_attr_t file_attr;
625 	char *longname;
626 	char *fname;
627 	char *sname;
628 	int flags = 0;
629 	int rc;
630 
631 	ASSERT(cr);
632 	/*
633 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
634 	 * function is called during the deletion of the node (because of
635 	 * DELETE_ON_CLOSE).
636 	 */
637 	ASSERT(dir_snode);
638 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
639 
640 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
641 		return (EACCES);
642 
643 	if (SMB_TREE_IS_READ_ONLY(sr))
644 		return (EROFS);
645 
646 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
647 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
648 
649 	if (smb_stream_parse_name(name, fname, sname)) {
650 
651 		ASSERT(od == 0);
652 
653 		if (SMB_TREE_CASE_INSENSITIVE(sr))
654 			flags = SMB_IGNORE_CASE;
655 
656 		/*
657 		 * Look up the unnamed stream (i.e. fname).
658 		 * Unmangle processing will be done on fname
659 		 * as well as any link target.
660 		 */
661 
662 		rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
663 		    sr->tid_tree->t_snode, dir_snode, fname, &fnode, &file_attr,
664 		    0, 0);
665 
666 		if (rc != 0) {
667 			kmem_free(fname, MAXNAMELEN);
668 			kmem_free(sname, MAXNAMELEN);
669 			return (rc);
670 		}
671 
672 		/*
673 		 * XXX
674 		 * Need to find out what permission is required by NTFS
675 		 * to remove a stream.
676 		 */
677 		rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr);
678 
679 		smb_node_release(fnode);
680 	} else {
681 		/*
682 		 * If the passed-in name is an on-disk name,
683 		 * then we need to do a case-sensitive remove.
684 		 * This is important if the on-disk name
685 		 * corresponds to a mangled name passed in by
686 		 * the client.  We want to make sure to remove
687 		 * the exact file specified by the client,
688 		 * instead of letting the underlying file system
689 		 * do a remove on the "first match."
690 		 */
691 
692 		if ((od == 0) && SMB_TREE_CASE_INSENSITIVE(sr))
693 			flags = SMB_IGNORE_CASE;
694 
695 		rc = smb_vop_remove(dir_snode->vp, name, flags, cr);
696 
697 		if (rc == ENOENT) {
698 			if (smb_maybe_mangled_name(name) == 0) {
699 				kmem_free(fname, MAXNAMELEN);
700 				kmem_free(sname, MAXNAMELEN);
701 				return (rc);
702 			}
703 			longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
704 
705 			rc = smb_unmangle_name(sr, cr, dir_snode, name,
706 			    longname, MAXNAMELEN, NULL, NULL, 1);
707 
708 			if (rc == 0) {
709 				/*
710 				 * We passed "1" as the "od" parameter
711 				 * to smb_unmangle_name(), such that longname
712 				 * is the real (case-sensitive) on-disk name.
713 				 * We make sure we do a remove on this exact
714 				 * name, as the name was mangled and denotes
715 				 * a unique file.
716 				 */
717 				flags &= ~SMB_IGNORE_CASE;
718 				rc = smb_vop_remove(dir_snode->vp, longname,
719 				    flags, cr);
720 			}
721 
722 			kmem_free(longname, MAXNAMELEN);
723 		}
724 	}
725 
726 	kmem_free(fname, MAXNAMELEN);
727 	kmem_free(sname, MAXNAMELEN);
728 	return (rc);
729 }
730 
731 /*
732  * smb_fsop_remove_streams
733  *
734  * This function removes a file's streams without removing the
735  * file itself.
736  *
737  * It is assumed that snode is not a link.
738  */
739 int
740 smb_fsop_remove_streams(struct smb_request *sr, cred_t *cr,
741     smb_node_t *fnode)
742 {
743 	struct fs_stream_info stream_info;
744 	uint32_t cookie = 0;
745 	int flags = 0;
746 	int rc;
747 
748 	ASSERT(cr);
749 	ASSERT(fnode);
750 	ASSERT(fnode->n_magic == SMB_NODE_MAGIC);
751 	ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING);
752 
753 	if (SMB_TREE_ROOT_FS(sr, fnode) == 0)
754 		return (EACCES);
755 
756 	if (SMB_TREE_IS_READ_ONLY(sr))
757 		return (EROFS);
758 
759 	if (SMB_TREE_CASE_INSENSITIVE(sr))
760 		flags = SMB_IGNORE_CASE;
761 
762 	for (;;) {
763 		rc = smb_vop_stream_readdir(fnode->vp, &cookie, &stream_info,
764 		    NULL, NULL, flags, cr);
765 
766 		if ((rc != 0) || (cookie == SMB_EOF))
767 			break;
768 
769 		(void) smb_vop_stream_remove(fnode->vp, stream_info.name, flags,
770 		    cr);
771 	}
772 	return (rc);
773 }
774 
775 /*
776  * smb_fsop_rmdir
777  *
778  * All SMB functions should use this wrapper to ensure that
779  * the the calls are performed with the appropriate credentials.
780  * Please document any direct call to explain the reason
781  * for avoiding this wrapper.
782  *
783  * It is assumed that a reference exists on snode coming into this routine.
784  *
785  * od: This means that the name passed in is an on-disk name.
786  */
787 
788 int
789 smb_fsop_rmdir(
790     struct smb_request *sr,
791     cred_t *cr,
792     smb_node_t *dir_snode,
793     char *name,
794     int od)
795 {
796 	int rc;
797 	int flags = 0;
798 	char *longname;
799 
800 	ASSERT(cr);
801 	/*
802 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
803 	 * function is called during the deletion of the node (because of
804 	 * DELETE_ON_CLOSE).
805 	 */
806 	ASSERT(dir_snode);
807 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
808 
809 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
810 		return (EACCES);
811 
812 	if (SMB_TREE_IS_READ_ONLY(sr))
813 		return (EROFS);
814 
815 	/*
816 	 * If the passed-in name is an on-disk name,
817 	 * then we need to do a case-sensitive rmdir.
818 	 * This is important if the on-disk name
819 	 * corresponds to a mangled name passed in by
820 	 * the client.  We want to make sure to remove
821 	 * the exact directory specified by the client,
822 	 * instead of letting the underlying file system
823 	 * do a rmdir on the "first match."
824 	 */
825 
826 	if ((od == 0) && SMB_TREE_CASE_INSENSITIVE(sr))
827 		flags = SMB_IGNORE_CASE;
828 
829 	rc = smb_vop_rmdir(dir_snode->vp, name, flags, cr);
830 
831 	if (rc == ENOENT) {
832 		if (smb_maybe_mangled_name(name) == 0)
833 			return (rc);
834 
835 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
836 
837 		rc = smb_unmangle_name(sr, cr, dir_snode,
838 		    name, longname, MAXNAMELEN, NULL,
839 		    NULL, 1);
840 
841 		if (rc == 0) {
842 			/*
843 			 * We passed "1" as the "od" parameter
844 			 * to smb_unmangle_name(), such that longname
845 			 * is the real (case-sensitive) on-disk name.
846 			 * We make sure we do a rmdir on this exact
847 			 * name, as the name was mangled and denotes
848 			 * a unique directory.
849 			 */
850 			flags &= ~SMB_IGNORE_CASE;
851 			rc = smb_vop_rmdir(dir_snode->vp, longname, flags, cr);
852 		}
853 
854 		kmem_free(longname, MAXNAMELEN);
855 	}
856 
857 	return (rc);
858 }
859 
860 /*
861  * smb_fsop_getattr
862  *
863  * All SMB functions should use this wrapper to ensure that
864  * the the calls are performed with the appropriate credentials.
865  * Please document any direct call to explain the reason
866  * for avoiding this wrapper.
867  *
868  * It is assumed that a reference exists on snode coming into this routine.
869  */
870 int
871 smb_fsop_getattr(struct smb_request *sr, cred_t *cr, smb_node_t *snode,
872     smb_attr_t *attr)
873 {
874 	smb_node_t *unnamed_node;
875 	vnode_t *unnamed_vp = NULL;
876 	uint32_t status;
877 	uint32_t access = 0;
878 	int flags = 0;
879 	int rc;
880 
881 	ASSERT(cr);
882 	ASSERT(snode);
883 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
884 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
885 
886 	if (SMB_TREE_ROOT_FS(sr, snode) == 0)
887 		return (EACCES);
888 
889 	if (sr->fid_ofile) {
890 		/* if uid and/or gid is requested */
891 		if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID))
892 			access |= READ_CONTROL;
893 
894 		/* if anything else is also requested */
895 		if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID))
896 			access |= FILE_READ_ATTRIBUTES;
897 
898 		status = smb_ofile_access(sr->fid_ofile, cr, access);
899 		if (status != NT_STATUS_SUCCESS)
900 			return (EACCES);
901 
902 		if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS)
903 			flags = ATTR_NOACLCHECK;
904 	}
905 
906 	unnamed_node = SMB_IS_STREAM(snode);
907 
908 	if (unnamed_node) {
909 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
910 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
911 		unnamed_vp = unnamed_node->vp;
912 	}
913 
914 	rc = smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr);
915 	if (rc == 0)
916 		snode->attr = *attr;
917 
918 	return (rc);
919 }
920 
921 /*
922  * smb_fsop_readdir
923  *
924  * All SMB functions should use this smb_fsop_readdir wrapper to ensure that
925  * the smb_vop_readdir is performed with the appropriate credentials.
926  * Please document any direct call to smb_vop_readdir to explain the reason
927  * for avoiding this wrapper.
928  *
929  * It is assumed that a reference exists on snode coming into this routine.
930  */
931 int
932 smb_fsop_readdir(
933     struct smb_request *sr,
934     cred_t *cr,
935     smb_node_t *dir_snode,
936     uint32_t *cookie,
937     char *name,
938     int *namelen,
939     ino64_t *fileid,
940     struct fs_stream_info *stream_info,
941     smb_node_t **ret_snode,
942     smb_attr_t *ret_attr)
943 {
944 	smb_node_t *ret_snodep;
945 	smb_node_t *fnode;
946 	smb_attr_t tmp_attr;
947 	vnode_t *xattrdirvp;
948 	vnode_t *fvp;
949 	vnode_t *vp = NULL;
950 	char *od_name;
951 	int rc;
952 	int flags = 0;
953 
954 	ASSERT(cr);
955 	ASSERT(dir_snode);
956 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
957 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
958 
959 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
960 		return (EACCES);
961 
962 	if (*cookie == SMB_EOF) {
963 		*namelen = 0;
964 		return (0);
965 	}
966 
967 	if (SMB_TREE_CASE_INSENSITIVE(sr))
968 		flags = SMB_IGNORE_CASE;
969 
970 	od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
971 
972 	if (stream_info) {
973 		rc = smb_vop_lookup(dir_snode->vp, name, &fvp, od_name,
974 		    SMB_FOLLOW_LINKS, sr->tid_tree->t_snode->vp, cr);
975 
976 		if (rc != 0) {
977 			kmem_free(od_name, MAXNAMELEN);
978 			return (rc);
979 		}
980 
981 		fnode = smb_node_lookup(sr, NULL, cr, fvp, od_name, dir_snode,
982 		    NULL, ret_attr);
983 
984 		kmem_free(od_name, MAXNAMELEN);
985 
986 		if (fnode == NULL) {
987 			VN_RELE(fvp);
988 			return (ENOMEM);
989 		}
990 
991 		/*
992 		 * XXX
993 		 * Need to find out what permission(s) NTFS requires for getting
994 		 * a file's streams list.
995 		 *
996 		 * Might have to use kcred.
997 		 */
998 		rc = smb_vop_stream_readdir(fvp, cookie, stream_info, &vp,
999 		    &xattrdirvp, flags, cr);
1000 
1001 		if ((rc != 0) || (*cookie == SMB_EOF)) {
1002 			smb_node_release(fnode);
1003 			return (rc);
1004 		}
1005 
1006 		ret_snodep = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
1007 		    vp, stream_info->name, &tmp_attr);
1008 
1009 		smb_node_release(fnode);
1010 
1011 		if (ret_snodep == NULL) {
1012 			VN_RELE(xattrdirvp);
1013 			VN_RELE(vp);
1014 			return (ENOMEM);
1015 		}
1016 
1017 		stream_info->size = tmp_attr.sa_vattr.va_size;
1018 
1019 		if (ret_attr)
1020 			*ret_attr = tmp_attr;
1021 
1022 		if (ret_snode)
1023 			*ret_snode = ret_snodep;
1024 		else
1025 			smb_node_release(ret_snodep);
1026 
1027 	} else {
1028 		rc = smb_vop_readdir(dir_snode->vp, cookie, name, namelen,
1029 		    fileid, &vp, od_name, flags, cr);
1030 
1031 		if (rc != 0) {
1032 			kmem_free(od_name, MAXNAMELEN);
1033 			return (rc);
1034 		}
1035 
1036 		if (*namelen) {
1037 			ASSERT(vp);
1038 			if (ret_attr || ret_snode) {
1039 				ret_snodep = smb_node_lookup(sr, NULL, cr, vp,
1040 				    od_name, dir_snode, NULL, &tmp_attr);
1041 
1042 				if (ret_snodep == NULL) {
1043 					kmem_free(od_name, MAXNAMELEN);
1044 					VN_RELE(vp);
1045 					return (ENOMEM);
1046 				}
1047 
1048 				if (ret_attr)
1049 					*ret_attr = tmp_attr;
1050 
1051 				if (ret_snode)
1052 					*ret_snode = ret_snodep;
1053 				else
1054 					smb_node_release(ret_snodep);
1055 			}
1056 		}
1057 
1058 		kmem_free(od_name, MAXNAMELEN);
1059 	}
1060 
1061 	return (rc);
1062 }
1063 
1064 /*
1065  * smb_fsop_getdents
1066  *
1067  * All SMB functions should use this smb_vop_getdents wrapper to ensure that
1068  * the smb_vop_getdents is performed with the appropriate credentials.
1069  * Please document any direct call to smb_vop_getdents to explain the reason
1070  * for avoiding this wrapper.
1071  *
1072  * It is assumed that a reference exists on snode coming into this routine.
1073  */
1074 /*ARGSUSED*/
1075 int
1076 smb_fsop_getdents(
1077     struct smb_request *sr,
1078     cred_t *cr,
1079     smb_node_t *dir_snode,
1080     uint32_t *cookie,
1081     uint64_t *verifierp,
1082     int32_t	*maxcnt,
1083     char *args,
1084     char *pattern)
1085 {
1086 	int flags = 0;
1087 
1088 	ASSERT(cr);
1089 	ASSERT(dir_snode);
1090 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
1091 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1092 
1093 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
1094 		return (EACCES);
1095 
1096 	if (SMB_TREE_CASE_INSENSITIVE(sr))
1097 		flags = SMB_IGNORE_CASE;
1098 
1099 	return (smb_vop_getdents(dir_snode, cookie, 0, maxcnt, args, pattern,
1100 	    flags, sr, cr));
1101 }
1102 
1103 /*
1104  * smb_fsop_rename
1105  *
1106  * All SMB functions should use this smb_vop_rename wrapper to ensure that
1107  * the smb_vop_rename is performed with the appropriate credentials.
1108  * Please document any direct call to smb_vop_rename to explain the reason
1109  * for avoiding this wrapper.
1110  *
1111  * It is assumed that references exist on from_dir_snode and to_dir_snode coming
1112  * into this routine.
1113  */
1114 int
1115 smb_fsop_rename(
1116     struct smb_request *sr,
1117     cred_t *cr,
1118     smb_node_t *from_dir_snode,
1119     char *from_name,
1120     smb_node_t *to_dir_snode,
1121     char *to_name)
1122 {
1123 	smb_node_t *from_snode;
1124 	smb_attr_t tmp_attr;
1125 	vnode_t *from_vp;
1126 	int flags = 0;
1127 	int rc;
1128 
1129 	ASSERT(cr);
1130 	ASSERT(from_dir_snode);
1131 	ASSERT(from_dir_snode->n_magic == SMB_NODE_MAGIC);
1132 	ASSERT(from_dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1133 
1134 	ASSERT(to_dir_snode);
1135 	ASSERT(to_dir_snode->n_magic == SMB_NODE_MAGIC);
1136 	ASSERT(to_dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1137 
1138 	if (SMB_TREE_ROOT_FS(sr, from_dir_snode) == 0)
1139 		return (EACCES);
1140 
1141 	if (SMB_TREE_ROOT_FS(sr, to_dir_snode) == 0)
1142 		return (EACCES);
1143 
1144 	ASSERT(sr);
1145 	ASSERT(sr->tid_tree);
1146 	if (SMB_TREE_IS_READ_ONLY(sr))
1147 		return (EROFS);
1148 
1149 	/*
1150 	 * Note: There is no need to check SMB_TREE_CASE_INSENSITIVE(sr)
1151 	 * here.
1152 	 *
1153 	 * A case-sensitive rename is always done in this routine
1154 	 * because we are using the on-disk name from an earlier lookup.
1155 	 * If a mangled name was passed in by the caller (denoting a
1156 	 * deterministic lookup), then the exact file must be renamed
1157 	 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or
1158 	 * else the underlying file system might return a "first-match"
1159 	 * on this on-disk name, possibly resulting in the wrong file).
1160 	 */
1161 
1162 	/*
1163 	 * XXX: Lock required through smb_node_release() below?
1164 	 */
1165 
1166 	rc = smb_vop_lookup(from_dir_snode->vp, from_name, &from_vp, NULL, 0,
1167 	    NULL, cr);
1168 
1169 	if (rc != 0)
1170 		return (rc);
1171 
1172 	rc = smb_vop_rename(from_dir_snode->vp, from_name, to_dir_snode->vp,
1173 	    to_name, flags, cr);
1174 
1175 	if (rc == 0) {
1176 		from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name,
1177 		    from_dir_snode, NULL, &tmp_attr);
1178 
1179 		if (from_snode == NULL) {
1180 			VN_RELE(from_vp);
1181 			return (ENOMEM);
1182 		}
1183 
1184 		(void) smb_node_rename(from_dir_snode, from_snode, to_dir_snode,
1185 		    to_name);
1186 
1187 		smb_node_release(from_snode);
1188 	} else {
1189 		VN_RELE(from_vp);
1190 	}
1191 
1192 	/* XXX: unlock */
1193 
1194 	return (rc);
1195 }
1196 
1197 /*
1198  * smb_fsop_setattr
1199  *
1200  * All SMB functions should use this wrapper to ensure that
1201  * the the calls are performed with the appropriate credentials.
1202  * Please document any direct call to explain the reason
1203  * for avoiding this wrapper.
1204  *
1205  * It is assumed that a reference exists on snode coming into this routine.
1206  * A null smb_request might be passed to this function.
1207  */
1208 int
1209 smb_fsop_setattr(
1210     smb_request_t *sr,
1211     cred_t *cr,
1212     smb_node_t *snode,
1213     smb_attr_t *set_attr,
1214     smb_attr_t *ret_attr)
1215 {
1216 	smb_node_t *unnamed_node;
1217 	vnode_t *unnamed_vp = NULL;
1218 	uint32_t status;
1219 	uint32_t access = 0;
1220 	int rc = 0;
1221 	int flags = 0;
1222 	boolean_t no_xvattr = B_FALSE;
1223 
1224 	ASSERT(cr);
1225 	ASSERT(snode);
1226 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1227 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1228 
1229 	if (SMB_TREE_ROOT_FS(sr, snode) == 0)
1230 		return (EACCES);
1231 
1232 	if (SMB_TREE_IS_READ_ONLY(sr))
1233 		return (EROFS);
1234 
1235 	/* sr could be NULL in some cases */
1236 	if (sr && sr->fid_ofile) {
1237 		/* if uid and/or gid is requested */
1238 		if (set_attr->sa_mask & (SMB_AT_UID|SMB_AT_GID))
1239 			access |= WRITE_OWNER;
1240 
1241 		/* if anything else is also requested */
1242 		if (set_attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID))
1243 			access |= FILE_WRITE_ATTRIBUTES;
1244 
1245 		status = smb_ofile_access(sr->fid_ofile, cr, access);
1246 		if (status != NT_STATUS_SUCCESS)
1247 			return (EACCES);
1248 
1249 		if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS)
1250 			flags = ATTR_NOACLCHECK;
1251 	}
1252 
1253 	unnamed_node = SMB_IS_STREAM(snode);
1254 
1255 	if (unnamed_node) {
1256 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1257 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1258 		unnamed_vp = unnamed_node->vp;
1259 	}
1260 	if (sr && sr->tid_tree)
1261 		if (sr->tid_tree->t_flags & SMB_TREE_FLAG_UFS)
1262 			no_xvattr = B_TRUE;
1263 
1264 	rc = smb_vop_setattr(snode->vp, unnamed_vp, set_attr, flags, cr,
1265 	    no_xvattr);
1266 
1267 	if ((rc == 0) && ret_attr) {
1268 		/*
1269 		 * Use kcred to update the node attr because this
1270 		 * call is not being made on behalf of the user.
1271 		 */
1272 		ret_attr->sa_mask = SMB_AT_ALL;
1273 		rc = smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0, kcred);
1274 		if (rc == 0)
1275 			snode->attr = *ret_attr;
1276 	}
1277 
1278 	return (rc);
1279 }
1280 
1281 /*
1282  * smb_fsop_read
1283  *
1284  * All SMB functions should use this wrapper to ensure that
1285  * the the calls are performed with the appropriate credentials.
1286  * Please document any direct call to explain the reason
1287  * for avoiding this wrapper.
1288  *
1289  * It is assumed that a reference exists on snode coming into this routine.
1290  */
1291 int
1292 smb_fsop_read(
1293     struct smb_request *sr,
1294     cred_t *cr,
1295     smb_node_t *snode,
1296     uio_t *uio,
1297     smb_attr_t *ret_attr)
1298 {
1299 	smb_node_t *unnamed_node;
1300 	vnode_t *unnamed_vp = NULL;
1301 	int svmand;
1302 	int rc;
1303 
1304 	ASSERT(cr);
1305 	ASSERT(snode);
1306 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1307 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1308 
1309 	ASSERT(sr);
1310 	ASSERT(sr->fid_ofile);
1311 
1312 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_READ_DATA);
1313 	if (rc != NT_STATUS_SUCCESS) {
1314 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_EXECUTE);
1315 		if (rc != NT_STATUS_SUCCESS)
1316 			return (EACCES);
1317 	}
1318 
1319 	unnamed_node = SMB_IS_STREAM(snode);
1320 	if (unnamed_node) {
1321 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1322 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1323 		unnamed_vp = unnamed_node->vp;
1324 		/*
1325 		 * Streams permission are checked against the unnamed stream,
1326 		 * but in FS level they have their own permissions. To avoid
1327 		 * rejection by FS due to lack of permission on the actual
1328 		 * extended attr kcred is passed for streams.
1329 		 */
1330 		cr = kcred;
1331 	}
1332 
1333 	smb_node_start_crit(snode, RW_READER);
1334 	rc = nbl_svmand(snode->vp, cr, &svmand);
1335 	if (rc) {
1336 		smb_node_end_crit(snode);
1337 		return (rc);
1338 	}
1339 
1340 	rc = nbl_lock_conflict(snode->vp, NBL_READ, uio->uio_loffset,
1341 	    uio->uio_iov->iov_len, svmand, &smb_ct);
1342 
1343 	if (rc) {
1344 		smb_node_end_crit(snode);
1345 		return (rc);
1346 	}
1347 	rc = smb_vop_read(snode->vp, uio, cr);
1348 
1349 	if (rc == 0 && ret_attr) {
1350 		/*
1351 		 * Use kcred to update the node attr because this
1352 		 * call is not being made on behalf of the user.
1353 		 */
1354 		ret_attr->sa_mask = SMB_AT_ALL;
1355 		if (smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0,
1356 		    kcred) == 0) {
1357 			snode->attr = *ret_attr;
1358 		}
1359 	}
1360 
1361 	smb_node_end_crit(snode);
1362 
1363 	return (rc);
1364 }
1365 
1366 /*
1367  * smb_fsop_write
1368  *
1369  * This is a wrapper function used for smb_write and smb_write_raw operations.
1370  *
1371  * It is assumed that a reference exists on snode coming into this routine.
1372  */
1373 int
1374 smb_fsop_write(
1375     struct smb_request *sr,
1376     cred_t *cr,
1377     smb_node_t *snode,
1378     uio_t *uio,
1379     uint32_t *lcount,
1380     smb_attr_t *ret_attr,
1381     uint32_t *flag)
1382 {
1383 	smb_node_t *unnamed_node;
1384 	vnode_t *unnamed_vp = NULL;
1385 	int svmand;
1386 	int rc;
1387 
1388 	ASSERT(cr);
1389 	ASSERT(snode);
1390 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1391 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1392 
1393 	ASSERT(sr);
1394 	ASSERT(sr->tid_tree);
1395 	ASSERT(sr->fid_ofile);
1396 
1397 	if (SMB_TREE_IS_READ_ONLY(sr))
1398 		return (EROFS);
1399 
1400 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_WRITE_DATA);
1401 	if (rc != NT_STATUS_SUCCESS) {
1402 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_APPEND_DATA);
1403 		if (rc != NT_STATUS_SUCCESS)
1404 			return (EACCES);
1405 	}
1406 
1407 	unnamed_node = SMB_IS_STREAM(snode);
1408 
1409 	if (unnamed_node) {
1410 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1411 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1412 		unnamed_vp = unnamed_node->vp;
1413 		/*
1414 		 * Streams permission are checked against the unnamed stream,
1415 		 * but in FS level they have their own permissions. To avoid
1416 		 * rejection by FS due to lack of permission on the actual
1417 		 * extended attr kcred is passed for streams.
1418 		 */
1419 		cr = kcred;
1420 	}
1421 
1422 	smb_node_start_crit(snode, RW_READER);
1423 	rc = nbl_svmand(snode->vp, cr, &svmand);
1424 	if (rc) {
1425 		smb_node_end_crit(snode);
1426 		return (rc);
1427 	}
1428 	rc = nbl_lock_conflict(snode->vp, NBL_WRITE, uio->uio_loffset,
1429 	    uio->uio_iov->iov_len, svmand, &smb_ct);
1430 
1431 	if (rc) {
1432 		smb_node_end_crit(snode);
1433 		return (rc);
1434 	}
1435 	rc = smb_vop_write(snode->vp, uio, flag, lcount, cr);
1436 
1437 	if (rc == 0 && ret_attr) {
1438 		/*
1439 		 * Use kcred to update the node attr because this
1440 		 * call is not being made on behalf of the user.
1441 		 */
1442 		ret_attr->sa_mask = SMB_AT_ALL;
1443 		if (smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0,
1444 		    kcred) == 0) {
1445 			snode->attr = *ret_attr;
1446 		}
1447 	}
1448 
1449 	smb_node_end_crit(snode);
1450 
1451 	return (rc);
1452 }
1453 
1454 /*
1455  * smb_fsop_statfs
1456  *
1457  * This is a wrapper function used for stat operations.
1458  */
1459 int
1460 smb_fsop_statfs(
1461     cred_t *cr,
1462     smb_node_t *snode,
1463     struct statvfs64 *statp)
1464 {
1465 	ASSERT(cr);
1466 	ASSERT(snode);
1467 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1468 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1469 
1470 	return (smb_vop_statfs(snode->vp, statp, cr));
1471 }
1472 
1473 /*
1474  * smb_fsop_access
1475  */
1476 int
1477 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1478     uint32_t faccess)
1479 {
1480 	int access = 0;
1481 	int error;
1482 	vnode_t *dir_vp;
1483 	boolean_t acl_check = B_TRUE;
1484 	smb_node_t *unnamed_node;
1485 
1486 	ASSERT(cr);
1487 	ASSERT(snode);
1488 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1489 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1490 
1491 	if (faccess == 0)
1492 		return (NT_STATUS_SUCCESS);
1493 
1494 	if (SMB_TREE_IS_READ_ONLY(sr)) {
1495 		if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA|
1496 		    FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES|
1497 		    DELETE|WRITE_DAC|WRITE_OWNER)) {
1498 			return (NT_STATUS_ACCESS_DENIED);
1499 		}
1500 	}
1501 
1502 	unnamed_node = SMB_IS_STREAM(snode);
1503 	if (unnamed_node) {
1504 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1505 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1506 		/*
1507 		 * Streams authorization should be performed against the
1508 		 * unnamed stream.
1509 		 */
1510 		snode = unnamed_node;
1511 	}
1512 
1513 	if (faccess & ACCESS_SYSTEM_SECURITY) {
1514 		/*
1515 		 * This permission is required for reading/writing SACL and
1516 		 * it's not part of DACL. It's only granted via proper
1517 		 * privileges.
1518 		 */
1519 		if ((sr->uid_user->u_privileges &
1520 		    (SMB_USER_PRIV_BACKUP |
1521 		    SMB_USER_PRIV_RESTORE |
1522 		    SMB_USER_PRIV_SECURITY)) == 0)
1523 			return (NT_STATUS_PRIVILEGE_NOT_HELD);
1524 
1525 		faccess &= ~ACCESS_SYSTEM_SECURITY;
1526 	}
1527 
1528 	/* Links don't have ACL */
1529 	if (((sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS) == 0) ||
1530 	    (snode->attr.sa_vattr.va_type == VLNK))
1531 		acl_check = B_FALSE;
1532 
1533 	if (acl_check) {
1534 		dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL;
1535 		error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp,
1536 		    cr);
1537 	} else {
1538 		/*
1539 		 * FS doesn't understand 32-bit mask, need to map
1540 		 */
1541 		if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA))
1542 			access |= VWRITE;
1543 
1544 		if (faccess & FILE_READ_DATA)
1545 			access |= VREAD;
1546 
1547 		if (faccess & FILE_EXECUTE)
1548 			access |= VEXEC;
1549 
1550 		error = smb_vop_access(snode->vp, access, 0, NULL, cr);
1551 	}
1552 
1553 	return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS);
1554 }
1555 
1556 /*
1557  * smb_fsop_lookup_name()
1558  *
1559  * Sanity checks on dir_snode done in smb_fsop_lookup().
1560  *
1561  * Note: This function is called only from the open path.
1562  * It will check if the file is a stream.
1563  * It will also return an error if the looked-up file is in
1564  * a child mount.
1565  */
1566 
1567 int
1568 smb_fsop_lookup_name(
1569     struct smb_request *sr,
1570     cred_t	*cr,
1571     int		flags,
1572     smb_node_t	*root_node,
1573     smb_node_t	*dir_snode,
1574     char	*name,
1575     smb_node_t	**ret_snode,
1576     smb_attr_t	*ret_attr)
1577 {
1578 	smb_node_t *fnode;
1579 	smb_attr_t file_attr;
1580 	vnode_t *xattrdirvp;
1581 	vnode_t *vp;
1582 	char *od_name;
1583 	char *fname;
1584 	char *sname;
1585 	int rc;
1586 
1587 	ASSERT(cr);
1588 	ASSERT(dir_snode);
1589 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
1590 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1591 
1592 	/*
1593 	 * The following check is required for streams processing, below
1594 	 */
1595 
1596 	if (SMB_TREE_CASE_INSENSITIVE(sr))
1597 		flags |= SMB_IGNORE_CASE;
1598 
1599 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1600 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1601 
1602 	if (smb_stream_parse_name(name, fname, sname)) {
1603 		/*
1604 		 * Look up the unnamed stream (i.e. fname).
1605 		 * Unmangle processing will be done on fname
1606 		 * as well as any link target.
1607 		 */
1608 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dir_snode, fname,
1609 		    &fnode, &file_attr, NULL, NULL);
1610 
1611 		if (rc != 0) {
1612 			kmem_free(fname, MAXNAMELEN);
1613 			kmem_free(sname, MAXNAMELEN);
1614 			return (rc);
1615 		}
1616 
1617 		od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1618 
1619 		/*
1620 		 * od_name is the on-disk name of the stream, except
1621 		 * without the prepended stream prefix (SMB_STREAM_PREFIX)
1622 		 */
1623 
1624 		/*
1625 		 * XXX
1626 		 * What permissions NTFS requires for stream lookup if any?
1627 		 */
1628 		rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name,
1629 		    &xattrdirvp, flags, root_node->vp, cr);
1630 
1631 		if (rc != 0) {
1632 			smb_node_release(fnode);
1633 			kmem_free(fname, MAXNAMELEN);
1634 			kmem_free(sname, MAXNAMELEN);
1635 			kmem_free(od_name, MAXNAMELEN);
1636 			return (rc);
1637 		}
1638 
1639 		*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
1640 		    vp, od_name, ret_attr);
1641 
1642 		kmem_free(od_name, MAXNAMELEN);
1643 		smb_node_release(fnode);
1644 
1645 		if (*ret_snode == NULL) {
1646 			VN_RELE(xattrdirvp);
1647 			VN_RELE(vp);
1648 			kmem_free(fname, MAXNAMELEN);
1649 			kmem_free(sname, MAXNAMELEN);
1650 			return (ENOMEM);
1651 		}
1652 	} else {
1653 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dir_snode, name,
1654 		    ret_snode, ret_attr, NULL, NULL);
1655 	}
1656 
1657 	if (rc == 0) {
1658 		ASSERT(ret_snode);
1659 		if (SMB_TREE_ROOT_FS(sr, *ret_snode) == 0) {
1660 			smb_node_release(*ret_snode);
1661 			*ret_snode = NULL;
1662 			rc = EACCES;
1663 		}
1664 	}
1665 
1666 	kmem_free(fname, MAXNAMELEN);
1667 	kmem_free(sname, MAXNAMELEN);
1668 
1669 	return (rc);
1670 }
1671 
1672 /*
1673  * smb_fsop_lookup
1674  *
1675  * All SMB functions should use this smb_vop_lookup wrapper to ensure that
1676  * the smb_vop_lookup is performed with the appropriate credentials and using
1677  * case insensitive compares. Please document any direct call to smb_vop_lookup
1678  * to explain the reason for avoiding this wrapper.
1679  *
1680  * It is assumed that a reference exists on dir_snode coming into this routine
1681  * (and that it is safe from deallocation).
1682  *
1683  * Same with the root_node.
1684  *
1685  * *ret_snode is returned with a reference upon success.  No reference is
1686  * taken if an error is returned.
1687  *
1688  * Note: The returned ret_snode may be in a child mount.  This is ok for
1689  * readdir and getdents.
1690  *
1691  * Other smb_fsop_* routines will call SMB_TREE_ROOT_FS() to prevent
1692  * operations on files not in the parent mount.
1693  */
1694 int
1695 smb_fsop_lookup(
1696     struct smb_request *sr,
1697     cred_t	*cr,
1698     int		flags,
1699     smb_node_t	*root_node,
1700     smb_node_t	*dir_snode,
1701     char	*name,
1702     smb_node_t	**ret_snode,
1703     smb_attr_t	*ret_attr,
1704     char	*ret_shortname, /* Must be at least MANGLE_NAMELEN chars */
1705     char	*ret_name83)    /* Must be at least MANGLE_NAMELEN chars */
1706 {
1707 	smb_node_t *lnk_target_node;
1708 	smb_node_t *lnk_dnode;
1709 	char *longname;
1710 	char *od_name;
1711 	vnode_t *vp;
1712 	int rc;
1713 
1714 	ASSERT(cr);
1715 	ASSERT(dir_snode);
1716 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
1717 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1718 
1719 	if (name == NULL)
1720 		return (EINVAL);
1721 
1722 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
1723 		return (EACCES);
1724 
1725 	if (SMB_TREE_CASE_INSENSITIVE(sr))
1726 		flags |= SMB_IGNORE_CASE;
1727 
1728 	od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1729 
1730 	rc = smb_vop_lookup(dir_snode->vp, name, &vp, od_name, flags,
1731 	    root_node ? root_node->vp : NULL, cr);
1732 
1733 	if (rc != 0) {
1734 		if (smb_maybe_mangled_name(name) == 0) {
1735 			kmem_free(od_name, MAXNAMELEN);
1736 			return (rc);
1737 		}
1738 
1739 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1740 
1741 		rc = smb_unmangle_name(sr, cr, dir_snode, name, longname,
1742 		    MAXNAMELEN, ret_shortname, ret_name83, 1);
1743 
1744 		if (rc != 0) {
1745 			kmem_free(od_name, MAXNAMELEN);
1746 			kmem_free(longname, MAXNAMELEN);
1747 			return (rc);
1748 		}
1749 
1750 		/*
1751 		 * We passed "1" as the "od" parameter
1752 		 * to smb_unmangle_name(), such that longname
1753 		 * is the real (case-sensitive) on-disk name.
1754 		 * We make sure we do a lookup on this exact
1755 		 * name, as the name was mangled and denotes
1756 		 * a unique file.
1757 		 */
1758 
1759 		if (flags & SMB_IGNORE_CASE)
1760 			flags &= ~SMB_IGNORE_CASE;
1761 
1762 		rc = smb_vop_lookup(dir_snode->vp, longname, &vp, od_name,
1763 		    flags, root_node ? root_node->vp : NULL, cr);
1764 
1765 		kmem_free(longname, MAXNAMELEN);
1766 
1767 		if (rc != 0) {
1768 			kmem_free(od_name, MAXNAMELEN);
1769 			return (rc);
1770 		}
1771 	}
1772 
1773 	if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK)) {
1774 
1775 		rc = smb_pathname(sr, od_name, FOLLOW, root_node, dir_snode,
1776 		    &lnk_dnode, &lnk_target_node, cr);
1777 
1778 		if (rc != 0) {
1779 			/*
1780 			 * The link is assumed to be for the last component
1781 			 * of a path.  Hence any ENOTDIR error will be returned
1782 			 * as ENOENT.
1783 			 */
1784 			if (rc == ENOTDIR)
1785 				rc = ENOENT;
1786 
1787 			VN_RELE(vp);
1788 			kmem_free(od_name, MAXNAMELEN);
1789 			return (rc);
1790 		}
1791 
1792 		/*
1793 		 * Release the original VLNK vnode
1794 		 */
1795 
1796 		VN_RELE(vp);
1797 		vp = lnk_target_node->vp;
1798 
1799 		rc = smb_vop_traverse_check(&vp);
1800 
1801 		if (rc != 0) {
1802 			smb_node_release(lnk_dnode);
1803 			smb_node_release(lnk_target_node);
1804 			kmem_free(od_name, MAXNAMELEN);
1805 			return (rc);
1806 		}
1807 
1808 		/*
1809 		 * smb_vop_traverse_check() may have returned a different vnode
1810 		 */
1811 
1812 		if (lnk_target_node->vp == vp) {
1813 			*ret_snode = lnk_target_node;
1814 			*ret_attr = (*ret_snode)->attr;
1815 		} else {
1816 			*ret_snode = smb_node_lookup(sr, NULL, cr, vp,
1817 			    lnk_target_node->od_name, lnk_dnode, NULL,
1818 			    ret_attr);
1819 
1820 			if (*ret_snode == NULL) {
1821 				VN_RELE(vp);
1822 				rc = ENOMEM;
1823 			}
1824 			smb_node_release(lnk_target_node);
1825 		}
1826 
1827 		smb_node_release(lnk_dnode);
1828 
1829 	} else {
1830 
1831 		rc = smb_vop_traverse_check(&vp);
1832 		if (rc) {
1833 			VN_RELE(vp);
1834 			kmem_free(od_name, MAXNAMELEN);
1835 			return (rc);
1836 		}
1837 
1838 		*ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name,
1839 		    dir_snode, NULL, ret_attr);
1840 
1841 		if (*ret_snode == NULL) {
1842 			VN_RELE(vp);
1843 			rc = ENOMEM;
1844 		}
1845 	}
1846 
1847 	kmem_free(od_name, MAXNAMELEN);
1848 	return (rc);
1849 }
1850 
1851 /*
1852  * smb_fsop_stream_readdir()
1853  *
1854  * ret_snode and ret_attr are optional parameters (i.e. NULL may be passed in)
1855  *
1856  * This routine will return only NTFS streams.  If an NTFS stream is not
1857  * found at the offset specified, the directory will be read until an NTFS
1858  * stream is found or until EOF.
1859  *
1860  * Note: Sanity checks done in caller
1861  * (smb_fsop_readdir(), smb_fsop_remove_streams())
1862  */
1863 
1864 int
1865 smb_fsop_stream_readdir(struct smb_request *sr, cred_t *cr, smb_node_t *fnode,
1866     uint32_t *cookiep, struct fs_stream_info *stream_info,
1867     smb_node_t **ret_snode, smb_attr_t *ret_attr)
1868 {
1869 	smb_node_t *ret_snodep = NULL;
1870 	smb_attr_t tmp_attr;
1871 	vnode_t *xattrdirvp;
1872 	vnode_t *vp;
1873 	int rc = 0;
1874 	int flags = 0;
1875 
1876 	/*
1877 	 * XXX NTFS permission requirements if any?
1878 	 */
1879 	ASSERT(cr);
1880 	ASSERT(fnode);
1881 	ASSERT(fnode->n_magic == SMB_NODE_MAGIC);
1882 	ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING);
1883 
1884 	if (SMB_TREE_CASE_INSENSITIVE(sr))
1885 		flags = SMB_IGNORE_CASE;
1886 
1887 	rc = smb_vop_stream_readdir(fnode->vp, cookiep, stream_info, &vp,
1888 	    &xattrdirvp, flags, cr);
1889 
1890 	if ((rc != 0) || *cookiep == SMB_EOF)
1891 		return (rc);
1892 
1893 	ret_snodep = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp, vp,
1894 	    stream_info->name, &tmp_attr);
1895 
1896 	if (ret_snodep == NULL) {
1897 		VN_RELE(xattrdirvp);
1898 		VN_RELE(vp);
1899 		return (ENOMEM);
1900 	}
1901 
1902 	stream_info->size = tmp_attr.sa_vattr.va_size;
1903 
1904 	if (ret_attr)
1905 		*ret_attr = tmp_attr;
1906 
1907 	if (ret_snode)
1908 		*ret_snode = ret_snodep;
1909 	else
1910 		smb_node_release(ret_snodep);
1911 
1912 	return (rc);
1913 }
1914 
1915 int /*ARGSUSED*/
1916 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode)
1917 {
1918 	ASSERT(cr);
1919 	ASSERT(snode);
1920 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1921 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1922 
1923 	ASSERT(sr);
1924 	ASSERT(sr->tid_tree);
1925 	if (SMB_TREE_IS_READ_ONLY(sr))
1926 		return (EROFS);
1927 
1928 	return (smb_vop_commit(snode->vp, cr));
1929 }
1930 
1931 /*
1932  * smb_fsop_aclread
1933  *
1934  * Retrieve filesystem ACL. Depends on requested ACLs in
1935  * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in
1936  * fs_sd. Note that requesting a DACL/SACL doesn't mean that
1937  * the corresponding field in fs_sd should be non-NULL upon
1938  * return, since the target ACL might not contain that type of
1939  * entries.
1940  *
1941  * Returned ACL is always in ACE_T (aka ZFS) format.
1942  * If successful the allocated memory for the ACL should be freed
1943  * using smb_fsacl_free() or smb_fssd_term()
1944  */
1945 int
1946 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1947     smb_fssd_t *fs_sd)
1948 {
1949 	int error = 0;
1950 	int flags = 0;
1951 	int access = 0;
1952 	acl_t *acl;
1953 	smb_node_t *unnamed_node;
1954 
1955 	ASSERT(cr);
1956 
1957 	if (sr->fid_ofile) {
1958 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
1959 			access = READ_CONTROL;
1960 
1961 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
1962 			access |= ACCESS_SYSTEM_SECURITY;
1963 
1964 		error = smb_ofile_access(sr->fid_ofile, cr, access);
1965 		if (error != NT_STATUS_SUCCESS) {
1966 			return (EACCES);
1967 		}
1968 	}
1969 
1970 	unnamed_node = SMB_IS_STREAM(snode);
1971 	if (unnamed_node) {
1972 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1973 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1974 		/*
1975 		 * Streams don't have ACL, any read ACL attempt on a stream
1976 		 * should be performed on the unnamed stream.
1977 		 */
1978 		snode = unnamed_node;
1979 	}
1980 
1981 	if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS)
1982 		flags = ATTR_NOACLCHECK;
1983 
1984 	error = smb_vop_acl_read(snode->vp, &acl, flags,
1985 	    sr->tid_tree->t_acltype, cr);
1986 	if (error != 0) {
1987 		return (error);
1988 	}
1989 
1990 	error = acl_translate(acl, _ACL_ACE_ENABLED,
1991 	    (snode->vp->v_type == VDIR), fs_sd->sd_uid, fs_sd->sd_gid);
1992 
1993 	if (error == 0) {
1994 		smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl,
1995 		    fs_sd->sd_secinfo);
1996 	}
1997 
1998 	acl_free(acl);
1999 	return (error);
2000 }
2001 
2002 /*
2003  * smb_fsop_aclwrite
2004  *
2005  * Stores the filesystem ACL provided in fs_sd->sd_acl.
2006  */
2007 int
2008 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2009     smb_fssd_t *fs_sd)
2010 {
2011 	int target_flavor;
2012 	int error = 0;
2013 	int flags = 0;
2014 	int access = 0;
2015 	acl_t *acl, *dacl, *sacl;
2016 	smb_node_t *unnamed_node;
2017 
2018 	ASSERT(cr);
2019 
2020 	ASSERT(sr);
2021 	ASSERT(sr->tid_tree);
2022 	if (SMB_TREE_IS_READ_ONLY(sr))
2023 		return (EROFS);
2024 
2025 	if (sr->fid_ofile) {
2026 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2027 			access = WRITE_DAC;
2028 
2029 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2030 			access |= ACCESS_SYSTEM_SECURITY;
2031 
2032 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2033 		if (error != NT_STATUS_SUCCESS)
2034 			return (EACCES);
2035 	}
2036 
2037 	switch (sr->tid_tree->t_acltype) {
2038 	case ACLENT_T:
2039 		target_flavor = _ACL_ACLENT_ENABLED;
2040 		break;
2041 
2042 	case ACE_T:
2043 		target_flavor = _ACL_ACE_ENABLED;
2044 		break;
2045 	default:
2046 		return (EINVAL);
2047 	}
2048 
2049 	unnamed_node = SMB_IS_STREAM(snode);
2050 	if (unnamed_node) {
2051 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
2052 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
2053 		/*
2054 		 * Streams don't have ACL, any write ACL attempt on a stream
2055 		 * should be performed on the unnamed stream.
2056 		 */
2057 		snode = unnamed_node;
2058 	}
2059 
2060 	dacl = fs_sd->sd_zdacl;
2061 	sacl = fs_sd->sd_zsacl;
2062 
2063 	ASSERT(dacl || sacl);
2064 	if ((dacl == NULL) && (sacl == NULL))
2065 		return (EINVAL);
2066 
2067 	if (dacl && sacl)
2068 		acl = smb_fsacl_merge(dacl, sacl);
2069 	else if (dacl)
2070 		acl = dacl;
2071 	else
2072 		acl = sacl;
2073 
2074 	error = acl_translate(acl, target_flavor, (snode->vp->v_type == VDIR),
2075 	    fs_sd->sd_uid, fs_sd->sd_gid);
2076 	if (error == 0) {
2077 		if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS)
2078 			flags = ATTR_NOACLCHECK;
2079 
2080 		error = smb_vop_acl_write(snode->vp, acl, flags, cr);
2081 	}
2082 
2083 	if (dacl && sacl)
2084 		acl_free(acl);
2085 
2086 	return (error);
2087 }
2088 
2089 acl_type_t
2090 smb_fsop_acltype(smb_node_t *snode)
2091 {
2092 	return (smb_vop_acl_type(snode->vp));
2093 }
2094 
2095 /*
2096  * smb_fsop_sdread
2097  *
2098  * Read the requested security descriptor items from filesystem.
2099  * The items are specified in fs_sd->sd_secinfo.
2100  */
2101 int
2102 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2103     smb_fssd_t *fs_sd)
2104 {
2105 	int error = 0;
2106 	int getowner = 0;
2107 	cred_t *ga_cred;
2108 	smb_attr_t attr;
2109 
2110 	ASSERT(cr);
2111 	ASSERT(fs_sd);
2112 
2113 	/*
2114 	 * File's uid/gid is fetched in two cases:
2115 	 *
2116 	 * 1. it's explicitly requested
2117 	 *
2118 	 * 2. target ACL is ACE_T (ZFS ACL). They're needed for
2119 	 *    owner@/group@ entries. In this case kcred should be used
2120 	 *    because uid/gid are fetched on behalf of smb server.
2121 	 */
2122 	if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) {
2123 		getowner = 1;
2124 		ga_cred = cr;
2125 	} else if (sr->tid_tree->t_acltype == ACE_T) {
2126 		getowner = 1;
2127 		ga_cred = kcred;
2128 	}
2129 
2130 	if (getowner) {
2131 		/*
2132 		 * Windows require READ_CONTROL to read owner/group SID since
2133 		 * they're part of Security Descriptor.
2134 		 * ZFS only requires read_attribute. Need to have a explicit
2135 		 * access check here.
2136 		 */
2137 		if (sr->fid_ofile == NULL) {
2138 			error = smb_fsop_access(sr, ga_cred, snode,
2139 			    READ_CONTROL);
2140 			if (error)
2141 				return (error);
2142 		}
2143 
2144 		attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2145 		error = smb_fsop_getattr(sr, ga_cred, snode, &attr);
2146 		if (error == 0) {
2147 			fs_sd->sd_uid = attr.sa_vattr.va_uid;
2148 			fs_sd->sd_gid = attr.sa_vattr.va_gid;
2149 		} else {
2150 			return (error);
2151 		}
2152 	}
2153 
2154 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2155 		error = smb_fsop_aclread(sr, cr, snode, fs_sd);
2156 	}
2157 
2158 	return (error);
2159 }
2160 
2161 /*
2162  * smb_fsop_sdmerge
2163  *
2164  * From SMB point of view DACL and SACL are two separate list
2165  * which can be manipulated independently without one affecting
2166  * the other, but entries for both DACL and SACL will end up
2167  * in the same ACL if target filesystem supports ACE_T ACLs.
2168  *
2169  * So, if either DACL or SACL is present in the client set request
2170  * the entries corresponding to the non-present ACL shouldn't
2171  * be touched in the FS ACL.
2172  *
2173  * fs_sd parameter contains DACL and SACL specified by SMB
2174  * client to be set on a file/directory. The client could
2175  * specify both or one of these ACLs (if none is specified
2176  * we don't get this far). When both DACL and SACL are given
2177  * by client the existing ACL should be overwritten. If only
2178  * one of them is specified the entries corresponding to the other
2179  * ACL should not be touched. For example, if only DACL
2180  * is specified in input fs_sd, the function reads audit entries
2181  * of the existing ACL of the file and point fs_sd->sd_zsdacl
2182  * pointer to the fetched SACL, this way when smb_fsop_sdwrite()
2183  * function is called the passed fs_sd would point to the specified
2184  * DACL by client and fetched SACL from filesystem, so the file
2185  * will end up with correct ACL.
2186  */
2187 static int
2188 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd)
2189 {
2190 	smb_fssd_t cur_sd;
2191 	int error = 0;
2192 
2193 	if (sr->tid_tree->t_acltype != ACE_T)
2194 		/* Don't bother if target FS doesn't support ACE_T */
2195 		return (0);
2196 
2197 	if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) {
2198 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) {
2199 			/*
2200 			 * Don't overwrite existing audit entries
2201 			 */
2202 			smb_fssd_init(&cur_sd, SMB_SACL_SECINFO,
2203 			    fs_sd->sd_flags);
2204 
2205 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2206 			if (error == 0) {
2207 				ASSERT(fs_sd->sd_zsacl == NULL);
2208 				fs_sd->sd_zsacl = cur_sd.sd_zsacl;
2209 				if (fs_sd->sd_zsacl && fs_sd->sd_zdacl)
2210 					fs_sd->sd_zsacl->acl_flags =
2211 					    fs_sd->sd_zdacl->acl_flags;
2212 			}
2213 		} else {
2214 			/*
2215 			 * Don't overwrite existing access entries
2216 			 */
2217 			smb_fssd_init(&cur_sd, SMB_DACL_SECINFO,
2218 			    fs_sd->sd_flags);
2219 
2220 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2221 			if (error == 0) {
2222 				ASSERT(fs_sd->sd_zdacl == NULL);
2223 				fs_sd->sd_zdacl = cur_sd.sd_zdacl;
2224 				if (fs_sd->sd_zdacl && fs_sd->sd_zsacl)
2225 					fs_sd->sd_zdacl->acl_flags =
2226 					    fs_sd->sd_zsacl->acl_flags;
2227 			}
2228 		}
2229 
2230 		if (error)
2231 			smb_fssd_term(&cur_sd);
2232 	}
2233 
2234 	return (error);
2235 }
2236 
2237 /*
2238  * smb_fsop_sdwrite
2239  *
2240  * Stores the given uid, gid and acl in filesystem.
2241  * Provided items in fs_sd are specified by fs_sd->sd_secinfo.
2242  *
2243  * A SMB security descriptor could contain owner, primary group,
2244  * DACL and SACL. Setting an SD should be atomic but here it has to
2245  * be done via two separate FS operations: VOP_SETATTR and
2246  * VOP_SETSECATTR. Therefore, this function has to simulate the
2247  * atomicity as well as it can.
2248  */
2249 int
2250 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2251     smb_fssd_t *fs_sd, int overwrite)
2252 {
2253 	int error = 0;
2254 	int access = 0;
2255 	smb_attr_t set_attr;
2256 	smb_attr_t orig_attr;
2257 
2258 	ASSERT(cr);
2259 	ASSERT(fs_sd);
2260 
2261 	ASSERT(sr);
2262 	ASSERT(sr->tid_tree);
2263 	if (SMB_TREE_IS_READ_ONLY(sr))
2264 		return (EROFS);
2265 
2266 	bzero(&set_attr, sizeof (smb_attr_t));
2267 
2268 	if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
2269 		set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
2270 		set_attr.sa_mask |= SMB_AT_UID;
2271 	}
2272 
2273 	if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
2274 		set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
2275 		set_attr.sa_mask |= SMB_AT_GID;
2276 	}
2277 
2278 	if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2279 		access |= WRITE_DAC;
2280 
2281 	if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2282 		access |= ACCESS_SYSTEM_SECURITY;
2283 
2284 	if (sr->fid_ofile)
2285 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2286 	else
2287 		error = smb_fsop_access(sr, cr, snode, access);
2288 
2289 	if (error)
2290 		return (EACCES);
2291 
2292 	if (set_attr.sa_mask) {
2293 		/*
2294 		 * Get the current uid, gid so if smb_fsop_aclwrite fails
2295 		 * we can revert uid, gid changes.
2296 		 *
2297 		 * We use root cred here so the operation doesn't fail
2298 		 * due to lack of permission for the user to read the attrs
2299 		 */
2300 
2301 		orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2302 		error = smb_fsop_getattr(sr, kcred, snode, &orig_attr);
2303 		if (error == 0)
2304 			error = smb_fsop_setattr(sr, cr, snode, &set_attr,
2305 			    NULL);
2306 
2307 		if (error)
2308 			return (error);
2309 	}
2310 
2311 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2312 		if (overwrite == 0) {
2313 			error = smb_fsop_sdmerge(sr, snode, fs_sd);
2314 			if (error)
2315 				return (error);
2316 		}
2317 
2318 		error = smb_fsop_aclwrite(sr, cr, snode, fs_sd);
2319 		if (error) {
2320 			/*
2321 			 * Revert uid/gid changes if required.
2322 			 */
2323 			if (set_attr.sa_mask) {
2324 				orig_attr.sa_mask = set_attr.sa_mask;
2325 				(void) smb_fsop_setattr(sr, kcred, snode,
2326 				    &orig_attr, NULL);
2327 			}
2328 		}
2329 	}
2330 
2331 	return (error);
2332 }
2333 
2334 /*
2335  * smb_fsop_sdinherit
2336  *
2337  * Inherit the security descriptor from the parent container.
2338  * This function is called after FS has created the file/folder
2339  * so if this doesn't do anything it means FS inheritance is
2340  * in place.
2341  *
2342  * Do inheritance for ZFS internally.
2343  *
2344  * If we want to let ZFS does the inheritance the
2345  * following setting should be true:
2346  *
2347  *  - aclinherit = passthrough
2348  *  - aclmode = passthrough
2349  *  - smbd umask = 0777
2350  *
2351  * This will result in right effective permissions but
2352  * ZFS will always add 6 ACEs for owner, owning group
2353  * and others to be POSIX compliant. This is not what
2354  * Windows clients/users expect, so we decided that CIFS
2355  * implements Windows rules and overwrite whatever ZFS
2356  * comes up with. This way we also don't have to care
2357  * about ZFS aclinherit and aclmode settings.
2358  */
2359 static int
2360 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd)
2361 {
2362 	int is_dir;
2363 	acl_t *dacl = NULL;
2364 	acl_t *sacl = NULL;
2365 	ksid_t *owner_sid;
2366 	int error;
2367 
2368 	ASSERT(fs_sd);
2369 
2370 	if (sr->tid_tree->t_acltype != ACE_T) {
2371 		/*
2372 		 * No forced inheritance for non-ZFS filesystems.
2373 		 */
2374 		fs_sd->sd_secinfo = 0;
2375 		return (0);
2376 	}
2377 
2378 
2379 	/* Fetch parent directory's ACL */
2380 	error = smb_fsop_sdread(sr, kcred, dnode, fs_sd);
2381 	if (error) {
2382 		return (error);
2383 	}
2384 
2385 	is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR);
2386 	owner_sid = crgetsid(sr->user_cr, KSID_OWNER);
2387 	ASSERT(owner_sid);
2388 	dacl = smb_fsacl_inherit(fs_sd->sd_zdacl, is_dir, SMB_DACL_SECINFO,
2389 	    owner_sid->ks_id);
2390 	sacl = smb_fsacl_inherit(fs_sd->sd_zsacl, is_dir, SMB_SACL_SECINFO,
2391 	    (uid_t)-1);
2392 
2393 	if (sacl == NULL)
2394 		fs_sd->sd_secinfo &= ~SMB_SACL_SECINFO;
2395 
2396 	smb_fsacl_free(fs_sd->sd_zdacl);
2397 	smb_fsacl_free(fs_sd->sd_zsacl);
2398 
2399 	fs_sd->sd_zdacl = dacl;
2400 	fs_sd->sd_zsacl = sacl;
2401 
2402 	return (0);
2403 }
2404 
2405 /*
2406  * smb_fsop_eaccess
2407  *
2408  * Returns the effective permission of the given credential for the
2409  * specified object.
2410  *
2411  * This is just a workaround. We need VFS/FS support for this.
2412  */
2413 void
2414 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2415     uint32_t *eaccess)
2416 {
2417 	int access = 0;
2418 	vnode_t *dir_vp;
2419 	smb_node_t *unnamed_node;
2420 
2421 	ASSERT(cr);
2422 	ASSERT(snode);
2423 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
2424 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
2425 
2426 	unnamed_node = SMB_IS_STREAM(snode);
2427 	if (unnamed_node) {
2428 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
2429 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
2430 		/*
2431 		 * Streams authorization should be performed against the
2432 		 * unnamed stream.
2433 		 */
2434 		snode = unnamed_node;
2435 	}
2436 
2437 	if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS) {
2438 		dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL;
2439 		smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp,
2440 		    cr);
2441 		return;
2442 	}
2443 
2444 	/*
2445 	 * FS doesn't understand 32-bit mask
2446 	 */
2447 	smb_vop_eaccess(snode->vp, &access, 0, NULL, cr);
2448 
2449 	*eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES;
2450 
2451 	if (access & VREAD)
2452 		*eaccess |= FILE_READ_DATA;
2453 
2454 	if (access & VEXEC)
2455 		*eaccess |= FILE_EXECUTE;
2456 
2457 	if (access & VWRITE)
2458 		*eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES |
2459 		    FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD;
2460 }
2461 
2462 /*
2463  * smb_fsop_shrlock
2464  *
2465  * For the current open request, check file sharing rules
2466  * against existing opens.
2467  *
2468  * Returns NT_STATUS_SHARING_VIOLATION if there is any
2469  * sharing conflict.  Returns NT_STATUS_SUCCESS otherwise.
2470  *
2471  * Full system-wide share reservation synchronization is available
2472  * when the nbmand (non-blocking mandatory) mount option is set
2473  * (i.e. nbl_need_crit() is true) and nbmand critical regions are used.
2474  * This provides synchronization with NFS and local processes.  The
2475  * critical regions are entered in VOP_SHRLOCK()/fs_shrlock() (called
2476  * from smb_open_subr()/smb_fsop_shrlock()/smb_vop_shrlock()) as well
2477  * as the CIFS rename and delete paths.
2478  *
2479  * The CIFS server will also enter the nbl critical region in the open,
2480  * rename, and delete paths when nbmand is not set.  There is limited
2481  * coordination with local and VFS share reservations in this case.
2482  * Note that when the nbmand mount option is not set, the VFS layer
2483  * only processes advisory reservations and the delete mode is not checked.
2484  *
2485  * Whether or not the nbmand mount option is set, intra-CIFS share
2486  * checking is done in the open, delete, and rename paths using a CIFS
2487  * critical region (node->n_share_lock).
2488  */
2489 
2490 uint32_t
2491 smb_fsop_shrlock(cred_t *cr, struct smb_node *node, uint32_t uniq_fid,
2492     uint32_t desired_access, uint32_t share_access)
2493 {
2494 	int rc;
2495 
2496 	if (node->attr.sa_vattr.va_type == VDIR)
2497 		return (NT_STATUS_SUCCESS);
2498 
2499 	/* Allow access if the request is just for meta data */
2500 	if ((desired_access & FILE_DATA_ALL) == 0)
2501 		return (NT_STATUS_SUCCESS);
2502 
2503 	rc = smb_node_open_check(node, cr, desired_access, share_access);
2504 	if (rc)
2505 		return (NT_STATUS_SHARING_VIOLATION);
2506 
2507 	rc = smb_vop_shrlock(node->vp, uniq_fid, desired_access, share_access,
2508 	    cr);
2509 	if (rc)
2510 		return (NT_STATUS_SHARING_VIOLATION);
2511 
2512 	return (NT_STATUS_SUCCESS);
2513 }
2514 
2515 void
2516 smb_fsop_unshrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid)
2517 {
2518 	if (node->attr.sa_vattr.va_type == VDIR)
2519 		return;
2520 
2521 	(void) smb_vop_unshrlock(node->vp, uniq_fid, cr);
2522 }
2523 
2524 /*
2525  * smb_fsop_frlock_callback
2526  *
2527  * smb wrapper function for fs_frlock
2528  * this should never happen, as we are not attempting
2529  * to set Mandatory Locks, cmd = F_SETLK_NBMAND
2530  *
2531  */
2532 
2533 static callb_cpr_t *
2534 /* ARGSUSED */
2535 smb_fsop_frlock_callback(flk_cb_when_t when, void *error)
2536 {
2537 	return (0);
2538 }
2539 
2540 /*
2541  * smb_fs_frlock
2542  *
2543  * smb wrapper function for fs_frlock
2544  */
2545 
2546 int
2547 smb_fsop_frlock(smb_request_t *sr, smb_node_t *node, smb_lock_t *lock,
2548     boolean_t unlock)
2549 {
2550 	vnode_t *vp;
2551 	flock64_t bf;
2552 	cred_t *cr;
2553 	caller_context_t *ct;
2554 	int cmd;
2555 	flk_callback_t flk_cb;
2556 	offset_t offset = 0;
2557 	int flag;
2558 	int error;
2559 	int i;
2560 
2561 	flk_init_callback(&flk_cb, smb_fsop_frlock_callback, &error);
2562 	cr = sr->user_cr;
2563 	ct = &smb_ct;
2564 	vp = node->vp;
2565 	cmd = F_SETLK;
2566 
2567 	if (unlock == B_TRUE) {
2568 		bf.l_type = F_UNLCK;
2569 		flag = 0;
2570 	} else if (lock->l_type == SMB_LOCK_TYPE_READONLY) {
2571 		bf.l_type = F_RDLCK;
2572 		flag = FREAD;
2573 	} else if (lock->l_type == SMB_LOCK_TYPE_READWRITE) {
2574 		bf.l_type = F_WRLCK;
2575 		flag = FWRITE;
2576 	}
2577 
2578 	bf.l_start = lock->l_start;
2579 	bf.l_len = lock->l_length;
2580 	bf.l_whence = 0;  /* SEEK_SET */
2581 	bf.l_pid = lock->l_pid;
2582 	bf.l_sysid = 0;
2583 
2584 	for (i = 0; i < 4; i++)
2585 		bf.l_pad[i] = 0;
2586 
2587 	error = fs_frlock(vp, cmd, &bf, flag, offset, &flk_cb, cr, ct);
2588 	return (error);
2589 }
2590