1 /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 /* 3 * All NTFS associated on-disk structures. 4 * 5 * Copyright (c) 2001-2005 Anton Altaparmakov 6 * Copyright (c) 2002 Richard Russon 7 */ 8 9 #ifndef _LINUX_NTFS_LAYOUT_H 10 #define _LINUX_NTFS_LAYOUT_H 11 12 #include <linux/types.h> 13 #include <linux/bitops.h> 14 #include <linux/list.h> 15 #include <asm/byteorder.h> 16 17 /* The NTFS oem_id "NTFS " */ 18 #define magicNTFS cpu_to_le64(0x202020205346544eULL) 19 20 /* 21 * Location of bootsector on partition: 22 * The standard NTFS_BOOT_SECTOR is on sector 0 of the partition. 23 * On NT4 and above there is one backup copy of the boot sector to 24 * be found on the last sector of the partition (not normally accessible 25 * from within Windows as the bootsector contained number of sectors 26 * value is one less than the actual value!). 27 * On versions of NT 3.51 and earlier, the backup copy was located at 28 * number of sectors/2 (integer divide), i.e. in the middle of the volume. 29 */ 30 31 /* 32 * BIOS parameter block (bpb) structure. 33 * 34 * @bytes_per_sector: Size of a sector in bytes (usually 512). 35 * Matches the logical sector size of the underlying device. 36 * @sectors_per_cluster: Size of a cluster in sectors (NTFS cluster size / sector size). 37 * @reserved_sectors: Number of reserved sectors at the beginning of the volume. 38 * Always set to 0 in NTFS. 39 * @fats: Number of FAT tables. 40 * Always 0 in NTFS (no FAT tables exist). 41 * @root_entries: Number of entries in the root directory. 42 * Always 0 in NTFS. 43 * @sectors: Total number of sectors on the volume. 44 * Always 0 in NTFS (use @large_sectors instead). 45 * @media_type: Media descriptor byte. 46 * 0xF8 for hard disk (fixed media) in NTFS. 47 * @sectors_per_fat: Number of sectors per FAT table. 48 * Always 0 in NTFS. 49 * @sectors_per_track: Number of sectors per track. 50 * Irrelevant for NTFS. 51 * @heads: Number of heads (CHS geometry). 52 * Irrelevant for NTFS. 53 * @hidden_sectors: Number of hidden sectors before the start of the partition. 54 * Always 0 in NTFS boot sector. 55 * @large_sectors: Total number of sectors on the volume. 56 */ 57 struct bios_parameter_block { 58 __le16 bytes_per_sector; 59 u8 sectors_per_cluster; 60 __le16 reserved_sectors; 61 u8 fats; 62 __le16 root_entries; 63 __le16 sectors; 64 u8 media_type; 65 __le16 sectors_per_fat; 66 __le16 sectors_per_track; 67 __le16 heads; 68 __le32 hidden_sectors; 69 __le32 large_sectors; 70 } __packed; 71 72 /* 73 * NTFS boot sector structure. 74 * 75 * @jump: 3-byte jump instruction to boot code (irrelevant for NTFS). 76 * Typically 0xEB 0x52 0x90 or similar. 77 * @oem_id: OEM identifier string (8 bytes). 78 * Always "NTFS " (with trailing spaces) in NTFS volumes. 79 * @bpb: Legacy BIOS Parameter Block (see struct bios_parameter_block). 80 * Mostly zeroed or set to fixed values for NTFS compatibility. 81 * @unused: 4 bytes, reserved/unused. 82 * NTFS disk editors show it as: 83 * - physical_drive (0x80 for fixed disk) 84 * - current_head (0) 85 * - extended_boot_signature (0x80 or 0x28) 86 * - unused (0) 87 * Always zero in practice for NTFS. 88 * @number_of_sectors: Number of sectors in volume. Gives maximum volume 89 * size of 2^63 sectors. Assuming standard sector 90 * size of 512 bytes, the maximum byte size is 91 * approx. 4.7x10^21 bytes. (-; 92 * @mft_lcn: Logical cluster number (LCN) of the $MFT data attribute. 93 * Location of the Master File Table. 94 * @mftmirr_lcn: LCN of the $MFTMirr (first 3-4 MFT records copy). 95 * Mirror for boot-time recovery. 96 * @clusters_per_mft_record: 97 * Size of each MFT record in clusters. 98 * @reserved0: 3 bytes, reserved/zero. 99 * @clusters_per_index_record: 100 * Size of each index block/record in clusters. 101 * @reserved1: 3 bytes, reserved/zero. 102 * @volume_serial_number: 103 * 64-bit volume serial number. 104 * Used for identification (irrelevant for NTFS operation). 105 * @checksum: 32-bit checksum of the boot sector (excluding this field). 106 * Used to detect boot sector corruption. 107 * @bootstrap: 426 bytes of bootstrap code. 108 * Irrelevant for NTFS (contains x86 boot loader stub). 109 * @end_of_sector_marker: 110 * 2-byte end-of-sector signature. 111 * Always 0xAA55 (little-endian magic number). 112 */ 113 struct ntfs_boot_sector { 114 u8 jump[3]; 115 __le64 oem_id; 116 struct bios_parameter_block bpb; 117 u8 unused[4]; 118 __le64 number_of_sectors; 119 __le64 mft_lcn; 120 __le64 mftmirr_lcn; 121 s8 clusters_per_mft_record; 122 u8 reserved0[3]; 123 s8 clusters_per_index_record; 124 u8 reserved1[3]; 125 __le64 volume_serial_number; 126 __le32 checksum; 127 u8 bootstrap[426]; 128 __le16 end_of_sector_marker; 129 } __packed; 130 131 static_assert(sizeof(struct ntfs_boot_sector) == 512); 132 133 /* 134 * Magic identifiers present at the beginning of all ntfs record containing 135 * records (like mft records for example). 136 * 137 * magic_FILE: MFT entry header ("FILE" in ASCII). 138 * Used in $MFT/$DATA for all master file table records. 139 * magic_INDX: Index buffer header ("INDX" in ASCII). 140 * Used in $INDEX_ALLOCATION attributes (directories, $I30 indexes). 141 * magic_HOLE: Hole marker ("HOLE" in ASCII). 142 * Introduced in NTFS 3.0+, used for sparse/hole regions in some contexts. 143 * magic_RSTR: Restart page header ("RSTR" in ASCII). 144 * Used in LogFile for restart pages (transaction log recovery). 145 * magic_RCRD: Log record page header ("RCRD" in ASCII). 146 * Used in LogFile for individual log record pages. 147 * magic_CHKD: Chkdsk modified marker ("CHKD" in ASCII). 148 * Set by chkdsk when it modifies a record; indicates repair was done. 149 * magic_BAAD: Bad record marker ("BAAD" in ASCII). 150 * Indicates a multi-sector transfer failure was detected. 151 * The record is corrupted/unusable; often set during I/O errors. 152 * magic_empty: Empty/uninitialized page marker (0xffffffff). 153 * Used in LogFile when a page is filled with 0xff bytes 154 * and has not yet been initialized. Must be formatted before use. 155 */ 156 enum { 157 magic_FILE = cpu_to_le32(0x454c4946), 158 magic_INDX = cpu_to_le32(0x58444e49), 159 magic_HOLE = cpu_to_le32(0x454c4f48), 160 magic_RSTR = cpu_to_le32(0x52545352), 161 magic_RCRD = cpu_to_le32(0x44524352), 162 magic_CHKD = cpu_to_le32(0x444b4843), 163 magic_BAAD = cpu_to_le32(0x44414142), 164 magic_empty = cpu_to_le32(0xffffffff) 165 }; 166 167 /* 168 * Generic magic comparison macros. Finally found a use for the ## preprocessor 169 * operator! (-8 170 */ 171 172 static inline bool __ntfs_is_magic(__le32 x, __le32 r) 173 { 174 return (x == r); 175 } 176 #define ntfs_is_magic(x, m) __ntfs_is_magic(x, magic_##m) 177 178 static inline bool __ntfs_is_magicp(__le32 *p, __le32 r) 179 { 180 return (*p == r); 181 } 182 #define ntfs_is_magicp(p, m) __ntfs_is_magicp(p, magic_##m) 183 184 /* 185 * Specialised magic comparison macros for the NTFS_RECORD_TYPEs defined above. 186 */ 187 #define ntfs_is_file_record(x) (ntfs_is_magic(x, FILE)) 188 #define ntfs_is_file_recordp(p) (ntfs_is_magicp(p, FILE)) 189 #define ntfs_is_mft_record(x) (ntfs_is_file_record(x)) 190 #define ntfs_is_mft_recordp(p) (ntfs_is_file_recordp(p)) 191 #define ntfs_is_indx_record(x) (ntfs_is_magic(x, INDX)) 192 #define ntfs_is_indx_recordp(p) (ntfs_is_magicp(p, INDX)) 193 #define ntfs_is_hole_record(x) (ntfs_is_magic(x, HOLE)) 194 #define ntfs_is_hole_recordp(p) (ntfs_is_magicp(p, HOLE)) 195 196 #define ntfs_is_rstr_record(x) (ntfs_is_magic(x, RSTR)) 197 #define ntfs_is_rstr_recordp(p) (ntfs_is_magicp(p, RSTR)) 198 #define ntfs_is_rcrd_record(x) (ntfs_is_magic(x, RCRD)) 199 #define ntfs_is_rcrd_recordp(p) (ntfs_is_magicp(p, RCRD)) 200 201 #define ntfs_is_chkd_record(x) (ntfs_is_magic(x, CHKD)) 202 #define ntfs_is_chkd_recordp(p) (ntfs_is_magicp(p, CHKD)) 203 204 #define ntfs_is_baad_record(x) (ntfs_is_magic(x, BAAD)) 205 #define ntfs_is_baad_recordp(p) (ntfs_is_magicp(p, BAAD)) 206 207 #define ntfs_is_empty_record(x) (ntfs_is_magic(x, empty)) 208 #define ntfs_is_empty_recordp(p) (ntfs_is_magicp(p, empty)) 209 210 /* 211 * struct ntfs_record - Common header for all multi-sector protected NTFS records 212 * 213 * @magic: 4-byte magic identifier for the record type and/or status. 214 * Common values are defined in the magic_* enum (FILE, INDX, RSTR, 215 * RCRD, CHKD, BAAD, HOLE, empty). 216 * - "FILE" = MFT record 217 * - "INDX" = Index allocation block 218 * - "BAAD" = Record corrupted (multi-sector fixup failed) 219 * - 0xffffffff = Uninitialized/empty page 220 * @usa_ofs: Offset (in bytes) from the start of this record to the Update 221 * Sequence Array (USA). 222 * The USA is located at record + usa_ofs. 223 * @usa_count: Number of 16-bit entries in the USA array (including the Update 224 * Sequence Number itself). 225 * - Number of fixup locations = usa_count - 1 226 * - Each fixup location is a 16-bit value in the record that needs 227 * protection against torn writes. 228 * 229 * The Update Sequence Array (usa) is an array of the __le16 values which belong 230 * to the end of each sector protected by the update sequence record in which 231 * this array is contained. Note that the first entry is the Update Sequence 232 * Number (usn), a cyclic counter of how many times the protected record has 233 * been written to disk. The values 0 and -1 (ie. 0xffff) are not used. All 234 * last le16's of each sector have to be equal to the usn (during reading) or 235 * are set to it (during writing). If they are not, an incomplete multi sector 236 * transfer has occurred when the data was written. 237 * The maximum size for the update sequence array is fixed to: 238 * maximum size = usa_ofs + (usa_count * 2) = 510 bytes 239 * The 510 bytes comes from the fact that the last __le16 in the array has to 240 * (obviously) finish before the last __le16 of the first 512-byte sector. 241 * This formula can be used as a consistency check in that usa_ofs + 242 * (usa_count * 2) has to be less than or equal to 510. 243 */ 244 struct ntfs_record { 245 __le32 magic; 246 __le16 usa_ofs; 247 __le16 usa_count; 248 } __packed; 249 250 /* 251 * System files mft record numbers. All these files are always marked as used 252 * in the bitmap attribute of the mft; presumably in order to avoid accidental 253 * allocation for random other mft records. Also, the sequence number for each 254 * of the system files is always equal to their mft record number and it is 255 * never modified. 256 * 257 * FILE_MFT: Master File Table (MFT) itself. 258 * Data attribute contains all MFT entries; 259 * Bitmap attribute tracks which records are in use (bit==1). 260 * FILE_MFTMirr: MFT mirror: copy of the first four (or more) MFT records 261 * in its data attribute. 262 * If cluster size > 4 KiB, copies first N records where 263 * N = cluster_size / mft_record_size. 264 * FILE_LogFile: Journaling log (LogFile) in data attribute. 265 * Used for transaction logging and recovery. 266 * FILE_Volume: Volume information and name. 267 * Contains $VolumeName (label) and $VolumeInformation 268 * (flags, NTFS version). Windows calls this the volume DASD. 269 * FILE_AttrDef: Attribute definitions array in data attribute. 270 * Defines all possible attribute types and their properties. 271 * FILE_root: Root directory ($Root). 272 * The top-level directory of the filesystem. 273 * FILE_Bitmap: Cluster allocation bitmap ($Bitmap) in data attribute. 274 * Tracks free/used clusters (LCNs) on the volume. 275 * FILE_Boot: Boot sector ($Boot) in data attribute. 276 * Always located at cluster 0; contains BPB and NTFS parameters. 277 * FILE_BadClus: Bad cluster list ($BadClus) in non-resident data attribute. 278 * Marks all known bad clusters. 279 * FILE_Secure: Security descriptors ($Secure). 280 * Contains shared $SDS (security descriptors) and two indexes 281 * ($SDH, $SII). Introduced in Windows 2000. 282 * Before that, it was called $Quota but was unused. 283 * FILE_UpCase: Uppercase table ($UpCase) in data attribute. 284 * Maps all 65536 Unicode characters to their uppercase forms. 285 * FILE_Extend: System directory ($Extend). 286 * Contains additional system files ($ObjId, $Quota, $Reparse, 287 * $UsnJrnl, etc.). Introduced in NTFS 3.0 (Windows 2000). 288 * FILE_reserved12: Reserved for future use (MFT records 12–15). 289 * FILE_reserved13: Reserved. 290 * FILE_reserved14: Reserved. 291 * FILE_reserved15: Reserved. 292 * FILE_first_user: First possible user-created file MFT record number. 293 * Used as a boundary to distinguish system files from user files. 294 */ 295 enum { 296 FILE_MFT = 0, 297 FILE_MFTMirr = 1, 298 FILE_LogFile = 2, 299 FILE_Volume = 3, 300 FILE_AttrDef = 4, 301 FILE_root = 5, 302 FILE_Bitmap = 6, 303 FILE_Boot = 7, 304 FILE_BadClus = 8, 305 FILE_Secure = 9, 306 FILE_UpCase = 10, 307 FILE_Extend = 11, 308 FILE_reserved12 = 12, 309 FILE_reserved13 = 13, 310 FILE_reserved14 = 14, 311 FILE_reserved15 = 15, 312 FILE_first_user = 16, 313 }; 314 315 /* 316 * enum - Flags for MFT record header 317 * 318 * These are the so far known MFT_RECORD_* flags (16-bit) which contain 319 * information about the mft record in which they are present. 320 * 321 * MFT_RECORD_IN_USE: This MFT record is allocated and in use. 322 * (bit set = record is valid/used; clear = free) 323 * MFT_RECORD_IS_DIRECTORY: This MFT record represents a directory. 324 * (Used to quickly distinguish files from directories) 325 * MFT_RECORD_IS_4: Indicates the record is a special "record 4" type. 326 * (Rarely used; related to NTFS internal special cases, 327 * often for $AttrDef or early system files) 328 * MFT_RECORD_IS_VIEW_INDEX: This MFT record is used as a view index. 329 * (Specific to NTFS indexed views or object ID indexes) 330 * MFT_REC_SPACE_FILLER: Dummy value to force the enum to be 16-bit wide. 331 * (Not a real flag; just a sentinel to ensure the type 332 * is __le16 and no higher bits are accidentally used) 333 */ 334 enum { 335 MFT_RECORD_IN_USE = cpu_to_le16(0x0001), 336 MFT_RECORD_IS_DIRECTORY = cpu_to_le16(0x0002), 337 MFT_RECORD_IS_4 = cpu_to_le16(0x0004), 338 MFT_RECORD_IS_VIEW_INDEX = cpu_to_le16(0x0008), 339 MFT_REC_SPACE_FILLER = cpu_to_le16(0xffff), /*Just to make flags 16-bit.*/ 340 } __packed; 341 342 /* 343 * mft references (aka file references or file record segment references) are 344 * used whenever a structure needs to refer to a record in the mft. 345 * 346 * A reference consists of a 48-bit index into the mft and a 16-bit sequence 347 * number used to detect stale references. 348 * 349 * For error reporting purposes we treat the 48-bit index as a signed quantity. 350 * 351 * The sequence number is a circular counter (skipping 0) describing how many 352 * times the referenced mft record has been (re)used. This has to match the 353 * sequence number of the mft record being referenced, otherwise the reference 354 * is considered stale and removed. 355 * 356 * If the sequence number is zero it is assumed that no sequence number 357 * consistency checking should be performed. 358 */ 359 360 /* 361 * Define two unpacking macros to get to the reference (MREF) and 362 * sequence number (MSEQNO) respectively. 363 * The _LE versions are to be applied on little endian MFT_REFs. 364 * Note: The _LE versions will return a CPU endian formatted value! 365 */ 366 #define MFT_REF_MASK_CPU 0x0000ffffffffffffULL 367 #define MFT_REF_MASK_LE cpu_to_le64(MFT_REF_MASK_CPU) 368 369 #define MK_MREF(m, s) ((u64)(((u64)(s) << 48) | \ 370 ((u64)(m) & MFT_REF_MASK_CPU))) 371 #define MK_LE_MREF(m, s) cpu_to_le64(MK_MREF(m, s)) 372 373 #define MREF(x) ((unsigned long)((x) & MFT_REF_MASK_CPU)) 374 #define MSEQNO(x) ((u16)(((x) >> 48) & 0xffff)) 375 #define MREF_LE(x) ((unsigned long)(le64_to_cpu(x) & MFT_REF_MASK_CPU)) 376 #define MREF_INO(x) ((unsigned long)MREF_LE(x)) 377 #define MSEQNO_LE(x) ((u16)((le64_to_cpu(x) >> 48) & 0xffff)) 378 379 #define IS_ERR_MREF(x) (((x) & 0x0000800000000000ULL) ? true : false) 380 #define ERR_MREF(x) ((u64)((s64)(x))) 381 #define MREF_ERR(x) ((int)((s64)(x))) 382 383 /* 384 * struct mft_record - NTFS Master File Table (MFT) record header 385 * 386 * The mft record header present at the beginning of every record in the mft. 387 * This is followed by a sequence of variable length attribute records which 388 * is terminated by an attribute of type AT_END which is a truncated attribute 389 * in that it only consists of the attribute type code AT_END and none of the 390 * other members of the attribute structure are present. 391 * 392 * magic: Record magic ("FILE" for valid MFT entries). 393 * See ntfs_record magic enum for other values. 394 * usa_ofs: Offset to Update Sequence Array (see ntfs_record). 395 * usa_count: Number of entries in USA (see ntfs_record). 396 * lsn: Log sequence number (LSN) from LogFile. 397 * Incremented on every modification to this record. 398 * sequence_number: Reuse count of this MFT record slot. 399 * Incremented (skipping zero) when the file is deleted. 400 * Zero means never reused or special case. 401 * Part of MFT reference (together with record number). 402 * link_count: Number of hard links (directory entries) to this file. 403 * Only meaningful in base MFT records. 404 * When deleting a directory entry: 405 * - If link_count == 1, delete the whole file 406 * - Else remove only the $FILE_NAME attribute and decrement 407 * attrs_offset: Byte offset from start of MFT record to first attribute. 408 * Must be 8-byte aligned. 409 * flags: Bit array of MFT_RECORD_* flags (see MFT_RECORD_IN_USE enum). 410 * MFT_RECORD_IN_USE cleared when record is freed/deleted. 411 * bytes_in_use: Number of bytes actually used in this MFT record. 412 * Must be 8-byte aligned. 413 * Includes header + all attributes + padding. 414 * bytes_allocated: Total allocated size of this MFT record. 415 * Usually equal to MFT record size (1024 bytes or cluster size). 416 * base_mft_record: MFT reference to the base record. 417 * 0 for base records. 418 * Non-zero for extension records → points to base record 419 * containing the $ATTRIBUTE_LIST that describes this extension. 420 * next_attr_instance: Next attribute instance number to assign. 421 * Incremented after each use. 422 * Reset to 0 when MFT record is reused. 423 * First instance is always 0. 424 * reserved: Reserved for alignment (NTFS 3.1+). 425 * mft_record_number: This MFT record's number (index in $MFT). 426 * Only present in NTFS 3.1+ (Windows XP and above). 427 */ 428 struct mft_record { 429 __le32 magic; 430 __le16 usa_ofs; 431 __le16 usa_count; 432 433 __le64 lsn; 434 __le16 sequence_number; 435 __le16 link_count; 436 __le16 attrs_offset; 437 __le16 flags; 438 __le32 bytes_in_use; 439 __le32 bytes_allocated; 440 __le64 base_mft_record; 441 __le16 next_attr_instance; 442 __le16 reserved; 443 __le32 mft_record_number; 444 } __packed; 445 446 static_assert(sizeof(struct mft_record) == 48); 447 448 /**x 449 * struct mft_record_old - Old NTFS MFT record header (pre-NTFS 3.1 / Windows XP) 450 * 451 * This is the older version of the MFT record header used in NTFS versions 452 * prior to 3.1 (Windows XP and later). It lacks the additional fields 453 * @reserved and @mft_record_number that were added in NTFS 3.1+. 454 * 455 * @magic: Record magic ("FILE" for valid MFT entries). 456 * See ntfs_record magic enum for other values. 457 * @usa_ofs: Offset to Update Sequence Array (see ntfs_record). 458 * @usa_count: Number of entries in USA (see ntfs_record). 459 * @lsn: Log sequence number (LSN) from LogFile. 460 * Incremented on every modification to this record. 461 * @sequence_number: Reuse count of this MFT record slot. 462 * Incremented (skipping zero) when the file is deleted. 463 * Zero means never reused or special case. 464 * Part of MFT reference (together with record number). 465 * @link_count: Number of hard links (directory entries) to this file. 466 * Only meaningful in base MFT records. 467 * When deleting a directory entry: 468 * - If link_count == 1, delete the whole file 469 * - Else remove only the $FILE_NAME attribute and decrement 470 * @attrs_offset: Byte offset from start of MFT record to first attribute. 471 * Must be 8-byte aligned. 472 * @flags: Bit array of MFT_RECORD_* flags (see MFT_RECORD_IN_USE enum). 473 * MFT_RECORD_IN_USE cleared when record is freed/deleted. 474 * @bytes_in_use: Number of bytes actually used in this MFT record. 475 * Must be 8-byte aligned. 476 * Includes header + all attributes + padding. 477 * @bytes_allocated: Total allocated size of this MFT record. 478 * Usually equal to MFT record size (1024 bytes or cluster size). 479 * @base_mft_record: MFT reference to the base record. 480 * 0 for base records. 481 * Non-zero for extension records → points to base record 482 * containing the $ATTRIBUTE_LIST that describes this extension. 483 * @next_attr_instance: Next attribute instance number to assign. 484 * Incremented after each use. 485 * Reset to 0 when MFT record is reused. 486 * First instance is always 0. 487 */ 488 struct mft_record_old { 489 __le32 magic; 490 __le16 usa_ofs; 491 __le16 usa_count; 492 493 __le64 lsn; 494 __le16 sequence_number; 495 __le16 link_count; 496 __le16 attrs_offset; 497 __le16 flags; 498 __le32 bytes_in_use; 499 __le32 bytes_allocated; 500 __le64 base_mft_record; 501 __le16 next_attr_instance; 502 } __packed; 503 504 static_assert(sizeof(struct mft_record_old) == 42); 505 506 /* 507 * System defined attributes (32-bit). Each attribute type has a corresponding 508 * attribute name (Unicode string of maximum 64 character length) as described 509 * by the attribute definitions present in the data attribute of the $AttrDef 510 * system file. On NTFS 3.0 volumes the names are just as the types are named 511 * in the below defines exchanging AT_ for the dollar sign ($). If that is not 512 * a revealing choice of symbol I do not know what is... (-; 513 */ 514 enum { 515 AT_UNUSED = cpu_to_le32(0), 516 AT_STANDARD_INFORMATION = cpu_to_le32(0x10), 517 AT_ATTRIBUTE_LIST = cpu_to_le32(0x20), 518 AT_FILE_NAME = cpu_to_le32(0x30), 519 AT_OBJECT_ID = cpu_to_le32(0x40), 520 AT_SECURITY_DESCRIPTOR = cpu_to_le32(0x50), 521 AT_VOLUME_NAME = cpu_to_le32(0x60), 522 AT_VOLUME_INFORMATION = cpu_to_le32(0x70), 523 AT_DATA = cpu_to_le32(0x80), 524 AT_INDEX_ROOT = cpu_to_le32(0x90), 525 AT_INDEX_ALLOCATION = cpu_to_le32(0xa0), 526 AT_BITMAP = cpu_to_le32(0xb0), 527 AT_REPARSE_POINT = cpu_to_le32(0xc0), 528 AT_EA_INFORMATION = cpu_to_le32(0xd0), 529 AT_EA = cpu_to_le32(0xe0), 530 AT_PROPERTY_SET = cpu_to_le32(0xf0), 531 AT_LOGGED_UTILITY_STREAM = cpu_to_le32(0x100), 532 AT_FIRST_USER_DEFINED_ATTRIBUTE = cpu_to_le32(0x1000), 533 AT_END = cpu_to_le32(0xffffffff) 534 }; 535 536 /* 537 * The collation rules for sorting views/indexes/etc (32-bit). 538 * 539 * COLLATION_BINARY - Collate by binary compare where the first byte is most 540 * significant. 541 * COLLATION_UNICODE_STRING - Collate Unicode strings by comparing their binary 542 * Unicode values, except that when a character can be uppercased, the 543 * upper case value collates before the lower case one. 544 * COLLATION_FILE_NAME - Collate file names as Unicode strings. The collation 545 * is done very much like COLLATION_UNICODE_STRING. In fact I have no idea 546 * what the difference is. Perhaps the difference is that file names 547 * would treat some special characters in an odd way (see 548 * unistr.c::ntfs_collate_names() and unistr.c::legal_ansi_char_array[] 549 * for what I mean but COLLATION_UNICODE_STRING would not give any special 550 * treatment to any characters at all, but this is speculation. 551 * COLLATION_NTOFS_ULONG - Sorting is done according to ascending __le32 key 552 * values. E.g. used for $SII index in FILE_Secure, which sorts by 553 * security_id (le32). 554 * COLLATION_NTOFS_SID - Sorting is done according to ascending SID values. 555 * E.g. used for $O index in FILE_Extend/$Quota. 556 * COLLATION_NTOFS_SECURITY_HASH - Sorting is done first by ascending hash 557 * values and second by ascending security_id values. E.g. used for $SDH 558 * index in FILE_Secure. 559 * COLLATION_NTOFS_ULONGS - Sorting is done according to a sequence of ascending 560 * __le32 key values. E.g. used for $O index in FILE_Extend/$ObjId, which 561 * sorts by object_id (16-byte), by splitting up the object_id in four 562 * __le32 values and using them as individual keys. E.g. take the following 563 * two security_ids, stored as follows on disk: 564 * 1st: a1 61 65 b7 65 7b d4 11 9e 3d 00 e0 81 10 42 59 565 * 2nd: 38 14 37 d2 d2 f3 d4 11 a5 21 c8 6b 79 b1 97 45 566 * To compare them, they are split into four __le32 values each, like so: 567 * 1st: 0xb76561a1 0x11d47b65 0xe0003d9e 0x59421081 568 * 2nd: 0xd2371438 0x11d4f3d2 0x6bc821a5 0x4597b179 569 * Now, it is apparent why the 2nd object_id collates after the 1st: the 570 * first __le32 value of the 1st object_id is less than the first __le32 of 571 * the 2nd object_id. If the first __le32 values of both object_ids were 572 * equal then the second __le32 values would be compared, etc. 573 */ 574 enum { 575 COLLATION_BINARY = cpu_to_le32(0x00), 576 COLLATION_FILE_NAME = cpu_to_le32(0x01), 577 COLLATION_UNICODE_STRING = cpu_to_le32(0x02), 578 COLLATION_NTOFS_ULONG = cpu_to_le32(0x10), 579 COLLATION_NTOFS_SID = cpu_to_le32(0x11), 580 COLLATION_NTOFS_SECURITY_HASH = cpu_to_le32(0x12), 581 COLLATION_NTOFS_ULONGS = cpu_to_le32(0x13), 582 }; 583 584 /* 585 * enum - Attribute definition flags 586 * 587 * The flags (32-bit) describing attribute properties in the attribute 588 * definition structure. 589 * The INDEXABLE flag is fairly certainly correct as only the file 590 * name attribute has this flag set and this is the only attribute indexed in 591 * NT4. 592 * 593 * ATTR_DEF_INDEXABLE: Attribute can be indexed. 594 * (Used for creating indexes like $I30, $SDH, etc.) 595 * ATTR_DEF_MULTIPLE: Attribute type can be present multiple times 596 * in the MFT record of an inode. 597 * (e.g., multiple $FILE_NAME, $DATA streams) 598 * ATTR_DEF_NOT_ZERO: Attribute value must contain at least one non-zero byte. 599 * (Prevents empty or all-zero values) 600 * ATTR_DEF_INDEXED_UNIQUE: Attribute must be indexed and the value must be unique 601 * for this attribute type across all MFT records of an inode. 602 * (e.g., security descriptor IDs in $Secure) 603 * ATTR_DEF_NAMED_UNIQUE: Attribute must be named and the name must be unique 604 * for this attribute type across all MFT records of an inode. 605 * (e.g., named $DATA streams or alternate data streams) 606 * ATTR_DEF_RESIDENT: Attribute must be resident (stored in MFT record). 607 * (Cannot be non-resident/sparse/compressed) 608 * ATTR_DEF_ALWAYS_LOG: Always log modifications to this attribute in LogFile, 609 * regardless of whether it is resident or non-resident. 610 * Without this flag, modifications are logged only if resident. 611 * (Used for critical metadata attributes) 612 */ 613 enum { 614 ATTR_DEF_INDEXABLE = cpu_to_le32(0x02), 615 ATTR_DEF_MULTIPLE = cpu_to_le32(0x04), 616 ATTR_DEF_NOT_ZERO = cpu_to_le32(0x08), 617 ATTR_DEF_INDEXED_UNIQUE = cpu_to_le32(0x10), 618 ATTR_DEF_NAMED_UNIQUE = cpu_to_le32(0x20), 619 ATTR_DEF_RESIDENT = cpu_to_le32(0x40), 620 ATTR_DEF_ALWAYS_LOG = cpu_to_le32(0x80), 621 }; 622 623 /* 624 * struct attr_def - Attribute definition entry ($AttrDef array) 625 * 626 * The data attribute of FILE_AttrDef contains a sequence of attribute 627 * definitions for the NTFS volume. With this, it is supposed to be safe for an 628 * older NTFS driver to mount a volume containing a newer NTFS version without 629 * damaging it (that's the theory. In practice it's: not damaging it too much). 630 * Entries are sorted by attribute type. The flags describe whether the 631 * attribute can be resident/non-resident and possibly other things, but the 632 * actual bits are unknown. 633 * 634 * @name: Unicode (UTF-16LE) name of the attribute (e.g. "$DATA", "$FILE_NAME"). 635 * Zero-terminated string, maximum 0x40 characters (128 bytes). 636 * Used for human-readable display and debugging. 637 * @type: Attribute type code (ATTR_TYPE_* constants). 638 * Defines which attribute this entry describes. 639 * @display_rule: Default display rule (usually 0; rarely used in modern NTFS). 640 * Controls how the attribute is displayed in tools (legacy). 641 * @collation_rule: Default collation rule for indexing this attribute. 642 * Determines sort order when indexed (e.g. CASE_SENSITIVE, UNICODE). 643 * Used in $I30, $SDH, $SII, etc. 644 * @flags: Bit array of attribute constraints (ATTR_DEF_* flags). 645 * See ATTR_DEF_INDEXABLE, ATTR_DEF_MULTIPLE, etc. 646 * Defines whether the attribute can be indexed, multiple, resident-only, etc. 647 * @min_size: Optional minimum size of the attribute value (in bytes). 648 * 0 means no minimum enforced. 649 * @max_size: Maximum allowed size of the attribute value (in bytes). 650 */ 651 struct attr_def { 652 __le16 name[0x40]; 653 __le32 type; 654 __le32 display_rule; 655 __le32 collation_rule; 656 __le32 flags; 657 __le64 min_size; 658 __le64 max_size; 659 } __packed; 660 661 static_assert(sizeof(struct attr_def) == 160); 662 663 /* 664 * enum - Attribute flags (16-bit) for non-resident attributes 665 * 666 * ATTR_IS_COMPRESSED: Attribute is compressed. 667 * If set, data is compressed using the method in 668 * ATTR_COMPRESSION_MASK. 669 * ATTR_COMPRESSION_MASK: Mask for compression method. 670 * Valid values are defined in NTFS compression types 671 * (e.g., 0x02 = LZNT1, etc.). 672 * Also serves as the first illegal value for method. 673 * ATTR_IS_ENCRYPTED: Attribute is encrypted. 674 * Data is encrypted using EFS (Encrypting File System). 675 * ATTR_IS_SPARSE: Attribute is sparse. 676 * Contains holes (unallocated regions) that read as zeros. 677 */ 678 enum { 679 ATTR_IS_COMPRESSED = cpu_to_le16(0x0001), 680 ATTR_COMPRESSION_MASK = cpu_to_le16(0x00ff), 681 ATTR_IS_ENCRYPTED = cpu_to_le16(0x4000), 682 ATTR_IS_SPARSE = cpu_to_le16(0x8000), 683 } __packed; 684 685 /* 686 * Attribute compression. 687 * 688 * Only the data attribute is ever compressed in the current ntfs driver in 689 * Windows. Further, compression is only applied when the data attribute is 690 * non-resident. Finally, to use compression, the maximum allowed cluster size 691 * on a volume is 4kib. 692 * 693 * The compression method is based on independently compressing blocks of X 694 * clusters, where X is determined from the compression_unit value found in the 695 * non-resident attribute record header (more precisely: X = 2^compression_unit 696 * clusters). On Windows NT/2k, X always is 16 clusters (compression_unit = 4). 697 * 698 * There are three different cases of how a compression block of X clusters 699 * can be stored: 700 * 701 * 1) The data in the block is all zero (a sparse block): 702 * This is stored as a sparse block in the runlist, i.e. the runlist 703 * entry has length = X and lcn = -1. The mapping pairs array actually 704 * uses a delta_lcn value length of 0, i.e. delta_lcn is not present at 705 * all, which is then interpreted by the driver as lcn = -1. 706 * NOTE: Even uncompressed files can be sparse on NTFS 3.0 volumes, then 707 * the same principles apply as above, except that the length is not 708 * restricted to being any particular value. 709 * 710 * 2) The data in the block is not compressed: 711 * This happens when compression doesn't reduce the size of the block 712 * in clusters. I.e. if compression has a small effect so that the 713 * compressed data still occupies X clusters, then the uncompressed data 714 * is stored in the block. 715 * This case is recognised by the fact that the runlist entry has 716 * length = X and lcn >= 0. The mapping pairs array stores this as 717 * normal with a run length of X and some specific delta_lcn, i.e. 718 * delta_lcn has to be present. 719 * 720 * 3) The data in the block is compressed: 721 * The common case. This case is recognised by the fact that the run 722 * list entry has length L < X and lcn >= 0. The mapping pairs array 723 * stores this as normal with a run length of X and some specific 724 * delta_lcn, i.e. delta_lcn has to be present. This runlist entry is 725 * immediately followed by a sparse entry with length = X - L and 726 * lcn = -1. The latter entry is to make up the vcn counting to the 727 * full compression block size X. 728 * 729 * In fact, life is more complicated because adjacent entries of the same type 730 * can be coalesced. This means that one has to keep track of the number of 731 * clusters handled and work on a basis of X clusters at a time being one 732 * block. An example: if length L > X this means that this particular runlist 733 * entry contains a block of length X and part of one or more blocks of length 734 * L - X. Another example: if length L < X, this does not necessarily mean that 735 * the block is compressed as it might be that the lcn changes inside the block 736 * and hence the following runlist entry describes the continuation of the 737 * potentially compressed block. The block would be compressed if the 738 * following runlist entry describes at least X - L sparse clusters, thus 739 * making up the compression block length as described in point 3 above. (Of 740 * course, there can be several runlist entries with small lengths so that the 741 * sparse entry does not follow the first data containing entry with 742 * length < X.) 743 * 744 * NOTE: At the end of the compressed attribute value, there most likely is not 745 * just the right amount of data to make up a compression block, thus this data 746 * is not even attempted to be compressed. It is just stored as is, unless 747 * the number of clusters it occupies is reduced when compressed in which case 748 * it is stored as a compressed compression block, complete with sparse 749 * clusters at the end. 750 */ 751 752 /* 753 * enum - Flags for resident attributes (8-bit) 754 * 755 * RESIDENT_ATTR_IS_INDEXED: Attribute is referenced in an index. 756 * (e.g., part of an index key or entry) 757 * Has implications for deletion and modification: 758 * - Cannot be freely removed if indexed 759 * - Index must be updated when value changes 760 * - Used for attributes like $FILE_NAME in directories 761 */ 762 enum { 763 RESIDENT_ATTR_IS_INDEXED = 0x01, 764 } __packed; 765 766 /* 767 * struct attr_record - NTFS attribute record header 768 * 769 * Common header for both resident and non-resident attributes. 770 * Always aligned to an 8-byte boundary on disk. 771 * Located at attrs_offset in the MFT record (see struct mft_record). 772 * 773 * @type: 32-bit attribute type (ATTR_TYPE_* constants). 774 * Identifies the attribute 775 * (e.g. 0x10 = $STANDARD_INFORMATION). 776 * @length: Total byte size of this attribute record (resident). 777 * 8-byte aligned; used to locate the next attribute. 778 * @non_resident: 0 = resident attribute 779 * 1 = non-resident attribute 780 * @name_length: Number of Unicode characters in the attribute name. 781 * 0 if unnamed (most system attributes are unnamed). 782 * @name_offset: Byte offset from start of attribute record to the name. 783 * 8-byte aligned; when creating, place at end of header. 784 * @flags: Attribute flags (see ATTR_IS_COMPRESSED, 785 * ATTR_IS_ENCRYPTED, etc.). 786 * For resident: see RESIDENT_ATTR_* flags. 787 * @instance: Unique instance number within this MFT record. 788 * Incremented via next_attr_instance; unique per record. 789 * 790 * Resident attributes (when @non_resident == 0): 791 * @data.resident.value_length: Byte size of the attribute value. 792 * @data.resident.value_offset: Byte offset from start of attribute 793 * record to the value data. 794 * 8-byte aligned if name present. 795 * @data.resident.flags: Resident-specific flags 796 * @data.resident.reserved: Reserved/alignment to 8 bytes. 797 * 798 * Non-resident attributes (when @non_resident == 1): 799 * @data.non_resident.lowest_vcn: Lowest valid VCN in this extent. 800 * Usually 0 unless attribute list is used. 801 * @data.non_resident.highest_vcn: Highest valid VCN in this extent. 802 * -1 for zero-length, 0 for single extent. 803 * @data.non_resident.mapping_pairs_offset: 804 * Byte offset to mapping pairs array 805 * (VCN → LCN mappings). 806 * 8-byte aligned when creating. 807 * @data.non_resident.compression_unit: 808 * Log2 of clusters per compression unit. 809 * 0 = not compressed. 810 * WinNT4 used 4; sparse files use 0 811 * on XP SP2+. 812 * @data.non_resident.reserved: 5 bytes for 8-byte alignment. 813 * @data.non_resident.allocated_size: 814 * Allocated disk space in bytes. 815 * For compressed: logical allocated size. 816 * @data.non_resident.data_size: Logical attribute value size in bytes. 817 * Can be larger than allocated_size if 818 * compressed/sparse. 819 * @data.non_resident.initialized_size: 820 * Initialized portion size in bytes. 821 * Usually equals data_size. 822 * @data.non_resident.compressed_size: 823 * Compressed on-disk size in bytes. 824 * Only present when compressed or sparse. 825 * Actual disk usage. 826 */ 827 struct attr_record { 828 __le32 type; 829 __le32 length; 830 u8 non_resident; 831 u8 name_length; 832 __le16 name_offset; 833 __le16 flags; 834 __le16 instance; 835 union { 836 struct { 837 __le32 value_length; 838 __le16 value_offset; 839 u8 flags; 840 s8 reserved; 841 } __packed resident; 842 struct { 843 __le64 lowest_vcn; 844 __le64 highest_vcn; 845 __le16 mapping_pairs_offset; 846 u8 compression_unit; 847 u8 reserved[5]; 848 __le64 allocated_size; 849 __le64 data_size; 850 __le64 initialized_size; 851 __le64 compressed_size; 852 } __packed non_resident; 853 } __packed data; 854 } __packed; 855 856 /* 857 * enum - NTFS file attribute flags (32-bit) 858 * 859 * File attribute flags (32-bit) appearing in the file_attributes fields of the 860 * STANDARD_INFORMATION attribute of MFT_RECORDs and the FILENAME_ATTR 861 * attributes of MFT_RECORDs and directory index entries. 862 * 863 * All of the below flags appear in the directory index entries but only some 864 * appear in the STANDARD_INFORMATION attribute whilst only some others appear 865 * in the FILENAME_ATTR attribute of MFT_RECORDs. Unless otherwise stated the 866 * flags appear in all of the above. 867 * 868 * FILE_ATTR_READONLY: File is read-only. 869 * FILE_ATTR_HIDDEN: File is hidden (not shown by default). 870 * FILE_ATTR_SYSTEM: System file (protected by OS). 871 * FILE_ATTR_DIRECTORY: Directory flag (reserved in NT; use MFT flag instead). 872 * FILE_ATTR_ARCHIVE: File needs archiving (backup flag). 873 * FILE_ATTR_DEVICE: Device file (rarely used). 874 * FILE_ATTR_NORMAL: Normal file (no special attributes). 875 * FILE_ATTR_TEMPORARY: Temporary file (delete on close). 876 * FILE_ATTR_SPARSE_FILE: Sparse file (contains holes). 877 * FILE_ATTR_REPARSE_POINT: Reparse point (junction, symlink, mount point). 878 * FILE_ATTR_COMPRESSED: File is compressed. 879 * FILE_ATTR_OFFLINE: File data is offline (not locally available). 880 * FILE_ATTR_NOT_CONTENT_INDEXED: 881 * File is excluded from content indexing. 882 * FILE_ATTR_ENCRYPTED: File is encrypted (EFS). 883 * FILE_ATTR_VALID_FLAGS: Mask of all valid flags for reading. 884 * FILE_ATTR_VALID_SET_FLAGS: Mask of flags that can be set by user. 885 * FILE_ATTRIBUTE_RECALL_ON_OPEN: 886 * Recall data on open (cloud/HSM related). 887 * FILE_ATTR_DUP_FILE_NAME_INDEX_PRESENT: 888 * $FILE_NAME has duplicate index entry. 889 * FILE_ATTR_DUP_VIEW_INDEX_PRESENT: 890 * Duplicate view index present (object ID, quota, etc.). 891 */ 892 enum { 893 FILE_ATTR_READONLY = cpu_to_le32(0x00000001), 894 FILE_ATTR_HIDDEN = cpu_to_le32(0x00000002), 895 FILE_ATTR_SYSTEM = cpu_to_le32(0x00000004), 896 /* Old DOS volid. Unused in NT. = cpu_to_le32(0x00000008), */ 897 FILE_ATTR_DIRECTORY = cpu_to_le32(0x00000010), 898 FILE_ATTR_ARCHIVE = cpu_to_le32(0x00000020), 899 FILE_ATTR_DEVICE = cpu_to_le32(0x00000040), 900 FILE_ATTR_NORMAL = cpu_to_le32(0x00000080), 901 902 FILE_ATTR_TEMPORARY = cpu_to_le32(0x00000100), 903 FILE_ATTR_SPARSE_FILE = cpu_to_le32(0x00000200), 904 FILE_ATTR_REPARSE_POINT = cpu_to_le32(0x00000400), 905 FILE_ATTR_COMPRESSED = cpu_to_le32(0x00000800), 906 907 FILE_ATTR_OFFLINE = cpu_to_le32(0x00001000), 908 FILE_ATTR_NOT_CONTENT_INDEXED = cpu_to_le32(0x00002000), 909 FILE_ATTR_ENCRYPTED = cpu_to_le32(0x00004000), 910 911 FILE_ATTR_VALID_FLAGS = cpu_to_le32(0x00007fb7), 912 FILE_ATTR_VALID_SET_FLAGS = cpu_to_le32(0x000031a7), 913 FILE_ATTRIBUTE_RECALL_ON_OPEN = cpu_to_le32(0x00040000), 914 FILE_ATTR_DUP_FILE_NAME_INDEX_PRESENT = cpu_to_le32(0x10000000), 915 FILE_ATTR_DUP_VIEW_INDEX_PRESENT = cpu_to_le32(0x20000000), 916 }; 917 918 /* 919 * NOTE on times in NTFS: All times are in MS standard time format, i.e. they 920 * are the number of 100-nanosecond intervals since 1st January 1601, 00:00:00 921 * universal coordinated time (UTC). (In Linux time starts 1st January 1970, 922 * 00:00:00 UTC and is stored as the number of 1-second intervals since then.) 923 */ 924 925 /* 926 * struct standard_information - $STANDARD_INFORMATION attribute content 927 * 928 * NOTE: Always resident. 929 * NOTE: Present in all base file records on a volume. 930 * NOTE: There is conflicting information about the meaning of each of the time 931 * fields but the meaning as defined below has been verified to be 932 * correct by practical experimentation on Windows NT4 SP6a and is hence 933 * assumed to be the one and only correct interpretation. 934 * 935 * @creation_time: File creation time (NTFS timestamp). 936 * Updated on filename change(?). 937 * @last_data_change_time: Last modification time of data streams. 938 * @last_mft_change_time: Last modification time of this MFT record. 939 * @last_access_time: Last access time (approximate). 940 * Not updated on read-only volumes; can be disabled. 941 * @file_attributes: File attribute flags (FILE_ATTR_* bits). 942 * 943 * Union (version-specific fields): 944 * @ver.v1.reserved12: 12 bytes reserved/alignment (NTFS 1.2 only). 945 * 946 * @ver.v3 (NTFS 3.x / Windows 2000+): 947 * @maximum_versions: Max allowed file versions (0 = disabled). 948 * @version_number: Current version number (0 if disabled). 949 * @class_id: Class ID (from bidirectional index?). 950 * @owner_id: Owner ID (maps to $Quota via $Q index). 951 * @security_id: Security ID (maps to $Secure $SII/$SDS). 952 * @quota_charged: Quota charge in bytes (0 if quotas disabled). 953 * @usn: Last USN from $UsnJrnl (0 if disabled). 954 */ 955 struct standard_information { 956 __le64 creation_time; 957 __le64 last_data_change_time; 958 __le64 last_mft_change_time; 959 __le64 last_access_time; 960 __le32 file_attributes; 961 union { 962 struct { 963 u8 reserved12[12]; 964 } __packed v1; 965 struct { 966 __le32 maximum_versions; 967 __le32 version_number; 968 __le32 class_id; 969 __le32 owner_id; 970 __le32 security_id; 971 __le64 quota_charged; 972 __le64 usn; 973 } __packed v3; 974 } __packed ver; 975 } __packed; 976 977 /* 978 * struct attr_list_entry - Entry in $ATTRIBUTE_LIST attribute. 979 * 980 * @type: Attribute type code (ATTR_TYPE_*). 981 * @length: Byte size of this entry (8-byte aligned). 982 * @name_length: Unicode char count of attribute name (0 if unnamed). 983 * @name_offset: Byte offset from start of entry to name (always set). 984 * @lowest_vcn: Lowest VCN of this attribute extent (usually 0). 985 * Signed value; non-zero when attribute spans extents. 986 * @mft_reference: MFT record reference holding this attribute extent. 987 * @instance: Attribute instance number (if lowest_vcn == 0); else 0. 988 * @name: Variable Unicode name (use @name_offset when reading). 989 * 990 * - Can be either resident or non-resident. 991 * - Value consists of a sequence of variable length, 8-byte aligned, 992 * ATTR_LIST_ENTRY records. 993 * - The list is not terminated by anything at all! The only way to know when 994 * the end is reached is to keep track of the current offset and compare it to 995 * the attribute value size. 996 * - The attribute list attribute contains one entry for each attribute of 997 * the file in which the list is located, except for the list attribute 998 * itself. The list is sorted: first by attribute type, second by attribute 999 * name (if present), third by instance number. The extents of one 1000 * non-resident attribute (if present) immediately follow after the initial 1001 * extent. They are ordered by lowest_vcn and have their instance set to zero. 1002 * It is not allowed to have two attributes with all sorting keys equal. 1003 * - Further restrictions: 1004 * - If not resident, the vcn to lcn mapping array has to fit inside the 1005 * base mft record. 1006 * - The attribute list attribute value has a maximum size of 256kb. This 1007 * is imposed by the Windows cache manager. 1008 * - Attribute lists are only used when the attributes of mft record do not 1009 * fit inside the mft record despite all attributes (that can be made 1010 * non-resident) having been made non-resident. This can happen e.g. when: 1011 * - File has a large number of hard links (lots of file name 1012 * attributes present). 1013 * - The mapping pairs array of some non-resident attribute becomes so 1014 * large due to fragmentation that it overflows the mft record. 1015 * - The security descriptor is very complex (not applicable to 1016 * NTFS 3.0 volumes). 1017 * - There are many named streams. 1018 */ 1019 struct attr_list_entry { 1020 __le32 type; 1021 __le16 length; 1022 u8 name_length; 1023 u8 name_offset; 1024 __le64 lowest_vcn; 1025 __le64 mft_reference; 1026 __le16 instance; 1027 __le16 name[]; 1028 } __packed; 1029 1030 /* 1031 * The maximum allowed length for a file name. 1032 */ 1033 #define MAXIMUM_FILE_NAME_LENGTH 255 1034 1035 /* 1036 * enum - Possible namespaces for filenames in ntfs (8-bit). 1037 * 1038 * FILE_NAME_POSIX POSIX namespace (case sensitive, most permissive). 1039 * Allows all Unicode except '\0' and '/'. 1040 * WinNT/2k/2003 default utilities ignore case 1041 * differences. SFU (Services For Unix) enables true 1042 * case sensitivity. 1043 * SFU restricts some chars: '"', '/', '<', '>', '\'. 1044 * FILE_NAME_WIN32 Standard WinNT/2k long filename namespace 1045 * (case insensitive). 1046 * Disallows '\0', '"', '*', '/', ':', '<', '>', '?', 1047 * '\', '|'. Names cannot end with '.' or space. 1048 * FILE_NAME_DOS DOS 8.3 namespace (uppercase only). 1049 * Allows 8-bit chars > space except '"', '*', '+', 1050 * ',', '/', ':', ';', '<', '=', '>', '?', '\'. 1051 * FILE_NAME_WIN32_AND_DOS 1052 * Win32 and DOS names are identical (single record). 1053 * Value 0x03 indicates both are stored in one entry. 1054 */ 1055 enum { 1056 FILE_NAME_POSIX = 0x00, 1057 FILE_NAME_WIN32 = 0x01, 1058 FILE_NAME_DOS = 0x02, 1059 FILE_NAME_WIN32_AND_DOS = 0x03, 1060 } __packed; 1061 1062 /* 1063 * struct file_name_attr - $FILE_NAME attribute content 1064 * 1065 * NOTE: Always resident. 1066 * NOTE: All fields, except the parent_directory, are only updated when the 1067 * filename is changed. Until then, they just become out of sync with 1068 * reality and the more up to date values are present in the standard 1069 * information attribute. 1070 * NOTE: There is conflicting information about the meaning of each of the time 1071 * fields but the meaning as defined below has been verified to be 1072 * correct by practical experimentation on Windows NT4 SP6a and is hence 1073 * assumed to be the one and only correct interpretation. 1074 * 1075 * @parent_directory: MFT reference to parent directory. 1076 * @creation_time: File creation time (NTFS timestamp). 1077 * @last_data_change_time: 1078 * Last data modification time. 1079 * @last_mft_change_time: 1080 * Last MFT record modification time. 1081 * @last_access_time: Last access time (approximate; may not 1082 * update always). 1083 * @allocated_size: On-disk allocated size for unnamed $DATA. 1084 * Equals compressed_size if compressed/sparse. 1085 * 0 for directories or no $DATA. 1086 * Multiple of cluster size. 1087 * @data_size: Logical size of unnamed $DATA. 1088 * 0 for directories or no $DATA. 1089 * @file_attributes: File attribute flags (FILE_ATTR_* bits). 1090 * @type.ea.packed_ea_size: 1091 * Size needed to pack EAs (if present). 1092 * @type.ea.reserved: Alignment padding. 1093 * @type.rp.reparse_point_tag: 1094 * Reparse point type (if reparse point, no EAs). 1095 * @file_name_length: Length of filename in Unicode characters. 1096 * @file_name_type: Namespace (FILE_NAME_POSIX, WIN32, DOS, etc.). 1097 * @file_name: Variable-length Unicode filename. 1098 */ 1099 struct file_name_attr { 1100 __le64 parent_directory; 1101 __le64 creation_time; 1102 __le64 last_data_change_time; 1103 __le64 last_mft_change_time; 1104 __le64 last_access_time; 1105 __le64 allocated_size; 1106 __le64 data_size; 1107 __le32 file_attributes; 1108 union { 1109 struct { 1110 __le16 packed_ea_size; 1111 __le16 reserved; 1112 } __packed ea; 1113 struct { 1114 __le32 reparse_point_tag; 1115 } __packed rp; 1116 } __packed type; 1117 u8 file_name_length; 1118 u8 file_name_type; 1119 __le16 file_name[]; 1120 } __packed; 1121 1122 /* 1123 * struct guid - Globally Unique Identifier (GUID) structure 1124 * 1125 * GUID structures store globally unique identifiers (GUID). A GUID is a 1126 * 128-bit value consisting of one group of eight hexadecimal digits, followed 1127 * by three groups of four hexadecimal digits each, followed by one group of 1128 * twelve hexadecimal digits. GUIDs are Microsoft's implementation of the 1129 * distributed computing environment (DCE) universally unique identifier (UUID). 1130 * Example of a GUID: 1131 * 1F010768-5A73-BC91-0010A52216A7 1132 * 1133 * @data1: First 32 bits (first 8 hex digits). 1134 * @data2: Next 16 bits (first group of 4 hex digits). 1135 * @data3: Next 16 bits (second group of 4 hex digits). 1136 * @data4: Final 64 bits (third group of 4 + last 12 hex digits). 1137 * data4[0-1]: third group; data4[2-7]: remaining part. 1138 */ 1139 struct guid { 1140 __le32 data1; 1141 __le16 data2; 1142 __le16 data3; 1143 u8 data4[8]; 1144 } __packed; 1145 1146 /* 1147 * struct object_id_attr - $OBJECT_ID attribute content (NTFS 3.0+) 1148 * 1149 * NOTE: Always resident. 1150 * 1151 * @object_id: Unique 128-bit GUID assigned to the file. 1152 * Core identifier; always present. 1153 * 1154 * Optional extended info (union; total value size 16–64 bytes): 1155 * @extended_info.birth_volume_id: 1156 * Birth volume GUID (where file was first created). 1157 * @extended_info.birth_object_id: 1158 * Birth object GUID (original ID before copy/move). 1159 * @extended_info.domain_id: 1160 * Domain GUID (usually zero; reserved). 1161 */ 1162 struct object_id_attr { 1163 struct guid object_id; 1164 union { 1165 struct { 1166 struct guid birth_volume_id; 1167 struct guid birth_object_id; 1168 struct guid domain_id; 1169 } __packed; 1170 u8 extended_info[48]; 1171 } __packed; 1172 } __packed; 1173 1174 /* 1175 * enum - RIDs (Relative Identifiers) in Windows/NTFS security 1176 * 1177 * These relative identifiers (RIDs) are used with the above identifier 1178 * authorities to make up universal well-known SIDs. 1179 * 1180 * SECURITY_NULL_RID S-1-0 (Null authority) 1181 * SECURITY_WORLD_RID S-1-1 (World/Everyone) 1182 * SECURITY_LOCAL_RID S-1-2 (Local) 1183 * SECURITY_CREATOR_OWNER_RID S-1-3-0 (Creator Owner) 1184 * SECURITY_CREATOR_GROUP_RID S-1-3-1 (Creator Group) 1185 * SECURITY_CREATOR_OWNER_SERVER_RID S-1-3-2 (Server Creator Owner) 1186 * SECURITY_CREATOR_GROUP_SERVER_RID S-1-3-3 (Server Creator Group) 1187 * SECURITY_DIALUP_RID S-1-5-1 (Dialup) 1188 * SECURITY_NETWORK_RID S-1-5-2 (Network) 1189 * SECURITY_BATCH_RID S-1-5-3 (Batch) 1190 * SECURITY_INTERACTIVE_RID S-1-5-4 (Interactive) 1191 * SECURITY_SERVICE_RID S-1-5-6 (Service) 1192 * SECURITY_ANONYMOUS_LOGON_RID S-1-5-7 (Anonymous Logon) 1193 * SECURITY_PROXY_RID S-1-5-8 (Proxy) 1194 * SECURITY_ENTERPRISE_CONTROLLERS_RID S-1-5-9 (Enterprise DCs) 1195 * SECURITY_SERVER_LOGON_RID S-1-5-9 (Server Logon alias) 1196 * SECURITY_PRINCIPAL_SELF_RID S-1-5-10 (Self/PrincipalSelf) 1197 * SECURITY_AUTHENTICATED_USER_RID S-1-5-11 (Authenticated Users) 1198 * SECURITY_RESTRICTED_CODE_RID S-1-5-12 (Restricted Code) 1199 * SECURITY_TERMINAL_SERVER_RID S-1-5-13 (Terminal Server) 1200 * SECURITY_LOGON_IDS_RID S-1-5-5 (Logon session IDs base) 1201 * SECURITY_LOCAL_SYSTEM_RID S-1-5-18 (Local System) 1202 * SECURITY_NT_NON_UNIQUE S-1-5-21 (NT non-unique authority) 1203 * SECURITY_BUILTIN_DOMAIN_RID S-1-5-32 (Built-in domain) 1204 * 1205 * Built-in domain relative RIDs (S-1-5-32-...): 1206 * Users: 1207 * DOMAIN_USER_RID_ADMIN Administrator 1208 * DOMAIN_USER_RID_GUEST Guest 1209 * DOMAIN_USER_RID_KRBTGT krbtgt (Kerberos ticket-granting) 1210 * 1211 * Groups: 1212 * DOMAIN_GROUP_RID_ADMINS Administrators 1213 * DOMAIN_GROUP_RID_USERS Users 1214 * DOMAIN_GROUP_RID_GUESTS Guests 1215 * DOMAIN_GROUP_RID_COMPUTERS Computers 1216 * DOMAIN_GROUP_RID_CONTROLLERS Domain Controllers 1217 * DOMAIN_GROUP_RID_CERT_ADMINS Cert Publishers 1218 * DOMAIN_GROUP_RID_SCHEMA_ADMINS Schema Admins 1219 * DOMAIN_GROUP_RID_ENTERPRISE_ADMINS Enterprise Admins 1220 * DOMAIN_GROUP_RID_POLICY_ADMINS Policy Admins (if present) 1221 * 1222 * Aliases: 1223 * DOMAIN_ALIAS_RID_ADMINS Administrators alias 1224 * DOMAIN_ALIAS_RID_USERS Users alias 1225 * DOMAIN_ALIAS_RID_GUESTS Guests alias 1226 * DOMAIN_ALIAS_RID_POWER_USERS Power Users 1227 * DOMAIN_ALIAS_RID_ACCOUNT_OPS Account Operators 1228 * DOMAIN_ALIAS_RID_SYSTEM_OPS Server Operators 1229 * DOMAIN_ALIAS_RID_PRINT_OPS Print Operators 1230 * DOMAIN_ALIAS_RID_BACKUP_OPS Backup Operators 1231 * DOMAIN_ALIAS_RID_REPLICATOR Replicator 1232 * DOMAIN_ALIAS_RID_RAS_SERVERS RAS Servers 1233 * DOMAIN_ALIAS_RID_PREW2KCOMPACCESS Pre-Windows 2000 Compatible Access 1234 * 1235 * Note: The relative identifier (RID) refers to the portion of a SID, which 1236 * identifies a user or group in relation to the authority that issued the SID. 1237 * For example, the universal well-known SID Creator Owner ID (S-1-3-0) is 1238 * made up of the identifier authority SECURITY_CREATOR_SID_AUTHORITY (3) and 1239 * the relative identifier SECURITY_CREATOR_OWNER_RID (0). 1240 */ 1241 enum { /* Identifier authority. */ 1242 SECURITY_NULL_RID = 0, /* S-1-0 */ 1243 SECURITY_WORLD_RID = 0, /* S-1-1 */ 1244 SECURITY_LOCAL_RID = 0, /* S-1-2 */ 1245 1246 SECURITY_CREATOR_OWNER_RID = 0, /* S-1-3 */ 1247 SECURITY_CREATOR_GROUP_RID = 1, /* S-1-3 */ 1248 1249 SECURITY_CREATOR_OWNER_SERVER_RID = 2, /* S-1-3 */ 1250 SECURITY_CREATOR_GROUP_SERVER_RID = 3, /* S-1-3 */ 1251 1252 SECURITY_DIALUP_RID = 1, 1253 SECURITY_NETWORK_RID = 2, 1254 SECURITY_BATCH_RID = 3, 1255 SECURITY_INTERACTIVE_RID = 4, 1256 SECURITY_SERVICE_RID = 6, 1257 SECURITY_ANONYMOUS_LOGON_RID = 7, 1258 SECURITY_PROXY_RID = 8, 1259 SECURITY_ENTERPRISE_CONTROLLERS_RID = 9, 1260 SECURITY_SERVER_LOGON_RID = 9, 1261 SECURITY_PRINCIPAL_SELF_RID = 0xa, 1262 SECURITY_AUTHENTICATED_USER_RID = 0xb, 1263 SECURITY_RESTRICTED_CODE_RID = 0xc, 1264 SECURITY_TERMINAL_SERVER_RID = 0xd, 1265 1266 SECURITY_LOGON_IDS_RID = 5, 1267 SECURITY_LOGON_IDS_RID_COUNT = 3, 1268 1269 SECURITY_LOCAL_SYSTEM_RID = 0x12, 1270 1271 SECURITY_NT_NON_UNIQUE = 0x15, 1272 1273 SECURITY_BUILTIN_DOMAIN_RID = 0x20, 1274 1275 /* 1276 * Well-known domain relative sub-authority values (RIDs). 1277 */ 1278 1279 /* Users. */ 1280 DOMAIN_USER_RID_ADMIN = 0x1f4, 1281 DOMAIN_USER_RID_GUEST = 0x1f5, 1282 DOMAIN_USER_RID_KRBTGT = 0x1f6, 1283 1284 /* Groups. */ 1285 DOMAIN_GROUP_RID_ADMINS = 0x200, 1286 DOMAIN_GROUP_RID_USERS = 0x201, 1287 DOMAIN_GROUP_RID_GUESTS = 0x202, 1288 DOMAIN_GROUP_RID_COMPUTERS = 0x203, 1289 DOMAIN_GROUP_RID_CONTROLLERS = 0x204, 1290 DOMAIN_GROUP_RID_CERT_ADMINS = 0x205, 1291 DOMAIN_GROUP_RID_SCHEMA_ADMINS = 0x206, 1292 DOMAIN_GROUP_RID_ENTERPRISE_ADMINS = 0x207, 1293 DOMAIN_GROUP_RID_POLICY_ADMINS = 0x208, 1294 1295 /* Aliases. */ 1296 DOMAIN_ALIAS_RID_ADMINS = 0x220, 1297 DOMAIN_ALIAS_RID_USERS = 0x221, 1298 DOMAIN_ALIAS_RID_GUESTS = 0x222, 1299 DOMAIN_ALIAS_RID_POWER_USERS = 0x223, 1300 1301 DOMAIN_ALIAS_RID_ACCOUNT_OPS = 0x224, 1302 DOMAIN_ALIAS_RID_SYSTEM_OPS = 0x225, 1303 DOMAIN_ALIAS_RID_PRINT_OPS = 0x226, 1304 DOMAIN_ALIAS_RID_BACKUP_OPS = 0x227, 1305 1306 DOMAIN_ALIAS_RID_REPLICATOR = 0x228, 1307 DOMAIN_ALIAS_RID_RAS_SERVERS = 0x229, 1308 DOMAIN_ALIAS_RID_PREW2KCOMPACCESS = 0x22a, 1309 }; 1310 1311 /* 1312 * The universal well-known SIDs: 1313 * 1314 * NULL_SID S-1-0-0 1315 * WORLD_SID S-1-1-0 1316 * LOCAL_SID S-1-2-0 1317 * CREATOR_OWNER_SID S-1-3-0 1318 * CREATOR_GROUP_SID S-1-3-1 1319 * CREATOR_OWNER_SERVER_SID S-1-3-2 1320 * CREATOR_GROUP_SERVER_SID S-1-3-3 1321 * 1322 * (Non-unique IDs) S-1-4 1323 * 1324 * NT well-known SIDs: 1325 * 1326 * NT_AUTHORITY_SID S-1-5 1327 * DIALUP_SID S-1-5-1 1328 * 1329 * NETWORD_SID S-1-5-2 1330 * BATCH_SID S-1-5-3 1331 * INTERACTIVE_SID S-1-5-4 1332 * SERVICE_SID S-1-5-6 1333 * ANONYMOUS_LOGON_SID S-1-5-7 (aka null logon session) 1334 * PROXY_SID S-1-5-8 1335 * SERVER_LOGON_SID S-1-5-9 (aka domain controller account) 1336 * SELF_SID S-1-5-10 (self RID) 1337 * AUTHENTICATED_USER_SID S-1-5-11 1338 * RESTRICTED_CODE_SID S-1-5-12 (running restricted code) 1339 * TERMINAL_SERVER_SID S-1-5-13 (running on terminal server) 1340 * 1341 * (Logon IDs) S-1-5-5-X-Y 1342 * 1343 * (NT non-unique IDs) S-1-5-0x15-... 1344 * 1345 * (Built-in domain) S-1-5-0x20 1346 */ 1347 1348 /* 1349 * struct ntfs_sid - Security Identifier (SID) structure 1350 * 1351 * @revision: SID revision level (usually 1). 1352 * @sub_authority_count: Number of sub-authorities (1 or more). 1353 * @identifier_authority: 1354 * 48-bit identifier authority (S-1-x-...). 1355 * @parts.high_part: high 16 bits. 1356 * @parts.low_part: low 32 bits. 1357 * @value: raw 6-byte array. 1358 * @sub_authority: Variable array of 32-bit RIDs. 1359 * At least one; defines the SID relative to authority. 1360 * 1361 * The SID structure is a variable-length structure used to uniquely identify 1362 * users or groups. SID stands for security identifier. 1363 * 1364 * The standard textual representation of the SID is of the form: 1365 * S-R-I-S-S... 1366 * Where: 1367 * - The first "S" is the literal character 'S' identifying the following 1368 * digits as a SID. 1369 * - R is the revision level of the SID expressed as a sequence of digits 1370 * either in decimal or hexadecimal (if the later, prefixed by "0x"). 1371 * - I is the 48-bit identifier_authority, expressed as digits as R above. 1372 * - S... is one or more sub_authority values, expressed as digits as above. 1373 * 1374 * Example SID; the domain-relative SID of the local Administrators group on 1375 * Windows NT/2k: 1376 * S-1-5-32-544 1377 * This translates to a SID with: 1378 * revision = 1, 1379 * sub_authority_count = 2, 1380 * identifier_authority = {0,0,0,0,0,5}, // SECURITY_NT_AUTHORITY 1381 * sub_authority[0] = 32, // SECURITY_BUILTIN_DOMAIN_RID 1382 * sub_authority[1] = 544 // DOMAIN_ALIAS_RID_ADMINS 1383 */ 1384 struct ntfs_sid { 1385 u8 revision; 1386 u8 sub_authority_count; 1387 union { 1388 struct { 1389 u16 high_part; 1390 u32 low_part; 1391 } __packed parts; 1392 u8 value[6]; 1393 } identifier_authority; 1394 __le32 sub_authority[]; 1395 } __packed; 1396 1397 /* 1398 * enum - Predefined ACE types (8-bit) for NTFS security descriptors 1399 * 1400 * ACCESS_MIN_MS_ACE_TYPE: Minimum MS ACE type (0). 1401 * ACCESS_ALLOWED_ACE_TYPE: Allow access (standard ACE). 1402 * ACCESS_DENIED_ACE_TYPE: Deny access (standard ACE). 1403 * SYSTEM_AUDIT_ACE_TYPE: Audit successful/failed access. 1404 * SYSTEM_ALARM_ACE_TYPE: Alarm on access (not in Win2k+). 1405 * ACCESS_MAX_MS_V2_ACE_TYPE: Max for V2 ACE types. 1406 * ACCESS_ALLOWED_COMPOUND_ACE_TYPE: 1407 * Compound ACE (legacy). 1408 * ACCESS_MAX_MS_V3_ACE_TYPE: Max for V3 ACE types. 1409 * ACCESS_MIN_MS_OBJECT_ACE_TYPE: Min for object ACE types (Win2k+). 1410 * ACCESS_ALLOWED_OBJECT_ACE_TYPE: Allow with object-specific rights. 1411 * ACCESS_DENIED_OBJECT_ACE_TYPE: Deny with object-specific rights. 1412 * SYSTEM_AUDIT_OBJECT_ACE_TYPE: Audit with object-specific rights. 1413 * SYSTEM_ALARM_OBJECT_ACE_TYPE: Alarm with object-specific rights. 1414 * ACCESS_MAX_MS_OBJECT_ACE_TYPE: Max for object ACE types. 1415 * ACCESS_MAX_MS_V4_ACE_TYPE: Max for V4 ACE types. 1416 * ACCESS_MAX_MS_ACE_TYPE: Overall max ACE type (WinNT/2k). 1417 */ 1418 enum { 1419 ACCESS_MIN_MS_ACE_TYPE = 0, 1420 ACCESS_ALLOWED_ACE_TYPE = 0, 1421 ACCESS_DENIED_ACE_TYPE = 1, 1422 SYSTEM_AUDIT_ACE_TYPE = 2, 1423 SYSTEM_ALARM_ACE_TYPE = 3, 1424 ACCESS_MAX_MS_V2_ACE_TYPE = 3, 1425 1426 ACCESS_ALLOWED_COMPOUND_ACE_TYPE = 4, 1427 ACCESS_MAX_MS_V3_ACE_TYPE = 4, 1428 ACCESS_MIN_MS_OBJECT_ACE_TYPE = 5, 1429 ACCESS_ALLOWED_OBJECT_ACE_TYPE = 5, 1430 ACCESS_DENIED_OBJECT_ACE_TYPE = 6, 1431 SYSTEM_AUDIT_OBJECT_ACE_TYPE = 7, 1432 SYSTEM_ALARM_OBJECT_ACE_TYPE = 8, 1433 ACCESS_MAX_MS_OBJECT_ACE_TYPE = 8, 1434 1435 ACCESS_MAX_MS_V4_ACE_TYPE = 8, 1436 ACCESS_MAX_MS_ACE_TYPE = 8, 1437 } __packed; 1438 1439 /* 1440 * enum - ACE inheritance and audit flags (8-bit) 1441 * 1442 * OBJECT_INHERIT_ACE: Object inherit (files inherit this ACE). 1443 * CONTAINER_INHERIT_ACE: Container inherit (subdirectories inherit). 1444 * NO_PROPAGATE_INHERIT_ACE: No propagation (stop inheritance after this level). 1445 * INHERIT_ONLY_ACE: Inherit only (not applied to current object). 1446 * INHERITED_ACE: ACE was inherited (Win2k+ only). 1447 * VALID_INHERIT_FLAGS: Mask of all valid inheritance flags (0x1f). 1448 * SUCCESSFUL_ACCESS_ACE_FLAG: Audit successful access (system audit ACE). 1449 * FAILED_ACCESS_ACE_FLAG: Audit failed access (system audit ACE). 1450 * 1451 * SUCCESSFUL_ACCESS_ACE_FLAG is only used with system audit and alarm ACE 1452 * types to indicate that a message is generated (in Windows!) for successful 1453 * accesses. 1454 * 1455 * FAILED_ACCESS_ACE_FLAG is only used with system audit and alarm ACE types 1456 * to indicate that a message is generated (in Windows!) for failed accesses. 1457 */ 1458 enum { 1459 OBJECT_INHERIT_ACE = 0x01, 1460 CONTAINER_INHERIT_ACE = 0x02, 1461 NO_PROPAGATE_INHERIT_ACE = 0x04, 1462 INHERIT_ONLY_ACE = 0x08, 1463 INHERITED_ACE = 0x10, 1464 VALID_INHERIT_FLAGS = 0x1f, 1465 SUCCESSFUL_ACCESS_ACE_FLAG = 0x40, 1466 FAILED_ACCESS_ACE_FLAG = 0x80, 1467 } __packed; 1468 1469 /* 1470 * enum - NTFS access rights masks (32-bit) 1471 * 1472 * FILE_READ_DATA / FILE_LIST_DIRECTORY: Read file data / list dir contents. 1473 * FILE_WRITE_DATA / FILE_ADD_FILE: Write file data / create file in dir. 1474 * FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY: Append data / create subdir. 1475 * FILE_READ_EA: Read extended attributes. 1476 * FILE_WRITE_EA: Write extended attributes. 1477 * FILE_EXECUTE / FILE_TRAVERSE: Execute file / traverse dir. 1478 * FILE_DELETE_CHILD: Delete children in dir. 1479 * FILE_READ_ATTRIBUTES: Read attributes. 1480 * FILE_WRITE_ATTRIBUTES: Write attributes. 1481 * 1482 * Standard rights (object-independent): 1483 * DELETE: Delete object. 1484 * READ_CONTROL: Read security descriptor/owner. 1485 * WRITE_DAC: Modify DACL. 1486 * WRITE_OWNER: Change owner. 1487 * SYNCHRONIZE: Wait on object signal state. 1488 * 1489 * Combinations: 1490 * STANDARD_RIGHTS_READ / WRITE / EXECUTE: Aliases for READ_CONTROL. 1491 * STANDARD_RIGHTS_REQUIRED: DELETE + READ_CONTROL + 1492 * WRITE_DAC + WRITE_OWNER. 1493 * STANDARD_RIGHTS_ALL: Above + SYNCHRONIZE. 1494 * 1495 * System/access types: 1496 * ACCESS_SYSTEM_SECURITY: Access system ACL. 1497 * MAXIMUM_ALLOWED: Maximum allowed access. 1498 * 1499 * Generic rights (high bits, map to specific/standard): 1500 * GENERIC_ALL: Full access. 1501 * GENERIC_EXECUTE: Execute/traverse. 1502 * GENERIC_WRITE: Write (append, attrs, data, EA, etc.). 1503 * GENERIC_READ: Read (attrs, data, EA, etc.). 1504 * 1505 * The specific rights (bits 0 to 15). These depend on the type of the object 1506 * being secured by the ACE. 1507 */ 1508 enum { 1509 FILE_READ_DATA = cpu_to_le32(0x00000001), 1510 FILE_LIST_DIRECTORY = cpu_to_le32(0x00000001), 1511 FILE_WRITE_DATA = cpu_to_le32(0x00000002), 1512 FILE_ADD_FILE = cpu_to_le32(0x00000002), 1513 FILE_APPEND_DATA = cpu_to_le32(0x00000004), 1514 FILE_ADD_SUBDIRECTORY = cpu_to_le32(0x00000004), 1515 FILE_READ_EA = cpu_to_le32(0x00000008), 1516 FILE_WRITE_EA = cpu_to_le32(0x00000010), 1517 FILE_EXECUTE = cpu_to_le32(0x00000020), 1518 FILE_TRAVERSE = cpu_to_le32(0x00000020), 1519 FILE_DELETE_CHILD = cpu_to_le32(0x00000040), 1520 FILE_READ_ATTRIBUTES = cpu_to_le32(0x00000080), 1521 FILE_WRITE_ATTRIBUTES = cpu_to_le32(0x00000100), 1522 DELETE = cpu_to_le32(0x00010000), 1523 READ_CONTROL = cpu_to_le32(0x00020000), 1524 WRITE_DAC = cpu_to_le32(0x00040000), 1525 WRITE_OWNER = cpu_to_le32(0x00080000), 1526 SYNCHRONIZE = cpu_to_le32(0x00100000), 1527 STANDARD_RIGHTS_READ = cpu_to_le32(0x00020000), 1528 STANDARD_RIGHTS_WRITE = cpu_to_le32(0x00020000), 1529 STANDARD_RIGHTS_EXECUTE = cpu_to_le32(0x00020000), 1530 STANDARD_RIGHTS_REQUIRED = cpu_to_le32(0x000f0000), 1531 STANDARD_RIGHTS_ALL = cpu_to_le32(0x001f0000), 1532 ACCESS_SYSTEM_SECURITY = cpu_to_le32(0x01000000), 1533 MAXIMUM_ALLOWED = cpu_to_le32(0x02000000), 1534 GENERIC_ALL = cpu_to_le32(0x10000000), 1535 GENERIC_EXECUTE = cpu_to_le32(0x20000000), 1536 GENERIC_WRITE = cpu_to_le32(0x40000000), 1537 GENERIC_READ = cpu_to_le32(0x80000000), 1538 }; 1539 1540 /* 1541 * struct ntfs_ace - Access Control Entry (ACE) structure 1542 * 1543 * @type: ACE type (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, etc.). 1544 * @flags: Inheritance and audit flags (OBJECT_INHERIT_ACE, etc.). 1545 * @size: Total byte size of this ACE (header + SID + variable data). 1546 * @mask: Access rights mask (FILE_READ_DATA, DELETE, GENERIC_ALL, etc.). 1547 * @sid: Security Identifier (SID) this ACE applies to. 1548 */ 1549 struct ntfs_ace { 1550 u8 type; 1551 u8 flags; 1552 __le16 size; 1553 __le32 mask; 1554 struct ntfs_sid sid; 1555 } __packed; 1556 1557 /* 1558 * The object ACE flags (32-bit). 1559 */ 1560 enum { 1561 ACE_OBJECT_TYPE_PRESENT = cpu_to_le32(1), 1562 ACE_INHERITED_OBJECT_TYPE_PRESENT = cpu_to_le32(2), 1563 }; 1564 1565 /* 1566 * struct ntfs_acl - NTFS Access Control List (ACL) header 1567 * 1568 * An ACL is an access-control list (ACL). 1569 * An ACL starts with an ACL header structure, which specifies the size of 1570 * the ACL and the number of ACEs it contains. The ACL header is followed by 1571 * zero or more access control entries (ACEs). The ACL as well as each ACE 1572 * are aligned on 4-byte boundaries. 1573 * 1574 * @revision: ACL revision level (usually 2 or 4). 1575 * @alignment1: Padding/alignment byte (zero). 1576 * @size: Total allocated size in bytes (header + all ACEs + 1577 * free space). 1578 * @ace_count: Number of ACE entries following the header. 1579 * @alignment2: Padding/alignment (zero). 1580 */ 1581 struct ntfs_acl { 1582 u8 revision; 1583 u8 alignment1; 1584 __le16 size; 1585 __le16 ace_count; 1586 __le16 alignment2; 1587 } __packed; 1588 1589 static_assert(sizeof(struct ntfs_acl) == 8); 1590 1591 /* 1592 * The security descriptor control flags (16-bit). 1593 * 1594 * SE_OWNER_DEFAULTED - This boolean flag, when set, indicates that the SID 1595 * pointed to by the Owner field was provided by a defaulting mechanism 1596 * rather than explicitly provided by the original provider of the 1597 * security descriptor. This may affect the treatment of the SID with 1598 * respect to inheritance of an owner. 1599 * 1600 * SE_GROUP_DEFAULTED - This boolean flag, when set, indicates that the SID in 1601 * the Group field was provided by a defaulting mechanism rather than 1602 * explicitly provided by the original provider of the security 1603 * descriptor. This may affect the treatment of the SID with respect to 1604 * inheritance of a primary group. 1605 * 1606 * SE_DACL_PRESENT - This boolean flag, when set, indicates that the security 1607 * descriptor contains a discretionary ACL. If this flag is set and the 1608 * Dacl field of the SECURITY_DESCRIPTOR is null, then a null ACL is 1609 * explicitly being specified. 1610 * 1611 * SE_DACL_DEFAULTED - This boolean flag, when set, indicates that the ACL 1612 * pointed to by the Dacl field was provided by a defaulting mechanism 1613 * rather than explicitly provided by the original provider of the 1614 * security descriptor. This may affect the treatment of the ACL with 1615 * respect to inheritance of an ACL. This flag is ignored if the 1616 * DaclPresent flag is not set. 1617 * 1618 * SE_SACL_PRESENT - This boolean flag, when set, indicates that the security 1619 * descriptor contains a system ACL pointed to by the Sacl field. If this 1620 * flag is set and the Sacl field of the SECURITY_DESCRIPTOR is null, then 1621 * an empty (but present) ACL is being specified. 1622 * 1623 * SE_SACL_DEFAULTED - This boolean flag, when set, indicates that the ACL 1624 * pointed to by the Sacl field was provided by a defaulting mechanism 1625 * rather than explicitly provided by the original provider of the 1626 * security descriptor. This may affect the treatment of the ACL with 1627 * respect to inheritance of an ACL. This flag is ignored if the 1628 * SaclPresent flag is not set. 1629 * 1630 * SE_SELF_RELATIVE - This boolean flag, when set, indicates that the security 1631 * descriptor is in self-relative form. In this form, all fields of the 1632 * security descriptor are contiguous in memory and all pointer fields are 1633 * expressed as offsets from the beginning of the security descriptor. 1634 */ 1635 enum { 1636 SE_OWNER_DEFAULTED = cpu_to_le16(0x0001), 1637 SE_GROUP_DEFAULTED = cpu_to_le16(0x0002), 1638 SE_DACL_PRESENT = cpu_to_le16(0x0004), 1639 SE_DACL_DEFAULTED = cpu_to_le16(0x0008), 1640 1641 SE_SACL_PRESENT = cpu_to_le16(0x0010), 1642 SE_SACL_DEFAULTED = cpu_to_le16(0x0020), 1643 1644 SE_DACL_AUTO_INHERIT_REQ = cpu_to_le16(0x0100), 1645 SE_SACL_AUTO_INHERIT_REQ = cpu_to_le16(0x0200), 1646 SE_DACL_AUTO_INHERITED = cpu_to_le16(0x0400), 1647 SE_SACL_AUTO_INHERITED = cpu_to_le16(0x0800), 1648 1649 SE_DACL_PROTECTED = cpu_to_le16(0x1000), 1650 SE_SACL_PROTECTED = cpu_to_le16(0x2000), 1651 SE_RM_CONTROL_VALID = cpu_to_le16(0x4000), 1652 SE_SELF_RELATIVE = cpu_to_le16(0x8000) 1653 } __packed; 1654 1655 /* 1656 * struct security_descriptor_relative - Relative security descriptor 1657 * 1658 * Self-relative security descriptor. Contains the owner and group SIDs as well 1659 * as the sacl and dacl ACLs inside the security descriptor itself. 1660 * 1661 * @revision: Security descriptor revision (usually 1). 1662 * @alignment: Padding/alignment byte (zero). 1663 * @control: Control flags (SE_OWNER_DEFAULTED, SE_DACL_PRESENT, 1664 * SE_SACL_PRESENT, SE_SACL_AUTO_INHERITED, etc.). 1665 * @owner: Byte offset to owner SID (from start of descriptor). 1666 * 0 if no owner SID present. 1667 * @group: Byte offset to primary group SID. 1668 * 0 if no group SID present. 1669 * @sacl: Byte offset to System ACL (SACL). 1670 * Valid only if SE_SACL_PRESENT in @control. 1671 * 0 means NULL SACL. 1672 * @dacl: Byte offset to Discretionary ACL (DACL). 1673 * Valid only if SE_DACL_PRESENT in @control. 1674 * 0 means NULL DACL (full access granted). 1675 */ 1676 struct security_descriptor_relative { 1677 u8 revision; 1678 u8 alignment; 1679 __le16 control; 1680 __le32 owner; 1681 __le32 group; 1682 __le32 sacl; 1683 __le32 dacl; 1684 } __packed; 1685 1686 static_assert(sizeof(struct security_descriptor_relative) == 20); 1687 1688 /* 1689 * On NTFS 3.0+, all security descriptors are stored in FILE_Secure. Only one 1690 * referenced instance of each unique security descriptor is stored. 1691 * 1692 * FILE_Secure contains no unnamed data attribute, i.e. it has zero length. It 1693 * does, however, contain two indexes ($SDH and $SII) as well as a named data 1694 * stream ($SDS). 1695 * 1696 * Every unique security descriptor is assigned a unique security identifier 1697 * (security_id, not to be confused with a SID). The security_id is unique for 1698 * the NTFS volume and is used as an index into the $SII index, which maps 1699 * security_ids to the security descriptor's storage location within the $SDS 1700 * data attribute. The $SII index is sorted by ascending security_id. 1701 * 1702 * A simple hash is computed from each security descriptor. This hash is used 1703 * as an index into the $SDH index, which maps security descriptor hashes to 1704 * the security descriptor's storage location within the $SDS data attribute. 1705 * The $SDH index is sorted by security descriptor hash and is stored in a B+ 1706 * tree. When searching $SDH (with the intent of determining whether or not a 1707 * new security descriptor is already present in the $SDS data stream), if a 1708 * matching hash is found, but the security descriptors do not match, the 1709 * search in the $SDH index is continued, searching for a next matching hash. 1710 * 1711 * When a precise match is found, the security_id coresponding to the security 1712 * descriptor in the $SDS attribute is read from the found $SDH index entry and 1713 * is stored in the $STANDARD_INFORMATION attribute of the file/directory to 1714 * which the security descriptor is being applied. The $STANDARD_INFORMATION 1715 * attribute is present in all base mft records (i.e. in all files and 1716 * directories). 1717 * 1718 * If a match is not found, the security descriptor is assigned a new unique 1719 * security_id and is added to the $SDS data attribute. Then, entries 1720 * referencing the this security descriptor in the $SDS data attribute are 1721 * added to the $SDH and $SII indexes. 1722 * 1723 * Note: Entries are never deleted from FILE_Secure, even if nothing 1724 * references an entry any more. 1725 */ 1726 1727 /* 1728 * struct sii_index_key - Key for $SII index in $Secure file 1729 * 1730 * The index entry key used in the $SII index. The collation type is 1731 * COLLATION_NTOFS_ULONG. 1732 * 1733 * @security_id: 32-bit security identifier. 1734 * Unique ID assigned to a security descriptor. 1735 */ 1736 struct sii_index_key { 1737 __le32 security_id; 1738 } __packed; 1739 1740 /* 1741 * struct sdh_index_key - Key for $SDH index in $Secure file 1742 * 1743 * The index entry key used in the $SDH index. The keys are sorted first by 1744 * hash and then by security_id. The collation rule is 1745 * COLLATION_NTOFS_SECURITY_HASH. 1746 * 1747 * @hash: 32-bit hash of the security descriptor. 1748 * Used for quick collision checks and indexing. 1749 * @security_id: 32-bit security identifier. 1750 * Unique ID assigned to the descriptor. 1751 */ 1752 struct sdh_index_key { 1753 __le32 hash; 1754 __le32 security_id; 1755 } __packed; 1756 1757 /* 1758 * enum - NTFS volume flags (16-bit) 1759 * 1760 * These flags are stored in $VolumeInformation attribute. 1761 * They indicate volume state and required actions. 1762 * 1763 * VOLUME_IS_DIRTY: Volume is dirty (needs chkdsk). 1764 * VOLUME_RESIZE_LOG_FILE: Resize LogFile on next mount. 1765 * VOLUME_UPGRADE_ON_MOUNT: Upgrade volume on mount (old NTFS). 1766 * VOLUME_MOUNTED_ON_NT4: Mounted on NT4 (compatibility flag). 1767 * VOLUME_DELETE_USN_UNDERWAY: USN journal deletion in progress. 1768 * VOLUME_REPAIR_OBJECT_ID: Repair $ObjId on next mount. 1769 * VOLUME_CHKDSK_UNDERWAY: Chkdsk is running. 1770 * VOLUME_MODIFIED_BY_CHKDSK: Modified by chkdsk. 1771 * VOLUME_FLAGS_MASK: Mask of all valid flags (0xc03f). 1772 * VOLUME_MUST_MOUNT_RO_MASK: Flags forcing read-only mount (0xc027). 1773 * If any set, mount read-only. 1774 */ 1775 enum { 1776 VOLUME_IS_DIRTY = cpu_to_le16(0x0001), 1777 VOLUME_RESIZE_LOG_FILE = cpu_to_le16(0x0002), 1778 VOLUME_UPGRADE_ON_MOUNT = cpu_to_le16(0x0004), 1779 VOLUME_MOUNTED_ON_NT4 = cpu_to_le16(0x0008), 1780 1781 VOLUME_DELETE_USN_UNDERWAY = cpu_to_le16(0x0010), 1782 VOLUME_REPAIR_OBJECT_ID = cpu_to_le16(0x0020), 1783 1784 VOLUME_CHKDSK_UNDERWAY = cpu_to_le16(0x4000), 1785 VOLUME_MODIFIED_BY_CHKDSK = cpu_to_le16(0x8000), 1786 1787 VOLUME_FLAGS_MASK = cpu_to_le16(0xc03f), 1788 1789 VOLUME_MUST_MOUNT_RO_MASK = cpu_to_le16(0xc027), 1790 } __packed; 1791 1792 /* 1793 * struct volume_information - $VOLUME_INFORMATION (0x70) 1794 * 1795 * @reserved: Reserved 64-bit field (currently unused). 1796 * @major_ver: Major NTFS version number (e.g., 3 for NTFS 3.1). 1797 * @minor_ver: Minor NTFS version number (e.g., 1 for NTFS 3.1). 1798 * @flags: Volume flags (VOLUME_IS_DIRTY, VOLUME_CHKDSK_UNDERWAY, etc.). 1799 * See volume flags enum for details. 1800 * 1801 * NOTE: Always resident. 1802 * NOTE: Present only in FILE_Volume. 1803 * NOTE: Windows 2000 uses NTFS 3.0 while Windows NT4 service pack 6a uses 1804 * NTFS 1.2. I haven't personally seen other values yet. 1805 */ 1806 struct volume_information { 1807 __le64 reserved; 1808 u8 major_ver; 1809 u8 minor_ver; 1810 __le16 flags; 1811 } __packed; 1812 1813 /* 1814 * enum - Index header flags 1815 * 1816 * These flags are stored in the index header (INDEX_HEADER.flags) for both 1817 * index root ($INDEX_ROOT) and index allocation blocks ($INDEX_ALLOCATION). 1818 * 1819 * For index root ($INDEX_ROOT attribute): 1820 * SMALL_INDEX: Index fits entirely in root attribute (no $INDEX_ALLOCATION). 1821 * LARGE_INDEX: Index too large for root; $INDEX_ALLOCATION present. 1822 * 1823 * For index blocks ($INDEX_ALLOCATION): 1824 * LEAF_NODE: Leaf node (no child nodes; contains actual entries). 1825 * INDEX_NODE: Internal node (indexes other nodes; contains keys/pointers). 1826 * 1827 * NODE_MASK: Mask to extract node type bits (0x01). 1828 */ 1829 enum { 1830 SMALL_INDEX = 0, 1831 LARGE_INDEX = 1, 1832 LEAF_NODE = 0, 1833 INDEX_NODE = 1, 1834 NODE_MASK = 1, 1835 } __packed; 1836 1837 /* 1838 * struct index_header - Common header for index root and index blocks 1839 * 1840 * entries_offset: Byte offset to first INDEX_ENTRY (8-byte aligned). 1841 * index_length: Bytes used by index entries (8-byte aligned). 1842 * From entries_offset to end of used data. 1843 * allocated_size: Total allocated bytes for this index block. 1844 * Fixed size in index allocation; dynamic in root. 1845 * flags: Index flags (SMALL_INDEX, LARGE_INDEX, LEAF_NODE, etc.). 1846 * See INDEX_HEADER_FLAGS enum. 1847 * reserved: 3 bytes reserved/padding (zero, 8-byte aligned). 1848 * 1849 * This is the header for indexes, describing the INDEX_ENTRY records, which 1850 * follow the index_header. Together the index header and the index entries 1851 * make up a complete index. 1852 * 1853 * IMPORTANT NOTE: The offset, length and size structure members are counted 1854 * relative to the start of the index header structure and not relative to the 1855 * start of the index root or index allocation structures themselves. 1856 * 1857 * For the index root attribute, the above two numbers are always 1858 * equal, as the attribute is resident and it is resized as needed. In 1859 * the case of the index allocation attribute the attribute is not 1860 * resident and hence the allocated_size is a fixed value and must 1861 * equal the index_block_size specified by the INDEX_ROOT attribute 1862 * corresponding to the INDEX_ALLOCATION attribute this INDEX_BLOCK 1863 * belongs to. 1864 */ 1865 struct index_header { 1866 __le32 entries_offset; 1867 __le32 index_length; 1868 __le32 allocated_size; 1869 u8 flags; 1870 u8 reserved[3]; 1871 } __packed; 1872 1873 /* 1874 * struct index_root - $INDEX_ROOT attribute (0x90). 1875 * 1876 * @type: Indexed attribute type ($FILE_NAME for dirs, 1877 * 0 for view indexes). 1878 * @collation_rule: Collation rule for sorting entries 1879 * (COLLATION_FILE_NAME for $FILE_NAME). 1880 * @index_block_size: Size of each index block in bytes 1881 * (in $INDEX_ALLOCATION). 1882 * @clusters_per_index_block: 1883 * Clusters per index block (or log2(bytes) 1884 * if < cluster). 1885 * Power of 2; used for encoding block size. 1886 * @reserved: 3 bytes reserved/alignment (zero). 1887 * @index: Index header for root entries (entries follow 1888 * immediately). 1889 * 1890 * NOTE: Always resident. 1891 * 1892 * This is followed by a sequence of index entries (INDEX_ENTRY structures) 1893 * as described by the index header. 1894 * 1895 * When a directory is small enough to fit inside the index root then this 1896 * is the only attribute describing the directory. When the directory is too 1897 * large to fit in the index root, on the other hand, two additional attributes 1898 * are present: an index allocation attribute, containing sub-nodes of the B+ 1899 * directory tree (see below), and a bitmap attribute, describing which virtual 1900 * cluster numbers (vcns) in the index allocation attribute are in use by an 1901 * index block. 1902 * 1903 * NOTE: The root directory (FILE_root) contains an entry for itself. Other 1904 * directories do not contain entries for themselves, though. 1905 */ 1906 struct index_root { 1907 __le32 type; 1908 __le32 collation_rule; 1909 __le32 index_block_size; 1910 u8 clusters_per_index_block; 1911 u8 reserved[3]; 1912 struct index_header index; 1913 } __packed; 1914 1915 /* 1916 * struct index_block - Index allocation (0xa0). 1917 * 1918 * @magic: Magic value "INDX" (see magic_INDX). 1919 * @usa_ofs: Offset to Update Sequence Array (see ntfs_record). 1920 * @usa_count: Number of USA entries (see ntfs_record). 1921 * @lsn: Log sequence number of last modification. 1922 * @index_block_vcn: VCN of this index block. 1923 * Units: clusters if cluster_size <= index_block_size; 1924 * sectors otherwise. 1925 * @index: Index header describing entries in this block. 1926 * 1927 * When creating the index block, we place the update sequence array at this 1928 * offset, i.e. before we start with the index entries. This also makes sense, 1929 * otherwise we could run into problems with the update sequence array 1930 * containing in itself the last two bytes of a sector which would mean that 1931 * multi sector transfer protection wouldn't work. As you can't protect data 1932 * by overwriting it since you then can't get it back... 1933 * When reading use the data from the ntfs record header. 1934 * 1935 * NOTE: Always non-resident (doesn't make sense to be resident anyway!). 1936 * 1937 * This is an array of index blocks. Each index block starts with an 1938 * index_block structure containing an index header, followed by a sequence of 1939 * index entries (INDEX_ENTRY structures), as described by the struct index_header. 1940 */ 1941 struct index_block { 1942 __le32 magic; 1943 __le16 usa_ofs; 1944 __le16 usa_count; 1945 __le64 lsn; 1946 __le64 index_block_vcn; 1947 struct index_header index; 1948 } __packed; 1949 1950 static_assert(sizeof(struct index_block) == 40); 1951 1952 /* 1953 * struct reparse_index_key - Key for $R reparse index in $Extend/$Reparse 1954 * 1955 * @reparse_tag: Reparse point type (including flags, REPARSE_TAG_*). 1956 * @file_id: MFT record number of the file with $REPARSE_POINT 1957 * attribute. 1958 * 1959 * The system file FILE_Extend/$Reparse contains an index named $R listing 1960 * all reparse points on the volume. The index entry keys are as defined 1961 * below. Note, that there is no index data associated with the index entries. 1962 * 1963 * The index entries are sorted by the index key file_id. The collation rule is 1964 * COLLATION_NTOFS_ULONGS. 1965 */ 1966 struct reparse_index_key { 1967 __le32 reparse_tag; 1968 __le64 file_id; 1969 } __packed; 1970 1971 /* 1972 * enum - Quota entry flags (32-bit) in $Quota/$Q 1973 * 1974 * These flags are stored in quota control entries ($Quota file). 1975 * They control quota tracking, limits, and state. 1976 * 1977 * User quota flags (mask 0x00000007): 1978 * @QUOTA_FLAG_DEFAULT_LIMITS: Use default limits. 1979 * @QUOTA_FLAG_LIMIT_REACHED: Quota limit reached. 1980 * @QUOTA_FLAG_ID_DELETED: Quota ID deleted. 1981 * @QUOTA_FLAG_USER_MASK: Mask for user quota flags (0x00000007). 1982 * 1983 * Default entry flags (owner_id = QUOTA_DEFAULTS_ID): 1984 * @QUOTA_FLAG_TRACKING_ENABLED: Quota tracking enabled. 1985 * @QUOTA_FLAG_ENFORCEMENT_ENABLED: Quota enforcement enabled. 1986 * @QUOTA_FLAG_TRACKING_REQUESTED: Tracking requested (pending). 1987 * @QUOTA_FLAG_LOG_THRESHOLD: Log when threshold reached. 1988 * @QUOTA_FLAG_LOG_LIMIT: Log when limit reached. 1989 * @QUOTA_FLAG_OUT_OF_DATE: Quota data out of date. 1990 * @QUOTA_FLAG_CORRUPT: Quota entry corrupt. 1991 * @QUOTA_FLAG_PENDING_DELETES: Pending quota deletes. 1992 * 1993 */ 1994 enum { 1995 QUOTA_FLAG_DEFAULT_LIMITS = cpu_to_le32(0x00000001), 1996 QUOTA_FLAG_LIMIT_REACHED = cpu_to_le32(0x00000002), 1997 QUOTA_FLAG_ID_DELETED = cpu_to_le32(0x00000004), 1998 1999 QUOTA_FLAG_USER_MASK = cpu_to_le32(0x00000007), 2000 QUOTA_FLAG_TRACKING_ENABLED = cpu_to_le32(0x00000010), 2001 QUOTA_FLAG_ENFORCEMENT_ENABLED = cpu_to_le32(0x00000020), 2002 QUOTA_FLAG_TRACKING_REQUESTED = cpu_to_le32(0x00000040), 2003 QUOTA_FLAG_LOG_THRESHOLD = cpu_to_le32(0x00000080), 2004 2005 QUOTA_FLAG_LOG_LIMIT = cpu_to_le32(0x00000100), 2006 QUOTA_FLAG_OUT_OF_DATE = cpu_to_le32(0x00000200), 2007 QUOTA_FLAG_CORRUPT = cpu_to_le32(0x00000400), 2008 QUOTA_FLAG_PENDING_DELETES = cpu_to_le32(0x00000800), 2009 }; 2010 2011 /* 2012 * struct quota_control_entry - Quota entry in $Quota/$Q 2013 * 2014 * @version: Currently 2. 2015 * @flags: Quota flags (QUOTA_FLAG_* bits). 2016 * @bytes_used: Current quota usage in bytes. 2017 * @change_time: Last modification time (NTFS timestamp). 2018 * @threshold: Soft quota limit (-1 = unlimited). 2019 * @limit: Hard quota limit (-1 = unlimited). 2020 * @exceeded_time: Time soft quota has been exceeded. 2021 * @sid: SID of user/object (zero for defaults entry). 2022 * 2023 * The system file FILE_Extend/$Quota contains two indexes $O and $Q. Quotas 2024 * are on a per volume and per user basis. 2025 * 2026 * The $Q index contains one entry for each existing user_id on the volume. The 2027 * index key is the user_id of the user/group owning this quota control entry, 2028 * i.e. the key is the owner_id. The user_id of the owner of a file, i.e. the 2029 * owner_id, is found in the standard information attribute. The collation rule 2030 * for $Q is COLLATION_NTOFS_ULONG. 2031 * 2032 * The $O index contains one entry for each user/group who has been assigned 2033 * a quota on that volume. The index key holds the SID of the user_id the 2034 * entry belongs to, i.e. the owner_id. The collation rule for $O is 2035 * COLLATION_NTOFS_SID. 2036 * 2037 * The $O index entry data is the user_id of the user corresponding to the SID. 2038 * This user_id is used as an index into $Q to find the quota control entry 2039 * associated with the SID. 2040 * 2041 * The $Q index entry data is the quota control entry and is defined below. 2042 */ 2043 struct quota_control_entry { 2044 __le32 version; 2045 __le32 flags; 2046 __le64 bytes_used; 2047 __le64 change_time; 2048 __le64 threshold; 2049 __le64 limit; 2050 __le64 exceeded_time; 2051 struct ntfs_sid sid; 2052 } __packed; 2053 2054 /* 2055 * Predefined owner_id values (32-bit). 2056 */ 2057 enum { 2058 QUOTA_INVALID_ID = cpu_to_le32(0x00000000), 2059 QUOTA_DEFAULTS_ID = cpu_to_le32(0x00000001), 2060 QUOTA_FIRST_USER_ID = cpu_to_le32(0x00000100), 2061 }; 2062 2063 /* 2064 * Current constants for quota control entries. 2065 */ 2066 enum { 2067 /* Current version. */ 2068 QUOTA_VERSION = 2, 2069 }; 2070 2071 /* 2072 * enum - Index entry flags (16-bit) 2073 * 2074 * These flags are in INDEX_ENTRY.flags (after key data). 2075 * They describe entry type and status in index blocks/root. 2076 * 2077 * @INDEX_ENTRY_NODE: Entry points to a sub-node (index block VCN). 2078 * (Not a leaf entry; internal node reference.) 2079 * i.e. a reference to an index block in form of 2080 * a virtual cluster number 2081 * @INDEX_ENTRY_END: Last entry in index block/root. 2082 * Does not represent a real file; can point to sub-node. 2083 * @INDEX_ENTRY_SPACE_FILLER: 2084 * Dummy value to force enum to 16-bit width. 2085 */ 2086 enum { 2087 INDEX_ENTRY_NODE = cpu_to_le16(1), 2088 INDEX_ENTRY_END = cpu_to_le16(2), 2089 INDEX_ENTRY_SPACE_FILLER = cpu_to_le16(0xffff), 2090 } __packed; 2091 2092 /* 2093 * struct index_entry_header - Common header for all NTFS index entries 2094 * 2095 * This is the fixed header at the start of every INDEX_ENTRY in index 2096 * blocks or index root. It is followed by the variable key, data, and 2097 * sub-node VCN. 2098 * 2099 * Union @data: 2100 * - When INDEX_ENTRY_END is not set: 2101 * @data.dir.indexed_file: MFT reference of the file described by 2102 * this entry. Used in directory indexes ($I30). 2103 * - When INDEX_ENTRY_END is set or for view indexes: 2104 * @data.vi.data_offset: Byte offset from end of this header to 2105 * entry data. 2106 * @data.vi.data_length: Length of data in bytes. 2107 * @data.vi.reservedV: Reserved (zero). 2108 * 2109 * @length: Total byte size of this index entry 2110 * (multiple of 8 bytes). 2111 * @key_length: Byte size of the key (not multiple of 8 bytes). 2112 * Key follows the header immediately. 2113 * @flags: Bit field of INDEX_ENTRY_* flags (INDEX_ENTRY_NODE, etc.). 2114 * @reserved: Reserved/padding (zero; align to 8 bytes). 2115 */ 2116 struct index_entry_header { 2117 union { 2118 struct { 2119 __le64 indexed_file; 2120 } __packed dir; 2121 struct { 2122 __le16 data_offset; 2123 __le16 data_length; 2124 __le32 reservedV; 2125 } __packed vi; 2126 } __packed data; 2127 __le16 length; 2128 __le16 key_length; 2129 __le16 flags; 2130 __le16 reserved; 2131 } __packed; 2132 2133 static_assert(sizeof(struct index_entry_header) == 16); 2134 2135 /* 2136 * struct index_entry - NTFS index entry structure 2137 * 2138 * This is an index entry. A sequence of such entries follows each index_header 2139 * structure. Together they make up a complete index. The index follows either 2140 * an index root attribute or an index allocation attribute. 2141 * 2142 * Union @data (valid when INDEX_ENTRY_END not set): 2143 * @data.dir.indexed_file: MFT ref of file (for directory indexes). 2144 * @data.vi.data_offset: Offset to data after key. 2145 * @data.vi.data_length: Length of data in bytes. 2146 * @data.vi.reservedV: Reserved (zero). 2147 * 2148 * Fields: 2149 * @length: Total byte size of entry (multiple of 8 bytes). 2150 * @key_length: Byte size of key (not multiple of 8). 2151 * @flags: INDEX_ENTRY_* flags (NODE, END, etc.). 2152 * @reserved: Reserved/padding (zero). 2153 * 2154 * Union @key (valid when INDEX_ENTRY_END not set) 2155 * The key of the indexed attribute. NOTE: Only present 2156 * if INDEX_ENTRY_END bit in flags is not set. NOTE: On 2157 * NTFS versions before 3.0 the only valid key is the 2158 * struct file_name_attr. On NTFS 3.0+ the following 2159 * additional index keys are defined: 2160 * @key.file_name: $FILE_NAME attr (for $I30 directory indexes). 2161 * @key.sii: $SII key (for $Secure $SII index). 2162 * @key.sdh: $SDH key (for $Secure $SDH index). 2163 * @key.object_id: GUID (for $ObjId $O index). 2164 * @key.reparse: Reparse tag + file ID (for $Reparse $R). 2165 * @key.sid: SID (for $Quota $O index). 2166 * @key.owner_id: User ID (for $Quota $Q index). 2167 * 2168 * The (optional) index data is inserted here when creating. 2169 * __le64 vcn; If INDEX_ENTRY_NODE bit in flags is set, the last 2170 * eight bytes of this index entry contain the virtual 2171 * cluster number of the index block that holds the 2172 * entries immediately preceding the current entry (the 2173 * vcn references the corresponding cluster in the data 2174 * of the non-resident index allocation attribute). If 2175 * the key_length is zero, then the vcn immediately 2176 * follows the INDEX_ENTRY_HEADER. Regardless of 2177 * key_length, the address of the 8-byte boundary 2178 * aligned vcn of INDEX_ENTRY{_HEADER} *ie is given by 2179 * (char*)ie + le16_to_cpu(ie*)->length) - sizeof(VCN), 2180 * where sizeof(VCN) can be hardcoded as 8 if wanted. 2181 * 2182 * NOTE: Before NTFS 3.0 only filename attributes were indexed. 2183 */ 2184 struct index_entry { 2185 union { 2186 struct { 2187 __le64 indexed_file; 2188 } __packed dir; 2189 struct { 2190 __le16 data_offset; 2191 __le16 data_length; 2192 __le32 reservedV; 2193 } __packed vi; 2194 } __packed data; 2195 __le16 length; 2196 __le16 key_length; 2197 __le16 flags; 2198 __le16 reserved; 2199 union { 2200 struct file_name_attr file_name; 2201 struct sii_index_key sii; 2202 struct sdh_index_key sdh; 2203 struct guid object_id; 2204 struct reparse_index_key reparse; 2205 struct ntfs_sid sid; 2206 __le32 owner_id; 2207 } __packed key; 2208 } __packed; 2209 2210 /* 2211 * The reparse point tag defines the type of the reparse point. It also 2212 * includes several flags, which further describe the reparse point. 2213 * 2214 * The reparse point tag is an unsigned 32-bit value divided in three parts: 2215 * 2216 * 1. The least significant 16 bits (i.e. bits 0 to 15) specify the type of 2217 * the reparse point. 2218 * 2. The 12 bits after this (i.e. bits 16 to 27) are reserved for future use. 2219 * 3. The most significant four bits are flags describing the reparse point. 2220 * They are defined as follows: 2221 * bit 28: Directory bit. If set, the directory is not a surrogate 2222 * and can be used the usual way. 2223 * bit 29: Name surrogate bit. If set, the filename is an alias for 2224 * another object in the system. 2225 * bit 30: High-latency bit. If set, accessing the first byte of data will 2226 * be slow. (E.g. the data is stored on a tape drive.) 2227 * bit 31: Microsoft bit. If set, the tag is owned by Microsoft. User 2228 * defined tags have to use zero here. 2229 * 4. Moreover, on Windows 10 : 2230 * Some flags may be used in bits 12 to 15 to further describe the 2231 * reparse point. 2232 */ 2233 enum { 2234 IO_REPARSE_TAG_DIRECTORY = cpu_to_le32(0x10000000), 2235 IO_REPARSE_TAG_IS_ALIAS = cpu_to_le32(0x20000000), 2236 IO_REPARSE_TAG_IS_HIGH_LATENCY = cpu_to_le32(0x40000000), 2237 IO_REPARSE_TAG_IS_MICROSOFT = cpu_to_le32(0x80000000), 2238 2239 IO_REPARSE_TAG_RESERVED_ZERO = cpu_to_le32(0x00000000), 2240 IO_REPARSE_TAG_RESERVED_ONE = cpu_to_le32(0x00000001), 2241 IO_REPARSE_TAG_RESERVED_RANGE = cpu_to_le32(0x00000001), 2242 2243 IO_REPARSE_TAG_CSV = cpu_to_le32(0x80000009), 2244 IO_REPARSE_TAG_DEDUP = cpu_to_le32(0x80000013), 2245 IO_REPARSE_TAG_DFS = cpu_to_le32(0x8000000A), 2246 IO_REPARSE_TAG_DFSR = cpu_to_le32(0x80000012), 2247 IO_REPARSE_TAG_HSM = cpu_to_le32(0xC0000004), 2248 IO_REPARSE_TAG_HSM2 = cpu_to_le32(0x80000006), 2249 IO_REPARSE_TAG_MOUNT_POINT = cpu_to_le32(0xA0000003), 2250 IO_REPARSE_TAG_NFS = cpu_to_le32(0x80000014), 2251 IO_REPARSE_TAG_SIS = cpu_to_le32(0x80000007), 2252 IO_REPARSE_TAG_SYMLINK = cpu_to_le32(0xA000000C), 2253 IO_REPARSE_TAG_WIM = cpu_to_le32(0x80000008), 2254 IO_REPARSE_TAG_DFM = cpu_to_le32(0x80000016), 2255 IO_REPARSE_TAG_WOF = cpu_to_le32(0x80000017), 2256 IO_REPARSE_TAG_WCI = cpu_to_le32(0x80000018), 2257 IO_REPARSE_TAG_CLOUD = cpu_to_le32(0x9000001A), 2258 IO_REPARSE_TAG_APPEXECLINK = cpu_to_le32(0x8000001B), 2259 IO_REPARSE_TAG_GVFS = cpu_to_le32(0x9000001C), 2260 IO_REPARSE_TAG_LX_SYMLINK = cpu_to_le32(0xA000001D), 2261 IO_REPARSE_TAG_AF_UNIX = cpu_to_le32(0x80000023), 2262 IO_REPARSE_TAG_LX_FIFO = cpu_to_le32(0x80000024), 2263 IO_REPARSE_TAG_LX_CHR = cpu_to_le32(0x80000025), 2264 IO_REPARSE_TAG_LX_BLK = cpu_to_le32(0x80000026), 2265 2266 IO_REPARSE_TAG_VALID_VALUES = cpu_to_le32(0xf000ffff), 2267 IO_REPARSE_PLUGIN_SELECT = cpu_to_le32(0xffff0fff), 2268 }; 2269 2270 /* 2271 * struct reparse_point - $REPARSE_POINT attribute content (0xc0)\ 2272 * 2273 * @reparse_tag: Reparse point type (with flags; REPARSE_TAG_*). 2274 * @reparse_data_length: Byte size of @reparse_data. 2275 * @reserved: Reserved/padding (zero; 8-byte alignment). 2276 * @reparse_data: Variable reparse data (meaning depends on @reparse_tag). 2277 * - Symbolic link/junction: struct reparse_symlink 2278 * - Mount point: similar symlink structure 2279 * - Other tags: vendor-specific or extended data 2280 * 2281 * NOTE: Can be resident or non-resident. 2282 */ 2283 struct reparse_point { 2284 __le32 reparse_tag; 2285 __le16 reparse_data_length; 2286 __le16 reserved; 2287 u8 reparse_data[]; 2288 } __packed; 2289 2290 /* 2291 * struct ea_information - $EA_INFORMATION attribute content (0xd0) 2292 * 2293 * @ea_length: Byte size of packed EAs. 2294 * @need_ea_count: Number of EAs with NEED_EA bit set. 2295 * @ea_query_length: Byte size needed to unpack/query EAs via ZwQueryEaFile(). 2296 * (Unpacked format size.) 2297 * 2298 * NOTE: Always resident. (Is this true???) 2299 */ 2300 struct ea_information { 2301 __le16 ea_length; 2302 __le16 need_ea_count; 2303 __le32 ea_query_length; 2304 } __packed; 2305 2306 /* 2307 * enum - Extended attribute flags (8-bit) 2308 * 2309 * These flags are stored in the EA header of each extended attribute 2310 * (in $EA attribute, type 0xe0). 2311 * 2312 * @NEED_EA: If set, the file cannot be properly interpreted 2313 * without understanding its associated EAs. 2314 * (Critical EA; applications must process it.) 2315 */ 2316 enum { 2317 NEED_EA = 0x80 2318 } __packed; 2319 2320 /* 2321 * struct ea_attr - Extended attribute (EA) entry (0xe0) 2322 * 2323 * @next_entry_offset: Byte offset to the next EA_ATTR entry. 2324 * (From start of current entry.) 2325 * @flags: EA flags (NEED_EA = 0x80 if critical). 2326 * @ea_name_length: Length of @ea_name in bytes (excluding '\0'). 2327 * @ea_value_length: Byte size of the EA value. 2328 * @ea_name: ASCII name of the EA (zero-terminated). 2329 * Value immediately follows the name. 2330 * u8 ea_value[]; The value of the EA. Immediately follows the name. 2331 * 2332 * This is one variable-length record in the $EA attribute value. 2333 * The attribute can be resident or non-resident. 2334 * Sequence of these entries forms the packed EA list. 2335 * 2336 * NOTE: Can be resident or non-resident. 2337 */ 2338 struct ea_attr { 2339 __le32 next_entry_offset; 2340 u8 flags; 2341 u8 ea_name_length; 2342 __le16 ea_value_length; 2343 u8 ea_name[]; 2344 } __packed; 2345 2346 #endif /* _LINUX_NTFS_LAYOUT_H */ 2347