/* SPDX-License-Identifier: LGPL-2.1+ */
/*
 * Copyright (c) International Business Machines Corp., 2007
 * Author(s): Steve French (sfrench@us.ibm.com)
 * Modified by Namjae Jeon (linkinjeon@kernel.org)
 */

/*
 * Wire-format definitions for NT security descriptors, SIDs, ACLs and ACEs
 * as carried over SMB.  Every multi-byte field below is declared little-endian
 * (__le16/__le32) and every struct is packed, so these types mirror the
 * protocol byte stream exactly: do not reorder members or drop the packing.
 * Field values arrive straight from the peer; anything used as a count,
 * length or offset must be bounds-checked by the parser before use.
 */

#ifndef _COMMON_SMBACL_H
#define _COMMON_SMBACL_H

#define NUM_AUTHS (6) /* number of authority fields */
#define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */

/*
 * ACE types - see MS-DTYP 2.4.4.1.  These are the on-the-wire values of
 * struct smb_ace::type.  Only a subset is meaningful for file ACLs; an
 * unrecognised type should be tolerated (skipped via smb_ace::size) rather
 * than treated as a parse error, since the set grows over time.
 */
#define ACCESS_ALLOWED_ACE_TYPE 0x00
#define ACCESS_DENIED_ACE_TYPE 0x01
#define SYSTEM_AUDIT_ACE_TYPE 0x02
#define SYSTEM_ALARM_ACE_TYPE 0x03
#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE 0x05
#define ACCESS_DENIED_OBJECT_ACE_TYPE 0x06
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE 0x07
#define SYSTEM_ALARM_OBJECT_ACE_TYPE 0x08
#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09
#define ACCESS_DENIED_CALLBACK_ACE_TYPE 0x0A
#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B
#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE 0x0C
#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE 0x0D
#define SYSTEM_ALARM_CALLBACK_ACE_TYPE 0x0E /* Reserved */
#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F
#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE 0x11
#define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12
#define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13

/*
 * ACE flags - bit values of struct smb_ace::flags.  The first five control
 * inheritance; the last two are only meaningful on SYSTEM_AUDIT/ALARM ACEs.
 * Bits 0x20 is not defined here.
 */
#define OBJECT_INHERIT_ACE 0x01
#define CONTAINER_INHERIT_ACE 0x02
#define NO_PROPAGATE_INHERIT_ACE 0x04
#define INHERIT_ONLY_ACE 0x08
#define INHERITED_ACE 0x10
#define SUCCESSFUL_ACCESS_ACE_FLAG 0x40
#define FAILED_ACCESS_ACE_FLAG 0x80

/*
 * Maximum size of a string representation of a SID:
 *
 * The fields are unsigned values in decimal. So:
 *
 * u8: max 3 bytes in decimal
 * u32: max 10 bytes in decimal
 *
 * "S-" + 3 bytes for version field + 15 for authority field + NULL terminator
 *
 * For authority field, max is when all 6 values are non-zero and it must be
 * represented in hex. So "-0x" + 12 hex digits.
 *
 * Add 11 bytes for each subauthority field (10 bytes each + 1 for '-')
 *
 * A buffer for a SID with num_subauth sub-authorities therefore needs
 * SID_STRING_BASE_SIZE + num_subauth * SID_STRING_SUBAUTH_SIZE bytes; size
 * it from the validated num_subauth, not from the wire value.
 */
#define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1)
#define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */

/*
 * RID 513 pre-encoded little-endian, presumably so it can be compared
 * directly against a raw sub_auth[] entry without a byte swap - confirm
 * against callers.
 */
#define DOMAIN_USER_RID_LE cpu_to_le32(513)

/*
 * Internal allow/deny classification used by the ACL code.  Not a wire
 * value, but the enumerators (0 and 1) coincide with
 * ACCESS_ALLOWED_ACE_TYPE / ACCESS_DENIED_ACE_TYPE above.
 */
enum {
	ACCESS_ALLOWED,
	ACCESS_DENIED,
};

/*
 * Security ID types: tags for the classes of SID the ACL code recognises or
 * synthesises (owner/group, CREATOR_*, Unix and NFS mappings).  Numbering
 * starts at 1, leaving 0 unassigned.
 */
enum {
	SIDOWNER = 1,
	SIDGROUP,
	SIDCREATOR_OWNER,
	SIDCREATOR_GROUP,
	SIDUNIX_USER,
	SIDUNIX_GROUP,
	SIDNFS_USER,
	SIDNFS_GROUP,
	SIDNFS_MODE,
};

/*
 * Self-relative security descriptor header (MS-DTYP 2.4.6).  The four
 * offsets are byte offsets from the start of this header to the owner SID,
 * group SID, SACL and DACL respectively.  Each offset must be checked
 * against the enclosing buffer length (and the size of the object it
 * points at) before being dereferenced.
 */
struct smb_ntsd {
	__le16 revision; /* revision level */
	__le16 type; /* control flags describing which components are present */
	__le32 osidoffset; /* offset to owner SID */
	__le32 gsidoffset; /* offset to group SID */
	__le32 sacloffset; /* offset to SACL */
	__le32 dacloffset; /* offset to DACL */
} __attribute__((packed));

/*
 * SID (MS-DTYP 2.4.2.2).  sub_auth[] is declared at its maximum length, but
 * only the first num_subauth entries exist on the wire; the real length is
 * CIFS_SID_BASE_SIZE + 4 * num_subauth.  num_subauth is a peer-supplied
 * byte (0..255): reject values above SID_MAX_SUB_AUTHORITIES before using
 * it as a count or index, or sub_auth[] will be read out of bounds.
 */
struct smb_sid {
	__u8 revision; /* revision level */
	__u8 num_subauth; /* number of valid sub_auth[] entries */
	__u8 authority[NUM_AUTHS]; /* identifier authority, big-endian 48-bit value */
	__le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */
} __attribute__((packed));

/*
 * size of a struct smb_sid, sans sub_auth array: revision + num_subauth +
 * authority[NUM_AUTHS].  Add 4 bytes per sub-authority for the wire length.
 */
#define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS)

/*
 * ACL header (MS-DTYP 2.4.5).  num_aces ACEs follow immediately, each
 * prefixed by a struct smb_ace header.  Both size (total ACL length in
 * bytes, header included) and num_aces come from the peer and must be
 * bounded by the enclosing buffer before the ACE list is walked.
 */
struct smb_acl {
	__le16 revision; /* revision level */
	__le16 size; /* total ACL length in bytes */
	__le32 num_aces; /* number of ACEs following this header */
} __attribute__((packed));

/*
 * ACE header plus trustee SID.  Because sid is declared at maximum size,
 * sizeof(struct smb_ace) is NOT the wire length of an ACE: the next ACE
 * starts `size` bytes after this one.  Validate that size covers at least
 * the fixed fields plus the SID's actual length before reading sid, and
 * that it does not run past the ACL's size.
 */
struct smb_ace {
	__u8 type; /* see above and MS-DTYP 2.4.4.1 */
	__u8 flags; /* OR of the *_ACE / *_ACE_FLAG bits above */
	__le16 size; /* total ACE length in bytes, including the variable-length sid */
	__le32 access_req; /* access mask (MS-DTYP 2.4.3) */
	struct smb_sid sid; /* SID of the trustee (user or group) this ACE applies to */
} __attribute__((packed));

#endif /* _COMMON_SMBACL_H */