1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * Copyright (c) 2016 by Delphix. All rights reserved. 25 */ 26 27 #ifndef _SMBSRV_NTIFS_H 28 #define _SMBSRV_NTIFS_H 29 30 /* 31 * This file provides definitions compatible with the NT Installable 32 * File System (IFS) interface. This header file also defines the Security 33 * Descriptor module from Windows. 34 */ 35 36 #ifdef __cplusplus 37 extern "C" { 38 #endif 39 40 #include <sys/acl.h> 41 #include <sys/list.h> 42 #include <smbsrv/smb_sid.h> 43 44 /* 45 * The Volume and Directory bits are for SMB rather than NT. 46 * NT has an explicit Normal bit; this bit is implied in SMB 47 * when the Hidden, System and Directory bits are not set. 48 * 49 * File attributes and creation flags share the same 32-bit 50 * space. 51 */ 52 #define FILE_ATTRIBUTE_READONLY 0x00000001 53 #define FILE_ATTRIBUTE_HIDDEN 0x00000002 54 #define FILE_ATTRIBUTE_SYSTEM 0x00000004 55 #define FILE_ATTRIBUTE_VOLUME 0x00000008 56 #define FILE_ATTRIBUTE_DIRECTORY 0x00000010 57 #define FILE_ATTRIBUTE_ARCHIVE 0x00000020 58 #define FILE_ATTRIBUTE_DEVICE 0x00000040 59 #define FILE_ATTRIBUTE_NORMAL 0x00000080 60 #define FILE_ATTRIBUTE_TEMPORARY 0x00000100 61 #define FILE_ATTRIBUTE_SPARSE_FILE 0x00000200 62 #define FILE_ATTRIBUTE_REPARSE_POINT 0x00000400 63 #define FILE_ATTRIBUTE_COMPRESSED 0x00000800 64 #define FILE_ATTRIBUTE_OFFLINE 0x00001000 65 #define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000 66 #define FILE_ATTRIBUTE_ENCRYPTED 0x00004000 67 #define FILE_ATTRIBUTE_VIRTUAL 0x00010000 68 #define FILE_FLAG_OPEN_NO_RECALL 0x00100000 69 #define FILE_FLAG_OPEN_REPARSE_POINT 0x00200000 70 #define FILE_FLAG_POSIX_SEMANTICS 0x01000000 71 #define FILE_FLAG_BACKUP_SEMANTICS 0x02000000 72 #define FILE_FLAG_DELETE_ON_CLOSE 0x04000000 73 #define FILE_FLAG_SEQUENTIAL_SCAN 0x08000000 74 #define FILE_FLAG_RANDOM_ACCESS 0x10000000 75 #define FILE_FLAG_NO_BUFFERING 0x20000000 76 #define FILE_FLAG_OVERLAPPED 0x40000000 77 #define FILE_FLAG_WRITE_THROUGH 0x80000000 78 79 #define FILE_ATTRIBUTE_VALID_FLAGS 0x00001fb7 80 #define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x00001fa7 81 #define FILE_ATTRIBUTE_MASK 0x00003FFF 82 83 /* 84 * The create/open option flags: used in NtCreateAndx and NtTransactCreate 85 * SMB requests. 86 * 87 * The CreateOptions specify the options to be applied when creating or 88 * opening the file, as a compatible combination of the following flags: 89 * 90 * FILE_DIRECTORY_FILE 91 * The file being created or opened is a directory file. With this 92 * flag, the Disposition parameter must be set to one of FILE_CREATE, 93 * FILE_OPEN, or FILE_OPEN_IF. With this flag, other compatible 94 * CreateOptions flags include only the following: 95 * FILE_SYNCHRONOUS_IO_ALERT 96 * FILE_SYNCHRONOUS_IO_NONALERT 97 * FILE_WRITE_THROUGH 98 * FILE_OPEN_FOR_BACKUP_INTENT 99 * FILE_OPEN_BY_FILE_ID 100 * 101 * FILE_NON_DIRECTORY_FILE 102 * The file being opened must not be a directory file or this call 103 * will fail. The file object being opened can represent a data file, 104 * a logical, virtual, or physical device, or a volume. 105 * 106 * FILE_WRITE_THROUGH 107 * System services, FSDs, and drivers that write data to the file must 108 * actually transfer the data into the file before any requested write 109 * operation is considered complete. This flag is automatically set if 110 * the CreateOptions flag FILE_NO_INTERMEDIATE _BUFFERING is set. 111 * 112 * FILE_SEQUENTIAL_ONLY 113 * All accesses to the file will be sequential. 114 * 115 * FILE_RANDOM_ACCESS 116 * Accesses to the file can be random, so no sequential read-ahead 117 * operations should be performed on the file by FSDs or the system. 118 * FILE_NO_INTERMEDIATE _BUFFERING The file cannot be cached or 119 * buffered in a driver's internal buffers. This flag is incompatible 120 * with the DesiredAccess FILE_APPEND_DATA flag. 121 * 122 * FILE_SYNCHRONOUS_IO_ALERT 123 * All operations on the file are performed synchronously. Any wait 124 * on behalf of the caller is subject to premature termination from 125 * alerts. This flag also causes the I/O system to maintain the file 126 * position context. If this flag is set, the DesiredAccess 127 * SYNCHRONIZE flag also must be set. 128 * 129 * FILE_SYNCHRONOUS_IO _NONALERT 130 * All operations on the file are performed synchronously. Waits in 131 * the system to synchronize I/O queuing and completion are not subject 132 * to alerts. This flag also causes the I/O system to maintain the file 133 * position context. If this flag is set, the DesiredAccess SYNCHRONIZE 134 * flag also must be set. 135 * 136 * FILE_CREATE_TREE _CONNECTION 137 * Create a tree connection for this file in order to open it over the 138 * network. This flag is irrelevant to device and intermediate drivers. 139 * 140 * FILE_COMPLETE_IF_OPLOCKED 141 * Complete this operation immediately with an alternate success code 142 * if the target file is oplocked, rather than blocking the caller's 143 * thread. If the file is oplocked, another caller already has access 144 * to the file over the network. This flag is irrelevant to device and 145 * intermediate drivers. 146 * 147 * FILE_NO_EA_KNOWLEDGE 148 * If the extended attributes on an existing file being opened indicate 149 * that the caller must understand EAs to properly interpret the file, 150 * fail this request because the caller does not understand how to deal 151 * with EAs. Device and intermediate drivers can ignore this flag. 152 * 153 * FILE_DELETE_ON_CLOSE 154 * Delete the file when the last reference to it is passed to close. 155 * 156 * FILE_OPEN_BY_FILE_ID 157 * The file name contains the name of a device and a 64-bit ID to 158 * be used to open the file. This flag is irrelevant to device and 159 * intermediate drivers. 160 * 161 * FILE_OPEN_FOR_BACKUP _INTENT 162 * The file is being opened for backup intent, hence, the system should 163 * check for certain access rights and grant the caller the appropriate 164 * accesses to the file before checking the input DesiredAccess against 165 * the file's security descriptor. This flag is irrelevant to device 166 * and intermediate drivers. 167 */ 168 #define FILE_DIRECTORY_FILE 0x00000001 169 #define FILE_WRITE_THROUGH 0x00000002 170 #define FILE_SEQUENTIAL_ONLY 0x00000004 171 #define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 172 173 #define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 174 #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 175 #define FILE_NON_DIRECTORY_FILE 0x00000040 176 #define FILE_CREATE_TREE_CONNECTION 0x00000080 177 178 #define FILE_COMPLETE_IF_OPLOCKED 0x00000100 179 #define FILE_NO_EA_KNOWLEDGE 0x00000200 180 /* UNUSED 0x00000400 */ 181 #define FILE_RANDOM_ACCESS 0x00000800 182 183 #define FILE_DELETE_ON_CLOSE 0x00001000 184 #define FILE_OPEN_BY_FILE_ID 0x00002000 185 #define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 186 #define FILE_NO_COMPRESSION 0x00008000 187 188 #define FILE_RESERVE_OPFILTER 0x00100000 189 #define FILE_RESERVED0 0x00200000 190 #define FILE_RESERVED1 0x00400000 191 #define FILE_RESERVED2 0x00800000 192 193 #define FILE_VALID_OPTION_FLAGS 0x007fffff 194 #define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032 195 #define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032 196 #define FILE_VALID_SET_FLAGS 0x00000036 197 198 /* 199 * Define the file information class values used by the NT DDK and HAL. 200 */ 201 typedef enum _FILE_INFORMATION_CLASS { 202 FileDirectoryInformation = 1, 203 FileFullDirectoryInformation, /* 2 */ 204 FileBothDirectoryInformation, /* 3 */ 205 FileBasicInformation, /* 4 */ 206 FileStandardInformation, /* 5 */ 207 FileInternalInformation, /* 6 */ 208 FileEaInformation, /* 7 */ 209 FileAccessInformation, /* 8 */ 210 FileNameInformation, /* 9 */ 211 FileRenameInformation, /* 10 */ 212 FileLinkInformation, /* 11 */ 213 FileNamesInformation, /* 12 */ 214 FileDispositionInformation, /* 13 */ 215 FilePositionInformation, /* 14 */ 216 FileFullEaInformation, /* 15 */ 217 FileModeInformation, /* 16 */ 218 FileAlignmentInformation, /* 17 */ 219 FileAllInformation, /* 18 */ 220 FileAllocationInformation, /* 19 */ 221 FileEndOfFileInformation, /* 20 */ 222 FileAlternateNameInformation, /* 21 */ 223 FileStreamInformation, /* 22 */ 224 FilePipeInformation, /* 23 */ 225 FilePipeLocalInformation, /* 24 */ 226 FilePipeRemoteInformation, /* 25 */ 227 FileMailslotQueryInformation, /* 26 */ 228 FileMailslotSetInformation, /* 27 */ 229 FileCompressionInformation, /* 28 */ 230 FileObjectIdInformation, /* 29 */ 231 FileCompletionInformation, /* 30 */ 232 FileMoveClusterInformation, /* 31 */ 233 FileQuotaInformation, /* 32 */ 234 FileReparsePointInformation, /* 33 */ 235 FileNetworkOpenInformation, /* 34 */ 236 FileAttributeTagInformation, /* 35 */ 237 FileTrackingInformation, /* 36 */ 238 FileIdBothDirectoryInformation, /* 37 */ 239 FileIdFullDirectoryInformation, /* 38 */ 240 FileValidDataLengthInformation, /* 39 */ 241 FileShortNameInformation, /* 40 */ 242 FileInformationReserved41, /* 41 */ 243 FileInformationReserved42, /* 42 */ 244 FileInformationReserved43, /* 43 */ 245 FileSfioReserveInformation, /* 44 */ 246 FileSfioVolumeInformation, /* 45 */ 247 FileHardLinkInformation, /* 46 */ 248 FileInformationReserved47, /* 47 */ 249 FileNormalizedNameInformation, /* 48 */ 250 FileInformationReserved49, /* 49 */ 251 FileIdGlobalTxDirectoryInformation, /* 50 */ 252 FileInformationReserved51, /* 51 */ 253 FileInformationReserved52, /* 52 */ 254 FileInformationReserved53, /* 53 */ 255 FileStandardLinkInformation, /* 54 */ 256 FileMaximumInformation 257 } FILE_INFORMATION_CLASS; 258 259 /* 260 * Define the file system information class values. 261 */ 262 typedef enum _FILE_FS_INFORMATION_CLASS { 263 FileFsVolumeInformation = 1, 264 FileFsLabelInformation, /* 2 */ 265 FileFsSizeInformation, /* 3 */ 266 FileFsDeviceInformation, /* 4 */ 267 FileFsAttributeInformation, /* 5 */ 268 FileFsControlInformation, /* 6 */ 269 FileFsFullSizeInformation, /* 7 */ 270 FileFsObjectIdInformation, /* 8 */ 271 FileFsDriverPathInformation /* 9 */ 272 } FILE_FS_INFORMATION_CLASS; 273 274 /* 275 * Discretionary Access Control List (DACL) 276 * 277 * A Discretionary Access Control List (DACL), often abbreviated to 278 * ACL, is a list of access controls which either allow or deny access 279 * for users or groups to a resource. There is a list header followed 280 * by a list of access control entries (ACE). Each ACE specifies the 281 * access allowed or denied to a single user or group (identified by 282 * a SID). 283 * 284 * There is another access control list object called a System Access 285 * Control List (SACL), which is used to control auditing, but no 286 * support is provideed for SACLs at this time. 287 * 288 * ACL header format: 289 * 290 * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 291 * 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 292 * +-------------------------------+---------------+---------------+ 293 * | AclSize | Sbz1 | AclRevision | 294 * +-------------------------------+---------------+---------------+ 295 * | Sbz2 | AceCount | 296 * +-------------------------------+-------------------------------+ 297 * 298 * AclRevision specifies the revision level of the ACL. This value should 299 * be ACL_REVISION, unless the ACL contains an object-specific ACE, in which 300 * case this value must be ACL_REVISION_DS. All ACEs in an ACL must be at the 301 * same revision level. 302 * 303 * ACE header format: 304 * 305 * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 306 * 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 307 * +---------------+-------+-------+---------------+---------------+ 308 * | AceSize | AceFlags | AceType | 309 * +---------------+-------+-------+---------------+---------------+ 310 * 311 * Access mask format: 312 * 313 * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 314 * 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 315 * +---------------+---------------+-------------------------------+ 316 * |G|G|G|G|Res'd|A| StandardRights| SpecificRights | 317 * |R|W|E|A| |S| | | 318 * +-+-------------+---------------+-------------------------------+ 319 * 320 * typedef struct ACCESS_MASK { 321 * WORD SpecificRights; 322 * BYTE StandardRights; 323 * BYTE AccessSystemAcl : 1; 324 * BYTE Reserved : 3; 325 * BYTE GenericAll : 1; 326 * BYTE GenericExecute : 1; 327 * BYTE GenericWrite : 1; 328 * BYTE GenericRead : 1; 329 * } ACCESS_MASK; 330 * 331 */ 332 333 #define ACL_REVISION1 1 334 #define ACL_REVISION2 2 335 #define MIN_ACL_REVISION2 ACL_REVISION2 336 #define ACL_REVISION3 3 337 #define ACL_REVISION4 4 338 #define MAX_ACL_REVISION ACL_REVISION4 339 340 /* 341 * Current ACE and ACL revision Levels 342 */ 343 #define ACE_REVISION 1 344 #define ACL_REVISION ACL_REVISION2 345 #define ACL_REVISION_DS ACL_REVISION4 346 347 348 #define ACCESS_ALLOWED_ACE_TYPE 0 349 #define ACCESS_DENIED_ACE_TYPE 1 350 #define SYSTEM_AUDIT_ACE_TYPE 2 351 #define SYSTEM_ALARM_ACE_TYPE 3 352 353 /* 354 * se_flags 355 * ---------- 356 * Specifies a set of ACE type-specific control flags. This member can be a 357 * combination of the following values. 358 * 359 * CONTAINER_INHERIT_ACE: Child objects that are containers, such as 360 * directories, inherit the ACE as an effective ACE. The inherited 361 * ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag 362 * is also set. 363 * 364 * INHERIT_ONLY_ACE: Indicates an inherit-only ACE which does not control 365 * access to the object to which it is attached. 366 * If this flag is not set, 367 * the ACE is an effective ACE which controls access to the object 368 * to which it is attached. 369 * Both effective and inherit-only ACEs can be inherited 370 * depending on the state of the other inheritance flags. 371 * 372 * INHERITED_ACE: Windows 2000/XP: Indicates that the ACE was inherited. 373 * The system sets this bit when it propagates an 374 * inherited ACE to a child object. 375 * 376 * NO_PROPAGATE_INHERIT_ACE: If the ACE is inherited by a child object, the 377 * system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE 378 * flags in the inherited ACE. 379 * This prevents the ACE from being inherited by 380 * subsequent generations of objects. 381 * 382 * OBJECT_INHERIT_ACE: Noncontainer child objects inherit the ACE as an 383 * effective ACE. For child objects that are containers, 384 * the ACE is inherited as an inherit-only ACE unless the 385 * NO_PROPAGATE_INHERIT_ACE bit flag is also set. 386 */ 387 #define OBJECT_INHERIT_ACE 0x01 388 #define CONTAINER_INHERIT_ACE 0x02 389 #define NO_PROPOGATE_INHERIT_ACE 0x04 390 #define INHERIT_ONLY_ACE 0x08 391 #define INHERITED_ACE 0x10 392 #define INHERIT_MASK_ACE 0x1F 393 394 395 /* 396 * These flags are only used in system audit or alarm ACEs to 397 * indicate when an audit message should be generated, i.e. 398 * on successful access or on unsuccessful access. 399 */ 400 #define SUCCESSFUL_ACCESS_ACE_FLAG 0x40 401 #define FAILED_ACCESS_ACE_FLAG 0x80 402 403 /* 404 * se_bsize is the size, in bytes, of ACE as it appears on the wire. 405 * se_sln is used to sort the ACL when it's required. 406 */ 407 typedef struct smb_acehdr { 408 uint8_t se_type; 409 uint8_t se_flags; 410 uint16_t se_bsize; 411 } smb_acehdr_t; 412 413 typedef struct smb_ace { 414 smb_acehdr_t se_hdr; 415 uint32_t se_mask; 416 list_node_t se_sln; 417 smb_sid_t *se_sid; 418 } smb_ace_t; 419 420 /* 421 * sl_bsize is the size of ACL in bytes as it appears on the wire. 422 */ 423 typedef struct smb_acl { 424 uint8_t sl_revision; 425 uint16_t sl_bsize; 426 uint16_t sl_acecnt; 427 smb_ace_t *sl_aces; 428 list_t sl_sorted; 429 } smb_acl_t; 430 431 /* 432 * ACE/ACL header size, in byte, as it appears on the wire 433 */ 434 #define SMB_ACE_HDRSIZE 4 435 #define SMB_ACL_HDRSIZE 8 436 437 /* 438 * Security Descriptor (SD) 439 * 440 * Security descriptors provide protection for objects, for example 441 * files and directories. It identifies the owner and primary group 442 * (SIDs) and contains an access control list. When a user tries to 443 * access an object their SID is compared to the permissions in the 444 * DACL to determine if access should be allowed or denied. Note that 445 * this is a simplification because there are other factors, such as 446 * default behavior and privileges to be taken into account (see also 447 * access tokens). 448 * 449 * The boolean flags have the following meanings when set: 450 * 451 * SE_OWNER_DEFAULTED indicates that the SID pointed to by the Owner 452 * field was provided by a defaulting mechanism rather than explicitly 453 * provided by the original provider of the security descriptor. This 454 * may affect the treatment of the SID with respect to inheritance of 455 * an owner. 456 * 457 * SE_GROUP_DEFAULTED indicates that the SID in the Group field was 458 * provided by a defaulting mechanism rather than explicitly provided 459 * by the original provider of the security descriptor. This may 460 * affect the treatment of the SID with respect to inheritance of a 461 * primary group. 462 * 463 * SE_DACL_PRESENT indicates that the security descriptor contains a 464 * discretionary ACL. If this flag is set and the Dacl field of the 465 * SECURITY_DESCRIPTOR is null, then a null ACL is explicitly being 466 * specified. 467 * 468 * SE_DACL_DEFAULTED indicates that the ACL pointed to by the Dacl 469 * field was provided by a defaulting mechanism rather than explicitly 470 * provided by the original provider of the security descriptor. This 471 * may affect the treatment of the ACL with respect to inheritance of 472 * an ACL. This flag is ignored if the DaclPresent flag is not set. 473 * 474 * SE_SACL_PRESENT indicates that the security descriptor contains a 475 * system ACL pointed to by the Sacl field. If this flag is set and 476 * the Sacl field of the SECURITY_DESCRIPTOR is null, then an empty 477 * (but present) ACL is being specified. 478 * 479 * SE_SACL_DEFAULTED indicates that the ACL pointed to by the Sacl 480 * field was provided by a defaulting mechanism rather than explicitly 481 * provided by the original provider of the security descriptor. This 482 * may affect the treatment of the ACL with respect to inheritance of 483 * an ACL. This flag is ignored if the SaclPresent flag is not set. 484 * 485 * SE_DACL_PROTECTED Prevents ACEs set on the DACL of the parent container 486 * (and any objects above the parent container in the directory hierarchy) 487 * from being applied to the object's DACL. 488 * 489 * SE_SACL_PROTECTED Prevents ACEs set on the SACL of the parent container 490 * (and any objects above the parent container in the directory hierarchy) 491 * from being applied to the object's SACL. 492 * 493 * Note that the SE_DACL_PRESENT flag needs to be present to set 494 * SE_DACL_PROTECTED and SE_SACL_PRESENT needs to be present to set 495 * SE_SACL_PROTECTED. 496 * 497 * SE_SELF_RELATIVE indicates that the security descriptor is in self- 498 * relative form. In this form, all fields of the security descriptor 499 * are contiguous in memory and all pointer fields are expressed as 500 * offsets from the beginning of the security descriptor. 501 * 502 * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 503 * 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 504 * +---------------------------------------------------------------+ 505 * | Control |Reserved1 (SBZ)| Revision | 506 * +---------------------------------------------------------------+ 507 * | Owner | 508 * +---------------------------------------------------------------+ 509 * | Group | 510 * +---------------------------------------------------------------+ 511 * | Sacl | 512 * +---------------------------------------------------------------+ 513 * | Dacl | 514 * +---------------------------------------------------------------+ 515 * 516 */ 517 518 #define SMB_OWNER_SECINFO 0x0001 519 #define SMB_GROUP_SECINFO 0x0002 520 #define SMB_DACL_SECINFO 0x0004 521 #define SMB_SACL_SECINFO 0x0008 522 #define SMB_ALL_SECINFO 0x000F 523 #define SMB_ACL_SECINFO (SMB_DACL_SECINFO | SMB_SACL_SECINFO) 524 525 #define SECURITY_DESCRIPTOR_REVISION 1 526 527 528 #define SE_OWNER_DEFAULTED 0x0001 529 #define SE_GROUP_DEFAULTED 0x0002 530 #define SE_DACL_PRESENT 0x0004 531 #define SE_DACL_DEFAULTED 0x0008 532 #define SE_SACL_PRESENT 0x0010 533 #define SE_SACL_DEFAULTED 0x0020 534 #define SE_DACL_AUTO_INHERIT_REQ 0x0100 535 #define SE_SACL_AUTO_INHERIT_REQ 0x0200 536 #define SE_DACL_AUTO_INHERITED 0x0400 537 #define SE_SACL_AUTO_INHERITED 0x0800 538 #define SE_DACL_PROTECTED 0x1000 539 #define SE_SACL_PROTECTED 0x2000 540 #define SE_SELF_RELATIVE 0x8000 541 542 #define SE_DACL_INHERITANCE_MASK 0x1500 543 #define SE_SACL_INHERITANCE_MASK 0x2A00 544 545 /* 546 * Security descriptor structures: 547 * 548 * smb_sd_t SD in SMB pointer form 549 * smb_fssd_t SD in filesystem form 550 * 551 * Filesystems (e.g. ZFS/UFS) don't have something equivalent 552 * to SD. The items comprising a SMB SD are kept separately in 553 * filesystem. smb_fssd_t is introduced as a helper to provide 554 * the required abstraction for CIFS code. 555 */ 556 557 typedef struct smb_sd { 558 uint8_t sd_revision; 559 uint16_t sd_control; 560 smb_sid_t *sd_owner; /* SID file owner */ 561 smb_sid_t *sd_group; /* SID group (for POSIX) */ 562 smb_acl_t *sd_sacl; /* ACL System (audits) */ 563 smb_acl_t *sd_dacl; /* ACL Discretionary (perm) */ 564 } smb_sd_t; 565 566 /* 567 * SD header size as it appears on the wire 568 */ 569 #define SMB_SD_HDRSIZE 20 570 571 /* 572 * values for smb_fssd.sd_flags 573 */ 574 #define SMB_FSSD_FLAGS_DIR 0x01 575 576 typedef struct smb_fssd { 577 uint32_t sd_secinfo; 578 uint32_t sd_flags; 579 uid_t sd_uid; 580 gid_t sd_gid; 581 acl_t *sd_zdacl; 582 acl_t *sd_zsacl; 583 } smb_fssd_t; 584 585 void smb_sd_init(smb_sd_t *, uint8_t); 586 void smb_sd_term(smb_sd_t *); 587 uint32_t smb_sd_get_secinfo(smb_sd_t *); 588 uint32_t smb_sd_len(smb_sd_t *, uint32_t); 589 uint32_t smb_sd_tofs(smb_sd_t *, smb_fssd_t *); 590 591 void smb_fssd_init(smb_fssd_t *, uint32_t, uint32_t); 592 void smb_fssd_term(smb_fssd_t *); 593 594 void smb_acl_sort(smb_acl_t *); 595 void smb_acl_free(smb_acl_t *); 596 smb_acl_t *smb_acl_alloc(uint8_t, uint16_t, uint16_t); 597 smb_acl_t *smb_acl_from_zfs(acl_t *); 598 uint32_t smb_acl_to_zfs(smb_acl_t *, uint32_t, int, acl_t **); 599 uint16_t smb_acl_len(smb_acl_t *); 600 boolean_t smb_acl_isvalid(smb_acl_t *, int); 601 602 void smb_fsacl_free(acl_t *); 603 acl_t *smb_fsacl_alloc(int, int); 604 605 #ifdef __cplusplus 606 } 607 #endif 608 609 #endif /* _SMBSRV_NTIFS_H */ 610