11e9ea7e0SNamjae Jeon /* SPDX-License-Identifier: GPL-2.0-or-later */ 21e9ea7e0SNamjae Jeon /* 3*40796051SNamjae Jeon * All NTFS associated on-disk structures. 41e9ea7e0SNamjae Jeon * 51e9ea7e0SNamjae Jeon * Copyright (c) 2001-2005 Anton Altaparmakov 61e9ea7e0SNamjae Jeon * Copyright (c) 2002 Richard Russon 71e9ea7e0SNamjae Jeon */ 81e9ea7e0SNamjae Jeon 91e9ea7e0SNamjae Jeon #ifndef _LINUX_NTFS_LAYOUT_H 101e9ea7e0SNamjae Jeon #define _LINUX_NTFS_LAYOUT_H 111e9ea7e0SNamjae Jeon 121e9ea7e0SNamjae Jeon #include <linux/types.h> 131e9ea7e0SNamjae Jeon #include <linux/bitops.h> 141e9ea7e0SNamjae Jeon #include <linux/list.h> 151e9ea7e0SNamjae Jeon #include <asm/byteorder.h> 161e9ea7e0SNamjae Jeon 171e9ea7e0SNamjae Jeon /* The NTFS oem_id "NTFS " */ 181e9ea7e0SNamjae Jeon #define magicNTFS cpu_to_le64(0x202020205346544eULL) 191e9ea7e0SNamjae Jeon 201e9ea7e0SNamjae Jeon /* 211e9ea7e0SNamjae Jeon * Location of bootsector on partition: 221e9ea7e0SNamjae Jeon * The standard NTFS_BOOT_SECTOR is on sector 0 of the partition. 231e9ea7e0SNamjae Jeon * On NT4 and above there is one backup copy of the boot sector to 241e9ea7e0SNamjae Jeon * be found on the last sector of the partition (not normally accessible 251e9ea7e0SNamjae Jeon * from within Windows as the bootsector contained number of sectors 261e9ea7e0SNamjae Jeon * value is one less than the actual value!). 271e9ea7e0SNamjae Jeon * On versions of NT 3.51 and earlier, the backup copy was located at 281e9ea7e0SNamjae Jeon * number of sectors/2 (integer divide), i.e. in the middle of the volume. 291e9ea7e0SNamjae Jeon */ 301e9ea7e0SNamjae Jeon 311e9ea7e0SNamjae Jeon /* 321e9ea7e0SNamjae Jeon * BIOS parameter block (bpb) structure. 33*40796051SNamjae Jeon * 34*40796051SNamjae Jeon * @bytes_per_sector: Size of a sector in bytes (usually 512). 35*40796051SNamjae Jeon * Matches the logical sector size of the underlying device. 36*40796051SNamjae Jeon * @sectors_per_cluster: Size of a cluster in sectors (NTFS cluster size / sector size). 37*40796051SNamjae Jeon * @reserved_sectors: Number of reserved sectors at the beginning of the volume. 38*40796051SNamjae Jeon * Always set to 0 in NTFS. 39*40796051SNamjae Jeon * @fats: Number of FAT tables. 40*40796051SNamjae Jeon * Always 0 in NTFS (no FAT tables exist). 41*40796051SNamjae Jeon * @root_entries: Number of entries in the root directory. 42*40796051SNamjae Jeon * Always 0 in NTFS. 43*40796051SNamjae Jeon * @sectors: Total number of sectors on the volume. 44*40796051SNamjae Jeon * Always 0 in NTFS (use @large_sectors instead). 45*40796051SNamjae Jeon * @media_type: Media descriptor byte. 46*40796051SNamjae Jeon * 0xF8 for hard disk (fixed media) in NTFS. 47*40796051SNamjae Jeon * @sectors_per_fat: Number of sectors per FAT table. 48*40796051SNamjae Jeon * Always 0 in NTFS. 49*40796051SNamjae Jeon * @sectors_per_track: Number of sectors per track. 50*40796051SNamjae Jeon * Irrelevant for NTFS. 51*40796051SNamjae Jeon * @heads: Number of heads (CHS geometry). 52*40796051SNamjae Jeon * Irrelevant for NTFS. 53*40796051SNamjae Jeon * @hidden_sectors: Number of hidden sectors before the start of the partition. 54*40796051SNamjae Jeon * Always 0 in NTFS boot sector. 55*40796051SNamjae Jeon * @large_sectors: Total number of sectors on the volume. 561e9ea7e0SNamjae Jeon */ 57*40796051SNamjae Jeon struct bios_parameter_block { 58*40796051SNamjae Jeon __le16 bytes_per_sector; 59*40796051SNamjae Jeon u8 sectors_per_cluster; 60*40796051SNamjae Jeon __le16 reserved_sectors; 61*40796051SNamjae Jeon u8 fats; 62*40796051SNamjae Jeon __le16 root_entries; 63*40796051SNamjae Jeon __le16 sectors; 64*40796051SNamjae Jeon u8 media_type; 65*40796051SNamjae Jeon __le16 sectors_per_fat; 66*40796051SNamjae Jeon __le16 sectors_per_track; 67*40796051SNamjae Jeon __le16 heads; 68*40796051SNamjae Jeon __le32 hidden_sectors; 69*40796051SNamjae Jeon __le32 large_sectors; 70*40796051SNamjae Jeon } __packed; 711e9ea7e0SNamjae Jeon 721e9ea7e0SNamjae Jeon /* 731e9ea7e0SNamjae Jeon * NTFS boot sector structure. 74*40796051SNamjae Jeon * 75*40796051SNamjae Jeon * @jump: 3-byte jump instruction to boot code (irrelevant for NTFS). 76*40796051SNamjae Jeon * Typically 0xEB 0x52 0x90 or similar. 77*40796051SNamjae Jeon * @oem_id: OEM identifier string (8 bytes). 78*40796051SNamjae Jeon * Always "NTFS " (with trailing spaces) in NTFS volumes. 79*40796051SNamjae Jeon * @bpb: Legacy BIOS Parameter Block (see struct bios_parameter_block). 80*40796051SNamjae Jeon * Mostly zeroed or set to fixed values for NTFS compatibility. 81*40796051SNamjae Jeon * @unused: 4 bytes, reserved/unused. 82*40796051SNamjae Jeon * NTFS disk editors show it as: 83*40796051SNamjae Jeon * - physical_drive (0x80 for fixed disk) 84*40796051SNamjae Jeon * - current_head (0) 85*40796051SNamjae Jeon * - extended_boot_signature (0x80 or 0x28) 86*40796051SNamjae Jeon * - unused (0) 87*40796051SNamjae Jeon * Always zero in practice for NTFS. 88*40796051SNamjae Jeon * @number_of_sectors: Number of sectors in volume. Gives maximum volume 89*40796051SNamjae Jeon * size of 2^63 sectors. Assuming standard sector 90*40796051SNamjae Jeon * size of 512 bytes, the maximum byte size is 91*40796051SNamjae Jeon * approx. 4.7x10^21 bytes. (-; 92*40796051SNamjae Jeon * @mft_lcn: Logical cluster number (LCN) of the $MFT data attribute. 93*40796051SNamjae Jeon * Location of the Master File Table. 94*40796051SNamjae Jeon * @mftmirr_lcn: LCN of the $MFTMirr (first 3-4 MFT records copy). 95*40796051SNamjae Jeon * Mirror for boot-time recovery. 96*40796051SNamjae Jeon * @clusters_per_mft_record: 97*40796051SNamjae Jeon * Size of each MFT record in clusters. 98*40796051SNamjae Jeon * @reserved0: 3 bytes, reserved/zero. 99*40796051SNamjae Jeon * @clusters_per_index_record: 100*40796051SNamjae Jeon * Size of each index block/record in clusters. 101*40796051SNamjae Jeon * @reserved1: 3 bytes, reserved/zero. 102*40796051SNamjae Jeon * @volume_serial_number: 103*40796051SNamjae Jeon * 64-bit volume serial number. 104*40796051SNamjae Jeon * Used for identification (irrelevant for NTFS operation). 105*40796051SNamjae Jeon * @checksum: 32-bit checksum of the boot sector (excluding this field). 106*40796051SNamjae Jeon * Used to detect boot sector corruption. 107*40796051SNamjae Jeon * @bootstrap: 426 bytes of bootstrap code. 108*40796051SNamjae Jeon * Irrelevant for NTFS (contains x86 boot loader stub). 109*40796051SNamjae Jeon * @end_of_sector_marker: 110*40796051SNamjae Jeon * 2-byte end-of-sector signature. 111*40796051SNamjae Jeon * Always 0xAA55 (little-endian magic number). 1121e9ea7e0SNamjae Jeon */ 113*40796051SNamjae Jeon struct ntfs_boot_sector { 114*40796051SNamjae Jeon u8 jump[3]; 115*40796051SNamjae Jeon __le64 oem_id; 116*40796051SNamjae Jeon struct bios_parameter_block bpb; 117*40796051SNamjae Jeon u8 unused[4]; 118*40796051SNamjae Jeon __le64 number_of_sectors; 119*40796051SNamjae Jeon __le64 mft_lcn; 120*40796051SNamjae Jeon __le64 mftmirr_lcn; 121*40796051SNamjae Jeon s8 clusters_per_mft_record; 122*40796051SNamjae Jeon u8 reserved0[3]; 123*40796051SNamjae Jeon s8 clusters_per_index_record; 124*40796051SNamjae Jeon u8 reserved1[3]; 125*40796051SNamjae Jeon __le64 volume_serial_number; 126*40796051SNamjae Jeon __le32 checksum; 127*40796051SNamjae Jeon u8 bootstrap[426]; 128*40796051SNamjae Jeon __le16 end_of_sector_marker; 129*40796051SNamjae Jeon } __packed; 130*40796051SNamjae Jeon 131*40796051SNamjae Jeon static_assert(sizeof(struct ntfs_boot_sector) == 512); 1321e9ea7e0SNamjae Jeon 1331e9ea7e0SNamjae Jeon /* 1341e9ea7e0SNamjae Jeon * Magic identifiers present at the beginning of all ntfs record containing 1351e9ea7e0SNamjae Jeon * records (like mft records for example). 136*40796051SNamjae Jeon * 137*40796051SNamjae Jeon * magic_FILE: MFT entry header ("FILE" in ASCII). 138*40796051SNamjae Jeon * Used in $MFT/$DATA for all master file table records. 139*40796051SNamjae Jeon * magic_INDX: Index buffer header ("INDX" in ASCII). 140*40796051SNamjae Jeon * Used in $INDEX_ALLOCATION attributes (directories, $I30 indexes). 141*40796051SNamjae Jeon * magic_HOLE: Hole marker ("HOLE" in ASCII). 142*40796051SNamjae Jeon * Introduced in NTFS 3.0+, used for sparse/hole regions in some contexts. 143*40796051SNamjae Jeon * magic_RSTR: Restart page header ("RSTR" in ASCII). 144*40796051SNamjae Jeon * Used in LogFile for restart pages (transaction log recovery). 145*40796051SNamjae Jeon * magic_RCRD: Log record page header ("RCRD" in ASCII). 146*40796051SNamjae Jeon * Used in LogFile for individual log record pages. 147*40796051SNamjae Jeon * magic_CHKD: Chkdsk modified marker ("CHKD" in ASCII). 148*40796051SNamjae Jeon * Set by chkdsk when it modifies a record; indicates repair was done. 149*40796051SNamjae Jeon * magic_BAAD: Bad record marker ("BAAD" in ASCII). 150*40796051SNamjae Jeon * Indicates a multi-sector transfer failure was detected. 151*40796051SNamjae Jeon * The record is corrupted/unusable; often set during I/O errors. 152*40796051SNamjae Jeon * magic_empty: Empty/uninitialized page marker (0xffffffff). 153*40796051SNamjae Jeon * Used in LogFile when a page is filled with 0xff bytes 154*40796051SNamjae Jeon * and has not yet been initialized. Must be formatted before use. 1551e9ea7e0SNamjae Jeon */ 1561e9ea7e0SNamjae Jeon enum { 157*40796051SNamjae Jeon magic_FILE = cpu_to_le32(0x454c4946), 158*40796051SNamjae Jeon magic_INDX = cpu_to_le32(0x58444e49), 159*40796051SNamjae Jeon magic_HOLE = cpu_to_le32(0x454c4f48), 160*40796051SNamjae Jeon magic_RSTR = cpu_to_le32(0x52545352), 161*40796051SNamjae Jeon magic_RCRD = cpu_to_le32(0x44524352), 162*40796051SNamjae Jeon magic_CHKD = cpu_to_le32(0x444b4843), 163*40796051SNamjae Jeon magic_BAAD = cpu_to_le32(0x44414142), 164*40796051SNamjae Jeon magic_empty = cpu_to_le32(0xffffffff) 1651e9ea7e0SNamjae Jeon }; 1661e9ea7e0SNamjae Jeon 1671e9ea7e0SNamjae Jeon /* 1681e9ea7e0SNamjae Jeon * Generic magic comparison macros. Finally found a use for the ## preprocessor 1691e9ea7e0SNamjae Jeon * operator! (-8 1701e9ea7e0SNamjae Jeon */ 1711e9ea7e0SNamjae Jeon 172*40796051SNamjae Jeon static inline bool __ntfs_is_magic(__le32 x, __le32 r) 1731e9ea7e0SNamjae Jeon { 1741e9ea7e0SNamjae Jeon return (x == r); 1751e9ea7e0SNamjae Jeon } 1761e9ea7e0SNamjae Jeon #define ntfs_is_magic(x, m) __ntfs_is_magic(x, magic_##m) 1771e9ea7e0SNamjae Jeon 178*40796051SNamjae Jeon static inline bool __ntfs_is_magicp(__le32 *p, __le32 r) 1791e9ea7e0SNamjae Jeon { 1801e9ea7e0SNamjae Jeon return (*p == r); 1811e9ea7e0SNamjae Jeon } 1821e9ea7e0SNamjae Jeon #define ntfs_is_magicp(p, m) __ntfs_is_magicp(p, magic_##m) 1831e9ea7e0SNamjae Jeon 1841e9ea7e0SNamjae Jeon /* 1851e9ea7e0SNamjae Jeon * Specialised magic comparison macros for the NTFS_RECORD_TYPEs defined above. 1861e9ea7e0SNamjae Jeon */ 1871e9ea7e0SNamjae Jeon #define ntfs_is_file_record(x) (ntfs_is_magic(x, FILE)) 1881e9ea7e0SNamjae Jeon #define ntfs_is_file_recordp(p) (ntfs_is_magicp(p, FILE)) 1891e9ea7e0SNamjae Jeon #define ntfs_is_mft_record(x) (ntfs_is_file_record(x)) 1901e9ea7e0SNamjae Jeon #define ntfs_is_mft_recordp(p) (ntfs_is_file_recordp(p)) 1911e9ea7e0SNamjae Jeon #define ntfs_is_indx_record(x) (ntfs_is_magic(x, INDX)) 1921e9ea7e0SNamjae Jeon #define ntfs_is_indx_recordp(p) (ntfs_is_magicp(p, INDX)) 1931e9ea7e0SNamjae Jeon #define ntfs_is_hole_record(x) (ntfs_is_magic(x, HOLE)) 1941e9ea7e0SNamjae Jeon #define ntfs_is_hole_recordp(p) (ntfs_is_magicp(p, HOLE)) 1951e9ea7e0SNamjae Jeon 1961e9ea7e0SNamjae Jeon #define ntfs_is_rstr_record(x) (ntfs_is_magic(x, RSTR)) 1971e9ea7e0SNamjae Jeon #define ntfs_is_rstr_recordp(p) (ntfs_is_magicp(p, RSTR)) 1981e9ea7e0SNamjae Jeon #define ntfs_is_rcrd_record(x) (ntfs_is_magic(x, RCRD)) 1991e9ea7e0SNamjae Jeon #define ntfs_is_rcrd_recordp(p) (ntfs_is_magicp(p, RCRD)) 2001e9ea7e0SNamjae Jeon 2011e9ea7e0SNamjae Jeon #define ntfs_is_chkd_record(x) (ntfs_is_magic(x, CHKD)) 2021e9ea7e0SNamjae Jeon #define ntfs_is_chkd_recordp(p) (ntfs_is_magicp(p, CHKD)) 2031e9ea7e0SNamjae Jeon 2041e9ea7e0SNamjae Jeon #define ntfs_is_baad_record(x) (ntfs_is_magic(x, BAAD)) 2051e9ea7e0SNamjae Jeon #define ntfs_is_baad_recordp(p) (ntfs_is_magicp(p, BAAD)) 2061e9ea7e0SNamjae Jeon 2071e9ea7e0SNamjae Jeon #define ntfs_is_empty_record(x) (ntfs_is_magic(x, empty)) 2081e9ea7e0SNamjae Jeon #define ntfs_is_empty_recordp(p) (ntfs_is_magicp(p, empty)) 2091e9ea7e0SNamjae Jeon 2101e9ea7e0SNamjae Jeon /* 211*40796051SNamjae Jeon * struct ntfs_record - Common header for all multi-sector protected NTFS records 212*40796051SNamjae Jeon * 213*40796051SNamjae Jeon * @magic: 4-byte magic identifier for the record type and/or status. 214*40796051SNamjae Jeon * Common values are defined in the magic_* enum (FILE, INDX, RSTR, 215*40796051SNamjae Jeon * RCRD, CHKD, BAAD, HOLE, empty). 216*40796051SNamjae Jeon * - "FILE" = MFT record 217*40796051SNamjae Jeon * - "INDX" = Index allocation block 218*40796051SNamjae Jeon * - "BAAD" = Record corrupted (multi-sector fixup failed) 219*40796051SNamjae Jeon * - 0xffffffff = Uninitialized/empty page 220*40796051SNamjae Jeon * @usa_ofs: Offset (in bytes) from the start of this record to the Update 221*40796051SNamjae Jeon * Sequence Array (USA). 222*40796051SNamjae Jeon * The USA is located at record + usa_ofs. 223*40796051SNamjae Jeon * @usa_count: Number of 16-bit entries in the USA array (including the Update 224*40796051SNamjae Jeon * Sequence Number itself). 225*40796051SNamjae Jeon * - Number of fixup locations = usa_count - 1 226*40796051SNamjae Jeon * - Each fixup location is a 16-bit value in the record that needs 227*40796051SNamjae Jeon * protection against torn writes. 228*40796051SNamjae Jeon * 229*40796051SNamjae Jeon * The Update Sequence Array (usa) is an array of the __le16 values which belong 2301e9ea7e0SNamjae Jeon * to the end of each sector protected by the update sequence record in which 2311e9ea7e0SNamjae Jeon * this array is contained. Note that the first entry is the Update Sequence 2321e9ea7e0SNamjae Jeon * Number (usn), a cyclic counter of how many times the protected record has 2331e9ea7e0SNamjae Jeon * been written to disk. The values 0 and -1 (ie. 0xffff) are not used. All 2341e9ea7e0SNamjae Jeon * last le16's of each sector have to be equal to the usn (during reading) or 2351e9ea7e0SNamjae Jeon * are set to it (during writing). If they are not, an incomplete multi sector 2361e9ea7e0SNamjae Jeon * transfer has occurred when the data was written. 2371e9ea7e0SNamjae Jeon * The maximum size for the update sequence array is fixed to: 2381e9ea7e0SNamjae Jeon * maximum size = usa_ofs + (usa_count * 2) = 510 bytes 239*40796051SNamjae Jeon * The 510 bytes comes from the fact that the last __le16 in the array has to 240*40796051SNamjae Jeon * (obviously) finish before the last __le16 of the first 512-byte sector. 2411e9ea7e0SNamjae Jeon * This formula can be used as a consistency check in that usa_ofs + 2421e9ea7e0SNamjae Jeon * (usa_count * 2) has to be less than or equal to 510. 2431e9ea7e0SNamjae Jeon */ 244*40796051SNamjae Jeon struct ntfs_record { 245*40796051SNamjae Jeon __le32 magic; 246*40796051SNamjae Jeon __le16 usa_ofs; 247*40796051SNamjae Jeon __le16 usa_count; 248*40796051SNamjae Jeon } __packed; 2491e9ea7e0SNamjae Jeon 2501e9ea7e0SNamjae Jeon /* 2511e9ea7e0SNamjae Jeon * System files mft record numbers. All these files are always marked as used 2521e9ea7e0SNamjae Jeon * in the bitmap attribute of the mft; presumably in order to avoid accidental 2531e9ea7e0SNamjae Jeon * allocation for random other mft records. Also, the sequence number for each 2541e9ea7e0SNamjae Jeon * of the system files is always equal to their mft record number and it is 2551e9ea7e0SNamjae Jeon * never modified. 256*40796051SNamjae Jeon * 257*40796051SNamjae Jeon * FILE_MFT: Master File Table (MFT) itself. 258*40796051SNamjae Jeon * Data attribute contains all MFT entries; 259*40796051SNamjae Jeon * Bitmap attribute tracks which records are in use (bit==1). 260*40796051SNamjae Jeon * FILE_MFTMirr: MFT mirror: copy of the first four (or more) MFT records 261*40796051SNamjae Jeon * in its data attribute. 262*40796051SNamjae Jeon * If cluster size > 4 KiB, copies first N records where 263*40796051SNamjae Jeon * N = cluster_size / mft_record_size. 264*40796051SNamjae Jeon * FILE_LogFile: Journaling log (LogFile) in data attribute. 265*40796051SNamjae Jeon * Used for transaction logging and recovery. 266*40796051SNamjae Jeon * FILE_Volume: Volume information and name. 267*40796051SNamjae Jeon * Contains $VolumeName (label) and $VolumeInformation 268*40796051SNamjae Jeon * (flags, NTFS version). Windows calls this the volume DASD. 269*40796051SNamjae Jeon * FILE_AttrDef: Attribute definitions array in data attribute. 270*40796051SNamjae Jeon * Defines all possible attribute types and their properties. 271*40796051SNamjae Jeon * FILE_root: Root directory ($Root). 272*40796051SNamjae Jeon * The top-level directory of the filesystem. 273*40796051SNamjae Jeon * FILE_Bitmap: Cluster allocation bitmap ($Bitmap) in data attribute. 274*40796051SNamjae Jeon * Tracks free/used clusters (LCNs) on the volume. 275*40796051SNamjae Jeon * FILE_Boot: Boot sector ($Boot) in data attribute. 276*40796051SNamjae Jeon * Always located at cluster 0; contains BPB and NTFS parameters. 277*40796051SNamjae Jeon * FILE_BadClus: Bad cluster list ($BadClus) in non-resident data attribute. 278*40796051SNamjae Jeon * Marks all known bad clusters. 279*40796051SNamjae Jeon * FILE_Secure: Security descriptors ($Secure). 280*40796051SNamjae Jeon * Contains shared $SDS (security descriptors) and two indexes 281*40796051SNamjae Jeon * ($SDH, $SII). Introduced in Windows 2000. 282*40796051SNamjae Jeon * Before that, it was called $Quota but was unused. 283*40796051SNamjae Jeon * FILE_UpCase: Uppercase table ($UpCase) in data attribute. 284*40796051SNamjae Jeon * Maps all 65536 Unicode characters to their uppercase forms. 285*40796051SNamjae Jeon * FILE_Extend: System directory ($Extend). 286*40796051SNamjae Jeon * Contains additional system files ($ObjId, $Quota, $Reparse, 287*40796051SNamjae Jeon * $UsnJrnl, etc.). Introduced in NTFS 3.0 (Windows 2000). 288*40796051SNamjae Jeon * FILE_reserved12: Reserved for future use (MFT records 12–15). 289*40796051SNamjae Jeon * FILE_reserved13: Reserved. 290*40796051SNamjae Jeon * FILE_reserved14: Reserved. 291*40796051SNamjae Jeon * FILE_reserved15: Reserved. 292*40796051SNamjae Jeon * FILE_first_user: First possible user-created file MFT record number. 293*40796051SNamjae Jeon * Used as a boundary to distinguish system files from user files. 2941e9ea7e0SNamjae Jeon */ 295*40796051SNamjae Jeon enum { 296*40796051SNamjae Jeon FILE_MFT = 0, 297*40796051SNamjae Jeon FILE_MFTMirr = 1, 298*40796051SNamjae Jeon FILE_LogFile = 2, 299*40796051SNamjae Jeon FILE_Volume = 3, 300*40796051SNamjae Jeon FILE_AttrDef = 4, 301*40796051SNamjae Jeon FILE_root = 5, 302*40796051SNamjae Jeon FILE_Bitmap = 6, 303*40796051SNamjae Jeon FILE_Boot = 7, 304*40796051SNamjae Jeon FILE_BadClus = 8, 305*40796051SNamjae Jeon FILE_Secure = 9, 306*40796051SNamjae Jeon FILE_UpCase = 10, 307*40796051SNamjae Jeon FILE_Extend = 11, 308*40796051SNamjae Jeon FILE_reserved12 = 12, 3091e9ea7e0SNamjae Jeon FILE_reserved13 = 13, 3101e9ea7e0SNamjae Jeon FILE_reserved14 = 14, 3111e9ea7e0SNamjae Jeon FILE_reserved15 = 15, 312*40796051SNamjae Jeon FILE_first_user = 16, 313*40796051SNamjae Jeon }; 3141e9ea7e0SNamjae Jeon 3151e9ea7e0SNamjae Jeon /* 316*40796051SNamjae Jeon * enum - Flags for MFT record header 317*40796051SNamjae Jeon * 3181e9ea7e0SNamjae Jeon * These are the so far known MFT_RECORD_* flags (16-bit) which contain 3191e9ea7e0SNamjae Jeon * information about the mft record in which they are present. 320*40796051SNamjae Jeon * 321*40796051SNamjae Jeon * MFT_RECORD_IN_USE: This MFT record is allocated and in use. 322*40796051SNamjae Jeon * (bit set = record is valid/used; clear = free) 323*40796051SNamjae Jeon * MFT_RECORD_IS_DIRECTORY: This MFT record represents a directory. 324*40796051SNamjae Jeon * (Used to quickly distinguish files from directories) 325*40796051SNamjae Jeon * MFT_RECORD_IS_4: Indicates the record is a special "record 4" type. 326*40796051SNamjae Jeon * (Rarely used; related to NTFS internal special cases, 327*40796051SNamjae Jeon * often for $AttrDef or early system files) 328*40796051SNamjae Jeon * MFT_RECORD_IS_VIEW_INDEX: This MFT record is used as a view index. 329*40796051SNamjae Jeon * (Specific to NTFS indexed views or object ID indexes) 330*40796051SNamjae Jeon * MFT_REC_SPACE_FILLER: Dummy value to force the enum to be 16-bit wide. 331*40796051SNamjae Jeon * (Not a real flag; just a sentinel to ensure the type 332*40796051SNamjae Jeon * is __le16 and no higher bits are accidentally used) 3331e9ea7e0SNamjae Jeon */ 3341e9ea7e0SNamjae Jeon enum { 3351e9ea7e0SNamjae Jeon MFT_RECORD_IN_USE = cpu_to_le16(0x0001), 3361e9ea7e0SNamjae Jeon MFT_RECORD_IS_DIRECTORY = cpu_to_le16(0x0002), 337*40796051SNamjae Jeon MFT_RECORD_IS_4 = cpu_to_le16(0x0004), 338*40796051SNamjae Jeon MFT_RECORD_IS_VIEW_INDEX = cpu_to_le16(0x0008), 339*40796051SNamjae Jeon MFT_REC_SPACE_FILLER = cpu_to_le16(0xffff), /*Just to make flags 16-bit.*/ 340*40796051SNamjae Jeon } __packed; 3411e9ea7e0SNamjae Jeon 3421e9ea7e0SNamjae Jeon /* 3431e9ea7e0SNamjae Jeon * mft references (aka file references or file record segment references) are 3441e9ea7e0SNamjae Jeon * used whenever a structure needs to refer to a record in the mft. 3451e9ea7e0SNamjae Jeon * 3461e9ea7e0SNamjae Jeon * A reference consists of a 48-bit index into the mft and a 16-bit sequence 3471e9ea7e0SNamjae Jeon * number used to detect stale references. 3481e9ea7e0SNamjae Jeon * 3491e9ea7e0SNamjae Jeon * For error reporting purposes we treat the 48-bit index as a signed quantity. 3501e9ea7e0SNamjae Jeon * 3511e9ea7e0SNamjae Jeon * The sequence number is a circular counter (skipping 0) describing how many 3521e9ea7e0SNamjae Jeon * times the referenced mft record has been (re)used. This has to match the 3531e9ea7e0SNamjae Jeon * sequence number of the mft record being referenced, otherwise the reference 354*40796051SNamjae Jeon * is considered stale and removed. 3551e9ea7e0SNamjae Jeon * 3561e9ea7e0SNamjae Jeon * If the sequence number is zero it is assumed that no sequence number 3571e9ea7e0SNamjae Jeon * consistency checking should be performed. 3581e9ea7e0SNamjae Jeon */ 3591e9ea7e0SNamjae Jeon 3601e9ea7e0SNamjae Jeon /* 361*40796051SNamjae Jeon * Define two unpacking macros to get to the reference (MREF) and 3621e9ea7e0SNamjae Jeon * sequence number (MSEQNO) respectively. 3631e9ea7e0SNamjae Jeon * The _LE versions are to be applied on little endian MFT_REFs. 3641e9ea7e0SNamjae Jeon * Note: The _LE versions will return a CPU endian formatted value! 3651e9ea7e0SNamjae Jeon */ 3661e9ea7e0SNamjae Jeon #define MFT_REF_MASK_CPU 0x0000ffffffffffffULL 3671e9ea7e0SNamjae Jeon #define MFT_REF_MASK_LE cpu_to_le64(MFT_REF_MASK_CPU) 3681e9ea7e0SNamjae Jeon 369*40796051SNamjae Jeon #define MK_MREF(m, s) ((u64)(((u64)(s) << 48) | \ 370*40796051SNamjae Jeon ((u64)(m) & MFT_REF_MASK_CPU))) 3711e9ea7e0SNamjae Jeon #define MK_LE_MREF(m, s) cpu_to_le64(MK_MREF(m, s)) 3721e9ea7e0SNamjae Jeon 3731e9ea7e0SNamjae Jeon #define MREF(x) ((unsigned long)((x) & MFT_REF_MASK_CPU)) 3741e9ea7e0SNamjae Jeon #define MSEQNO(x) ((u16)(((x) >> 48) & 0xffff)) 3751e9ea7e0SNamjae Jeon #define MREF_LE(x) ((unsigned long)(le64_to_cpu(x) & MFT_REF_MASK_CPU)) 376*40796051SNamjae Jeon #define MREF_INO(x) ((unsigned long)MREF_LE(x)) 3771e9ea7e0SNamjae Jeon #define MSEQNO_LE(x) ((u16)((le64_to_cpu(x) >> 48) & 0xffff)) 3781e9ea7e0SNamjae Jeon 3791e9ea7e0SNamjae Jeon #define IS_ERR_MREF(x) (((x) & 0x0000800000000000ULL) ? true : false) 3801e9ea7e0SNamjae Jeon #define ERR_MREF(x) ((u64)((s64)(x))) 3811e9ea7e0SNamjae Jeon #define MREF_ERR(x) ((int)((s64)(x))) 3821e9ea7e0SNamjae Jeon 3831e9ea7e0SNamjae Jeon /* 384*40796051SNamjae Jeon * struct mft_record - NTFS Master File Table (MFT) record header 385*40796051SNamjae Jeon * 3861e9ea7e0SNamjae Jeon * The mft record header present at the beginning of every record in the mft. 3871e9ea7e0SNamjae Jeon * This is followed by a sequence of variable length attribute records which 3881e9ea7e0SNamjae Jeon * is terminated by an attribute of type AT_END which is a truncated attribute 3891e9ea7e0SNamjae Jeon * in that it only consists of the attribute type code AT_END and none of the 3901e9ea7e0SNamjae Jeon * other members of the attribute structure are present. 391*40796051SNamjae Jeon * 392*40796051SNamjae Jeon * magic: Record magic ("FILE" for valid MFT entries). 393*40796051SNamjae Jeon * See ntfs_record magic enum for other values. 394*40796051SNamjae Jeon * usa_ofs: Offset to Update Sequence Array (see ntfs_record). 395*40796051SNamjae Jeon * usa_count: Number of entries in USA (see ntfs_record). 396*40796051SNamjae Jeon * lsn: Log sequence number (LSN) from LogFile. 397*40796051SNamjae Jeon * Incremented on every modification to this record. 398*40796051SNamjae Jeon * sequence_number: Reuse count of this MFT record slot. 399*40796051SNamjae Jeon * Incremented (skipping zero) when the file is deleted. 400*40796051SNamjae Jeon * Zero means never reused or special case. 401*40796051SNamjae Jeon * Part of MFT reference (together with record number). 402*40796051SNamjae Jeon * link_count: Number of hard links (directory entries) to this file. 403*40796051SNamjae Jeon * Only meaningful in base MFT records. 404*40796051SNamjae Jeon * When deleting a directory entry: 405*40796051SNamjae Jeon * - If link_count == 1, delete the whole file 406*40796051SNamjae Jeon * - Else remove only the $FILE_NAME attribute and decrement 407*40796051SNamjae Jeon * attrs_offset: Byte offset from start of MFT record to first attribute. 408*40796051SNamjae Jeon * Must be 8-byte aligned. 409*40796051SNamjae Jeon * flags: Bit array of MFT_RECORD_* flags (see MFT_RECORD_IN_USE enum). 410*40796051SNamjae Jeon * MFT_RECORD_IN_USE cleared when record is freed/deleted. 411*40796051SNamjae Jeon * bytes_in_use: Number of bytes actually used in this MFT record. 412*40796051SNamjae Jeon * Must be 8-byte aligned. 413*40796051SNamjae Jeon * Includes header + all attributes + padding. 414*40796051SNamjae Jeon * bytes_allocated: Total allocated size of this MFT record. 415*40796051SNamjae Jeon * Usually equal to MFT record size (1024 bytes or cluster size). 416*40796051SNamjae Jeon * base_mft_record: MFT reference to the base record. 417*40796051SNamjae Jeon * 0 for base records. 418*40796051SNamjae Jeon * Non-zero for extension records → points to base record 419*40796051SNamjae Jeon * containing the $ATTRIBUTE_LIST that describes this extension. 420*40796051SNamjae Jeon * next_attr_instance: Next attribute instance number to assign. 421*40796051SNamjae Jeon * Incremented after each use. 422*40796051SNamjae Jeon * Reset to 0 when MFT record is reused. 423*40796051SNamjae Jeon * First instance is always 0. 424*40796051SNamjae Jeon * reserved: Reserved for alignment (NTFS 3.1+). 425*40796051SNamjae Jeon * mft_record_number: This MFT record's number (index in $MFT). 426*40796051SNamjae Jeon * Only present in NTFS 3.1+ (Windows XP and above). 4271e9ea7e0SNamjae Jeon */ 428*40796051SNamjae Jeon struct mft_record { 429*40796051SNamjae Jeon __le32 magic; 430*40796051SNamjae Jeon __le16 usa_ofs; 431*40796051SNamjae Jeon __le16 usa_count; 4321e9ea7e0SNamjae Jeon 433*40796051SNamjae Jeon __le64 lsn; 434*40796051SNamjae Jeon __le16 sequence_number; 435*40796051SNamjae Jeon __le16 link_count; 436*40796051SNamjae Jeon __le16 attrs_offset; 437*40796051SNamjae Jeon __le16 flags; 438*40796051SNamjae Jeon __le32 bytes_in_use; 439*40796051SNamjae Jeon __le32 bytes_allocated; 440*40796051SNamjae Jeon __le64 base_mft_record; 441*40796051SNamjae Jeon __le16 next_attr_instance; 442*40796051SNamjae Jeon __le16 reserved; 443*40796051SNamjae Jeon __le32 mft_record_number; 444*40796051SNamjae Jeon } __packed; 445*40796051SNamjae Jeon 446*40796051SNamjae Jeon static_assert(sizeof(struct mft_record) == 48); 447*40796051SNamjae Jeon 448*40796051SNamjae Jeon /**x 449*40796051SNamjae Jeon * struct mft_record_old - Old NTFS MFT record header (pre-NTFS 3.1 / Windows XP) 450*40796051SNamjae Jeon * 451*40796051SNamjae Jeon * This is the older version of the MFT record header used in NTFS versions 452*40796051SNamjae Jeon * prior to 3.1 (Windows XP and later). It lacks the additional fields 453*40796051SNamjae Jeon * @reserved and @mft_record_number that were added in NTFS 3.1+. 454*40796051SNamjae Jeon * 455*40796051SNamjae Jeon * @magic: Record magic ("FILE" for valid MFT entries). 456*40796051SNamjae Jeon * See ntfs_record magic enum for other values. 457*40796051SNamjae Jeon * @usa_ofs: Offset to Update Sequence Array (see ntfs_record). 458*40796051SNamjae Jeon * @usa_count: Number of entries in USA (see ntfs_record). 459*40796051SNamjae Jeon * @lsn: Log sequence number (LSN) from LogFile. 460*40796051SNamjae Jeon * Incremented on every modification to this record. 461*40796051SNamjae Jeon * @sequence_number: Reuse count of this MFT record slot. 462*40796051SNamjae Jeon * Incremented (skipping zero) when the file is deleted. 463*40796051SNamjae Jeon * Zero means never reused or special case. 464*40796051SNamjae Jeon * Part of MFT reference (together with record number). 465*40796051SNamjae Jeon * @link_count: Number of hard links (directory entries) to this file. 466*40796051SNamjae Jeon * Only meaningful in base MFT records. 467*40796051SNamjae Jeon * When deleting a directory entry: 468*40796051SNamjae Jeon * - If link_count == 1, delete the whole file 469*40796051SNamjae Jeon * - Else remove only the $FILE_NAME attribute and decrement 470*40796051SNamjae Jeon * @attrs_offset: Byte offset from start of MFT record to first attribute. 471*40796051SNamjae Jeon * Must be 8-byte aligned. 472*40796051SNamjae Jeon * @flags: Bit array of MFT_RECORD_* flags (see MFT_RECORD_IN_USE enum). 473*40796051SNamjae Jeon * MFT_RECORD_IN_USE cleared when record is freed/deleted. 474*40796051SNamjae Jeon * @bytes_in_use: Number of bytes actually used in this MFT record. 475*40796051SNamjae Jeon * Must be 8-byte aligned. 476*40796051SNamjae Jeon * Includes header + all attributes + padding. 477*40796051SNamjae Jeon * @bytes_allocated: Total allocated size of this MFT record. 478*40796051SNamjae Jeon * Usually equal to MFT record size (1024 bytes or cluster size). 479*40796051SNamjae Jeon * @base_mft_record: MFT reference to the base record. 480*40796051SNamjae Jeon * 0 for base records. 481*40796051SNamjae Jeon * Non-zero for extension records → points to base record 482*40796051SNamjae Jeon * containing the $ATTRIBUTE_LIST that describes this extension. 483*40796051SNamjae Jeon * @next_attr_instance: Next attribute instance number to assign. 484*40796051SNamjae Jeon * Incremented after each use. 485*40796051SNamjae Jeon * Reset to 0 when MFT record is reused. 486*40796051SNamjae Jeon * First instance is always 0. 4871e9ea7e0SNamjae Jeon */ 488*40796051SNamjae Jeon struct mft_record_old { 489*40796051SNamjae Jeon __le32 magic; 490*40796051SNamjae Jeon __le16 usa_ofs; 491*40796051SNamjae Jeon __le16 usa_count; 4921e9ea7e0SNamjae Jeon 493*40796051SNamjae Jeon __le64 lsn; 494*40796051SNamjae Jeon __le16 sequence_number; 495*40796051SNamjae Jeon __le16 link_count; 496*40796051SNamjae Jeon __le16 attrs_offset; 497*40796051SNamjae Jeon __le16 flags; 498*40796051SNamjae Jeon __le32 bytes_in_use; 499*40796051SNamjae Jeon __le32 bytes_allocated; 500*40796051SNamjae Jeon __le64 base_mft_record; 501*40796051SNamjae Jeon __le16 next_attr_instance; 502*40796051SNamjae Jeon } __packed; 5031e9ea7e0SNamjae Jeon 504*40796051SNamjae Jeon static_assert(sizeof(struct mft_record_old) == 42); 5051e9ea7e0SNamjae Jeon 5061e9ea7e0SNamjae Jeon /* 5071e9ea7e0SNamjae Jeon * System defined attributes (32-bit). Each attribute type has a corresponding 5081e9ea7e0SNamjae Jeon * attribute name (Unicode string of maximum 64 character length) as described 5091e9ea7e0SNamjae Jeon * by the attribute definitions present in the data attribute of the $AttrDef 5101e9ea7e0SNamjae Jeon * system file. On NTFS 3.0 volumes the names are just as the types are named 5111e9ea7e0SNamjae Jeon * in the below defines exchanging AT_ for the dollar sign ($). If that is not 5121e9ea7e0SNamjae Jeon * a revealing choice of symbol I do not know what is... (-; 5131e9ea7e0SNamjae Jeon */ 5141e9ea7e0SNamjae Jeon enum { 5151e9ea7e0SNamjae Jeon AT_UNUSED = cpu_to_le32(0), 5161e9ea7e0SNamjae Jeon AT_STANDARD_INFORMATION = cpu_to_le32(0x10), 5171e9ea7e0SNamjae Jeon AT_ATTRIBUTE_LIST = cpu_to_le32(0x20), 5181e9ea7e0SNamjae Jeon AT_FILE_NAME = cpu_to_le32(0x30), 5191e9ea7e0SNamjae Jeon AT_OBJECT_ID = cpu_to_le32(0x40), 5201e9ea7e0SNamjae Jeon AT_SECURITY_DESCRIPTOR = cpu_to_le32(0x50), 5211e9ea7e0SNamjae Jeon AT_VOLUME_NAME = cpu_to_le32(0x60), 5221e9ea7e0SNamjae Jeon AT_VOLUME_INFORMATION = cpu_to_le32(0x70), 5231e9ea7e0SNamjae Jeon AT_DATA = cpu_to_le32(0x80), 5241e9ea7e0SNamjae Jeon AT_INDEX_ROOT = cpu_to_le32(0x90), 5251e9ea7e0SNamjae Jeon AT_INDEX_ALLOCATION = cpu_to_le32(0xa0), 5261e9ea7e0SNamjae Jeon AT_BITMAP = cpu_to_le32(0xb0), 5271e9ea7e0SNamjae Jeon AT_REPARSE_POINT = cpu_to_le32(0xc0), 5281e9ea7e0SNamjae Jeon AT_EA_INFORMATION = cpu_to_le32(0xd0), 5291e9ea7e0SNamjae Jeon AT_EA = cpu_to_le32(0xe0), 5301e9ea7e0SNamjae Jeon AT_PROPERTY_SET = cpu_to_le32(0xf0), 5311e9ea7e0SNamjae Jeon AT_LOGGED_UTILITY_STREAM = cpu_to_le32(0x100), 5321e9ea7e0SNamjae Jeon AT_FIRST_USER_DEFINED_ATTRIBUTE = cpu_to_le32(0x1000), 5331e9ea7e0SNamjae Jeon AT_END = cpu_to_le32(0xffffffff) 5341e9ea7e0SNamjae Jeon }; 5351e9ea7e0SNamjae Jeon 5361e9ea7e0SNamjae Jeon /* 5371e9ea7e0SNamjae Jeon * The collation rules for sorting views/indexes/etc (32-bit). 5381e9ea7e0SNamjae Jeon * 5391e9ea7e0SNamjae Jeon * COLLATION_BINARY - Collate by binary compare where the first byte is most 5401e9ea7e0SNamjae Jeon * significant. 5411e9ea7e0SNamjae Jeon * COLLATION_UNICODE_STRING - Collate Unicode strings by comparing their binary 5421e9ea7e0SNamjae Jeon * Unicode values, except that when a character can be uppercased, the 5431e9ea7e0SNamjae Jeon * upper case value collates before the lower case one. 5441e9ea7e0SNamjae Jeon * COLLATION_FILE_NAME - Collate file names as Unicode strings. The collation 5451e9ea7e0SNamjae Jeon * is done very much like COLLATION_UNICODE_STRING. In fact I have no idea 5461e9ea7e0SNamjae Jeon * what the difference is. Perhaps the difference is that file names 5471e9ea7e0SNamjae Jeon * would treat some special characters in an odd way (see 5481e9ea7e0SNamjae Jeon * unistr.c::ntfs_collate_names() and unistr.c::legal_ansi_char_array[] 5491e9ea7e0SNamjae Jeon * for what I mean but COLLATION_UNICODE_STRING would not give any special 5501e9ea7e0SNamjae Jeon * treatment to any characters at all, but this is speculation. 551*40796051SNamjae Jeon * COLLATION_NTOFS_ULONG - Sorting is done according to ascending __le32 key 5521e9ea7e0SNamjae Jeon * values. E.g. used for $SII index in FILE_Secure, which sorts by 5531e9ea7e0SNamjae Jeon * security_id (le32). 5541e9ea7e0SNamjae Jeon * COLLATION_NTOFS_SID - Sorting is done according to ascending SID values. 5551e9ea7e0SNamjae Jeon * E.g. used for $O index in FILE_Extend/$Quota. 5561e9ea7e0SNamjae Jeon * COLLATION_NTOFS_SECURITY_HASH - Sorting is done first by ascending hash 5571e9ea7e0SNamjae Jeon * values and second by ascending security_id values. E.g. used for $SDH 5581e9ea7e0SNamjae Jeon * index in FILE_Secure. 5591e9ea7e0SNamjae Jeon * COLLATION_NTOFS_ULONGS - Sorting is done according to a sequence of ascending 560*40796051SNamjae Jeon * __le32 key values. E.g. used for $O index in FILE_Extend/$ObjId, which 5611e9ea7e0SNamjae Jeon * sorts by object_id (16-byte), by splitting up the object_id in four 562*40796051SNamjae Jeon * __le32 values and using them as individual keys. E.g. take the following 5631e9ea7e0SNamjae Jeon * two security_ids, stored as follows on disk: 5641e9ea7e0SNamjae Jeon * 1st: a1 61 65 b7 65 7b d4 11 9e 3d 00 e0 81 10 42 59 5651e9ea7e0SNamjae Jeon * 2nd: 38 14 37 d2 d2 f3 d4 11 a5 21 c8 6b 79 b1 97 45 566*40796051SNamjae Jeon * To compare them, they are split into four __le32 values each, like so: 5671e9ea7e0SNamjae Jeon * 1st: 0xb76561a1 0x11d47b65 0xe0003d9e 0x59421081 5681e9ea7e0SNamjae Jeon * 2nd: 0xd2371438 0x11d4f3d2 0x6bc821a5 0x4597b179 5691e9ea7e0SNamjae Jeon * Now, it is apparent why the 2nd object_id collates after the 1st: the 570*40796051SNamjae Jeon * first __le32 value of the 1st object_id is less than the first __le32 of 571*40796051SNamjae Jeon * the 2nd object_id. If the first __le32 values of both object_ids were 572*40796051SNamjae Jeon * equal then the second __le32 values would be compared, etc. 5731e9ea7e0SNamjae Jeon */ 5741e9ea7e0SNamjae Jeon enum { 5751e9ea7e0SNamjae Jeon COLLATION_BINARY = cpu_to_le32(0x00), 5761e9ea7e0SNamjae Jeon COLLATION_FILE_NAME = cpu_to_le32(0x01), 5771e9ea7e0SNamjae Jeon COLLATION_UNICODE_STRING = cpu_to_le32(0x02), 5781e9ea7e0SNamjae Jeon COLLATION_NTOFS_ULONG = cpu_to_le32(0x10), 5791e9ea7e0SNamjae Jeon COLLATION_NTOFS_SID = cpu_to_le32(0x11), 5801e9ea7e0SNamjae Jeon COLLATION_NTOFS_SECURITY_HASH = cpu_to_le32(0x12), 5811e9ea7e0SNamjae Jeon COLLATION_NTOFS_ULONGS = cpu_to_le32(0x13), 5821e9ea7e0SNamjae Jeon }; 5831e9ea7e0SNamjae Jeon 5841e9ea7e0SNamjae Jeon /* 585*40796051SNamjae Jeon * enum - Attribute definition flags 586*40796051SNamjae Jeon * 5871e9ea7e0SNamjae Jeon * The flags (32-bit) describing attribute properties in the attribute 588*40796051SNamjae Jeon * definition structure. 589*40796051SNamjae Jeon * The INDEXABLE flag is fairly certainly correct as only the file 5901e9ea7e0SNamjae Jeon * name attribute has this flag set and this is the only attribute indexed in 5911e9ea7e0SNamjae Jeon * NT4. 592*40796051SNamjae Jeon * 593*40796051SNamjae Jeon * ATTR_DEF_INDEXABLE: Attribute can be indexed. 594*40796051SNamjae Jeon * (Used for creating indexes like $I30, $SDH, etc.) 595*40796051SNamjae Jeon * ATTR_DEF_MULTIPLE: Attribute type can be present multiple times 596*40796051SNamjae Jeon * in the MFT record of an inode. 597*40796051SNamjae Jeon * (e.g., multiple $FILE_NAME, $DATA streams) 598*40796051SNamjae Jeon * ATTR_DEF_NOT_ZERO: Attribute value must contain at least one non-zero byte. 599*40796051SNamjae Jeon * (Prevents empty or all-zero values) 600*40796051SNamjae Jeon * ATTR_DEF_INDEXED_UNIQUE: Attribute must be indexed and the value must be unique 601*40796051SNamjae Jeon * for this attribute type across all MFT records of an inode. 602*40796051SNamjae Jeon * (e.g., security descriptor IDs in $Secure) 603*40796051SNamjae Jeon * ATTR_DEF_NAMED_UNIQUE: Attribute must be named and the name must be unique 604*40796051SNamjae Jeon * for this attribute type across all MFT records of an inode. 605*40796051SNamjae Jeon * (e.g., named $DATA streams or alternate data streams) 606*40796051SNamjae Jeon * ATTR_DEF_RESIDENT: Attribute must be resident (stored in MFT record). 607*40796051SNamjae Jeon * (Cannot be non-resident/sparse/compressed) 608*40796051SNamjae Jeon * ATTR_DEF_ALWAYS_LOG: Always log modifications to this attribute in LogFile, 609*40796051SNamjae Jeon * regardless of whether it is resident or non-resident. 610*40796051SNamjae Jeon * Without this flag, modifications are logged only if resident. 611*40796051SNamjae Jeon * (Used for critical metadata attributes) 6121e9ea7e0SNamjae Jeon */ 6131e9ea7e0SNamjae Jeon enum { 614*40796051SNamjae Jeon ATTR_DEF_INDEXABLE = cpu_to_le32(0x02), 615*40796051SNamjae Jeon ATTR_DEF_MULTIPLE = cpu_to_le32(0x04), 616*40796051SNamjae Jeon ATTR_DEF_NOT_ZERO = cpu_to_le32(0x08), 617*40796051SNamjae Jeon ATTR_DEF_INDEXED_UNIQUE = cpu_to_le32(0x10), 618*40796051SNamjae Jeon ATTR_DEF_NAMED_UNIQUE = cpu_to_le32(0x20), 619*40796051SNamjae Jeon ATTR_DEF_RESIDENT = cpu_to_le32(0x40), 620*40796051SNamjae Jeon ATTR_DEF_ALWAYS_LOG = cpu_to_le32(0x80), 6211e9ea7e0SNamjae Jeon }; 6221e9ea7e0SNamjae Jeon 6231e9ea7e0SNamjae Jeon /* 624*40796051SNamjae Jeon * struct attr_def - Attribute definition entry ($AttrDef array) 625*40796051SNamjae Jeon * 6261e9ea7e0SNamjae Jeon * The data attribute of FILE_AttrDef contains a sequence of attribute 6271e9ea7e0SNamjae Jeon * definitions for the NTFS volume. With this, it is supposed to be safe for an 6281e9ea7e0SNamjae Jeon * older NTFS driver to mount a volume containing a newer NTFS version without 6291e9ea7e0SNamjae Jeon * damaging it (that's the theory. In practice it's: not damaging it too much). 6301e9ea7e0SNamjae Jeon * Entries are sorted by attribute type. The flags describe whether the 6311e9ea7e0SNamjae Jeon * attribute can be resident/non-resident and possibly other things, but the 6321e9ea7e0SNamjae Jeon * actual bits are unknown. 633*40796051SNamjae Jeon * 634*40796051SNamjae Jeon * @name: Unicode (UTF-16LE) name of the attribute (e.g. "$DATA", "$FILE_NAME"). 635*40796051SNamjae Jeon * Zero-terminated string, maximum 0x40 characters (128 bytes). 636*40796051SNamjae Jeon * Used for human-readable display and debugging. 637*40796051SNamjae Jeon * @type: Attribute type code (ATTR_TYPE_* constants). 638*40796051SNamjae Jeon * Defines which attribute this entry describes. 639*40796051SNamjae Jeon * @display_rule: Default display rule (usually 0; rarely used in modern NTFS). 640*40796051SNamjae Jeon * Controls how the attribute is displayed in tools (legacy). 641*40796051SNamjae Jeon * @collation_rule: Default collation rule for indexing this attribute. 642*40796051SNamjae Jeon * Determines sort order when indexed (e.g. CASE_SENSITIVE, UNICODE). 643*40796051SNamjae Jeon * Used in $I30, $SDH, $SII, etc. 644*40796051SNamjae Jeon * @flags: Bit array of attribute constraints (ATTR_DEF_* flags). 645*40796051SNamjae Jeon * See ATTR_DEF_INDEXABLE, ATTR_DEF_MULTIPLE, etc. 646*40796051SNamjae Jeon * Defines whether the attribute can be indexed, multiple, resident-only, etc. 647*40796051SNamjae Jeon * @min_size: Optional minimum size of the attribute value (in bytes). 648*40796051SNamjae Jeon * 0 means no minimum enforced. 649*40796051SNamjae Jeon * @max_size: Maximum allowed size of the attribute value (in bytes). 6501e9ea7e0SNamjae Jeon */ 651*40796051SNamjae Jeon struct attr_def { 652*40796051SNamjae Jeon __le16 name[0x40]; 653*40796051SNamjae Jeon __le32 type; 654*40796051SNamjae Jeon __le32 display_rule; 655*40796051SNamjae Jeon __le32 collation_rule; 656*40796051SNamjae Jeon __le32 flags; 657*40796051SNamjae Jeon __le64 min_size; 658*40796051SNamjae Jeon __le64 max_size; 659*40796051SNamjae Jeon } __packed; 660*40796051SNamjae Jeon 661*40796051SNamjae Jeon static_assert(sizeof(struct attr_def) == 160); 6621e9ea7e0SNamjae Jeon 6631e9ea7e0SNamjae Jeon /* 664*40796051SNamjae Jeon * enum - Attribute flags (16-bit) for non-resident attributes 665*40796051SNamjae Jeon * 666*40796051SNamjae Jeon * ATTR_IS_COMPRESSED: Attribute is compressed. 667*40796051SNamjae Jeon * If set, data is compressed using the method in 668*40796051SNamjae Jeon * ATTR_COMPRESSION_MASK. 669*40796051SNamjae Jeon * ATTR_COMPRESSION_MASK: Mask for compression method. 670*40796051SNamjae Jeon * Valid values are defined in NTFS compression types 671*40796051SNamjae Jeon * (e.g., 0x02 = LZNT1, etc.). 672*40796051SNamjae Jeon * Also serves as the first illegal value for method. 673*40796051SNamjae Jeon * ATTR_IS_ENCRYPTED: Attribute is encrypted. 674*40796051SNamjae Jeon * Data is encrypted using EFS (Encrypting File System). 675*40796051SNamjae Jeon * ATTR_IS_SPARSE: Attribute is sparse. 676*40796051SNamjae Jeon * Contains holes (unallocated regions) that read as zeros. 6771e9ea7e0SNamjae Jeon */ 6781e9ea7e0SNamjae Jeon enum { 6791e9ea7e0SNamjae Jeon ATTR_IS_COMPRESSED = cpu_to_le16(0x0001), 680*40796051SNamjae Jeon ATTR_COMPRESSION_MASK = cpu_to_le16(0x00ff), 6811e9ea7e0SNamjae Jeon ATTR_IS_ENCRYPTED = cpu_to_le16(0x4000), 6821e9ea7e0SNamjae Jeon ATTR_IS_SPARSE = cpu_to_le16(0x8000), 683*40796051SNamjae Jeon } __packed; 6841e9ea7e0SNamjae Jeon 6851e9ea7e0SNamjae Jeon /* 6861e9ea7e0SNamjae Jeon * Attribute compression. 6871e9ea7e0SNamjae Jeon * 6881e9ea7e0SNamjae Jeon * Only the data attribute is ever compressed in the current ntfs driver in 6891e9ea7e0SNamjae Jeon * Windows. Further, compression is only applied when the data attribute is 6901e9ea7e0SNamjae Jeon * non-resident. Finally, to use compression, the maximum allowed cluster size 6911e9ea7e0SNamjae Jeon * on a volume is 4kib. 6921e9ea7e0SNamjae Jeon * 6931e9ea7e0SNamjae Jeon * The compression method is based on independently compressing blocks of X 6941e9ea7e0SNamjae Jeon * clusters, where X is determined from the compression_unit value found in the 6951e9ea7e0SNamjae Jeon * non-resident attribute record header (more precisely: X = 2^compression_unit 6961e9ea7e0SNamjae Jeon * clusters). On Windows NT/2k, X always is 16 clusters (compression_unit = 4). 6971e9ea7e0SNamjae Jeon * 6981e9ea7e0SNamjae Jeon * There are three different cases of how a compression block of X clusters 6991e9ea7e0SNamjae Jeon * can be stored: 7001e9ea7e0SNamjae Jeon * 7011e9ea7e0SNamjae Jeon * 1) The data in the block is all zero (a sparse block): 7021e9ea7e0SNamjae Jeon * This is stored as a sparse block in the runlist, i.e. the runlist 7031e9ea7e0SNamjae Jeon * entry has length = X and lcn = -1. The mapping pairs array actually 7041e9ea7e0SNamjae Jeon * uses a delta_lcn value length of 0, i.e. delta_lcn is not present at 7051e9ea7e0SNamjae Jeon * all, which is then interpreted by the driver as lcn = -1. 7061e9ea7e0SNamjae Jeon * NOTE: Even uncompressed files can be sparse on NTFS 3.0 volumes, then 7071e9ea7e0SNamjae Jeon * the same principles apply as above, except that the length is not 7081e9ea7e0SNamjae Jeon * restricted to being any particular value. 7091e9ea7e0SNamjae Jeon * 7101e9ea7e0SNamjae Jeon * 2) The data in the block is not compressed: 7111e9ea7e0SNamjae Jeon * This happens when compression doesn't reduce the size of the block 7121e9ea7e0SNamjae Jeon * in clusters. I.e. if compression has a small effect so that the 7131e9ea7e0SNamjae Jeon * compressed data still occupies X clusters, then the uncompressed data 7141e9ea7e0SNamjae Jeon * is stored in the block. 7151e9ea7e0SNamjae Jeon * This case is recognised by the fact that the runlist entry has 7161e9ea7e0SNamjae Jeon * length = X and lcn >= 0. The mapping pairs array stores this as 7171e9ea7e0SNamjae Jeon * normal with a run length of X and some specific delta_lcn, i.e. 7181e9ea7e0SNamjae Jeon * delta_lcn has to be present. 7191e9ea7e0SNamjae Jeon * 7201e9ea7e0SNamjae Jeon * 3) The data in the block is compressed: 7211e9ea7e0SNamjae Jeon * The common case. This case is recognised by the fact that the run 7221e9ea7e0SNamjae Jeon * list entry has length L < X and lcn >= 0. The mapping pairs array 7231e9ea7e0SNamjae Jeon * stores this as normal with a run length of X and some specific 7241e9ea7e0SNamjae Jeon * delta_lcn, i.e. delta_lcn has to be present. This runlist entry is 7251e9ea7e0SNamjae Jeon * immediately followed by a sparse entry with length = X - L and 7261e9ea7e0SNamjae Jeon * lcn = -1. The latter entry is to make up the vcn counting to the 7271e9ea7e0SNamjae Jeon * full compression block size X. 7281e9ea7e0SNamjae Jeon * 7291e9ea7e0SNamjae Jeon * In fact, life is more complicated because adjacent entries of the same type 7301e9ea7e0SNamjae Jeon * can be coalesced. This means that one has to keep track of the number of 7311e9ea7e0SNamjae Jeon * clusters handled and work on a basis of X clusters at a time being one 7321e9ea7e0SNamjae Jeon * block. An example: if length L > X this means that this particular runlist 7331e9ea7e0SNamjae Jeon * entry contains a block of length X and part of one or more blocks of length 7341e9ea7e0SNamjae Jeon * L - X. Another example: if length L < X, this does not necessarily mean that 7351e9ea7e0SNamjae Jeon * the block is compressed as it might be that the lcn changes inside the block 7361e9ea7e0SNamjae Jeon * and hence the following runlist entry describes the continuation of the 7371e9ea7e0SNamjae Jeon * potentially compressed block. The block would be compressed if the 7381e9ea7e0SNamjae Jeon * following runlist entry describes at least X - L sparse clusters, thus 7391e9ea7e0SNamjae Jeon * making up the compression block length as described in point 3 above. (Of 7401e9ea7e0SNamjae Jeon * course, there can be several runlist entries with small lengths so that the 7411e9ea7e0SNamjae Jeon * sparse entry does not follow the first data containing entry with 7421e9ea7e0SNamjae Jeon * length < X.) 7431e9ea7e0SNamjae Jeon * 7441e9ea7e0SNamjae Jeon * NOTE: At the end of the compressed attribute value, there most likely is not 7451e9ea7e0SNamjae Jeon * just the right amount of data to make up a compression block, thus this data 7461e9ea7e0SNamjae Jeon * is not even attempted to be compressed. It is just stored as is, unless 7471e9ea7e0SNamjae Jeon * the number of clusters it occupies is reduced when compressed in which case 7481e9ea7e0SNamjae Jeon * it is stored as a compressed compression block, complete with sparse 7491e9ea7e0SNamjae Jeon * clusters at the end. 7501e9ea7e0SNamjae Jeon */ 7511e9ea7e0SNamjae Jeon 7521e9ea7e0SNamjae Jeon /* 753*40796051SNamjae Jeon * enum - Flags for resident attributes (8-bit) 754*40796051SNamjae Jeon * 755*40796051SNamjae Jeon * RESIDENT_ATTR_IS_INDEXED: Attribute is referenced in an index. 756*40796051SNamjae Jeon * (e.g., part of an index key or entry) 757*40796051SNamjae Jeon * Has implications for deletion and modification: 758*40796051SNamjae Jeon * - Cannot be freely removed if indexed 759*40796051SNamjae Jeon * - Index must be updated when value changes 760*40796051SNamjae Jeon * - Used for attributes like $FILE_NAME in directories 7611e9ea7e0SNamjae Jeon */ 7621e9ea7e0SNamjae Jeon enum { 763*40796051SNamjae Jeon RESIDENT_ATTR_IS_INDEXED = 0x01, 764*40796051SNamjae Jeon } __packed; 7651e9ea7e0SNamjae Jeon 7661e9ea7e0SNamjae Jeon /* 767*40796051SNamjae Jeon * struct attr_record - NTFS attribute record header 768*40796051SNamjae Jeon * 769*40796051SNamjae Jeon * Common header for both resident and non-resident attributes. 770*40796051SNamjae Jeon * Always aligned to an 8-byte boundary on disk. 771*40796051SNamjae Jeon * Located at attrs_offset in the MFT record (see struct mft_record). 772*40796051SNamjae Jeon * 773*40796051SNamjae Jeon * @type: 32-bit attribute type (ATTR_TYPE_* constants). 774*40796051SNamjae Jeon * Identifies the attribute 775*40796051SNamjae Jeon * (e.g. 0x10 = $STANDARD_INFORMATION). 776*40796051SNamjae Jeon * @length: Total byte size of this attribute record (resident). 777*40796051SNamjae Jeon * 8-byte aligned; used to locate the next attribute. 778*40796051SNamjae Jeon * @non_resident: 0 = resident attribute 779*40796051SNamjae Jeon * 1 = non-resident attribute 780*40796051SNamjae Jeon * @name_length: Number of Unicode characters in the attribute name. 781*40796051SNamjae Jeon * 0 if unnamed (most system attributes are unnamed). 782*40796051SNamjae Jeon * @name_offset: Byte offset from start of attribute record to the name. 783*40796051SNamjae Jeon * 8-byte aligned; when creating, place at end of header. 784*40796051SNamjae Jeon * @flags: Attribute flags (see ATTR_IS_COMPRESSED, 785*40796051SNamjae Jeon * ATTR_IS_ENCRYPTED, etc.). 786*40796051SNamjae Jeon * For resident: see RESIDENT_ATTR_* flags. 787*40796051SNamjae Jeon * @instance: Unique instance number within this MFT record. 788*40796051SNamjae Jeon * Incremented via next_attr_instance; unique per record. 789*40796051SNamjae Jeon * 790*40796051SNamjae Jeon * Resident attributes (when @non_resident == 0): 791*40796051SNamjae Jeon * @data.resident.value_length: Byte size of the attribute value. 792*40796051SNamjae Jeon * @data.resident.value_offset: Byte offset from start of attribute 793*40796051SNamjae Jeon * record to the value data. 794*40796051SNamjae Jeon * 8-byte aligned if name present. 795*40796051SNamjae Jeon * @data.resident.flags: Resident-specific flags 796*40796051SNamjae Jeon * @data.resident.reserved: Reserved/alignment to 8 bytes. 797*40796051SNamjae Jeon * 798*40796051SNamjae Jeon * Non-resident attributes (when @non_resident == 1): 799*40796051SNamjae Jeon * @data.non_resident.lowest_vcn: Lowest valid VCN in this extent. 800*40796051SNamjae Jeon * Usually 0 unless attribute list is used. 801*40796051SNamjae Jeon * @data.non_resident.highest_vcn: Highest valid VCN in this extent. 802*40796051SNamjae Jeon * -1 for zero-length, 0 for single extent. 803*40796051SNamjae Jeon * @data.non_resident.mapping_pairs_offset: 804*40796051SNamjae Jeon * Byte offset to mapping pairs array 805*40796051SNamjae Jeon * (VCN → LCN mappings). 806*40796051SNamjae Jeon * 8-byte aligned when creating. 807*40796051SNamjae Jeon * @data.non_resident.compression_unit: 808*40796051SNamjae Jeon * Log2 of clusters per compression unit. 809*40796051SNamjae Jeon * 0 = not compressed. 810*40796051SNamjae Jeon * WinNT4 used 4; sparse files use 0 811*40796051SNamjae Jeon * on XP SP2+. 812*40796051SNamjae Jeon * @data.non_resident.reserved: 5 bytes for 8-byte alignment. 813*40796051SNamjae Jeon * @data.non_resident.allocated_size: 814*40796051SNamjae Jeon * Allocated disk space in bytes. 815*40796051SNamjae Jeon * For compressed: logical allocated size. 816*40796051SNamjae Jeon * @data.non_resident.data_size: Logical attribute value size in bytes. 817*40796051SNamjae Jeon * Can be larger than allocated_size if 818*40796051SNamjae Jeon * compressed/sparse. 819*40796051SNamjae Jeon * @data.non_resident.initialized_size: 820*40796051SNamjae Jeon * Initialized portion size in bytes. 821*40796051SNamjae Jeon * Usually equals data_size. 822*40796051SNamjae Jeon * @data.non_resident.compressed_size: 823*40796051SNamjae Jeon * Compressed on-disk size in bytes. 824*40796051SNamjae Jeon * Only present when compressed or sparse. 825*40796051SNamjae Jeon * Actual disk usage. 8261e9ea7e0SNamjae Jeon */ 827*40796051SNamjae Jeon struct attr_record { 828*40796051SNamjae Jeon __le32 type; 829*40796051SNamjae Jeon __le32 length; 830*40796051SNamjae Jeon u8 non_resident; 831*40796051SNamjae Jeon u8 name_length; 832*40796051SNamjae Jeon __le16 name_offset; 833*40796051SNamjae Jeon __le16 flags; 834*40796051SNamjae Jeon __le16 instance; 835*40796051SNamjae Jeon union { 8361e9ea7e0SNamjae Jeon struct { 837*40796051SNamjae Jeon __le32 value_length; 838*40796051SNamjae Jeon __le16 value_offset; 839*40796051SNamjae Jeon u8 flags; 840*40796051SNamjae Jeon s8 reserved; 841*40796051SNamjae Jeon } __packed resident; 8421e9ea7e0SNamjae Jeon struct { 843*40796051SNamjae Jeon __le64 lowest_vcn; 844*40796051SNamjae Jeon __le64 highest_vcn; 845*40796051SNamjae Jeon __le16 mapping_pairs_offset; 846*40796051SNamjae Jeon u8 compression_unit; 847*40796051SNamjae Jeon u8 reserved[5]; 848*40796051SNamjae Jeon __le64 allocated_size; 849*40796051SNamjae Jeon __le64 data_size; 850*40796051SNamjae Jeon __le64 initialized_size; 851*40796051SNamjae Jeon __le64 compressed_size; 852*40796051SNamjae Jeon } __packed non_resident; 853*40796051SNamjae Jeon } __packed data; 854*40796051SNamjae Jeon } __packed; 8551e9ea7e0SNamjae Jeon 8561e9ea7e0SNamjae Jeon /* 857*40796051SNamjae Jeon * enum - NTFS file attribute flags (32-bit) 858*40796051SNamjae Jeon * 8591e9ea7e0SNamjae Jeon * File attribute flags (32-bit) appearing in the file_attributes fields of the 8601e9ea7e0SNamjae Jeon * STANDARD_INFORMATION attribute of MFT_RECORDs and the FILENAME_ATTR 8611e9ea7e0SNamjae Jeon * attributes of MFT_RECORDs and directory index entries. 8621e9ea7e0SNamjae Jeon * 8631e9ea7e0SNamjae Jeon * All of the below flags appear in the directory index entries but only some 8641e9ea7e0SNamjae Jeon * appear in the STANDARD_INFORMATION attribute whilst only some others appear 8651e9ea7e0SNamjae Jeon * in the FILENAME_ATTR attribute of MFT_RECORDs. Unless otherwise stated the 8661e9ea7e0SNamjae Jeon * flags appear in all of the above. 867*40796051SNamjae Jeon * 868*40796051SNamjae Jeon * FILE_ATTR_READONLY: File is read-only. 869*40796051SNamjae Jeon * FILE_ATTR_HIDDEN: File is hidden (not shown by default). 870*40796051SNamjae Jeon * FILE_ATTR_SYSTEM: System file (protected by OS). 871*40796051SNamjae Jeon * FILE_ATTR_DIRECTORY: Directory flag (reserved in NT; use MFT flag instead). 872*40796051SNamjae Jeon * FILE_ATTR_ARCHIVE: File needs archiving (backup flag). 873*40796051SNamjae Jeon * FILE_ATTR_DEVICE: Device file (rarely used). 874*40796051SNamjae Jeon * FILE_ATTR_NORMAL: Normal file (no special attributes). 875*40796051SNamjae Jeon * FILE_ATTR_TEMPORARY: Temporary file (delete on close). 876*40796051SNamjae Jeon * FILE_ATTR_SPARSE_FILE: Sparse file (contains holes). 877*40796051SNamjae Jeon * FILE_ATTR_REPARSE_POINT: Reparse point (junction, symlink, mount point). 878*40796051SNamjae Jeon * FILE_ATTR_COMPRESSED: File is compressed. 879*40796051SNamjae Jeon * FILE_ATTR_OFFLINE: File data is offline (not locally available). 880*40796051SNamjae Jeon * FILE_ATTR_NOT_CONTENT_INDEXED: 881*40796051SNamjae Jeon * File is excluded from content indexing. 882*40796051SNamjae Jeon * FILE_ATTR_ENCRYPTED: File is encrypted (EFS). 883*40796051SNamjae Jeon * FILE_ATTR_VALID_FLAGS: Mask of all valid flags for reading. 884*40796051SNamjae Jeon * FILE_ATTR_VALID_SET_FLAGS: Mask of flags that can be set by user. 885*40796051SNamjae Jeon * FILE_ATTRIBUTE_RECALL_ON_OPEN: 886*40796051SNamjae Jeon * Recall data on open (cloud/HSM related). 887*40796051SNamjae Jeon * FILE_ATTR_DUP_FILE_NAME_INDEX_PRESENT: 888*40796051SNamjae Jeon * $FILE_NAME has duplicate index entry. 889*40796051SNamjae Jeon * FILE_ATTR_DUP_VIEW_INDEX_PRESENT: 890*40796051SNamjae Jeon * Duplicate view index present (object ID, quota, etc.). 8911e9ea7e0SNamjae Jeon */ 8921e9ea7e0SNamjae Jeon enum { 8931e9ea7e0SNamjae Jeon FILE_ATTR_READONLY = cpu_to_le32(0x00000001), 8941e9ea7e0SNamjae Jeon FILE_ATTR_HIDDEN = cpu_to_le32(0x00000002), 8951e9ea7e0SNamjae Jeon FILE_ATTR_SYSTEM = cpu_to_le32(0x00000004), 8961e9ea7e0SNamjae Jeon /* Old DOS volid. Unused in NT. = cpu_to_le32(0x00000008), */ 8971e9ea7e0SNamjae Jeon FILE_ATTR_DIRECTORY = cpu_to_le32(0x00000010), 8981e9ea7e0SNamjae Jeon FILE_ATTR_ARCHIVE = cpu_to_le32(0x00000020), 8991e9ea7e0SNamjae Jeon FILE_ATTR_DEVICE = cpu_to_le32(0x00000040), 9001e9ea7e0SNamjae Jeon FILE_ATTR_NORMAL = cpu_to_le32(0x00000080), 9011e9ea7e0SNamjae Jeon 9021e9ea7e0SNamjae Jeon FILE_ATTR_TEMPORARY = cpu_to_le32(0x00000100), 9031e9ea7e0SNamjae Jeon FILE_ATTR_SPARSE_FILE = cpu_to_le32(0x00000200), 9041e9ea7e0SNamjae Jeon FILE_ATTR_REPARSE_POINT = cpu_to_le32(0x00000400), 9051e9ea7e0SNamjae Jeon FILE_ATTR_COMPRESSED = cpu_to_le32(0x00000800), 9061e9ea7e0SNamjae Jeon 9071e9ea7e0SNamjae Jeon FILE_ATTR_OFFLINE = cpu_to_le32(0x00001000), 9081e9ea7e0SNamjae Jeon FILE_ATTR_NOT_CONTENT_INDEXED = cpu_to_le32(0x00002000), 9091e9ea7e0SNamjae Jeon FILE_ATTR_ENCRYPTED = cpu_to_le32(0x00004000), 9101e9ea7e0SNamjae Jeon 9111e9ea7e0SNamjae Jeon FILE_ATTR_VALID_FLAGS = cpu_to_le32(0x00007fb7), 9121e9ea7e0SNamjae Jeon FILE_ATTR_VALID_SET_FLAGS = cpu_to_le32(0x000031a7), 913*40796051SNamjae Jeon FILE_ATTRIBUTE_RECALL_ON_OPEN = cpu_to_le32(0x00040000), 9141e9ea7e0SNamjae Jeon FILE_ATTR_DUP_FILE_NAME_INDEX_PRESENT = cpu_to_le32(0x10000000), 9151e9ea7e0SNamjae Jeon FILE_ATTR_DUP_VIEW_INDEX_PRESENT = cpu_to_le32(0x20000000), 9161e9ea7e0SNamjae Jeon }; 9171e9ea7e0SNamjae Jeon 9181e9ea7e0SNamjae Jeon /* 9191e9ea7e0SNamjae Jeon * NOTE on times in NTFS: All times are in MS standard time format, i.e. they 9201e9ea7e0SNamjae Jeon * are the number of 100-nanosecond intervals since 1st January 1601, 00:00:00 9211e9ea7e0SNamjae Jeon * universal coordinated time (UTC). (In Linux time starts 1st January 1970, 9221e9ea7e0SNamjae Jeon * 00:00:00 UTC and is stored as the number of 1-second intervals since then.) 9231e9ea7e0SNamjae Jeon */ 9241e9ea7e0SNamjae Jeon 9251e9ea7e0SNamjae Jeon /* 926*40796051SNamjae Jeon * struct standard_information - $STANDARD_INFORMATION attribute content 9271e9ea7e0SNamjae Jeon * 9281e9ea7e0SNamjae Jeon * NOTE: Always resident. 9291e9ea7e0SNamjae Jeon * NOTE: Present in all base file records on a volume. 9301e9ea7e0SNamjae Jeon * NOTE: There is conflicting information about the meaning of each of the time 9311e9ea7e0SNamjae Jeon * fields but the meaning as defined below has been verified to be 9321e9ea7e0SNamjae Jeon * correct by practical experimentation on Windows NT4 SP6a and is hence 9331e9ea7e0SNamjae Jeon * assumed to be the one and only correct interpretation. 934*40796051SNamjae Jeon * 935*40796051SNamjae Jeon * @creation_time: File creation time (NTFS timestamp). 936*40796051SNamjae Jeon * Updated on filename change(?). 937*40796051SNamjae Jeon * @last_data_change_time: Last modification time of data streams. 938*40796051SNamjae Jeon * @last_mft_change_time: Last modification time of this MFT record. 939*40796051SNamjae Jeon * @last_access_time: Last access time (approximate). 940*40796051SNamjae Jeon * Not updated on read-only volumes; can be disabled. 941*40796051SNamjae Jeon * @file_attributes: File attribute flags (FILE_ATTR_* bits). 942*40796051SNamjae Jeon * 943*40796051SNamjae Jeon * Union (version-specific fields): 944*40796051SNamjae Jeon * @ver.v1.reserved12: 12 bytes reserved/alignment (NTFS 1.2 only). 945*40796051SNamjae Jeon * 946*40796051SNamjae Jeon * @ver.v3 (NTFS 3.x / Windows 2000+): 947*40796051SNamjae Jeon * @maximum_versions: Max allowed file versions (0 = disabled). 948*40796051SNamjae Jeon * @version_number: Current version number (0 if disabled). 949*40796051SNamjae Jeon * @class_id: Class ID (from bidirectional index?). 950*40796051SNamjae Jeon * @owner_id: Owner ID (maps to $Quota via $Q index). 951*40796051SNamjae Jeon * @security_id: Security ID (maps to $Secure $SII/$SDS). 952*40796051SNamjae Jeon * @quota_charged: Quota charge in bytes (0 if quotas disabled). 953*40796051SNamjae Jeon * @usn: Last USN from $UsnJrnl (0 if disabled). 9541e9ea7e0SNamjae Jeon */ 955*40796051SNamjae Jeon struct standard_information { 956*40796051SNamjae Jeon __le64 creation_time; 957*40796051SNamjae Jeon __le64 last_data_change_time; 958*40796051SNamjae Jeon __le64 last_mft_change_time; 959*40796051SNamjae Jeon __le64 last_access_time; 960*40796051SNamjae Jeon __le32 file_attributes; 961*40796051SNamjae Jeon union { 9621e9ea7e0SNamjae Jeon struct { 963*40796051SNamjae Jeon u8 reserved12[12]; 964*40796051SNamjae Jeon } __packed v1; 9651e9ea7e0SNamjae Jeon struct { 966*40796051SNamjae Jeon __le32 maximum_versions; 967*40796051SNamjae Jeon __le32 version_number; 968*40796051SNamjae Jeon __le32 class_id; 969*40796051SNamjae Jeon __le32 owner_id; 970*40796051SNamjae Jeon __le32 security_id; 971*40796051SNamjae Jeon __le64 quota_charged; 972*40796051SNamjae Jeon __le64 usn; 973*40796051SNamjae Jeon } __packed v3; 974*40796051SNamjae Jeon } __packed ver; 975*40796051SNamjae Jeon } __packed; 9761e9ea7e0SNamjae Jeon 9771e9ea7e0SNamjae Jeon /* 978*40796051SNamjae Jeon * struct attr_list_entry - Entry in $ATTRIBUTE_LIST attribute. 979*40796051SNamjae Jeon * 980*40796051SNamjae Jeon * @type: Attribute type code (ATTR_TYPE_*). 981*40796051SNamjae Jeon * @length: Byte size of this entry (8-byte aligned). 982*40796051SNamjae Jeon * @name_length: Unicode char count of attribute name (0 if unnamed). 983*40796051SNamjae Jeon * @name_offset: Byte offset from start of entry to name (always set). 984*40796051SNamjae Jeon * @lowest_vcn: Lowest VCN of this attribute extent (usually 0). 985*40796051SNamjae Jeon * Signed value; non-zero when attribute spans extents. 986*40796051SNamjae Jeon * @mft_reference: MFT record reference holding this attribute extent. 987*40796051SNamjae Jeon * @instance: Attribute instance number (if lowest_vcn == 0); else 0. 988*40796051SNamjae Jeon * @name: Variable Unicode name (use @name_offset when reading). 9891e9ea7e0SNamjae Jeon * 9901e9ea7e0SNamjae Jeon * - Can be either resident or non-resident. 9911e9ea7e0SNamjae Jeon * - Value consists of a sequence of variable length, 8-byte aligned, 9921e9ea7e0SNamjae Jeon * ATTR_LIST_ENTRY records. 9931e9ea7e0SNamjae Jeon * - The list is not terminated by anything at all! The only way to know when 9941e9ea7e0SNamjae Jeon * the end is reached is to keep track of the current offset and compare it to 9951e9ea7e0SNamjae Jeon * the attribute value size. 9961e9ea7e0SNamjae Jeon * - The attribute list attribute contains one entry for each attribute of 9971e9ea7e0SNamjae Jeon * the file in which the list is located, except for the list attribute 9981e9ea7e0SNamjae Jeon * itself. The list is sorted: first by attribute type, second by attribute 9991e9ea7e0SNamjae Jeon * name (if present), third by instance number. The extents of one 10001e9ea7e0SNamjae Jeon * non-resident attribute (if present) immediately follow after the initial 1001*40796051SNamjae Jeon * extent. They are ordered by lowest_vcn and have their instance set to zero. 10021e9ea7e0SNamjae Jeon * It is not allowed to have two attributes with all sorting keys equal. 10031e9ea7e0SNamjae Jeon * - Further restrictions: 10041e9ea7e0SNamjae Jeon * - If not resident, the vcn to lcn mapping array has to fit inside the 10051e9ea7e0SNamjae Jeon * base mft record. 10061e9ea7e0SNamjae Jeon * - The attribute list attribute value has a maximum size of 256kb. This 10071e9ea7e0SNamjae Jeon * is imposed by the Windows cache manager. 10081e9ea7e0SNamjae Jeon * - Attribute lists are only used when the attributes of mft record do not 10091e9ea7e0SNamjae Jeon * fit inside the mft record despite all attributes (that can be made 10101e9ea7e0SNamjae Jeon * non-resident) having been made non-resident. This can happen e.g. when: 10111e9ea7e0SNamjae Jeon * - File has a large number of hard links (lots of file name 10121e9ea7e0SNamjae Jeon * attributes present). 10131e9ea7e0SNamjae Jeon * - The mapping pairs array of some non-resident attribute becomes so 10141e9ea7e0SNamjae Jeon * large due to fragmentation that it overflows the mft record. 10151e9ea7e0SNamjae Jeon * - The security descriptor is very complex (not applicable to 10161e9ea7e0SNamjae Jeon * NTFS 3.0 volumes). 10171e9ea7e0SNamjae Jeon * - There are many named streams. 10181e9ea7e0SNamjae Jeon */ 1019*40796051SNamjae Jeon struct attr_list_entry { 1020*40796051SNamjae Jeon __le32 type; 1021*40796051SNamjae Jeon __le16 length; 1022*40796051SNamjae Jeon u8 name_length; 1023*40796051SNamjae Jeon u8 name_offset; 1024*40796051SNamjae Jeon __le64 lowest_vcn; 1025*40796051SNamjae Jeon __le64 mft_reference; 1026*40796051SNamjae Jeon __le16 instance; 1027*40796051SNamjae Jeon __le16 name[]; 1028*40796051SNamjae Jeon } __packed; 10291e9ea7e0SNamjae Jeon 10301e9ea7e0SNamjae Jeon /* 10311e9ea7e0SNamjae Jeon * The maximum allowed length for a file name. 10321e9ea7e0SNamjae Jeon */ 10331e9ea7e0SNamjae Jeon #define MAXIMUM_FILE_NAME_LENGTH 255 10341e9ea7e0SNamjae Jeon 10351e9ea7e0SNamjae Jeon /* 1036*40796051SNamjae Jeon * enum - Possible namespaces for filenames in ntfs (8-bit). 1037*40796051SNamjae Jeon * 1038*40796051SNamjae Jeon * FILE_NAME_POSIX POSIX namespace (case sensitive, most permissive). 1039*40796051SNamjae Jeon * Allows all Unicode except '\0' and '/'. 1040*40796051SNamjae Jeon * WinNT/2k/2003 default utilities ignore case 1041*40796051SNamjae Jeon * differences. SFU (Services For Unix) enables true 1042*40796051SNamjae Jeon * case sensitivity. 1043*40796051SNamjae Jeon * SFU restricts some chars: '"', '/', '<', '>', '\'. 1044*40796051SNamjae Jeon * FILE_NAME_WIN32 Standard WinNT/2k long filename namespace 1045*40796051SNamjae Jeon * (case insensitive). 1046*40796051SNamjae Jeon * Disallows '\0', '"', '*', '/', ':', '<', '>', '?', 1047*40796051SNamjae Jeon * '\', '|'. Names cannot end with '.' or space. 1048*40796051SNamjae Jeon * FILE_NAME_DOS DOS 8.3 namespace (uppercase only). 1049*40796051SNamjae Jeon * Allows 8-bit chars > space except '"', '*', '+', 1050*40796051SNamjae Jeon * ',', '/', ':', ';', '<', '=', '>', '?', '\'. 1051*40796051SNamjae Jeon * FILE_NAME_WIN32_AND_DOS 1052*40796051SNamjae Jeon * Win32 and DOS names are identical (single record). 1053*40796051SNamjae Jeon * Value 0x03 indicates both are stored in one entry. 10541e9ea7e0SNamjae Jeon */ 10551e9ea7e0SNamjae Jeon enum { 10561e9ea7e0SNamjae Jeon FILE_NAME_POSIX = 0x00, 10571e9ea7e0SNamjae Jeon FILE_NAME_WIN32 = 0x01, 10581e9ea7e0SNamjae Jeon FILE_NAME_DOS = 0x02, 10591e9ea7e0SNamjae Jeon FILE_NAME_WIN32_AND_DOS = 0x03, 1060*40796051SNamjae Jeon } __packed; 10611e9ea7e0SNamjae Jeon 10621e9ea7e0SNamjae Jeon /* 1063*40796051SNamjae Jeon * struct file_name_attr - $FILE_NAME attribute content 10641e9ea7e0SNamjae Jeon * 10651e9ea7e0SNamjae Jeon * NOTE: Always resident. 10661e9ea7e0SNamjae Jeon * NOTE: All fields, except the parent_directory, are only updated when the 10671e9ea7e0SNamjae Jeon * filename is changed. Until then, they just become out of sync with 10681e9ea7e0SNamjae Jeon * reality and the more up to date values are present in the standard 10691e9ea7e0SNamjae Jeon * information attribute. 10701e9ea7e0SNamjae Jeon * NOTE: There is conflicting information about the meaning of each of the time 10711e9ea7e0SNamjae Jeon * fields but the meaning as defined below has been verified to be 10721e9ea7e0SNamjae Jeon * correct by practical experimentation on Windows NT4 SP6a and is hence 10731e9ea7e0SNamjae Jeon * assumed to be the one and only correct interpretation. 1074*40796051SNamjae Jeon * 1075*40796051SNamjae Jeon * @parent_directory: MFT reference to parent directory. 1076*40796051SNamjae Jeon * @creation_time: File creation time (NTFS timestamp). 1077*40796051SNamjae Jeon * @last_data_change_time: 1078*40796051SNamjae Jeon * Last data modification time. 1079*40796051SNamjae Jeon * @last_mft_change_time: 1080*40796051SNamjae Jeon * Last MFT record modification time. 1081*40796051SNamjae Jeon * @last_access_time: Last access time (approximate; may not 1082*40796051SNamjae Jeon * update always). 1083*40796051SNamjae Jeon * @allocated_size: On-disk allocated size for unnamed $DATA. 1084*40796051SNamjae Jeon * Equals compressed_size if compressed/sparse. 1085*40796051SNamjae Jeon * 0 for directories or no $DATA. 1086*40796051SNamjae Jeon * Multiple of cluster size. 1087*40796051SNamjae Jeon * @data_size: Logical size of unnamed $DATA. 1088*40796051SNamjae Jeon * 0 for directories or no $DATA. 1089*40796051SNamjae Jeon * @file_attributes: File attribute flags (FILE_ATTR_* bits). 1090*40796051SNamjae Jeon * @type.ea.packed_ea_size: 1091*40796051SNamjae Jeon * Size needed to pack EAs (if present). 1092*40796051SNamjae Jeon * @type.ea.reserved: Alignment padding. 1093*40796051SNamjae Jeon * @type.rp.reparse_point_tag: 1094*40796051SNamjae Jeon * Reparse point type (if reparse point, no EAs). 1095*40796051SNamjae Jeon * @file_name_length: Length of filename in Unicode characters. 1096*40796051SNamjae Jeon * @file_name_type: Namespace (FILE_NAME_POSIX, WIN32, DOS, etc.). 1097*40796051SNamjae Jeon * @file_name: Variable-length Unicode filename. 10981e9ea7e0SNamjae Jeon */ 1099*40796051SNamjae Jeon struct file_name_attr { 1100*40796051SNamjae Jeon __le64 parent_directory; 1101*40796051SNamjae Jeon __le64 creation_time; 1102*40796051SNamjae Jeon __le64 last_data_change_time; 1103*40796051SNamjae Jeon __le64 last_mft_change_time; 1104*40796051SNamjae Jeon __le64 last_access_time; 1105*40796051SNamjae Jeon __le64 allocated_size; 1106*40796051SNamjae Jeon __le64 data_size; 1107*40796051SNamjae Jeon __le32 file_attributes; 1108*40796051SNamjae Jeon union { 1109*40796051SNamjae Jeon struct { 1110*40796051SNamjae Jeon __le16 packed_ea_size; 1111*40796051SNamjae Jeon __le16 reserved; 1112*40796051SNamjae Jeon } __packed ea; 1113*40796051SNamjae Jeon struct { 1114*40796051SNamjae Jeon __le32 reparse_point_tag; 1115*40796051SNamjae Jeon } __packed rp; 1116*40796051SNamjae Jeon } __packed type; 1117*40796051SNamjae Jeon u8 file_name_length; 1118*40796051SNamjae Jeon u8 file_name_type; 1119*40796051SNamjae Jeon __le16 file_name[]; 1120*40796051SNamjae Jeon } __packed; 11211e9ea7e0SNamjae Jeon 11221e9ea7e0SNamjae Jeon /* 1123*40796051SNamjae Jeon * struct guid - Globally Unique Identifier (GUID) structure 1124*40796051SNamjae Jeon * 11251e9ea7e0SNamjae Jeon * GUID structures store globally unique identifiers (GUID). A GUID is a 11261e9ea7e0SNamjae Jeon * 128-bit value consisting of one group of eight hexadecimal digits, followed 11271e9ea7e0SNamjae Jeon * by three groups of four hexadecimal digits each, followed by one group of 11281e9ea7e0SNamjae Jeon * twelve hexadecimal digits. GUIDs are Microsoft's implementation of the 11291e9ea7e0SNamjae Jeon * distributed computing environment (DCE) universally unique identifier (UUID). 11301e9ea7e0SNamjae Jeon * Example of a GUID: 11311e9ea7e0SNamjae Jeon * 1F010768-5A73-BC91-0010A52216A7 1132*40796051SNamjae Jeon * 1133*40796051SNamjae Jeon * @data1: First 32 bits (first 8 hex digits). 1134*40796051SNamjae Jeon * @data2: Next 16 bits (first group of 4 hex digits). 1135*40796051SNamjae Jeon * @data3: Next 16 bits (second group of 4 hex digits). 1136*40796051SNamjae Jeon * @data4: Final 64 bits (third group of 4 + last 12 hex digits). 1137*40796051SNamjae Jeon * data4[0-1]: third group; data4[2-7]: remaining part. 11381e9ea7e0SNamjae Jeon */ 1139*40796051SNamjae Jeon struct guid { 1140*40796051SNamjae Jeon __le32 data1; 1141*40796051SNamjae Jeon __le16 data2; 1142*40796051SNamjae Jeon __le16 data3; 1143*40796051SNamjae Jeon u8 data4[8]; 1144*40796051SNamjae Jeon } __packed; 11451e9ea7e0SNamjae Jeon 11461e9ea7e0SNamjae Jeon /* 1147*40796051SNamjae Jeon * struct object_id_attr - $OBJECT_ID attribute content (NTFS 3.0+) 11481e9ea7e0SNamjae Jeon * 11491e9ea7e0SNamjae Jeon * NOTE: Always resident. 1150*40796051SNamjae Jeon * 1151*40796051SNamjae Jeon * @object_id: Unique 128-bit GUID assigned to the file. 1152*40796051SNamjae Jeon * Core identifier; always present. 1153*40796051SNamjae Jeon * 1154*40796051SNamjae Jeon * Optional extended info (union; total value size 16–64 bytes): 1155*40796051SNamjae Jeon * @extended_info.birth_volume_id: 1156*40796051SNamjae Jeon * Birth volume GUID (where file was first created). 1157*40796051SNamjae Jeon * @extended_info.birth_object_id: 1158*40796051SNamjae Jeon * Birth object GUID (original ID before copy/move). 1159*40796051SNamjae Jeon * @extended_info.domain_id: 1160*40796051SNamjae Jeon * Domain GUID (usually zero; reserved). 11611e9ea7e0SNamjae Jeon */ 1162*40796051SNamjae Jeon struct object_id_attr { 1163*40796051SNamjae Jeon struct guid object_id; 11641e9ea7e0SNamjae Jeon union { 11651e9ea7e0SNamjae Jeon struct { 1166*40796051SNamjae Jeon struct guid birth_volume_id; 1167*40796051SNamjae Jeon struct guid birth_object_id; 1168*40796051SNamjae Jeon struct guid domain_id; 1169*40796051SNamjae Jeon } __packed; 11701e9ea7e0SNamjae Jeon u8 extended_info[48]; 1171*40796051SNamjae Jeon } __packed; 1172*40796051SNamjae Jeon } __packed; 11731e9ea7e0SNamjae Jeon 11741e9ea7e0SNamjae Jeon /* 1175*40796051SNamjae Jeon * enum - RIDs (Relative Identifiers) in Windows/NTFS security 1176*40796051SNamjae Jeon * 11771e9ea7e0SNamjae Jeon * These relative identifiers (RIDs) are used with the above identifier 11781e9ea7e0SNamjae Jeon * authorities to make up universal well-known SIDs. 11791e9ea7e0SNamjae Jeon * 1180*40796051SNamjae Jeon * SECURITY_NULL_RID S-1-0 (Null authority) 1181*40796051SNamjae Jeon * SECURITY_WORLD_RID S-1-1 (World/Everyone) 1182*40796051SNamjae Jeon * SECURITY_LOCAL_RID S-1-2 (Local) 1183*40796051SNamjae Jeon * SECURITY_CREATOR_OWNER_RID S-1-3-0 (Creator Owner) 1184*40796051SNamjae Jeon * SECURITY_CREATOR_GROUP_RID S-1-3-1 (Creator Group) 1185*40796051SNamjae Jeon * SECURITY_CREATOR_OWNER_SERVER_RID S-1-3-2 (Server Creator Owner) 1186*40796051SNamjae Jeon * SECURITY_CREATOR_GROUP_SERVER_RID S-1-3-3 (Server Creator Group) 1187*40796051SNamjae Jeon * SECURITY_DIALUP_RID S-1-5-1 (Dialup) 1188*40796051SNamjae Jeon * SECURITY_NETWORK_RID S-1-5-2 (Network) 1189*40796051SNamjae Jeon * SECURITY_BATCH_RID S-1-5-3 (Batch) 1190*40796051SNamjae Jeon * SECURITY_INTERACTIVE_RID S-1-5-4 (Interactive) 1191*40796051SNamjae Jeon * SECURITY_SERVICE_RID S-1-5-6 (Service) 1192*40796051SNamjae Jeon * SECURITY_ANONYMOUS_LOGON_RID S-1-5-7 (Anonymous Logon) 1193*40796051SNamjae Jeon * SECURITY_PROXY_RID S-1-5-8 (Proxy) 1194*40796051SNamjae Jeon * SECURITY_ENTERPRISE_CONTROLLERS_RID S-1-5-9 (Enterprise DCs) 1195*40796051SNamjae Jeon * SECURITY_SERVER_LOGON_RID S-1-5-9 (Server Logon alias) 1196*40796051SNamjae Jeon * SECURITY_PRINCIPAL_SELF_RID S-1-5-10 (Self/PrincipalSelf) 1197*40796051SNamjae Jeon * SECURITY_AUTHENTICATED_USER_RID S-1-5-11 (Authenticated Users) 1198*40796051SNamjae Jeon * SECURITY_RESTRICTED_CODE_RID S-1-5-12 (Restricted Code) 1199*40796051SNamjae Jeon * SECURITY_TERMINAL_SERVER_RID S-1-5-13 (Terminal Server) 1200*40796051SNamjae Jeon * SECURITY_LOGON_IDS_RID S-1-5-5 (Logon session IDs base) 1201*40796051SNamjae Jeon * SECURITY_LOCAL_SYSTEM_RID S-1-5-18 (Local System) 1202*40796051SNamjae Jeon * SECURITY_NT_NON_UNIQUE S-1-5-21 (NT non-unique authority) 1203*40796051SNamjae Jeon * SECURITY_BUILTIN_DOMAIN_RID S-1-5-32 (Built-in domain) 1204*40796051SNamjae Jeon * 1205*40796051SNamjae Jeon * Built-in domain relative RIDs (S-1-5-32-...): 1206*40796051SNamjae Jeon * Users: 1207*40796051SNamjae Jeon * DOMAIN_USER_RID_ADMIN Administrator 1208*40796051SNamjae Jeon * DOMAIN_USER_RID_GUEST Guest 1209*40796051SNamjae Jeon * DOMAIN_USER_RID_KRBTGT krbtgt (Kerberos ticket-granting) 1210*40796051SNamjae Jeon * 1211*40796051SNamjae Jeon * Groups: 1212*40796051SNamjae Jeon * DOMAIN_GROUP_RID_ADMINS Administrators 1213*40796051SNamjae Jeon * DOMAIN_GROUP_RID_USERS Users 1214*40796051SNamjae Jeon * DOMAIN_GROUP_RID_GUESTS Guests 1215*40796051SNamjae Jeon * DOMAIN_GROUP_RID_COMPUTERS Computers 1216*40796051SNamjae Jeon * DOMAIN_GROUP_RID_CONTROLLERS Domain Controllers 1217*40796051SNamjae Jeon * DOMAIN_GROUP_RID_CERT_ADMINS Cert Publishers 1218*40796051SNamjae Jeon * DOMAIN_GROUP_RID_SCHEMA_ADMINS Schema Admins 1219*40796051SNamjae Jeon * DOMAIN_GROUP_RID_ENTERPRISE_ADMINS Enterprise Admins 1220*40796051SNamjae Jeon * DOMAIN_GROUP_RID_POLICY_ADMINS Policy Admins (if present) 1221*40796051SNamjae Jeon * 1222*40796051SNamjae Jeon * Aliases: 1223*40796051SNamjae Jeon * DOMAIN_ALIAS_RID_ADMINS Administrators alias 1224*40796051SNamjae Jeon * DOMAIN_ALIAS_RID_USERS Users alias 1225*40796051SNamjae Jeon * DOMAIN_ALIAS_RID_GUESTS Guests alias 1226*40796051SNamjae Jeon * DOMAIN_ALIAS_RID_POWER_USERS Power Users 1227*40796051SNamjae Jeon * DOMAIN_ALIAS_RID_ACCOUNT_OPS Account Operators 1228*40796051SNamjae Jeon * DOMAIN_ALIAS_RID_SYSTEM_OPS Server Operators 1229*40796051SNamjae Jeon * DOMAIN_ALIAS_RID_PRINT_OPS Print Operators 1230*40796051SNamjae Jeon * DOMAIN_ALIAS_RID_BACKUP_OPS Backup Operators 1231*40796051SNamjae Jeon * DOMAIN_ALIAS_RID_REPLICATOR Replicator 1232*40796051SNamjae Jeon * DOMAIN_ALIAS_RID_RAS_SERVERS RAS Servers 1233*40796051SNamjae Jeon * DOMAIN_ALIAS_RID_PREW2KCOMPACCESS Pre-Windows 2000 Compatible Access 1234*40796051SNamjae Jeon * 12351e9ea7e0SNamjae Jeon * Note: The relative identifier (RID) refers to the portion of a SID, which 12361e9ea7e0SNamjae Jeon * identifies a user or group in relation to the authority that issued the SID. 12371e9ea7e0SNamjae Jeon * For example, the universal well-known SID Creator Owner ID (S-1-3-0) is 12381e9ea7e0SNamjae Jeon * made up of the identifier authority SECURITY_CREATOR_SID_AUTHORITY (3) and 12391e9ea7e0SNamjae Jeon * the relative identifier SECURITY_CREATOR_OWNER_RID (0). 12401e9ea7e0SNamjae Jeon */ 1241*40796051SNamjae Jeon enum { /* Identifier authority. */ 12421e9ea7e0SNamjae Jeon SECURITY_NULL_RID = 0, /* S-1-0 */ 12431e9ea7e0SNamjae Jeon SECURITY_WORLD_RID = 0, /* S-1-1 */ 12441e9ea7e0SNamjae Jeon SECURITY_LOCAL_RID = 0, /* S-1-2 */ 12451e9ea7e0SNamjae Jeon 12461e9ea7e0SNamjae Jeon SECURITY_CREATOR_OWNER_RID = 0, /* S-1-3 */ 12471e9ea7e0SNamjae Jeon SECURITY_CREATOR_GROUP_RID = 1, /* S-1-3 */ 12481e9ea7e0SNamjae Jeon 12491e9ea7e0SNamjae Jeon SECURITY_CREATOR_OWNER_SERVER_RID = 2, /* S-1-3 */ 12501e9ea7e0SNamjae Jeon SECURITY_CREATOR_GROUP_SERVER_RID = 3, /* S-1-3 */ 12511e9ea7e0SNamjae Jeon 12521e9ea7e0SNamjae Jeon SECURITY_DIALUP_RID = 1, 12531e9ea7e0SNamjae Jeon SECURITY_NETWORK_RID = 2, 12541e9ea7e0SNamjae Jeon SECURITY_BATCH_RID = 3, 12551e9ea7e0SNamjae Jeon SECURITY_INTERACTIVE_RID = 4, 12561e9ea7e0SNamjae Jeon SECURITY_SERVICE_RID = 6, 12571e9ea7e0SNamjae Jeon SECURITY_ANONYMOUS_LOGON_RID = 7, 12581e9ea7e0SNamjae Jeon SECURITY_PROXY_RID = 8, 12591e9ea7e0SNamjae Jeon SECURITY_ENTERPRISE_CONTROLLERS_RID = 9, 12601e9ea7e0SNamjae Jeon SECURITY_SERVER_LOGON_RID = 9, 12611e9ea7e0SNamjae Jeon SECURITY_PRINCIPAL_SELF_RID = 0xa, 12621e9ea7e0SNamjae Jeon SECURITY_AUTHENTICATED_USER_RID = 0xb, 12631e9ea7e0SNamjae Jeon SECURITY_RESTRICTED_CODE_RID = 0xc, 12641e9ea7e0SNamjae Jeon SECURITY_TERMINAL_SERVER_RID = 0xd, 12651e9ea7e0SNamjae Jeon 12661e9ea7e0SNamjae Jeon SECURITY_LOGON_IDS_RID = 5, 12671e9ea7e0SNamjae Jeon SECURITY_LOGON_IDS_RID_COUNT = 3, 12681e9ea7e0SNamjae Jeon 12691e9ea7e0SNamjae Jeon SECURITY_LOCAL_SYSTEM_RID = 0x12, 12701e9ea7e0SNamjae Jeon 12711e9ea7e0SNamjae Jeon SECURITY_NT_NON_UNIQUE = 0x15, 12721e9ea7e0SNamjae Jeon 12731e9ea7e0SNamjae Jeon SECURITY_BUILTIN_DOMAIN_RID = 0x20, 12741e9ea7e0SNamjae Jeon 12751e9ea7e0SNamjae Jeon /* 12761e9ea7e0SNamjae Jeon * Well-known domain relative sub-authority values (RIDs). 12771e9ea7e0SNamjae Jeon */ 12781e9ea7e0SNamjae Jeon 12791e9ea7e0SNamjae Jeon /* Users. */ 12801e9ea7e0SNamjae Jeon DOMAIN_USER_RID_ADMIN = 0x1f4, 12811e9ea7e0SNamjae Jeon DOMAIN_USER_RID_GUEST = 0x1f5, 12821e9ea7e0SNamjae Jeon DOMAIN_USER_RID_KRBTGT = 0x1f6, 12831e9ea7e0SNamjae Jeon 12841e9ea7e0SNamjae Jeon /* Groups. */ 12851e9ea7e0SNamjae Jeon DOMAIN_GROUP_RID_ADMINS = 0x200, 12861e9ea7e0SNamjae Jeon DOMAIN_GROUP_RID_USERS = 0x201, 12871e9ea7e0SNamjae Jeon DOMAIN_GROUP_RID_GUESTS = 0x202, 12881e9ea7e0SNamjae Jeon DOMAIN_GROUP_RID_COMPUTERS = 0x203, 12891e9ea7e0SNamjae Jeon DOMAIN_GROUP_RID_CONTROLLERS = 0x204, 12901e9ea7e0SNamjae Jeon DOMAIN_GROUP_RID_CERT_ADMINS = 0x205, 12911e9ea7e0SNamjae Jeon DOMAIN_GROUP_RID_SCHEMA_ADMINS = 0x206, 12921e9ea7e0SNamjae Jeon DOMAIN_GROUP_RID_ENTERPRISE_ADMINS = 0x207, 12931e9ea7e0SNamjae Jeon DOMAIN_GROUP_RID_POLICY_ADMINS = 0x208, 12941e9ea7e0SNamjae Jeon 12951e9ea7e0SNamjae Jeon /* Aliases. */ 12961e9ea7e0SNamjae Jeon DOMAIN_ALIAS_RID_ADMINS = 0x220, 12971e9ea7e0SNamjae Jeon DOMAIN_ALIAS_RID_USERS = 0x221, 12981e9ea7e0SNamjae Jeon DOMAIN_ALIAS_RID_GUESTS = 0x222, 12991e9ea7e0SNamjae Jeon DOMAIN_ALIAS_RID_POWER_USERS = 0x223, 13001e9ea7e0SNamjae Jeon 13011e9ea7e0SNamjae Jeon DOMAIN_ALIAS_RID_ACCOUNT_OPS = 0x224, 13021e9ea7e0SNamjae Jeon DOMAIN_ALIAS_RID_SYSTEM_OPS = 0x225, 13031e9ea7e0SNamjae Jeon DOMAIN_ALIAS_RID_PRINT_OPS = 0x226, 13041e9ea7e0SNamjae Jeon DOMAIN_ALIAS_RID_BACKUP_OPS = 0x227, 13051e9ea7e0SNamjae Jeon 13061e9ea7e0SNamjae Jeon DOMAIN_ALIAS_RID_REPLICATOR = 0x228, 13071e9ea7e0SNamjae Jeon DOMAIN_ALIAS_RID_RAS_SERVERS = 0x229, 13081e9ea7e0SNamjae Jeon DOMAIN_ALIAS_RID_PREW2KCOMPACCESS = 0x22a, 1309*40796051SNamjae Jeon }; 13101e9ea7e0SNamjae Jeon 13111e9ea7e0SNamjae Jeon /* 13121e9ea7e0SNamjae Jeon * The universal well-known SIDs: 13131e9ea7e0SNamjae Jeon * 13141e9ea7e0SNamjae Jeon * NULL_SID S-1-0-0 13151e9ea7e0SNamjae Jeon * WORLD_SID S-1-1-0 13161e9ea7e0SNamjae Jeon * LOCAL_SID S-1-2-0 13171e9ea7e0SNamjae Jeon * CREATOR_OWNER_SID S-1-3-0 13181e9ea7e0SNamjae Jeon * CREATOR_GROUP_SID S-1-3-1 13191e9ea7e0SNamjae Jeon * CREATOR_OWNER_SERVER_SID S-1-3-2 13201e9ea7e0SNamjae Jeon * CREATOR_GROUP_SERVER_SID S-1-3-3 13211e9ea7e0SNamjae Jeon * 13221e9ea7e0SNamjae Jeon * (Non-unique IDs) S-1-4 13231e9ea7e0SNamjae Jeon * 13241e9ea7e0SNamjae Jeon * NT well-known SIDs: 13251e9ea7e0SNamjae Jeon * 13261e9ea7e0SNamjae Jeon * NT_AUTHORITY_SID S-1-5 13271e9ea7e0SNamjae Jeon * DIALUP_SID S-1-5-1 13281e9ea7e0SNamjae Jeon * 13291e9ea7e0SNamjae Jeon * NETWORD_SID S-1-5-2 13301e9ea7e0SNamjae Jeon * BATCH_SID S-1-5-3 13311e9ea7e0SNamjae Jeon * INTERACTIVE_SID S-1-5-4 13321e9ea7e0SNamjae Jeon * SERVICE_SID S-1-5-6 13331e9ea7e0SNamjae Jeon * ANONYMOUS_LOGON_SID S-1-5-7 (aka null logon session) 13341e9ea7e0SNamjae Jeon * PROXY_SID S-1-5-8 13351e9ea7e0SNamjae Jeon * SERVER_LOGON_SID S-1-5-9 (aka domain controller account) 13361e9ea7e0SNamjae Jeon * SELF_SID S-1-5-10 (self RID) 13371e9ea7e0SNamjae Jeon * AUTHENTICATED_USER_SID S-1-5-11 13381e9ea7e0SNamjae Jeon * RESTRICTED_CODE_SID S-1-5-12 (running restricted code) 13391e9ea7e0SNamjae Jeon * TERMINAL_SERVER_SID S-1-5-13 (running on terminal server) 13401e9ea7e0SNamjae Jeon * 13411e9ea7e0SNamjae Jeon * (Logon IDs) S-1-5-5-X-Y 13421e9ea7e0SNamjae Jeon * 13431e9ea7e0SNamjae Jeon * (NT non-unique IDs) S-1-5-0x15-... 13441e9ea7e0SNamjae Jeon * 13451e9ea7e0SNamjae Jeon * (Built-in domain) S-1-5-0x20 13461e9ea7e0SNamjae Jeon */ 13471e9ea7e0SNamjae Jeon 13481e9ea7e0SNamjae Jeon /* 1349*40796051SNamjae Jeon * struct ntfs_sid - Security Identifier (SID) structure 13501e9ea7e0SNamjae Jeon * 1351*40796051SNamjae Jeon * @revision: SID revision level (usually 1). 1352*40796051SNamjae Jeon * @sub_authority_count: Number of sub-authorities (1 or more). 1353*40796051SNamjae Jeon * @identifier_authority: 1354*40796051SNamjae Jeon * 48-bit identifier authority (S-1-x-...). 1355*40796051SNamjae Jeon * @parts.high_part: high 16 bits. 1356*40796051SNamjae Jeon * @parts.low_part: low 32 bits. 1357*40796051SNamjae Jeon * @value: raw 6-byte array. 1358*40796051SNamjae Jeon * @sub_authority: Variable array of 32-bit RIDs. 1359*40796051SNamjae Jeon * At least one; defines the SID relative to authority. 1360*40796051SNamjae Jeon * 13611e9ea7e0SNamjae Jeon * The SID structure is a variable-length structure used to uniquely identify 13621e9ea7e0SNamjae Jeon * users or groups. SID stands for security identifier. 13631e9ea7e0SNamjae Jeon * 13641e9ea7e0SNamjae Jeon * The standard textual representation of the SID is of the form: 13651e9ea7e0SNamjae Jeon * S-R-I-S-S... 13661e9ea7e0SNamjae Jeon * Where: 13671e9ea7e0SNamjae Jeon * - The first "S" is the literal character 'S' identifying the following 13681e9ea7e0SNamjae Jeon * digits as a SID. 13691e9ea7e0SNamjae Jeon * - R is the revision level of the SID expressed as a sequence of digits 13701e9ea7e0SNamjae Jeon * either in decimal or hexadecimal (if the later, prefixed by "0x"). 13711e9ea7e0SNamjae Jeon * - I is the 48-bit identifier_authority, expressed as digits as R above. 13721e9ea7e0SNamjae Jeon * - S... is one or more sub_authority values, expressed as digits as above. 13731e9ea7e0SNamjae Jeon * 13741e9ea7e0SNamjae Jeon * Example SID; the domain-relative SID of the local Administrators group on 13751e9ea7e0SNamjae Jeon * Windows NT/2k: 13761e9ea7e0SNamjae Jeon * S-1-5-32-544 13771e9ea7e0SNamjae Jeon * This translates to a SID with: 13781e9ea7e0SNamjae Jeon * revision = 1, 13791e9ea7e0SNamjae Jeon * sub_authority_count = 2, 13801e9ea7e0SNamjae Jeon * identifier_authority = {0,0,0,0,0,5}, // SECURITY_NT_AUTHORITY 13811e9ea7e0SNamjae Jeon * sub_authority[0] = 32, // SECURITY_BUILTIN_DOMAIN_RID 13821e9ea7e0SNamjae Jeon * sub_authority[1] = 544 // DOMAIN_ALIAS_RID_ADMINS 13831e9ea7e0SNamjae Jeon */ 1384*40796051SNamjae Jeon struct ntfs_sid { 13851e9ea7e0SNamjae Jeon u8 revision; 13861e9ea7e0SNamjae Jeon u8 sub_authority_count; 1387*40796051SNamjae Jeon union { 1388*40796051SNamjae Jeon struct { 1389*40796051SNamjae Jeon u16 high_part; 1390*40796051SNamjae Jeon u32 low_part; 1391*40796051SNamjae Jeon } __packed parts; 1392*40796051SNamjae Jeon u8 value[6]; 1393*40796051SNamjae Jeon } identifier_authority; 1394*40796051SNamjae Jeon __le32 sub_authority[]; 1395*40796051SNamjae Jeon } __packed; 13961e9ea7e0SNamjae Jeon 13971e9ea7e0SNamjae Jeon /* 1398*40796051SNamjae Jeon * enum - Predefined ACE types (8-bit) for NTFS security descriptors 1399*40796051SNamjae Jeon * 1400*40796051SNamjae Jeon * ACCESS_MIN_MS_ACE_TYPE: Minimum MS ACE type (0). 1401*40796051SNamjae Jeon * ACCESS_ALLOWED_ACE_TYPE: Allow access (standard ACE). 1402*40796051SNamjae Jeon * ACCESS_DENIED_ACE_TYPE: Deny access (standard ACE). 1403*40796051SNamjae Jeon * SYSTEM_AUDIT_ACE_TYPE: Audit successful/failed access. 1404*40796051SNamjae Jeon * SYSTEM_ALARM_ACE_TYPE: Alarm on access (not in Win2k+). 1405*40796051SNamjae Jeon * ACCESS_MAX_MS_V2_ACE_TYPE: Max for V2 ACE types. 1406*40796051SNamjae Jeon * ACCESS_ALLOWED_COMPOUND_ACE_TYPE: 1407*40796051SNamjae Jeon * Compound ACE (legacy). 1408*40796051SNamjae Jeon * ACCESS_MAX_MS_V3_ACE_TYPE: Max for V3 ACE types. 1409*40796051SNamjae Jeon * ACCESS_MIN_MS_OBJECT_ACE_TYPE: Min for object ACE types (Win2k+). 1410*40796051SNamjae Jeon * ACCESS_ALLOWED_OBJECT_ACE_TYPE: Allow with object-specific rights. 1411*40796051SNamjae Jeon * ACCESS_DENIED_OBJECT_ACE_TYPE: Deny with object-specific rights. 1412*40796051SNamjae Jeon * SYSTEM_AUDIT_OBJECT_ACE_TYPE: Audit with object-specific rights. 1413*40796051SNamjae Jeon * SYSTEM_ALARM_OBJECT_ACE_TYPE: Alarm with object-specific rights. 1414*40796051SNamjae Jeon * ACCESS_MAX_MS_OBJECT_ACE_TYPE: Max for object ACE types. 1415*40796051SNamjae Jeon * ACCESS_MAX_MS_V4_ACE_TYPE: Max for V4 ACE types. 1416*40796051SNamjae Jeon * ACCESS_MAX_MS_ACE_TYPE: Overall max ACE type (WinNT/2k). 14171e9ea7e0SNamjae Jeon */ 14181e9ea7e0SNamjae Jeon enum { 14191e9ea7e0SNamjae Jeon ACCESS_MIN_MS_ACE_TYPE = 0, 14201e9ea7e0SNamjae Jeon ACCESS_ALLOWED_ACE_TYPE = 0, 14211e9ea7e0SNamjae Jeon ACCESS_DENIED_ACE_TYPE = 1, 14221e9ea7e0SNamjae Jeon SYSTEM_AUDIT_ACE_TYPE = 2, 1423*40796051SNamjae Jeon SYSTEM_ALARM_ACE_TYPE = 3, 14241e9ea7e0SNamjae Jeon ACCESS_MAX_MS_V2_ACE_TYPE = 3, 14251e9ea7e0SNamjae Jeon 14261e9ea7e0SNamjae Jeon ACCESS_ALLOWED_COMPOUND_ACE_TYPE = 4, 14271e9ea7e0SNamjae Jeon ACCESS_MAX_MS_V3_ACE_TYPE = 4, 14281e9ea7e0SNamjae Jeon ACCESS_MIN_MS_OBJECT_ACE_TYPE = 5, 14291e9ea7e0SNamjae Jeon ACCESS_ALLOWED_OBJECT_ACE_TYPE = 5, 14301e9ea7e0SNamjae Jeon ACCESS_DENIED_OBJECT_ACE_TYPE = 6, 14311e9ea7e0SNamjae Jeon SYSTEM_AUDIT_OBJECT_ACE_TYPE = 7, 14321e9ea7e0SNamjae Jeon SYSTEM_ALARM_OBJECT_ACE_TYPE = 8, 14331e9ea7e0SNamjae Jeon ACCESS_MAX_MS_OBJECT_ACE_TYPE = 8, 14341e9ea7e0SNamjae Jeon 14351e9ea7e0SNamjae Jeon ACCESS_MAX_MS_V4_ACE_TYPE = 8, 14361e9ea7e0SNamjae Jeon ACCESS_MAX_MS_ACE_TYPE = 8, 1437*40796051SNamjae Jeon } __packed; 14381e9ea7e0SNamjae Jeon 14391e9ea7e0SNamjae Jeon /* 1440*40796051SNamjae Jeon * enum - ACE inheritance and audit flags (8-bit) 1441*40796051SNamjae Jeon * 1442*40796051SNamjae Jeon * OBJECT_INHERIT_ACE: Object inherit (files inherit this ACE). 1443*40796051SNamjae Jeon * CONTAINER_INHERIT_ACE: Container inherit (subdirectories inherit). 1444*40796051SNamjae Jeon * NO_PROPAGATE_INHERIT_ACE: No propagation (stop inheritance after this level). 1445*40796051SNamjae Jeon * INHERIT_ONLY_ACE: Inherit only (not applied to current object). 1446*40796051SNamjae Jeon * INHERITED_ACE: ACE was inherited (Win2k+ only). 1447*40796051SNamjae Jeon * VALID_INHERIT_FLAGS: Mask of all valid inheritance flags (0x1f). 1448*40796051SNamjae Jeon * SUCCESSFUL_ACCESS_ACE_FLAG: Audit successful access (system audit ACE). 1449*40796051SNamjae Jeon * FAILED_ACCESS_ACE_FLAG: Audit failed access (system audit ACE). 14501e9ea7e0SNamjae Jeon * 14511e9ea7e0SNamjae Jeon * SUCCESSFUL_ACCESS_ACE_FLAG is only used with system audit and alarm ACE 14521e9ea7e0SNamjae Jeon * types to indicate that a message is generated (in Windows!) for successful 14531e9ea7e0SNamjae Jeon * accesses. 14541e9ea7e0SNamjae Jeon * 14551e9ea7e0SNamjae Jeon * FAILED_ACCESS_ACE_FLAG is only used with system audit and alarm ACE types 14561e9ea7e0SNamjae Jeon * to indicate that a message is generated (in Windows!) for failed accesses. 14571e9ea7e0SNamjae Jeon */ 14581e9ea7e0SNamjae Jeon enum { 14591e9ea7e0SNamjae Jeon OBJECT_INHERIT_ACE = 0x01, 14601e9ea7e0SNamjae Jeon CONTAINER_INHERIT_ACE = 0x02, 14611e9ea7e0SNamjae Jeon NO_PROPAGATE_INHERIT_ACE = 0x04, 14621e9ea7e0SNamjae Jeon INHERIT_ONLY_ACE = 0x08, 1463*40796051SNamjae Jeon INHERITED_ACE = 0x10, 14641e9ea7e0SNamjae Jeon VALID_INHERIT_FLAGS = 0x1f, 14651e9ea7e0SNamjae Jeon SUCCESSFUL_ACCESS_ACE_FLAG = 0x40, 14661e9ea7e0SNamjae Jeon FAILED_ACCESS_ACE_FLAG = 0x80, 1467*40796051SNamjae Jeon } __packed; 14681e9ea7e0SNamjae Jeon 14691e9ea7e0SNamjae Jeon /* 1470*40796051SNamjae Jeon * enum - NTFS access rights masks (32-bit) 14711e9ea7e0SNamjae Jeon * 1472*40796051SNamjae Jeon * FILE_READ_DATA / FILE_LIST_DIRECTORY: Read file data / list dir contents. 1473*40796051SNamjae Jeon * FILE_WRITE_DATA / FILE_ADD_FILE: Write file data / create file in dir. 1474*40796051SNamjae Jeon * FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY: Append data / create subdir. 1475*40796051SNamjae Jeon * FILE_READ_EA: Read extended attributes. 1476*40796051SNamjae Jeon * FILE_WRITE_EA: Write extended attributes. 1477*40796051SNamjae Jeon * FILE_EXECUTE / FILE_TRAVERSE: Execute file / traverse dir. 1478*40796051SNamjae Jeon * FILE_DELETE_CHILD: Delete children in dir. 1479*40796051SNamjae Jeon * FILE_READ_ATTRIBUTES: Read attributes. 1480*40796051SNamjae Jeon * FILE_WRITE_ATTRIBUTES: Write attributes. 1481*40796051SNamjae Jeon * 1482*40796051SNamjae Jeon * Standard rights (object-independent): 1483*40796051SNamjae Jeon * DELETE: Delete object. 1484*40796051SNamjae Jeon * READ_CONTROL: Read security descriptor/owner. 1485*40796051SNamjae Jeon * WRITE_DAC: Modify DACL. 1486*40796051SNamjae Jeon * WRITE_OWNER: Change owner. 1487*40796051SNamjae Jeon * SYNCHRONIZE: Wait on object signal state. 1488*40796051SNamjae Jeon * 1489*40796051SNamjae Jeon * Combinations: 1490*40796051SNamjae Jeon * STANDARD_RIGHTS_READ / WRITE / EXECUTE: Aliases for READ_CONTROL. 1491*40796051SNamjae Jeon * STANDARD_RIGHTS_REQUIRED: DELETE + READ_CONTROL + 1492*40796051SNamjae Jeon * WRITE_DAC + WRITE_OWNER. 1493*40796051SNamjae Jeon * STANDARD_RIGHTS_ALL: Above + SYNCHRONIZE. 1494*40796051SNamjae Jeon * 1495*40796051SNamjae Jeon * System/access types: 1496*40796051SNamjae Jeon * ACCESS_SYSTEM_SECURITY: Access system ACL. 1497*40796051SNamjae Jeon * MAXIMUM_ALLOWED: Maximum allowed access. 1498*40796051SNamjae Jeon * 1499*40796051SNamjae Jeon * Generic rights (high bits, map to specific/standard): 1500*40796051SNamjae Jeon * GENERIC_ALL: Full access. 1501*40796051SNamjae Jeon * GENERIC_EXECUTE: Execute/traverse. 1502*40796051SNamjae Jeon * GENERIC_WRITE: Write (append, attrs, data, EA, etc.). 1503*40796051SNamjae Jeon * GENERIC_READ: Read (attrs, data, EA, etc.). 15041e9ea7e0SNamjae Jeon * 15051e9ea7e0SNamjae Jeon * The specific rights (bits 0 to 15). These depend on the type of the object 15061e9ea7e0SNamjae Jeon * being secured by the ACE. 15071e9ea7e0SNamjae Jeon */ 15081e9ea7e0SNamjae Jeon enum { 15091e9ea7e0SNamjae Jeon FILE_READ_DATA = cpu_to_le32(0x00000001), 15101e9ea7e0SNamjae Jeon FILE_LIST_DIRECTORY = cpu_to_le32(0x00000001), 15111e9ea7e0SNamjae Jeon FILE_WRITE_DATA = cpu_to_le32(0x00000002), 15121e9ea7e0SNamjae Jeon FILE_ADD_FILE = cpu_to_le32(0x00000002), 15131e9ea7e0SNamjae Jeon FILE_APPEND_DATA = cpu_to_le32(0x00000004), 15141e9ea7e0SNamjae Jeon FILE_ADD_SUBDIRECTORY = cpu_to_le32(0x00000004), 15151e9ea7e0SNamjae Jeon FILE_READ_EA = cpu_to_le32(0x00000008), 15161e9ea7e0SNamjae Jeon FILE_WRITE_EA = cpu_to_le32(0x00000010), 15171e9ea7e0SNamjae Jeon FILE_EXECUTE = cpu_to_le32(0x00000020), 15181e9ea7e0SNamjae Jeon FILE_TRAVERSE = cpu_to_le32(0x00000020), 15191e9ea7e0SNamjae Jeon FILE_DELETE_CHILD = cpu_to_le32(0x00000040), 15201e9ea7e0SNamjae Jeon FILE_READ_ATTRIBUTES = cpu_to_le32(0x00000080), 15211e9ea7e0SNamjae Jeon FILE_WRITE_ATTRIBUTES = cpu_to_le32(0x00000100), 15221e9ea7e0SNamjae Jeon DELETE = cpu_to_le32(0x00010000), 15231e9ea7e0SNamjae Jeon READ_CONTROL = cpu_to_le32(0x00020000), 15241e9ea7e0SNamjae Jeon WRITE_DAC = cpu_to_le32(0x00040000), 15251e9ea7e0SNamjae Jeon WRITE_OWNER = cpu_to_le32(0x00080000), 15261e9ea7e0SNamjae Jeon SYNCHRONIZE = cpu_to_le32(0x00100000), 15271e9ea7e0SNamjae Jeon STANDARD_RIGHTS_READ = cpu_to_le32(0x00020000), 15281e9ea7e0SNamjae Jeon STANDARD_RIGHTS_WRITE = cpu_to_le32(0x00020000), 15291e9ea7e0SNamjae Jeon STANDARD_RIGHTS_EXECUTE = cpu_to_le32(0x00020000), 15301e9ea7e0SNamjae Jeon STANDARD_RIGHTS_REQUIRED = cpu_to_le32(0x000f0000), 15311e9ea7e0SNamjae Jeon STANDARD_RIGHTS_ALL = cpu_to_le32(0x001f0000), 15321e9ea7e0SNamjae Jeon ACCESS_SYSTEM_SECURITY = cpu_to_le32(0x01000000), 15331e9ea7e0SNamjae Jeon MAXIMUM_ALLOWED = cpu_to_le32(0x02000000), 15341e9ea7e0SNamjae Jeon GENERIC_ALL = cpu_to_le32(0x10000000), 15351e9ea7e0SNamjae Jeon GENERIC_EXECUTE = cpu_to_le32(0x20000000), 15361e9ea7e0SNamjae Jeon GENERIC_WRITE = cpu_to_le32(0x40000000), 15371e9ea7e0SNamjae Jeon GENERIC_READ = cpu_to_le32(0x80000000), 15381e9ea7e0SNamjae Jeon }; 15391e9ea7e0SNamjae Jeon 15401e9ea7e0SNamjae Jeon /* 1541*40796051SNamjae Jeon * struct ntfs_ace - Access Control Entry (ACE) structure 15421e9ea7e0SNamjae Jeon * 1543*40796051SNamjae Jeon * @type: ACE type (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, etc.). 1544*40796051SNamjae Jeon * @flags: Inheritance and audit flags (OBJECT_INHERIT_ACE, etc.). 1545*40796051SNamjae Jeon * @size: Total byte size of this ACE (header + SID + variable data). 1546*40796051SNamjae Jeon * @mask: Access rights mask (FILE_READ_DATA, DELETE, GENERIC_ALL, etc.). 1547*40796051SNamjae Jeon * @sid: Security Identifier (SID) this ACE applies to. 15481e9ea7e0SNamjae Jeon */ 1549*40796051SNamjae Jeon struct ntfs_ace { 1550*40796051SNamjae Jeon u8 type; 1551*40796051SNamjae Jeon u8 flags; 1552*40796051SNamjae Jeon __le16 size; 1553*40796051SNamjae Jeon __le32 mask; 1554*40796051SNamjae Jeon struct ntfs_sid sid; 1555*40796051SNamjae Jeon } __packed; 15561e9ea7e0SNamjae Jeon 15571e9ea7e0SNamjae Jeon /* 15581e9ea7e0SNamjae Jeon * The object ACE flags (32-bit). 15591e9ea7e0SNamjae Jeon */ 15601e9ea7e0SNamjae Jeon enum { 15611e9ea7e0SNamjae Jeon ACE_OBJECT_TYPE_PRESENT = cpu_to_le32(1), 15621e9ea7e0SNamjae Jeon ACE_INHERITED_OBJECT_TYPE_PRESENT = cpu_to_le32(2), 15631e9ea7e0SNamjae Jeon }; 15641e9ea7e0SNamjae Jeon 15651e9ea7e0SNamjae Jeon /* 1566*40796051SNamjae Jeon * struct ntfs_acl - NTFS Access Control List (ACL) header 1567*40796051SNamjae Jeon * 15681e9ea7e0SNamjae Jeon * An ACL is an access-control list (ACL). 15691e9ea7e0SNamjae Jeon * An ACL starts with an ACL header structure, which specifies the size of 15701e9ea7e0SNamjae Jeon * the ACL and the number of ACEs it contains. The ACL header is followed by 15711e9ea7e0SNamjae Jeon * zero or more access control entries (ACEs). The ACL as well as each ACE 15721e9ea7e0SNamjae Jeon * are aligned on 4-byte boundaries. 1573*40796051SNamjae Jeon * 1574*40796051SNamjae Jeon * @revision: ACL revision level (usually 2 or 4). 1575*40796051SNamjae Jeon * @alignment1: Padding/alignment byte (zero). 1576*40796051SNamjae Jeon * @size: Total allocated size in bytes (header + all ACEs + 1577*40796051SNamjae Jeon * free space). 1578*40796051SNamjae Jeon * @ace_count: Number of ACE entries following the header. 1579*40796051SNamjae Jeon * @alignment2: Padding/alignment (zero). 15801e9ea7e0SNamjae Jeon */ 1581*40796051SNamjae Jeon struct ntfs_acl { 1582*40796051SNamjae Jeon u8 revision; 15831e9ea7e0SNamjae Jeon u8 alignment1; 1584*40796051SNamjae Jeon __le16 size; 1585*40796051SNamjae Jeon __le16 ace_count; 1586*40796051SNamjae Jeon __le16 alignment2; 1587*40796051SNamjae Jeon } __packed; 15881e9ea7e0SNamjae Jeon 1589*40796051SNamjae Jeon static_assert(sizeof(struct ntfs_acl) == 8); 15901e9ea7e0SNamjae Jeon 15911e9ea7e0SNamjae Jeon /* 15921e9ea7e0SNamjae Jeon * The security descriptor control flags (16-bit). 15931e9ea7e0SNamjae Jeon * 15941e9ea7e0SNamjae Jeon * SE_OWNER_DEFAULTED - This boolean flag, when set, indicates that the SID 15951e9ea7e0SNamjae Jeon * pointed to by the Owner field was provided by a defaulting mechanism 15961e9ea7e0SNamjae Jeon * rather than explicitly provided by the original provider of the 15971e9ea7e0SNamjae Jeon * security descriptor. This may affect the treatment of the SID with 15981e9ea7e0SNamjae Jeon * respect to inheritance of an owner. 15991e9ea7e0SNamjae Jeon * 16001e9ea7e0SNamjae Jeon * SE_GROUP_DEFAULTED - This boolean flag, when set, indicates that the SID in 16011e9ea7e0SNamjae Jeon * the Group field was provided by a defaulting mechanism rather than 16021e9ea7e0SNamjae Jeon * explicitly provided by the original provider of the security 16031e9ea7e0SNamjae Jeon * descriptor. This may affect the treatment of the SID with respect to 16041e9ea7e0SNamjae Jeon * inheritance of a primary group. 16051e9ea7e0SNamjae Jeon * 16061e9ea7e0SNamjae Jeon * SE_DACL_PRESENT - This boolean flag, when set, indicates that the security 16071e9ea7e0SNamjae Jeon * descriptor contains a discretionary ACL. If this flag is set and the 16081e9ea7e0SNamjae Jeon * Dacl field of the SECURITY_DESCRIPTOR is null, then a null ACL is 16091e9ea7e0SNamjae Jeon * explicitly being specified. 16101e9ea7e0SNamjae Jeon * 16111e9ea7e0SNamjae Jeon * SE_DACL_DEFAULTED - This boolean flag, when set, indicates that the ACL 16121e9ea7e0SNamjae Jeon * pointed to by the Dacl field was provided by a defaulting mechanism 16131e9ea7e0SNamjae Jeon * rather than explicitly provided by the original provider of the 16141e9ea7e0SNamjae Jeon * security descriptor. This may affect the treatment of the ACL with 16151e9ea7e0SNamjae Jeon * respect to inheritance of an ACL. This flag is ignored if the 16161e9ea7e0SNamjae Jeon * DaclPresent flag is not set. 16171e9ea7e0SNamjae Jeon * 16181e9ea7e0SNamjae Jeon * SE_SACL_PRESENT - This boolean flag, when set, indicates that the security 16191e9ea7e0SNamjae Jeon * descriptor contains a system ACL pointed to by the Sacl field. If this 16201e9ea7e0SNamjae Jeon * flag is set and the Sacl field of the SECURITY_DESCRIPTOR is null, then 16211e9ea7e0SNamjae Jeon * an empty (but present) ACL is being specified. 16221e9ea7e0SNamjae Jeon * 16231e9ea7e0SNamjae Jeon * SE_SACL_DEFAULTED - This boolean flag, when set, indicates that the ACL 16241e9ea7e0SNamjae Jeon * pointed to by the Sacl field was provided by a defaulting mechanism 16251e9ea7e0SNamjae Jeon * rather than explicitly provided by the original provider of the 16261e9ea7e0SNamjae Jeon * security descriptor. This may affect the treatment of the ACL with 16271e9ea7e0SNamjae Jeon * respect to inheritance of an ACL. This flag is ignored if the 16281e9ea7e0SNamjae Jeon * SaclPresent flag is not set. 16291e9ea7e0SNamjae Jeon * 16301e9ea7e0SNamjae Jeon * SE_SELF_RELATIVE - This boolean flag, when set, indicates that the security 16311e9ea7e0SNamjae Jeon * descriptor is in self-relative form. In this form, all fields of the 16321e9ea7e0SNamjae Jeon * security descriptor are contiguous in memory and all pointer fields are 16331e9ea7e0SNamjae Jeon * expressed as offsets from the beginning of the security descriptor. 16341e9ea7e0SNamjae Jeon */ 16351e9ea7e0SNamjae Jeon enum { 16361e9ea7e0SNamjae Jeon SE_OWNER_DEFAULTED = cpu_to_le16(0x0001), 16371e9ea7e0SNamjae Jeon SE_GROUP_DEFAULTED = cpu_to_le16(0x0002), 16381e9ea7e0SNamjae Jeon SE_DACL_PRESENT = cpu_to_le16(0x0004), 16391e9ea7e0SNamjae Jeon SE_DACL_DEFAULTED = cpu_to_le16(0x0008), 16401e9ea7e0SNamjae Jeon 16411e9ea7e0SNamjae Jeon SE_SACL_PRESENT = cpu_to_le16(0x0010), 16421e9ea7e0SNamjae Jeon SE_SACL_DEFAULTED = cpu_to_le16(0x0020), 16431e9ea7e0SNamjae Jeon 16441e9ea7e0SNamjae Jeon SE_DACL_AUTO_INHERIT_REQ = cpu_to_le16(0x0100), 16451e9ea7e0SNamjae Jeon SE_SACL_AUTO_INHERIT_REQ = cpu_to_le16(0x0200), 16461e9ea7e0SNamjae Jeon SE_DACL_AUTO_INHERITED = cpu_to_le16(0x0400), 16471e9ea7e0SNamjae Jeon SE_SACL_AUTO_INHERITED = cpu_to_le16(0x0800), 16481e9ea7e0SNamjae Jeon 16491e9ea7e0SNamjae Jeon SE_DACL_PROTECTED = cpu_to_le16(0x1000), 16501e9ea7e0SNamjae Jeon SE_SACL_PROTECTED = cpu_to_le16(0x2000), 16511e9ea7e0SNamjae Jeon SE_RM_CONTROL_VALID = cpu_to_le16(0x4000), 16521e9ea7e0SNamjae Jeon SE_SELF_RELATIVE = cpu_to_le16(0x8000) 1653*40796051SNamjae Jeon } __packed; 16541e9ea7e0SNamjae Jeon 16551e9ea7e0SNamjae Jeon /* 1656*40796051SNamjae Jeon * struct security_descriptor_relative - Relative security descriptor 1657*40796051SNamjae Jeon * 16581e9ea7e0SNamjae Jeon * Self-relative security descriptor. Contains the owner and group SIDs as well 16591e9ea7e0SNamjae Jeon * as the sacl and dacl ACLs inside the security descriptor itself. 16601e9ea7e0SNamjae Jeon * 1661*40796051SNamjae Jeon * @revision: Security descriptor revision (usually 1). 1662*40796051SNamjae Jeon * @alignment: Padding/alignment byte (zero). 1663*40796051SNamjae Jeon * @control: Control flags (SE_OWNER_DEFAULTED, SE_DACL_PRESENT, 1664*40796051SNamjae Jeon * SE_SACL_PRESENT, SE_SACL_AUTO_INHERITED, etc.). 1665*40796051SNamjae Jeon * @owner: Byte offset to owner SID (from start of descriptor). 1666*40796051SNamjae Jeon * 0 if no owner SID present. 1667*40796051SNamjae Jeon * @group: Byte offset to primary group SID. 1668*40796051SNamjae Jeon * 0 if no group SID present. 1669*40796051SNamjae Jeon * @sacl: Byte offset to System ACL (SACL). 1670*40796051SNamjae Jeon * Valid only if SE_SACL_PRESENT in @control. 1671*40796051SNamjae Jeon * 0 means NULL SACL. 1672*40796051SNamjae Jeon * @dacl: Byte offset to Discretionary ACL (DACL). 1673*40796051SNamjae Jeon * Valid only if SE_DACL_PRESENT in @control. 1674*40796051SNamjae Jeon * 0 means NULL DACL (full access granted). 16751e9ea7e0SNamjae Jeon */ 1676*40796051SNamjae Jeon struct security_descriptor_relative { 1677*40796051SNamjae Jeon u8 revision; 1678*40796051SNamjae Jeon u8 alignment; 1679*40796051SNamjae Jeon __le16 control; 1680*40796051SNamjae Jeon __le32 owner; 1681*40796051SNamjae Jeon __le32 group; 1682*40796051SNamjae Jeon __le32 sacl; 1683*40796051SNamjae Jeon __le32 dacl; 1684*40796051SNamjae Jeon } __packed; 1685*40796051SNamjae Jeon 1686*40796051SNamjae Jeon static_assert(sizeof(struct security_descriptor_relative) == 20); 16871e9ea7e0SNamjae Jeon 16881e9ea7e0SNamjae Jeon /* 16891e9ea7e0SNamjae Jeon * On NTFS 3.0+, all security descriptors are stored in FILE_Secure. Only one 16901e9ea7e0SNamjae Jeon * referenced instance of each unique security descriptor is stored. 16911e9ea7e0SNamjae Jeon * 16921e9ea7e0SNamjae Jeon * FILE_Secure contains no unnamed data attribute, i.e. it has zero length. It 16931e9ea7e0SNamjae Jeon * does, however, contain two indexes ($SDH and $SII) as well as a named data 16941e9ea7e0SNamjae Jeon * stream ($SDS). 16951e9ea7e0SNamjae Jeon * 16961e9ea7e0SNamjae Jeon * Every unique security descriptor is assigned a unique security identifier 16971e9ea7e0SNamjae Jeon * (security_id, not to be confused with a SID). The security_id is unique for 16981e9ea7e0SNamjae Jeon * the NTFS volume and is used as an index into the $SII index, which maps 16991e9ea7e0SNamjae Jeon * security_ids to the security descriptor's storage location within the $SDS 17001e9ea7e0SNamjae Jeon * data attribute. The $SII index is sorted by ascending security_id. 17011e9ea7e0SNamjae Jeon * 17021e9ea7e0SNamjae Jeon * A simple hash is computed from each security descriptor. This hash is used 17031e9ea7e0SNamjae Jeon * as an index into the $SDH index, which maps security descriptor hashes to 17041e9ea7e0SNamjae Jeon * the security descriptor's storage location within the $SDS data attribute. 17051e9ea7e0SNamjae Jeon * The $SDH index is sorted by security descriptor hash and is stored in a B+ 17061e9ea7e0SNamjae Jeon * tree. When searching $SDH (with the intent of determining whether or not a 17071e9ea7e0SNamjae Jeon * new security descriptor is already present in the $SDS data stream), if a 17081e9ea7e0SNamjae Jeon * matching hash is found, but the security descriptors do not match, the 17091e9ea7e0SNamjae Jeon * search in the $SDH index is continued, searching for a next matching hash. 17101e9ea7e0SNamjae Jeon * 17111e9ea7e0SNamjae Jeon * When a precise match is found, the security_id coresponding to the security 17121e9ea7e0SNamjae Jeon * descriptor in the $SDS attribute is read from the found $SDH index entry and 17131e9ea7e0SNamjae Jeon * is stored in the $STANDARD_INFORMATION attribute of the file/directory to 17141e9ea7e0SNamjae Jeon * which the security descriptor is being applied. The $STANDARD_INFORMATION 17151e9ea7e0SNamjae Jeon * attribute is present in all base mft records (i.e. in all files and 17161e9ea7e0SNamjae Jeon * directories). 17171e9ea7e0SNamjae Jeon * 17181e9ea7e0SNamjae Jeon * If a match is not found, the security descriptor is assigned a new unique 17191e9ea7e0SNamjae Jeon * security_id and is added to the $SDS data attribute. Then, entries 17201e9ea7e0SNamjae Jeon * referencing the this security descriptor in the $SDS data attribute are 17211e9ea7e0SNamjae Jeon * added to the $SDH and $SII indexes. 17221e9ea7e0SNamjae Jeon * 17231e9ea7e0SNamjae Jeon * Note: Entries are never deleted from FILE_Secure, even if nothing 17241e9ea7e0SNamjae Jeon * references an entry any more. 17251e9ea7e0SNamjae Jeon */ 17261e9ea7e0SNamjae Jeon 17271e9ea7e0SNamjae Jeon /* 1728*40796051SNamjae Jeon * struct sii_index_key - Key for $SII index in $Secure file 1729*40796051SNamjae Jeon * 17301e9ea7e0SNamjae Jeon * The index entry key used in the $SII index. The collation type is 17311e9ea7e0SNamjae Jeon * COLLATION_NTOFS_ULONG. 1732*40796051SNamjae Jeon * 1733*40796051SNamjae Jeon * @security_id: 32-bit security identifier. 1734*40796051SNamjae Jeon * Unique ID assigned to a security descriptor. 17351e9ea7e0SNamjae Jeon */ 1736*40796051SNamjae Jeon struct sii_index_key { 1737*40796051SNamjae Jeon __le32 security_id; 1738*40796051SNamjae Jeon } __packed; 17391e9ea7e0SNamjae Jeon 17401e9ea7e0SNamjae Jeon /* 1741*40796051SNamjae Jeon * struct sdh_index_key - Key for $SDH index in $Secure file 1742*40796051SNamjae Jeon * 17431e9ea7e0SNamjae Jeon * The index entry key used in the $SDH index. The keys are sorted first by 17441e9ea7e0SNamjae Jeon * hash and then by security_id. The collation rule is 17451e9ea7e0SNamjae Jeon * COLLATION_NTOFS_SECURITY_HASH. 17461e9ea7e0SNamjae Jeon * 1747*40796051SNamjae Jeon * @hash: 32-bit hash of the security descriptor. 1748*40796051SNamjae Jeon * Used for quick collision checks and indexing. 1749*40796051SNamjae Jeon * @security_id: 32-bit security identifier. 1750*40796051SNamjae Jeon * Unique ID assigned to the descriptor. 17511e9ea7e0SNamjae Jeon */ 1752*40796051SNamjae Jeon struct sdh_index_key { 1753*40796051SNamjae Jeon __le32 hash; 1754*40796051SNamjae Jeon __le32 security_id; 1755*40796051SNamjae Jeon } __packed; 17561e9ea7e0SNamjae Jeon 17571e9ea7e0SNamjae Jeon /* 1758*40796051SNamjae Jeon * enum - NTFS volume flags (16-bit) 1759*40796051SNamjae Jeon * 1760*40796051SNamjae Jeon * These flags are stored in $VolumeInformation attribute. 1761*40796051SNamjae Jeon * They indicate volume state and required actions. 1762*40796051SNamjae Jeon * 1763*40796051SNamjae Jeon * VOLUME_IS_DIRTY: Volume is dirty (needs chkdsk). 1764*40796051SNamjae Jeon * VOLUME_RESIZE_LOG_FILE: Resize LogFile on next mount. 1765*40796051SNamjae Jeon * VOLUME_UPGRADE_ON_MOUNT: Upgrade volume on mount (old NTFS). 1766*40796051SNamjae Jeon * VOLUME_MOUNTED_ON_NT4: Mounted on NT4 (compatibility flag). 1767*40796051SNamjae Jeon * VOLUME_DELETE_USN_UNDERWAY: USN journal deletion in progress. 1768*40796051SNamjae Jeon * VOLUME_REPAIR_OBJECT_ID: Repair $ObjId on next mount. 1769*40796051SNamjae Jeon * VOLUME_CHKDSK_UNDERWAY: Chkdsk is running. 1770*40796051SNamjae Jeon * VOLUME_MODIFIED_BY_CHKDSK: Modified by chkdsk. 1771*40796051SNamjae Jeon * VOLUME_FLAGS_MASK: Mask of all valid flags (0xc03f). 1772*40796051SNamjae Jeon * VOLUME_MUST_MOUNT_RO_MASK: Flags forcing read-only mount (0xc027). 1773*40796051SNamjae Jeon * If any set, mount read-only. 17741e9ea7e0SNamjae Jeon */ 17751e9ea7e0SNamjae Jeon enum { 17761e9ea7e0SNamjae Jeon VOLUME_IS_DIRTY = cpu_to_le16(0x0001), 17771e9ea7e0SNamjae Jeon VOLUME_RESIZE_LOG_FILE = cpu_to_le16(0x0002), 17781e9ea7e0SNamjae Jeon VOLUME_UPGRADE_ON_MOUNT = cpu_to_le16(0x0004), 17791e9ea7e0SNamjae Jeon VOLUME_MOUNTED_ON_NT4 = cpu_to_le16(0x0008), 17801e9ea7e0SNamjae Jeon 17811e9ea7e0SNamjae Jeon VOLUME_DELETE_USN_UNDERWAY = cpu_to_le16(0x0010), 17821e9ea7e0SNamjae Jeon VOLUME_REPAIR_OBJECT_ID = cpu_to_le16(0x0020), 17831e9ea7e0SNamjae Jeon 17841e9ea7e0SNamjae Jeon VOLUME_CHKDSK_UNDERWAY = cpu_to_le16(0x4000), 17851e9ea7e0SNamjae Jeon VOLUME_MODIFIED_BY_CHKDSK = cpu_to_le16(0x8000), 17861e9ea7e0SNamjae Jeon 17871e9ea7e0SNamjae Jeon VOLUME_FLAGS_MASK = cpu_to_le16(0xc03f), 17881e9ea7e0SNamjae Jeon 17891e9ea7e0SNamjae Jeon VOLUME_MUST_MOUNT_RO_MASK = cpu_to_le16(0xc027), 1790*40796051SNamjae Jeon } __packed; 17911e9ea7e0SNamjae Jeon 17921e9ea7e0SNamjae Jeon /* 1793*40796051SNamjae Jeon * struct volume_information - $VOLUME_INFORMATION (0x70) 1794*40796051SNamjae Jeon * 1795*40796051SNamjae Jeon * @reserved: Reserved 64-bit field (currently unused). 1796*40796051SNamjae Jeon * @major_ver: Major NTFS version number (e.g., 3 for NTFS 3.1). 1797*40796051SNamjae Jeon * @minor_ver: Minor NTFS version number (e.g., 1 for NTFS 3.1). 1798*40796051SNamjae Jeon * @flags: Volume flags (VOLUME_IS_DIRTY, VOLUME_CHKDSK_UNDERWAY, etc.). 1799*40796051SNamjae Jeon * See volume flags enum for details. 18001e9ea7e0SNamjae Jeon * 18011e9ea7e0SNamjae Jeon * NOTE: Always resident. 18021e9ea7e0SNamjae Jeon * NOTE: Present only in FILE_Volume. 18031e9ea7e0SNamjae Jeon * NOTE: Windows 2000 uses NTFS 3.0 while Windows NT4 service pack 6a uses 18041e9ea7e0SNamjae Jeon * NTFS 1.2. I haven't personally seen other values yet. 18051e9ea7e0SNamjae Jeon */ 1806*40796051SNamjae Jeon struct volume_information { 1807*40796051SNamjae Jeon __le64 reserved; 1808*40796051SNamjae Jeon u8 major_ver; 1809*40796051SNamjae Jeon u8 minor_ver; 1810*40796051SNamjae Jeon __le16 flags; 1811*40796051SNamjae Jeon } __packed; 18121e9ea7e0SNamjae Jeon 18131e9ea7e0SNamjae Jeon /* 1814*40796051SNamjae Jeon * enum - Index header flags 18151e9ea7e0SNamjae Jeon * 1816*40796051SNamjae Jeon * These flags are stored in the index header (INDEX_HEADER.flags) for both 1817*40796051SNamjae Jeon * index root ($INDEX_ROOT) and index allocation blocks ($INDEX_ALLOCATION). 18181e9ea7e0SNamjae Jeon * 1819*40796051SNamjae Jeon * For index root ($INDEX_ROOT attribute): 1820*40796051SNamjae Jeon * SMALL_INDEX: Index fits entirely in root attribute (no $INDEX_ALLOCATION). 1821*40796051SNamjae Jeon * LARGE_INDEX: Index too large for root; $INDEX_ALLOCATION present. 1822*40796051SNamjae Jeon * 1823*40796051SNamjae Jeon * For index blocks ($INDEX_ALLOCATION): 1824*40796051SNamjae Jeon * LEAF_NODE: Leaf node (no child nodes; contains actual entries). 1825*40796051SNamjae Jeon * INDEX_NODE: Internal node (indexes other nodes; contains keys/pointers). 1826*40796051SNamjae Jeon * 1827*40796051SNamjae Jeon * NODE_MASK: Mask to extract node type bits (0x01). 18281e9ea7e0SNamjae Jeon */ 18291e9ea7e0SNamjae Jeon enum { 1830*40796051SNamjae Jeon SMALL_INDEX = 0, 1831*40796051SNamjae Jeon LARGE_INDEX = 1, 1832*40796051SNamjae Jeon LEAF_NODE = 0, 1833*40796051SNamjae Jeon INDEX_NODE = 1, 1834*40796051SNamjae Jeon NODE_MASK = 1, 1835*40796051SNamjae Jeon } __packed; 18361e9ea7e0SNamjae Jeon 18371e9ea7e0SNamjae Jeon /* 1838*40796051SNamjae Jeon * struct index_header - Common header for index root and index blocks 1839*40796051SNamjae Jeon * 1840*40796051SNamjae Jeon * entries_offset: Byte offset to first INDEX_ENTRY (8-byte aligned). 1841*40796051SNamjae Jeon * index_length: Bytes used by index entries (8-byte aligned). 1842*40796051SNamjae Jeon * From entries_offset to end of used data. 1843*40796051SNamjae Jeon * allocated_size: Total allocated bytes for this index block. 1844*40796051SNamjae Jeon * Fixed size in index allocation; dynamic in root. 1845*40796051SNamjae Jeon * flags: Index flags (SMALL_INDEX, LARGE_INDEX, LEAF_NODE, etc.). 1846*40796051SNamjae Jeon * See INDEX_HEADER_FLAGS enum. 1847*40796051SNamjae Jeon * reserved: 3 bytes reserved/padding (zero, 8-byte aligned). 1848*40796051SNamjae Jeon * 18491e9ea7e0SNamjae Jeon * This is the header for indexes, describing the INDEX_ENTRY records, which 1850*40796051SNamjae Jeon * follow the index_header. Together the index header and the index entries 18511e9ea7e0SNamjae Jeon * make up a complete index. 18521e9ea7e0SNamjae Jeon * 18531e9ea7e0SNamjae Jeon * IMPORTANT NOTE: The offset, length and size structure members are counted 18541e9ea7e0SNamjae Jeon * relative to the start of the index header structure and not relative to the 18551e9ea7e0SNamjae Jeon * start of the index root or index allocation structures themselves. 1856*40796051SNamjae Jeon * 1857*40796051SNamjae Jeon * For the index root attribute, the above two numbers are always 1858*40796051SNamjae Jeon * equal, as the attribute is resident and it is resized as needed. In 1859*40796051SNamjae Jeon * the case of the index allocation attribute the attribute is not 1860*40796051SNamjae Jeon * resident and hence the allocated_size is a fixed value and must 1861*40796051SNamjae Jeon * equal the index_block_size specified by the INDEX_ROOT attribute 1862*40796051SNamjae Jeon * corresponding to the INDEX_ALLOCATION attribute this INDEX_BLOCK 1863*40796051SNamjae Jeon * belongs to. 18641e9ea7e0SNamjae Jeon */ 1865*40796051SNamjae Jeon struct index_header { 1866*40796051SNamjae Jeon __le32 entries_offset; 1867*40796051SNamjae Jeon __le32 index_length; 1868*40796051SNamjae Jeon __le32 allocated_size; 1869*40796051SNamjae Jeon u8 flags; 1870*40796051SNamjae Jeon u8 reserved[3]; 1871*40796051SNamjae Jeon } __packed; 18721e9ea7e0SNamjae Jeon 18731e9ea7e0SNamjae Jeon /* 1874*40796051SNamjae Jeon * struct index_root - $INDEX_ROOT attribute (0x90). 1875*40796051SNamjae Jeon * 1876*40796051SNamjae Jeon * @type: Indexed attribute type ($FILE_NAME for dirs, 1877*40796051SNamjae Jeon * 0 for view indexes). 1878*40796051SNamjae Jeon * @collation_rule: Collation rule for sorting entries 1879*40796051SNamjae Jeon * (COLLATION_FILE_NAME for $FILE_NAME). 1880*40796051SNamjae Jeon * @index_block_size: Size of each index block in bytes 1881*40796051SNamjae Jeon * (in $INDEX_ALLOCATION). 1882*40796051SNamjae Jeon * @clusters_per_index_block: 1883*40796051SNamjae Jeon * Clusters per index block (or log2(bytes) 1884*40796051SNamjae Jeon * if < cluster). 1885*40796051SNamjae Jeon * Power of 2; used for encoding block size. 1886*40796051SNamjae Jeon * @reserved: 3 bytes reserved/alignment (zero). 1887*40796051SNamjae Jeon * @index: Index header for root entries (entries follow 1888*40796051SNamjae Jeon * immediately). 18891e9ea7e0SNamjae Jeon * 18901e9ea7e0SNamjae Jeon * NOTE: Always resident. 18911e9ea7e0SNamjae Jeon * 18921e9ea7e0SNamjae Jeon * This is followed by a sequence of index entries (INDEX_ENTRY structures) 18931e9ea7e0SNamjae Jeon * as described by the index header. 18941e9ea7e0SNamjae Jeon * 18951e9ea7e0SNamjae Jeon * When a directory is small enough to fit inside the index root then this 18961e9ea7e0SNamjae Jeon * is the only attribute describing the directory. When the directory is too 18971e9ea7e0SNamjae Jeon * large to fit in the index root, on the other hand, two additional attributes 18981e9ea7e0SNamjae Jeon * are present: an index allocation attribute, containing sub-nodes of the B+ 18991e9ea7e0SNamjae Jeon * directory tree (see below), and a bitmap attribute, describing which virtual 19001e9ea7e0SNamjae Jeon * cluster numbers (vcns) in the index allocation attribute are in use by an 19011e9ea7e0SNamjae Jeon * index block. 19021e9ea7e0SNamjae Jeon * 19031e9ea7e0SNamjae Jeon * NOTE: The root directory (FILE_root) contains an entry for itself. Other 19041e9ea7e0SNamjae Jeon * directories do not contain entries for themselves, though. 19051e9ea7e0SNamjae Jeon */ 1906*40796051SNamjae Jeon struct index_root { 1907*40796051SNamjae Jeon __le32 type; 1908*40796051SNamjae Jeon __le32 collation_rule; 1909*40796051SNamjae Jeon __le32 index_block_size; 1910*40796051SNamjae Jeon u8 clusters_per_index_block; 1911*40796051SNamjae Jeon u8 reserved[3]; 1912*40796051SNamjae Jeon struct index_header index; 1913*40796051SNamjae Jeon } __packed; 19141e9ea7e0SNamjae Jeon 19151e9ea7e0SNamjae Jeon /* 1916*40796051SNamjae Jeon * struct index_block - Index allocation (0xa0). 19171e9ea7e0SNamjae Jeon * 1918*40796051SNamjae Jeon * @magic: Magic value "INDX" (see magic_INDX). 1919*40796051SNamjae Jeon * @usa_ofs: Offset to Update Sequence Array (see ntfs_record). 1920*40796051SNamjae Jeon * @usa_count: Number of USA entries (see ntfs_record). 1921*40796051SNamjae Jeon * @lsn: Log sequence number of last modification. 1922*40796051SNamjae Jeon * @index_block_vcn: VCN of this index block. 1923*40796051SNamjae Jeon * Units: clusters if cluster_size <= index_block_size; 1924*40796051SNamjae Jeon * sectors otherwise. 1925*40796051SNamjae Jeon * @index: Index header describing entries in this block. 19261e9ea7e0SNamjae Jeon * 19271e9ea7e0SNamjae Jeon * When creating the index block, we place the update sequence array at this 19281e9ea7e0SNamjae Jeon * offset, i.e. before we start with the index entries. This also makes sense, 19291e9ea7e0SNamjae Jeon * otherwise we could run into problems with the update sequence array 19301e9ea7e0SNamjae Jeon * containing in itself the last two bytes of a sector which would mean that 19311e9ea7e0SNamjae Jeon * multi sector transfer protection wouldn't work. As you can't protect data 19321e9ea7e0SNamjae Jeon * by overwriting it since you then can't get it back... 19331e9ea7e0SNamjae Jeon * When reading use the data from the ntfs record header. 1934*40796051SNamjae Jeon * 1935*40796051SNamjae Jeon * NOTE: Always non-resident (doesn't make sense to be resident anyway!). 1936*40796051SNamjae Jeon * 1937*40796051SNamjae Jeon * This is an array of index blocks. Each index block starts with an 1938*40796051SNamjae Jeon * index_block structure containing an index header, followed by a sequence of 1939*40796051SNamjae Jeon * index entries (INDEX_ENTRY structures), as described by the struct index_header. 19401e9ea7e0SNamjae Jeon */ 1941*40796051SNamjae Jeon struct index_block { 1942*40796051SNamjae Jeon __le32 magic; 1943*40796051SNamjae Jeon __le16 usa_ofs; 1944*40796051SNamjae Jeon __le16 usa_count; 1945*40796051SNamjae Jeon __le64 lsn; 1946*40796051SNamjae Jeon __le64 index_block_vcn; 1947*40796051SNamjae Jeon struct index_header index; 1948*40796051SNamjae Jeon } __packed; 19491e9ea7e0SNamjae Jeon 1950*40796051SNamjae Jeon static_assert(sizeof(struct index_block) == 40); 19511e9ea7e0SNamjae Jeon 19521e9ea7e0SNamjae Jeon /* 1953*40796051SNamjae Jeon * struct reparse_index_key - Key for $R reparse index in $Extend/$Reparse 1954*40796051SNamjae Jeon * 1955*40796051SNamjae Jeon * @reparse_tag: Reparse point type (including flags, REPARSE_TAG_*). 1956*40796051SNamjae Jeon * @file_id: MFT record number of the file with $REPARSE_POINT 1957*40796051SNamjae Jeon * attribute. 1958*40796051SNamjae Jeon * 19591e9ea7e0SNamjae Jeon * The system file FILE_Extend/$Reparse contains an index named $R listing 19601e9ea7e0SNamjae Jeon * all reparse points on the volume. The index entry keys are as defined 19611e9ea7e0SNamjae Jeon * below. Note, that there is no index data associated with the index entries. 19621e9ea7e0SNamjae Jeon * 19631e9ea7e0SNamjae Jeon * The index entries are sorted by the index key file_id. The collation rule is 1964*40796051SNamjae Jeon * COLLATION_NTOFS_ULONGS. 19651e9ea7e0SNamjae Jeon */ 1966*40796051SNamjae Jeon struct reparse_index_key { 1967*40796051SNamjae Jeon __le32 reparse_tag; 1968*40796051SNamjae Jeon __le64 file_id; 1969*40796051SNamjae Jeon } __packed; 19701e9ea7e0SNamjae Jeon 19711e9ea7e0SNamjae Jeon /* 1972*40796051SNamjae Jeon * enum - Quota entry flags (32-bit) in $Quota/$Q 19731e9ea7e0SNamjae Jeon * 1974*40796051SNamjae Jeon * These flags are stored in quota control entries ($Quota file). 1975*40796051SNamjae Jeon * They control quota tracking, limits, and state. 1976*40796051SNamjae Jeon * 1977*40796051SNamjae Jeon * User quota flags (mask 0x00000007): 1978*40796051SNamjae Jeon * @QUOTA_FLAG_DEFAULT_LIMITS: Use default limits. 1979*40796051SNamjae Jeon * @QUOTA_FLAG_LIMIT_REACHED: Quota limit reached. 1980*40796051SNamjae Jeon * @QUOTA_FLAG_ID_DELETED: Quota ID deleted. 1981*40796051SNamjae Jeon * @QUOTA_FLAG_USER_MASK: Mask for user quota flags (0x00000007). 1982*40796051SNamjae Jeon * 1983*40796051SNamjae Jeon * Default entry flags (owner_id = QUOTA_DEFAULTS_ID): 1984*40796051SNamjae Jeon * @QUOTA_FLAG_TRACKING_ENABLED: Quota tracking enabled. 1985*40796051SNamjae Jeon * @QUOTA_FLAG_ENFORCEMENT_ENABLED: Quota enforcement enabled. 1986*40796051SNamjae Jeon * @QUOTA_FLAG_TRACKING_REQUESTED: Tracking requested (pending). 1987*40796051SNamjae Jeon * @QUOTA_FLAG_LOG_THRESHOLD: Log when threshold reached. 1988*40796051SNamjae Jeon * @QUOTA_FLAG_LOG_LIMIT: Log when limit reached. 1989*40796051SNamjae Jeon * @QUOTA_FLAG_OUT_OF_DATE: Quota data out of date. 1990*40796051SNamjae Jeon * @QUOTA_FLAG_CORRUPT: Quota entry corrupt. 1991*40796051SNamjae Jeon * @QUOTA_FLAG_PENDING_DELETES: Pending quota deletes. 1992*40796051SNamjae Jeon * 19931e9ea7e0SNamjae Jeon */ 19941e9ea7e0SNamjae Jeon enum { 19951e9ea7e0SNamjae Jeon QUOTA_FLAG_DEFAULT_LIMITS = cpu_to_le32(0x00000001), 19961e9ea7e0SNamjae Jeon QUOTA_FLAG_LIMIT_REACHED = cpu_to_le32(0x00000002), 19971e9ea7e0SNamjae Jeon QUOTA_FLAG_ID_DELETED = cpu_to_le32(0x00000004), 19981e9ea7e0SNamjae Jeon 19991e9ea7e0SNamjae Jeon QUOTA_FLAG_USER_MASK = cpu_to_le32(0x00000007), 20001e9ea7e0SNamjae Jeon QUOTA_FLAG_TRACKING_ENABLED = cpu_to_le32(0x00000010), 20011e9ea7e0SNamjae Jeon QUOTA_FLAG_ENFORCEMENT_ENABLED = cpu_to_le32(0x00000020), 20021e9ea7e0SNamjae Jeon QUOTA_FLAG_TRACKING_REQUESTED = cpu_to_le32(0x00000040), 20031e9ea7e0SNamjae Jeon QUOTA_FLAG_LOG_THRESHOLD = cpu_to_le32(0x00000080), 20041e9ea7e0SNamjae Jeon 20051e9ea7e0SNamjae Jeon QUOTA_FLAG_LOG_LIMIT = cpu_to_le32(0x00000100), 20061e9ea7e0SNamjae Jeon QUOTA_FLAG_OUT_OF_DATE = cpu_to_le32(0x00000200), 20071e9ea7e0SNamjae Jeon QUOTA_FLAG_CORRUPT = cpu_to_le32(0x00000400), 20081e9ea7e0SNamjae Jeon QUOTA_FLAG_PENDING_DELETES = cpu_to_le32(0x00000800), 20091e9ea7e0SNamjae Jeon }; 20101e9ea7e0SNamjae Jeon 20111e9ea7e0SNamjae Jeon /* 2012*40796051SNamjae Jeon * struct quota_control_entry - Quota entry in $Quota/$Q 2013*40796051SNamjae Jeon * 2014*40796051SNamjae Jeon * @version: Currently 2. 2015*40796051SNamjae Jeon * @flags: Quota flags (QUOTA_FLAG_* bits). 2016*40796051SNamjae Jeon * @bytes_used: Current quota usage in bytes. 2017*40796051SNamjae Jeon * @change_time: Last modification time (NTFS timestamp). 2018*40796051SNamjae Jeon * @threshold: Soft quota limit (-1 = unlimited). 2019*40796051SNamjae Jeon * @limit: Hard quota limit (-1 = unlimited). 2020*40796051SNamjae Jeon * @exceeded_time: Time soft quota has been exceeded. 2021*40796051SNamjae Jeon * @sid: SID of user/object (zero for defaults entry). 2022*40796051SNamjae Jeon * 20231e9ea7e0SNamjae Jeon * The system file FILE_Extend/$Quota contains two indexes $O and $Q. Quotas 20241e9ea7e0SNamjae Jeon * are on a per volume and per user basis. 20251e9ea7e0SNamjae Jeon * 20261e9ea7e0SNamjae Jeon * The $Q index contains one entry for each existing user_id on the volume. The 20271e9ea7e0SNamjae Jeon * index key is the user_id of the user/group owning this quota control entry, 20281e9ea7e0SNamjae Jeon * i.e. the key is the owner_id. The user_id of the owner of a file, i.e. the 20291e9ea7e0SNamjae Jeon * owner_id, is found in the standard information attribute. The collation rule 20301e9ea7e0SNamjae Jeon * for $Q is COLLATION_NTOFS_ULONG. 20311e9ea7e0SNamjae Jeon * 20321e9ea7e0SNamjae Jeon * The $O index contains one entry for each user/group who has been assigned 20331e9ea7e0SNamjae Jeon * a quota on that volume. The index key holds the SID of the user_id the 20341e9ea7e0SNamjae Jeon * entry belongs to, i.e. the owner_id. The collation rule for $O is 20351e9ea7e0SNamjae Jeon * COLLATION_NTOFS_SID. 20361e9ea7e0SNamjae Jeon * 20371e9ea7e0SNamjae Jeon * The $O index entry data is the user_id of the user corresponding to the SID. 20381e9ea7e0SNamjae Jeon * This user_id is used as an index into $Q to find the quota control entry 20391e9ea7e0SNamjae Jeon * associated with the SID. 20401e9ea7e0SNamjae Jeon * 20411e9ea7e0SNamjae Jeon * The $Q index entry data is the quota control entry and is defined below. 20421e9ea7e0SNamjae Jeon */ 2043*40796051SNamjae Jeon struct quota_control_entry { 2044*40796051SNamjae Jeon __le32 version; 2045*40796051SNamjae Jeon __le32 flags; 2046*40796051SNamjae Jeon __le64 bytes_used; 2047*40796051SNamjae Jeon __le64 change_time; 2048*40796051SNamjae Jeon __le64 threshold; 2049*40796051SNamjae Jeon __le64 limit; 2050*40796051SNamjae Jeon __le64 exceeded_time; 2051*40796051SNamjae Jeon struct ntfs_sid sid; 2052*40796051SNamjae Jeon } __packed; 20531e9ea7e0SNamjae Jeon 20541e9ea7e0SNamjae Jeon /* 20551e9ea7e0SNamjae Jeon * Predefined owner_id values (32-bit). 20561e9ea7e0SNamjae Jeon */ 20571e9ea7e0SNamjae Jeon enum { 20581e9ea7e0SNamjae Jeon QUOTA_INVALID_ID = cpu_to_le32(0x00000000), 20591e9ea7e0SNamjae Jeon QUOTA_DEFAULTS_ID = cpu_to_le32(0x00000001), 20601e9ea7e0SNamjae Jeon QUOTA_FIRST_USER_ID = cpu_to_le32(0x00000100), 20611e9ea7e0SNamjae Jeon }; 20621e9ea7e0SNamjae Jeon 20631e9ea7e0SNamjae Jeon /* 20641e9ea7e0SNamjae Jeon * Current constants for quota control entries. 20651e9ea7e0SNamjae Jeon */ 2066*40796051SNamjae Jeon enum { 20671e9ea7e0SNamjae Jeon /* Current version. */ 20681e9ea7e0SNamjae Jeon QUOTA_VERSION = 2, 2069*40796051SNamjae Jeon }; 20701e9ea7e0SNamjae Jeon 20711e9ea7e0SNamjae Jeon /* 2072*40796051SNamjae Jeon * enum - Index entry flags (16-bit) 2073*40796051SNamjae Jeon * 2074*40796051SNamjae Jeon * These flags are in INDEX_ENTRY.flags (after key data). 2075*40796051SNamjae Jeon * They describe entry type and status in index blocks/root. 2076*40796051SNamjae Jeon * 2077*40796051SNamjae Jeon * @INDEX_ENTRY_NODE: Entry points to a sub-node (index block VCN). 2078*40796051SNamjae Jeon * (Not a leaf entry; internal node reference.) 2079*40796051SNamjae Jeon * i.e. a reference to an index block in form of 2080*40796051SNamjae Jeon * a virtual cluster number 2081*40796051SNamjae Jeon * @INDEX_ENTRY_END: Last entry in index block/root. 2082*40796051SNamjae Jeon * Does not represent a real file; can point to sub-node. 2083*40796051SNamjae Jeon * @INDEX_ENTRY_SPACE_FILLER: 2084*40796051SNamjae Jeon * Dummy value to force enum to 16-bit width. 20851e9ea7e0SNamjae Jeon */ 20861e9ea7e0SNamjae Jeon enum { 2087*40796051SNamjae Jeon INDEX_ENTRY_NODE = cpu_to_le16(1), 2088*40796051SNamjae Jeon INDEX_ENTRY_END = cpu_to_le16(2), 2089*40796051SNamjae Jeon INDEX_ENTRY_SPACE_FILLER = cpu_to_le16(0xffff), 2090*40796051SNamjae Jeon } __packed; 20911e9ea7e0SNamjae Jeon 20921e9ea7e0SNamjae Jeon /* 2093*40796051SNamjae Jeon * struct index_entry_header - Common header for all NTFS index entries 2094*40796051SNamjae Jeon * 2095*40796051SNamjae Jeon * This is the fixed header at the start of every INDEX_ENTRY in index 2096*40796051SNamjae Jeon * blocks or index root. It is followed by the variable key, data, and 2097*40796051SNamjae Jeon * sub-node VCN. 2098*40796051SNamjae Jeon * 2099*40796051SNamjae Jeon * Union @data: 2100*40796051SNamjae Jeon * - When INDEX_ENTRY_END is not set: 2101*40796051SNamjae Jeon * @data.dir.indexed_file: MFT reference of the file described by 2102*40796051SNamjae Jeon * this entry. Used in directory indexes ($I30). 2103*40796051SNamjae Jeon * - When INDEX_ENTRY_END is set or for view indexes: 2104*40796051SNamjae Jeon * @data.vi.data_offset: Byte offset from end of this header to 2105*40796051SNamjae Jeon * entry data. 2106*40796051SNamjae Jeon * @data.vi.data_length: Length of data in bytes. 2107*40796051SNamjae Jeon * @data.vi.reservedV: Reserved (zero). 2108*40796051SNamjae Jeon * 2109*40796051SNamjae Jeon * @length: Total byte size of this index entry 2110*40796051SNamjae Jeon * (multiple of 8 bytes). 2111*40796051SNamjae Jeon * @key_length: Byte size of the key (not multiple of 8 bytes). 2112*40796051SNamjae Jeon * Key follows the header immediately. 2113*40796051SNamjae Jeon * @flags: Bit field of INDEX_ENTRY_* flags (INDEX_ENTRY_NODE, etc.). 2114*40796051SNamjae Jeon * @reserved: Reserved/padding (zero; align to 8 bytes). 21151e9ea7e0SNamjae Jeon */ 2116*40796051SNamjae Jeon struct index_entry_header { 2117*40796051SNamjae Jeon union { 2118*40796051SNamjae Jeon struct { 2119*40796051SNamjae Jeon __le64 indexed_file; 2120*40796051SNamjae Jeon } __packed dir; 2121*40796051SNamjae Jeon struct { 2122*40796051SNamjae Jeon __le16 data_offset; 2123*40796051SNamjae Jeon __le16 data_length; 2124*40796051SNamjae Jeon __le32 reservedV; 2125*40796051SNamjae Jeon } __packed vi; 2126*40796051SNamjae Jeon } __packed data; 2127*40796051SNamjae Jeon __le16 length; 2128*40796051SNamjae Jeon __le16 key_length; 2129*40796051SNamjae Jeon __le16 flags; 2130*40796051SNamjae Jeon __le16 reserved; 2131*40796051SNamjae Jeon } __packed; 2132*40796051SNamjae Jeon 2133*40796051SNamjae Jeon static_assert(sizeof(struct index_entry_header) == 16); 21341e9ea7e0SNamjae Jeon 21351e9ea7e0SNamjae Jeon /* 2136*40796051SNamjae Jeon * struct index_entry - NTFS index entry structure 2137*40796051SNamjae Jeon * 2138*40796051SNamjae Jeon * This is an index entry. A sequence of such entries follows each index_header 21391e9ea7e0SNamjae Jeon * structure. Together they make up a complete index. The index follows either 21401e9ea7e0SNamjae Jeon * an index root attribute or an index allocation attribute. 21411e9ea7e0SNamjae Jeon * 2142*40796051SNamjae Jeon * Union @data (valid when INDEX_ENTRY_END not set): 2143*40796051SNamjae Jeon * @data.dir.indexed_file: MFT ref of file (for directory indexes). 2144*40796051SNamjae Jeon * @data.vi.data_offset: Offset to data after key. 2145*40796051SNamjae Jeon * @data.vi.data_length: Length of data in bytes. 2146*40796051SNamjae Jeon * @data.vi.reservedV: Reserved (zero). 2147*40796051SNamjae Jeon * 2148*40796051SNamjae Jeon * Fields: 2149*40796051SNamjae Jeon * @length: Total byte size of entry (multiple of 8 bytes). 2150*40796051SNamjae Jeon * @key_length: Byte size of key (not multiple of 8). 2151*40796051SNamjae Jeon * @flags: INDEX_ENTRY_* flags (NODE, END, etc.). 2152*40796051SNamjae Jeon * @reserved: Reserved/padding (zero). 2153*40796051SNamjae Jeon * 2154*40796051SNamjae Jeon * Union @key (valid when INDEX_ENTRY_END not set) 2155*40796051SNamjae Jeon * The key of the indexed attribute. NOTE: Only present 2156*40796051SNamjae Jeon * if INDEX_ENTRY_END bit in flags is not set. NOTE: On 2157*40796051SNamjae Jeon * NTFS versions before 3.0 the only valid key is the 2158*40796051SNamjae Jeon * struct file_name_attr. On NTFS 3.0+ the following 2159*40796051SNamjae Jeon * additional index keys are defined: 2160*40796051SNamjae Jeon * @key.file_name: $FILE_NAME attr (for $I30 directory indexes). 2161*40796051SNamjae Jeon * @key.sii: $SII key (for $Secure $SII index). 2162*40796051SNamjae Jeon * @key.sdh: $SDH key (for $Secure $SDH index). 2163*40796051SNamjae Jeon * @key.object_id: GUID (for $ObjId $O index). 2164*40796051SNamjae Jeon * @key.reparse: Reparse tag + file ID (for $Reparse $R). 2165*40796051SNamjae Jeon * @key.sid: SID (for $Quota $O index). 2166*40796051SNamjae Jeon * @key.owner_id: User ID (for $Quota $Q index). 2167*40796051SNamjae Jeon * 2168*40796051SNamjae Jeon * The (optional) index data is inserted here when creating. 2169*40796051SNamjae Jeon * __le64 vcn; If INDEX_ENTRY_NODE bit in flags is set, the last 2170*40796051SNamjae Jeon * eight bytes of this index entry contain the virtual 2171*40796051SNamjae Jeon * cluster number of the index block that holds the 2172*40796051SNamjae Jeon * entries immediately preceding the current entry (the 2173*40796051SNamjae Jeon * vcn references the corresponding cluster in the data 2174*40796051SNamjae Jeon * of the non-resident index allocation attribute). If 2175*40796051SNamjae Jeon * the key_length is zero, then the vcn immediately 2176*40796051SNamjae Jeon * follows the INDEX_ENTRY_HEADER. Regardless of 2177*40796051SNamjae Jeon * key_length, the address of the 8-byte boundary 2178*40796051SNamjae Jeon * aligned vcn of INDEX_ENTRY{_HEADER} *ie is given by 2179*40796051SNamjae Jeon * (char*)ie + le16_to_cpu(ie*)->length) - sizeof(VCN), 2180*40796051SNamjae Jeon * where sizeof(VCN) can be hardcoded as 8 if wanted. 2181*40796051SNamjae Jeon * 21821e9ea7e0SNamjae Jeon * NOTE: Before NTFS 3.0 only filename attributes were indexed. 21831e9ea7e0SNamjae Jeon */ 2184*40796051SNamjae Jeon struct index_entry { 21851e9ea7e0SNamjae Jeon union { 2186*40796051SNamjae Jeon struct { 2187*40796051SNamjae Jeon __le64 indexed_file; 2188*40796051SNamjae Jeon } __packed dir; 2189*40796051SNamjae Jeon struct { 2190*40796051SNamjae Jeon __le16 data_offset; 2191*40796051SNamjae Jeon __le16 data_length; 2192*40796051SNamjae Jeon __le32 reservedV; 2193*40796051SNamjae Jeon } __packed vi; 2194*40796051SNamjae Jeon } __packed data; 2195*40796051SNamjae Jeon __le16 length; 2196*40796051SNamjae Jeon __le16 key_length; 2197*40796051SNamjae Jeon __le16 flags; 2198*40796051SNamjae Jeon __le16 reserved; 2199*40796051SNamjae Jeon union { 2200*40796051SNamjae Jeon struct file_name_attr file_name; 2201*40796051SNamjae Jeon struct sii_index_key sii; 2202*40796051SNamjae Jeon struct sdh_index_key sdh; 2203*40796051SNamjae Jeon struct guid object_id; 2204*40796051SNamjae Jeon struct reparse_index_key reparse; 2205*40796051SNamjae Jeon struct ntfs_sid sid; 2206*40796051SNamjae Jeon __le32 owner_id; 2207*40796051SNamjae Jeon } __packed key; 2208*40796051SNamjae Jeon } __packed; 22091e9ea7e0SNamjae Jeon 22101e9ea7e0SNamjae Jeon /* 22111e9ea7e0SNamjae Jeon * The reparse point tag defines the type of the reparse point. It also 22121e9ea7e0SNamjae Jeon * includes several flags, which further describe the reparse point. 22131e9ea7e0SNamjae Jeon * 22141e9ea7e0SNamjae Jeon * The reparse point tag is an unsigned 32-bit value divided in three parts: 22151e9ea7e0SNamjae Jeon * 2216*40796051SNamjae Jeon * 1. The least significant 16 bits (i.e. bits 0 to 15) specify the type of 22171e9ea7e0SNamjae Jeon * the reparse point. 2218*40796051SNamjae Jeon * 2. The 12 bits after this (i.e. bits 16 to 27) are reserved for future use. 2219*40796051SNamjae Jeon * 3. The most significant four bits are flags describing the reparse point. 22201e9ea7e0SNamjae Jeon * They are defined as follows: 2221*40796051SNamjae Jeon * bit 28: Directory bit. If set, the directory is not a surrogate 2222*40796051SNamjae Jeon * and can be used the usual way. 22231e9ea7e0SNamjae Jeon * bit 29: Name surrogate bit. If set, the filename is an alias for 22241e9ea7e0SNamjae Jeon * another object in the system. 22251e9ea7e0SNamjae Jeon * bit 30: High-latency bit. If set, accessing the first byte of data will 22261e9ea7e0SNamjae Jeon * be slow. (E.g. the data is stored on a tape drive.) 22271e9ea7e0SNamjae Jeon * bit 31: Microsoft bit. If set, the tag is owned by Microsoft. User 22281e9ea7e0SNamjae Jeon * defined tags have to use zero here. 2229*40796051SNamjae Jeon * 4. Moreover, on Windows 10 : 2230*40796051SNamjae Jeon * Some flags may be used in bits 12 to 15 to further describe the 2231*40796051SNamjae Jeon * reparse point. 22321e9ea7e0SNamjae Jeon */ 22331e9ea7e0SNamjae Jeon enum { 2234*40796051SNamjae Jeon IO_REPARSE_TAG_DIRECTORY = cpu_to_le32(0x10000000), 22351e9ea7e0SNamjae Jeon IO_REPARSE_TAG_IS_ALIAS = cpu_to_le32(0x20000000), 22361e9ea7e0SNamjae Jeon IO_REPARSE_TAG_IS_HIGH_LATENCY = cpu_to_le32(0x40000000), 22371e9ea7e0SNamjae Jeon IO_REPARSE_TAG_IS_MICROSOFT = cpu_to_le32(0x80000000), 22381e9ea7e0SNamjae Jeon 22391e9ea7e0SNamjae Jeon IO_REPARSE_TAG_RESERVED_ZERO = cpu_to_le32(0x00000000), 22401e9ea7e0SNamjae Jeon IO_REPARSE_TAG_RESERVED_ONE = cpu_to_le32(0x00000001), 22411e9ea7e0SNamjae Jeon IO_REPARSE_TAG_RESERVED_RANGE = cpu_to_le32(0x00000001), 22421e9ea7e0SNamjae Jeon 2243*40796051SNamjae Jeon IO_REPARSE_TAG_CSV = cpu_to_le32(0x80000009), 2244*40796051SNamjae Jeon IO_REPARSE_TAG_DEDUP = cpu_to_le32(0x80000013), 2245*40796051SNamjae Jeon IO_REPARSE_TAG_DFS = cpu_to_le32(0x8000000A), 2246*40796051SNamjae Jeon IO_REPARSE_TAG_DFSR = cpu_to_le32(0x80000012), 2247*40796051SNamjae Jeon IO_REPARSE_TAG_HSM = cpu_to_le32(0xC0000004), 2248*40796051SNamjae Jeon IO_REPARSE_TAG_HSM2 = cpu_to_le32(0x80000006), 2249*40796051SNamjae Jeon IO_REPARSE_TAG_MOUNT_POINT = cpu_to_le32(0xA0000003), 2250*40796051SNamjae Jeon IO_REPARSE_TAG_NFS = cpu_to_le32(0x80000014), 2251*40796051SNamjae Jeon IO_REPARSE_TAG_SIS = cpu_to_le32(0x80000007), 2252*40796051SNamjae Jeon IO_REPARSE_TAG_SYMLINK = cpu_to_le32(0xA000000C), 2253*40796051SNamjae Jeon IO_REPARSE_TAG_WIM = cpu_to_le32(0x80000008), 2254*40796051SNamjae Jeon IO_REPARSE_TAG_DFM = cpu_to_le32(0x80000016), 2255*40796051SNamjae Jeon IO_REPARSE_TAG_WOF = cpu_to_le32(0x80000017), 2256*40796051SNamjae Jeon IO_REPARSE_TAG_WCI = cpu_to_le32(0x80000018), 2257*40796051SNamjae Jeon IO_REPARSE_TAG_CLOUD = cpu_to_le32(0x9000001A), 2258*40796051SNamjae Jeon IO_REPARSE_TAG_APPEXECLINK = cpu_to_le32(0x8000001B), 2259*40796051SNamjae Jeon IO_REPARSE_TAG_GVFS = cpu_to_le32(0x9000001C), 2260*40796051SNamjae Jeon IO_REPARSE_TAG_LX_SYMLINK = cpu_to_le32(0xA000001D), 2261*40796051SNamjae Jeon IO_REPARSE_TAG_AF_UNIX = cpu_to_le32(0x80000023), 2262*40796051SNamjae Jeon IO_REPARSE_TAG_LX_FIFO = cpu_to_le32(0x80000024), 2263*40796051SNamjae Jeon IO_REPARSE_TAG_LX_CHR = cpu_to_le32(0x80000025), 2264*40796051SNamjae Jeon IO_REPARSE_TAG_LX_BLK = cpu_to_le32(0x80000026), 22651e9ea7e0SNamjae Jeon 2266*40796051SNamjae Jeon IO_REPARSE_TAG_VALID_VALUES = cpu_to_le32(0xf000ffff), 2267*40796051SNamjae Jeon IO_REPARSE_PLUGIN_SELECT = cpu_to_le32(0xffff0fff), 22681e9ea7e0SNamjae Jeon }; 22691e9ea7e0SNamjae Jeon 22701e9ea7e0SNamjae Jeon /* 2271*40796051SNamjae Jeon * struct reparse_point - $REPARSE_POINT attribute content (0xc0)\ 2272*40796051SNamjae Jeon * 2273*40796051SNamjae Jeon * @reparse_tag: Reparse point type (with flags; REPARSE_TAG_*). 2274*40796051SNamjae Jeon * @reparse_data_length: Byte size of @reparse_data. 2275*40796051SNamjae Jeon * @reserved: Reserved/padding (zero; 8-byte alignment). 2276*40796051SNamjae Jeon * @reparse_data: Variable reparse data (meaning depends on @reparse_tag). 2277*40796051SNamjae Jeon * - Symbolic link/junction: struct reparse_symlink 2278*40796051SNamjae Jeon * - Mount point: similar symlink structure 2279*40796051SNamjae Jeon * - Other tags: vendor-specific or extended data 22801e9ea7e0SNamjae Jeon * 22811e9ea7e0SNamjae Jeon * NOTE: Can be resident or non-resident. 22821e9ea7e0SNamjae Jeon */ 2283*40796051SNamjae Jeon struct reparse_point { 2284*40796051SNamjae Jeon __le32 reparse_tag; 2285*40796051SNamjae Jeon __le16 reparse_data_length; 2286*40796051SNamjae Jeon __le16 reserved; 2287*40796051SNamjae Jeon u8 reparse_data[]; 2288*40796051SNamjae Jeon } __packed; 22891e9ea7e0SNamjae Jeon 22901e9ea7e0SNamjae Jeon /* 2291*40796051SNamjae Jeon * struct ea_information - $EA_INFORMATION attribute content (0xd0) 2292*40796051SNamjae Jeon * 2293*40796051SNamjae Jeon * @ea_length: Byte size of packed EAs. 2294*40796051SNamjae Jeon * @need_ea_count: Number of EAs with NEED_EA bit set. 2295*40796051SNamjae Jeon * @ea_query_length: Byte size needed to unpack/query EAs via ZwQueryEaFile(). 2296*40796051SNamjae Jeon * (Unpacked format size.) 22971e9ea7e0SNamjae Jeon * 22981e9ea7e0SNamjae Jeon * NOTE: Always resident. (Is this true???) 22991e9ea7e0SNamjae Jeon */ 2300*40796051SNamjae Jeon struct ea_information { 2301*40796051SNamjae Jeon __le16 ea_length; 2302*40796051SNamjae Jeon __le16 need_ea_count; 2303*40796051SNamjae Jeon __le32 ea_query_length; 2304*40796051SNamjae Jeon } __packed; 23051e9ea7e0SNamjae Jeon 23061e9ea7e0SNamjae Jeon /* 2307*40796051SNamjae Jeon * enum - Extended attribute flags (8-bit) 2308*40796051SNamjae Jeon * 2309*40796051SNamjae Jeon * These flags are stored in the EA header of each extended attribute 2310*40796051SNamjae Jeon * (in $EA attribute, type 0xe0). 2311*40796051SNamjae Jeon * 2312*40796051SNamjae Jeon * @NEED_EA: If set, the file cannot be properly interpreted 2313*40796051SNamjae Jeon * without understanding its associated EAs. 2314*40796051SNamjae Jeon * (Critical EA; applications must process it.) 23151e9ea7e0SNamjae Jeon */ 23161e9ea7e0SNamjae Jeon enum { 2317*40796051SNamjae Jeon NEED_EA = 0x80 2318*40796051SNamjae Jeon } __packed; 23191e9ea7e0SNamjae Jeon 23201e9ea7e0SNamjae Jeon /* 2321*40796051SNamjae Jeon * struct ea_attr - Extended attribute (EA) entry (0xe0) 2322*40796051SNamjae Jeon * 2323*40796051SNamjae Jeon * @next_entry_offset: Byte offset to the next EA_ATTR entry. 2324*40796051SNamjae Jeon * (From start of current entry.) 2325*40796051SNamjae Jeon * @flags: EA flags (NEED_EA = 0x80 if critical). 2326*40796051SNamjae Jeon * @ea_name_length: Length of @ea_name in bytes (excluding '\0'). 2327*40796051SNamjae Jeon * @ea_value_length: Byte size of the EA value. 2328*40796051SNamjae Jeon * @ea_name: ASCII name of the EA (zero-terminated). 2329*40796051SNamjae Jeon * Value immediately follows the name. 2330*40796051SNamjae Jeon * u8 ea_value[]; The value of the EA. Immediately follows the name. 2331*40796051SNamjae Jeon * 2332*40796051SNamjae Jeon * This is one variable-length record in the $EA attribute value. 2333*40796051SNamjae Jeon * The attribute can be resident or non-resident. 2334*40796051SNamjae Jeon * Sequence of these entries forms the packed EA list. 23351e9ea7e0SNamjae Jeon * 23361e9ea7e0SNamjae Jeon * NOTE: Can be resident or non-resident. 23371e9ea7e0SNamjae Jeon */ 2338*40796051SNamjae Jeon struct ea_attr { 2339*40796051SNamjae Jeon __le32 next_entry_offset; 2340*40796051SNamjae Jeon u8 flags; 2341*40796051SNamjae Jeon u8 ea_name_length; 2342*40796051SNamjae Jeon __le16 ea_value_length; 2343*40796051SNamjae Jeon u8 ea_name[]; 2344*40796051SNamjae Jeon } __packed; 23451e9ea7e0SNamjae Jeon 23461e9ea7e0SNamjae Jeon #endif /* _LINUX_NTFS_LAYOUT_H */ 2347