138c8a9a5SSteve French /* SPDX-License-Identifier: LGPL-2.1+ */ 238c8a9a5SSteve French /* 338c8a9a5SSteve French * Copyright (c) International Business Machines Corp., 2007 438c8a9a5SSteve French * Author(s): Steve French (sfrench@us.ibm.com) 538c8a9a5SSteve French * Modified by Namjae Jeon (linkinjeon@kernel.org) 638c8a9a5SSteve French */ 738c8a9a5SSteve French 838c8a9a5SSteve French #ifndef _SMBACL_H 938c8a9a5SSteve French #define _SMBACL_H 1038c8a9a5SSteve French 11*b51174daSChenXiaoSong #include "../common/smbacl.h" 1238c8a9a5SSteve French #include <linux/fs.h> 1338c8a9a5SSteve French #include <linux/namei.h> 1438c8a9a5SSteve French #include <linux/posix_acl.h> 1538c8a9a5SSteve French #include <linux/mnt_idmapping.h> 1638c8a9a5SSteve French 1738c8a9a5SSteve French #include "mgmt/tree_connect.h" 1838c8a9a5SSteve French 1938c8a9a5SSteve French /* Revision for ACLs */ 2038c8a9a5SSteve French #define SD_REVISION 1 2138c8a9a5SSteve French 2238c8a9a5SSteve French /* Control flags for Security Descriptor */ 2338c8a9a5SSteve French #define OWNER_DEFAULTED 0x0001 2438c8a9a5SSteve French #define GROUP_DEFAULTED 0x0002 2538c8a9a5SSteve French #define DACL_PRESENT 0x0004 2638c8a9a5SSteve French #define DACL_DEFAULTED 0x0008 2738c8a9a5SSteve French #define SACL_PRESENT 0x0010 2838c8a9a5SSteve French #define SACL_DEFAULTED 0x0020 2938c8a9a5SSteve French #define DACL_TRUSTED 0x0040 3038c8a9a5SSteve French #define SERVER_SECURITY 0x0080 3138c8a9a5SSteve French #define DACL_AUTO_INHERIT_REQ 0x0100 3238c8a9a5SSteve French #define SACL_AUTO_INHERIT_REQ 0x0200 3338c8a9a5SSteve French #define DACL_AUTO_INHERITED 0x0400 3438c8a9a5SSteve French #define SACL_AUTO_INHERITED 0x0800 3538c8a9a5SSteve French #define DACL_PROTECTED 0x1000 3638c8a9a5SSteve French #define SACL_PROTECTED 0x2000 3738c8a9a5SSteve French #define RM_CONTROL_VALID 0x4000 3838c8a9a5SSteve French #define SELF_RELATIVE 0x8000 3938c8a9a5SSteve French 4038c8a9a5SSteve French struct ksmbd_conn; 4138c8a9a5SSteve French 4238c8a9a5SSteve French struct smb_fattr { 4338c8a9a5SSteve French kuid_t cf_uid; 4438c8a9a5SSteve French kgid_t cf_gid; 4538c8a9a5SSteve French umode_t cf_mode; 4638c8a9a5SSteve French __le32 daccess; 4738c8a9a5SSteve French struct posix_acl *cf_acls; 4838c8a9a5SSteve French struct posix_acl *cf_dacls; 4938c8a9a5SSteve French }; 5038c8a9a5SSteve French 5138c8a9a5SSteve French struct posix_ace_state { 5238c8a9a5SSteve French u32 allow; 5338c8a9a5SSteve French u32 deny; 5438c8a9a5SSteve French }; 5538c8a9a5SSteve French 5638c8a9a5SSteve French struct posix_user_ace_state { 5738c8a9a5SSteve French union { 5838c8a9a5SSteve French kuid_t uid; 5938c8a9a5SSteve French kgid_t gid; 6038c8a9a5SSteve French }; 6138c8a9a5SSteve French struct posix_ace_state perms; 6238c8a9a5SSteve French }; 6338c8a9a5SSteve French 6438c8a9a5SSteve French struct posix_ace_state_array { 6538c8a9a5SSteve French int n; 6638c8a9a5SSteve French struct posix_user_ace_state aces[]; 6738c8a9a5SSteve French }; 6838c8a9a5SSteve French 6938c8a9a5SSteve French /* 7038c8a9a5SSteve French * while processing the nfsv4 ace, this maintains the partial permissions 7138c8a9a5SSteve French * calculated so far: 7238c8a9a5SSteve French */ 7338c8a9a5SSteve French 7438c8a9a5SSteve French struct posix_acl_state { 7538c8a9a5SSteve French struct posix_ace_state owner; 7638c8a9a5SSteve French struct posix_ace_state group; 7738c8a9a5SSteve French struct posix_ace_state other; 7838c8a9a5SSteve French struct posix_ace_state everyone; 7938c8a9a5SSteve French struct posix_ace_state mask; /* deny unused in this case */ 8038c8a9a5SSteve French struct posix_ace_state_array *users; 8138c8a9a5SSteve French struct posix_ace_state_array *groups; 8238c8a9a5SSteve French }; 8338c8a9a5SSteve French 8438c8a9a5SSteve French int parse_sec_desc(struct mnt_idmap *idmap, struct smb_ntsd *pntsd, 8538c8a9a5SSteve French int acl_len, struct smb_fattr *fattr); 8638c8a9a5SSteve French int build_sec_desc(struct mnt_idmap *idmap, struct smb_ntsd *pntsd, 8738c8a9a5SSteve French struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info, 8838c8a9a5SSteve French __u32 *secdesclen, struct smb_fattr *fattr); 8938c8a9a5SSteve French int init_acl_state(struct posix_acl_state *state, int cnt); 9038c8a9a5SSteve French void free_acl_state(struct posix_acl_state *state); 9138c8a9a5SSteve French void posix_state_to_acl(struct posix_acl_state *state, 9238c8a9a5SSteve French struct posix_acl_entry *pace); 9338c8a9a5SSteve French int compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid); 9438c8a9a5SSteve French bool smb_inherit_flags(int flags, bool is_dir); 9538c8a9a5SSteve French int smb_inherit_dacl(struct ksmbd_conn *conn, const struct path *path, 9638c8a9a5SSteve French unsigned int uid, unsigned int gid); 9738c8a9a5SSteve French int smb_check_perm_dacl(struct ksmbd_conn *conn, const struct path *path, 9838c8a9a5SSteve French __le32 *pdaccess, int uid); 9938c8a9a5SSteve French int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon, 10038c8a9a5SSteve French const struct path *path, struct smb_ntsd *pntsd, int ntsd_len, 101864fb5d3SNamjae Jeon bool type_check, bool get_write); 10238c8a9a5SSteve French void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid); 10338c8a9a5SSteve French void ksmbd_init_domain(u32 *sub_auth); 10438c8a9a5SSteve French 10538c8a9a5SSteve French static inline uid_t posix_acl_uid_translate(struct mnt_idmap *idmap, 10638c8a9a5SSteve French struct posix_acl_entry *pace) 10738c8a9a5SSteve French { 10838c8a9a5SSteve French vfsuid_t vfsuid; 10938c8a9a5SSteve French 11038c8a9a5SSteve French /* If this is an idmapped mount, apply the idmapping. */ 11138c8a9a5SSteve French vfsuid = make_vfsuid(idmap, &init_user_ns, pace->e_uid); 11238c8a9a5SSteve French 11338c8a9a5SSteve French /* Translate the kuid into a userspace id ksmbd would see. */ 11438c8a9a5SSteve French return from_kuid(&init_user_ns, vfsuid_into_kuid(vfsuid)); 11538c8a9a5SSteve French } 11638c8a9a5SSteve French 11738c8a9a5SSteve French static inline gid_t posix_acl_gid_translate(struct mnt_idmap *idmap, 11838c8a9a5SSteve French struct posix_acl_entry *pace) 11938c8a9a5SSteve French { 12038c8a9a5SSteve French vfsgid_t vfsgid; 12138c8a9a5SSteve French 12238c8a9a5SSteve French /* If this is an idmapped mount, apply the idmapping. */ 12338c8a9a5SSteve French vfsgid = make_vfsgid(idmap, &init_user_ns, pace->e_gid); 12438c8a9a5SSteve French 12538c8a9a5SSteve French /* Translate the kgid into a userspace id ksmbd would see. */ 12638c8a9a5SSteve French return from_kgid(&init_user_ns, vfsgid_into_kgid(vfsgid)); 12738c8a9a5SSteve French } 12838c8a9a5SSteve French 12938c8a9a5SSteve French #endif /* _SMBACL_H */ 130