xref: /titanic_41/usr/src/lib/smbsrv/libsmb/common/smb_sd.c (revision 6a634c9dca3093f3922e4b7ab826d7bdf17bf78e) 
129bd2886SAlan Wright /*
229bd2886SAlan Wright  * CDDL HEADER START
329bd2886SAlan Wright  *
429bd2886SAlan Wright  * The contents of this file are subject to the terms of the
529bd2886SAlan Wright  * Common Development and Distribution License (the "License").
629bd2886SAlan Wright  * You may not use this file except in compliance with the License.
729bd2886SAlan Wright  *
829bd2886SAlan Wright  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
929bd2886SAlan Wright  * or http://www.opensolaris.org/os/licensing.
1029bd2886SAlan Wright  * See the License for the specific language governing permissions
1129bd2886SAlan Wright  * and limitations under the License.
1229bd2886SAlan Wright  *
1329bd2886SAlan Wright  * When distributing Covered Code, include this CDDL HEADER in each
1429bd2886SAlan Wright  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
1529bd2886SAlan Wright  * If applicable, add the following below this CDDL HEADER, with the
1629bd2886SAlan Wright  * fields enclosed by brackets "[]" replaced with your own identifying
1729bd2886SAlan Wright  * information: Portions Copyright [yyyy] [name of copyright owner]
1829bd2886SAlan Wright  *
1929bd2886SAlan Wright  * CDDL HEADER END
2029bd2886SAlan Wright  */
21148c5f43SAlan Wright 
2229bd2886SAlan Wright /*
23148c5f43SAlan Wright  * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
2429bd2886SAlan Wright  */
2529bd2886SAlan Wright 
2629bd2886SAlan Wright /*
2729bd2886SAlan Wright  * This module provides Security Descriptor handling functions.
2829bd2886SAlan Wright  */
2929bd2886SAlan Wright 
3029bd2886SAlan Wright #include <strings.h>
3129bd2886SAlan Wright #include <assert.h>
32*1fdeec65Sjoyce mcintosh #include <errno.h>
3329bd2886SAlan Wright #include <smbsrv/ntifs.h>
3429bd2886SAlan Wright #include <smbsrv/smb_idmap.h>
35b1352070SAlan Wright #include <smbsrv/libsmb.h>
3629bd2886SAlan Wright 
3729bd2886SAlan Wright #define	SMB_SHR_ACE_READ_PERMS	(ACE_READ_PERMS | ACE_EXECUTE | ACE_SYNCHRONIZE)
3829bd2886SAlan Wright #define	SMB_SHR_ACE_CONTROL_PERMS	(ACE_MODIFY_PERMS & (~ACE_DELETE_CHILD))
3929bd2886SAlan Wright 
409fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States /*
419fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States  * This mapping table is provided to map permissions set by chmod
429fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States  * using 'read_set' and 'modify_set' to what Windows share ACL GUI
439fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States  * expects as Read and Control, respectively.
449fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States  */
45b1352070SAlan Wright static struct {
46b1352070SAlan Wright 	int am_ace_perms;
47b1352070SAlan Wright 	int am_share_perms;
48b1352070SAlan Wright } smb_ace_map[] = {
49b1352070SAlan Wright 	{ ACE_MODIFY_PERMS,	SMB_SHR_ACE_CONTROL_PERMS },
50b1352070SAlan Wright 	{ ACE_READ_PERMS,	SMB_SHR_ACE_READ_PERMS }
51b1352070SAlan Wright };
52b1352070SAlan Wright 
53b1352070SAlan Wright #define	SMB_ACE_MASK_MAP_SIZE	(sizeof (smb_ace_map)/sizeof (smb_ace_map[0]))
54b1352070SAlan Wright 
5529bd2886SAlan Wright static void smb_sd_set_sacl(smb_sd_t *, smb_acl_t *, boolean_t, int);
5629bd2886SAlan Wright static void smb_sd_set_dacl(smb_sd_t *, smb_acl_t *, boolean_t, int);
5729bd2886SAlan Wright 
5829bd2886SAlan Wright void
smb_sd_init(smb_sd_t * sd,uint8_t revision)5929bd2886SAlan Wright smb_sd_init(smb_sd_t *sd, uint8_t revision)
6029bd2886SAlan Wright {
6129bd2886SAlan Wright 	bzero(sd, sizeof (smb_sd_t));
6229bd2886SAlan Wright 	sd->sd_revision = revision;
6329bd2886SAlan Wright }
6429bd2886SAlan Wright 
6529bd2886SAlan Wright /*
6629bd2886SAlan Wright  * smb_sd_term
6729bd2886SAlan Wright  *
6829bd2886SAlan Wright  * Free non-NULL members of 'sd' which has to be in
6929bd2886SAlan Wright  * absolute (pointer) form.
7029bd2886SAlan Wright  */
7129bd2886SAlan Wright void
smb_sd_term(smb_sd_t * sd)7229bd2886SAlan Wright smb_sd_term(smb_sd_t *sd)
7329bd2886SAlan Wright {
7429bd2886SAlan Wright 	assert(sd);
7529bd2886SAlan Wright 	assert((sd->sd_control & SE_SELF_RELATIVE) == 0);
7629bd2886SAlan Wright 
7729bd2886SAlan Wright 	smb_sid_free(sd->sd_owner);
7829bd2886SAlan Wright 	smb_sid_free(sd->sd_group);
7929bd2886SAlan Wright 	smb_acl_free(sd->sd_dacl);
8029bd2886SAlan Wright 	smb_acl_free(sd->sd_sacl);
8129bd2886SAlan Wright 
8229bd2886SAlan Wright 	bzero(sd, sizeof (smb_sd_t));
8329bd2886SAlan Wright }
8429bd2886SAlan Wright 
8529bd2886SAlan Wright uint32_t
smb_sd_len(smb_sd_t * sd,uint32_t secinfo)8629bd2886SAlan Wright smb_sd_len(smb_sd_t *sd, uint32_t secinfo)
8729bd2886SAlan Wright {
8829bd2886SAlan Wright 	uint32_t length = SMB_SD_HDRSIZE;
8929bd2886SAlan Wright 
9029bd2886SAlan Wright 	if (secinfo & SMB_OWNER_SECINFO)
9129bd2886SAlan Wright 		length += smb_sid_len(sd->sd_owner);
9229bd2886SAlan Wright 
9329bd2886SAlan Wright 	if (secinfo & SMB_GROUP_SECINFO)
9429bd2886SAlan Wright 		length += smb_sid_len(sd->sd_group);
9529bd2886SAlan Wright 
9629bd2886SAlan Wright 	if (secinfo & SMB_DACL_SECINFO)
9729bd2886SAlan Wright 		length += smb_acl_len(sd->sd_dacl);
9829bd2886SAlan Wright 
9929bd2886SAlan Wright 	if (secinfo & SMB_SACL_SECINFO)
10029bd2886SAlan Wright 		length += smb_acl_len(sd->sd_sacl);
10129bd2886SAlan Wright 
10229bd2886SAlan Wright 	return (length);
10329bd2886SAlan Wright }
10429bd2886SAlan Wright 
10529bd2886SAlan Wright /*
10629bd2886SAlan Wright  * smb_sd_get_secinfo
10729bd2886SAlan Wright  *
10829bd2886SAlan Wright  * Return the security information mask for the specified security
10929bd2886SAlan Wright  * descriptor.
11029bd2886SAlan Wright  */
11129bd2886SAlan Wright uint32_t
smb_sd_get_secinfo(smb_sd_t * sd)11229bd2886SAlan Wright smb_sd_get_secinfo(smb_sd_t *sd)
11329bd2886SAlan Wright {
11429bd2886SAlan Wright 	uint32_t sec_info = 0;
11529bd2886SAlan Wright 
11629bd2886SAlan Wright 	if (sd == NULL)
11729bd2886SAlan Wright 		return (0);
11829bd2886SAlan Wright 
11929bd2886SAlan Wright 	if (sd->sd_owner)
12029bd2886SAlan Wright 		sec_info |= SMB_OWNER_SECINFO;
12129bd2886SAlan Wright 
12229bd2886SAlan Wright 	if (sd->sd_group)
12329bd2886SAlan Wright 		sec_info |= SMB_GROUP_SECINFO;
12429bd2886SAlan Wright 
12529bd2886SAlan Wright 	if (sd->sd_dacl)
12629bd2886SAlan Wright 		sec_info |= SMB_DACL_SECINFO;
12729bd2886SAlan Wright 
12829bd2886SAlan Wright 	if (sd->sd_sacl)
12929bd2886SAlan Wright 		sec_info |= SMB_SACL_SECINFO;
13029bd2886SAlan Wright 
13129bd2886SAlan Wright 	return (sec_info);
13229bd2886SAlan Wright }
13329bd2886SAlan Wright 
13429bd2886SAlan Wright /*
13529bd2886SAlan Wright  * Adjust the Access Mask so that ZFS ACE mask and Windows ACE read mask match.
13629bd2886SAlan Wright  */
13729bd2886SAlan Wright static int
smb_sd_adjust_read_mask(int mask)13829bd2886SAlan Wright smb_sd_adjust_read_mask(int mask)
13929bd2886SAlan Wright {
140b1352070SAlan Wright 	int i;
141b1352070SAlan Wright 
142b1352070SAlan Wright 	for (i = 0; i < SMB_ACE_MASK_MAP_SIZE; ++i) {
143b1352070SAlan Wright 		if (smb_ace_map[i].am_ace_perms == mask)
144b1352070SAlan Wright 			return (smb_ace_map[i].am_share_perms);
145b1352070SAlan Wright 	}
146b1352070SAlan Wright 
1479fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States 	return (mask);
14829bd2886SAlan Wright }
14929bd2886SAlan Wright 
15029bd2886SAlan Wright /*
15129bd2886SAlan Wright  * Get ZFS acl from the share path via acl_get() method.
15229bd2886SAlan Wright  */
15329bd2886SAlan Wright static uint32_t
smb_sd_read_acl(char * path,smb_fssd_t * fs_sd)15429bd2886SAlan Wright smb_sd_read_acl(char *path, smb_fssd_t *fs_sd)
15529bd2886SAlan Wright {
15629bd2886SAlan Wright 	acl_t *z_acl;
15729bd2886SAlan Wright 	ace_t *z_ace;
15829bd2886SAlan Wright 
15929bd2886SAlan Wright 	fs_sd->sd_gid = fs_sd->sd_uid = 0;
16029bd2886SAlan Wright 
161*1fdeec65Sjoyce mcintosh 	errno = 0;
162*1fdeec65Sjoyce mcintosh 	if (acl_get(path, 0, &z_acl) != 0) {
163*1fdeec65Sjoyce mcintosh 		switch (errno) {
164*1fdeec65Sjoyce mcintosh 		case EACCES:
165*1fdeec65Sjoyce mcintosh 			return (NT_STATUS_ACCESS_DENIED);
166*1fdeec65Sjoyce mcintosh 		case ENOENT:
167*1fdeec65Sjoyce mcintosh 			return (NT_STATUS_OBJECT_PATH_NOT_FOUND);
168*1fdeec65Sjoyce mcintosh 		default:
16929bd2886SAlan Wright 			return (NT_STATUS_INTERNAL_ERROR);
170*1fdeec65Sjoyce mcintosh 		}
171*1fdeec65Sjoyce mcintosh 	}
17229bd2886SAlan Wright 
17329bd2886SAlan Wright 	if ((z_ace = (ace_t *)z_acl->acl_aclp) == NULL)
17429bd2886SAlan Wright 		return (NT_STATUS_INVALID_ACL);
17529bd2886SAlan Wright 
1769fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States 	for (int i = 0; i < z_acl->acl_cnt; i++, z_ace++)
1779fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States 		z_ace->a_access_mask =
1789fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States 		    smb_sd_adjust_read_mask(z_ace->a_access_mask);
17929bd2886SAlan Wright 
18029bd2886SAlan Wright 	fs_sd->sd_zdacl = z_acl;
18129bd2886SAlan Wright 	fs_sd->sd_zsacl = NULL;
18229bd2886SAlan Wright 	return (NT_STATUS_SUCCESS);
18329bd2886SAlan Wright }
18429bd2886SAlan Wright 
18529bd2886SAlan Wright /*
18629bd2886SAlan Wright  * smb_sd_read
18729bd2886SAlan Wright  *
18829bd2886SAlan Wright  * Reads ZFS acl from filesystem using acl_get() method. Convert the ZFS acl to
18929bd2886SAlan Wright  * a Win SD and return the Win SD in absolute form.
19029bd2886SAlan Wright  *
19129bd2886SAlan Wright  * NOTE: upon successful return caller MUST free the memory allocated
19229bd2886SAlan Wright  * for the returned SD by calling smb_sd_term().
19329bd2886SAlan Wright  */
19429bd2886SAlan Wright uint32_t
smb_sd_read(char * path,smb_sd_t * sd,uint32_t secinfo)19529bd2886SAlan Wright smb_sd_read(char *path, smb_sd_t *sd, uint32_t secinfo)
19629bd2886SAlan Wright {
19729bd2886SAlan Wright 	smb_fssd_t fs_sd;
19829bd2886SAlan Wright 	uint32_t status = NT_STATUS_SUCCESS;
19929bd2886SAlan Wright 	uint32_t sd_flags;
20029bd2886SAlan Wright 	int error;
20129bd2886SAlan Wright 
20229bd2886SAlan Wright 	sd_flags = SMB_FSSD_FLAGS_DIR;
20329bd2886SAlan Wright 	smb_fssd_init(&fs_sd, secinfo, sd_flags);
20429bd2886SAlan Wright 
20529bd2886SAlan Wright 	error = smb_sd_read_acl(path, &fs_sd);
20629bd2886SAlan Wright 	if (error != NT_STATUS_SUCCESS) {
20729bd2886SAlan Wright 		smb_fssd_term(&fs_sd);
20829bd2886SAlan Wright 		return (error);
20929bd2886SAlan Wright 	}
21029bd2886SAlan Wright 
21129bd2886SAlan Wright 	status = smb_sd_fromfs(&fs_sd, sd);
21229bd2886SAlan Wright 	smb_fssd_term(&fs_sd);
21329bd2886SAlan Wright 
21429bd2886SAlan Wright 	return (status);
21529bd2886SAlan Wright }
21629bd2886SAlan Wright 
21729bd2886SAlan Wright /*
21829bd2886SAlan Wright  * Apply ZFS acl to the share path via acl_set() method.
2199fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States  * A NULL ACL pointer here represents an error.
2209fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States  * Null or empty ACLs are handled in smb_sd_tofs().
22129bd2886SAlan Wright  */
22229bd2886SAlan Wright static uint32_t
smb_sd_write_acl(char * path,smb_fssd_t * fs_sd)22329bd2886SAlan Wright smb_sd_write_acl(char *path, smb_fssd_t *fs_sd)
22429bd2886SAlan Wright {
22529bd2886SAlan Wright 	acl_t *z_acl;
22629bd2886SAlan Wright 	ace_t *z_ace;
22729bd2886SAlan Wright 	uint32_t status = NT_STATUS_SUCCESS;
22829bd2886SAlan Wright 
2299fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States 	z_acl = fs_sd->sd_zdacl;
2309fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States 	if (z_acl == NULL)
23129bd2886SAlan Wright 		return (NT_STATUS_INVALID_ACL);
23229bd2886SAlan Wright 
2339fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States 	z_ace = (ace_t *)z_acl->acl_aclp;
2349fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States 	if (z_ace == NULL)
23529bd2886SAlan Wright 		return (NT_STATUS_INVALID_ACL);
23629bd2886SAlan Wright 
23729bd2886SAlan Wright 	fs_sd->sd_gid = fs_sd->sd_uid = 0;
23829bd2886SAlan Wright 	if (acl_set(path, z_acl) != 0)
23929bd2886SAlan Wright 		status = NT_STATUS_INTERNAL_ERROR;
24029bd2886SAlan Wright 
24129bd2886SAlan Wright 	return (status);
24229bd2886SAlan Wright }
24329bd2886SAlan Wright 
24429bd2886SAlan Wright /*
24529bd2886SAlan Wright  * smb_sd_write
24629bd2886SAlan Wright  *
24729bd2886SAlan Wright  * Takes a Win SD in absolute form, converts it to
24829bd2886SAlan Wright  * ZFS acl and applies the acl to the share path via acl_set() method.
24929bd2886SAlan Wright  */
25029bd2886SAlan Wright uint32_t
smb_sd_write(char * path,smb_sd_t * sd,uint32_t secinfo)25129bd2886SAlan Wright smb_sd_write(char *path, smb_sd_t *sd, uint32_t secinfo)
25229bd2886SAlan Wright {
25329bd2886SAlan Wright 	smb_fssd_t fs_sd;
25429bd2886SAlan Wright 	uint32_t status = NT_STATUS_SUCCESS;
25529bd2886SAlan Wright 	uint32_t sd_flags;
25629bd2886SAlan Wright 	int error;
25729bd2886SAlan Wright 
25829bd2886SAlan Wright 	sd_flags = SMB_FSSD_FLAGS_DIR;
25929bd2886SAlan Wright 	smb_fssd_init(&fs_sd, secinfo, sd_flags);
26029bd2886SAlan Wright 
26129bd2886SAlan Wright 	error = smb_sd_tofs(sd, &fs_sd);
26229bd2886SAlan Wright 	if (error != NT_STATUS_SUCCESS) {
26329bd2886SAlan Wright 		smb_fssd_term(&fs_sd);
26429bd2886SAlan Wright 		return (error);
26529bd2886SAlan Wright 	}
26629bd2886SAlan Wright 
26729bd2886SAlan Wright 	status = smb_sd_write_acl(path, &fs_sd);
26829bd2886SAlan Wright 	smb_fssd_term(&fs_sd);
26929bd2886SAlan Wright 
27029bd2886SAlan Wright 	return (status);
27129bd2886SAlan Wright }
27229bd2886SAlan Wright 
27329bd2886SAlan Wright /*
27429bd2886SAlan Wright  * smb_sd_tofs
27529bd2886SAlan Wright  *
27629bd2886SAlan Wright  * Creates a filesystem security structure based on the given
27729bd2886SAlan Wright  * Windows security descriptor.
27829bd2886SAlan Wright  */
27929bd2886SAlan Wright uint32_t
smb_sd_tofs(smb_sd_t * sd,smb_fssd_t * fs_sd)28029bd2886SAlan Wright smb_sd_tofs(smb_sd_t *sd, smb_fssd_t *fs_sd)
28129bd2886SAlan Wright {
28229bd2886SAlan Wright 	smb_sid_t *sid;
28329bd2886SAlan Wright 	uint32_t status = NT_STATUS_SUCCESS;
28429bd2886SAlan Wright 	uint16_t sd_control;
28529bd2886SAlan Wright 	idmap_stat idm_stat;
28629bd2886SAlan Wright 	int idtype;
28729bd2886SAlan Wright 	int flags = 0;
28829bd2886SAlan Wright 
28929bd2886SAlan Wright 	sd_control = sd->sd_control;
29029bd2886SAlan Wright 
29129bd2886SAlan Wright 	/*
29229bd2886SAlan Wright 	 * ZFS only has one set of flags so for now only
29329bd2886SAlan Wright 	 * Windows DACL flags are taken into account.
29429bd2886SAlan Wright 	 */
29529bd2886SAlan Wright 	if (sd_control & SE_DACL_DEFAULTED)
29629bd2886SAlan Wright 		flags |= ACL_DEFAULTED;
29729bd2886SAlan Wright 	if (sd_control & SE_DACL_AUTO_INHERITED)
29829bd2886SAlan Wright 		flags |= ACL_AUTO_INHERIT;
29929bd2886SAlan Wright 	if (sd_control & SE_DACL_PROTECTED)
30029bd2886SAlan Wright 		flags |= ACL_PROTECTED;
30129bd2886SAlan Wright 
30229bd2886SAlan Wright 	if (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR)
30329bd2886SAlan Wright 		flags |= ACL_IS_DIR;
30429bd2886SAlan Wright 
30529bd2886SAlan Wright 	/* Owner */
30629bd2886SAlan Wright 	if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
30729bd2886SAlan Wright 		sid = sd->sd_owner;
30829bd2886SAlan Wright 		if (!smb_sid_isvalid(sid))
30929bd2886SAlan Wright 			return (NT_STATUS_INVALID_SID);
31029bd2886SAlan Wright 
31129bd2886SAlan Wright 		idtype = SMB_IDMAP_USER;
31229bd2886SAlan Wright 		idm_stat = smb_idmap_getid(sid, &fs_sd->sd_uid, &idtype);
31329bd2886SAlan Wright 		if (idm_stat != IDMAP_SUCCESS) {
31429bd2886SAlan Wright 			return (NT_STATUS_NONE_MAPPED);
31529bd2886SAlan Wright 		}
31629bd2886SAlan Wright 	}
31729bd2886SAlan Wright 
31829bd2886SAlan Wright 	/* Group */
31929bd2886SAlan Wright 	if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
32029bd2886SAlan Wright 		sid = sd->sd_group;
32129bd2886SAlan Wright 		if (!smb_sid_isvalid(sid))
32229bd2886SAlan Wright 			return (NT_STATUS_INVALID_SID);
32329bd2886SAlan Wright 
32429bd2886SAlan Wright 		idtype = SMB_IDMAP_GROUP;
32529bd2886SAlan Wright 		idm_stat = smb_idmap_getid(sid, &fs_sd->sd_gid, &idtype);
32629bd2886SAlan Wright 		if (idm_stat != IDMAP_SUCCESS) {
32729bd2886SAlan Wright 			return (NT_STATUS_NONE_MAPPED);
32829bd2886SAlan Wright 		}
32929bd2886SAlan Wright 	}
33029bd2886SAlan Wright 
33129bd2886SAlan Wright 	/* DACL */
33229bd2886SAlan Wright 	if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) {
33329bd2886SAlan Wright 		if (sd->sd_control & SE_DACL_PRESENT) {
33429bd2886SAlan Wright 			status = smb_acl_to_zfs(sd->sd_dacl, flags,
33529bd2886SAlan Wright 			    SMB_DACL_SECINFO, &fs_sd->sd_zdacl);
33629bd2886SAlan Wright 			if (status != NT_STATUS_SUCCESS)
33729bd2886SAlan Wright 				return (status);
33829bd2886SAlan Wright 		}
33929bd2886SAlan Wright 		else
34029bd2886SAlan Wright 			return (NT_STATUS_INVALID_ACL);
34129bd2886SAlan Wright 	}
34229bd2886SAlan Wright 
34329bd2886SAlan Wright 	/* SACL */
34429bd2886SAlan Wright 	if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) {
34529bd2886SAlan Wright 		if (sd->sd_control & SE_SACL_PRESENT) {
34629bd2886SAlan Wright 			status = smb_acl_to_zfs(sd->sd_sacl, flags,
34729bd2886SAlan Wright 			    SMB_SACL_SECINFO, &fs_sd->sd_zsacl);
34829bd2886SAlan Wright 			if (status != NT_STATUS_SUCCESS) {
34929bd2886SAlan Wright 				return (status);
35029bd2886SAlan Wright 			}
35129bd2886SAlan Wright 		} else {
35229bd2886SAlan Wright 			return (NT_STATUS_INVALID_ACL);
35329bd2886SAlan Wright 		}
35429bd2886SAlan Wright 	}
35529bd2886SAlan Wright 
35629bd2886SAlan Wright 	return (status);
35729bd2886SAlan Wright }
35829bd2886SAlan Wright 
35929bd2886SAlan Wright /*
36029bd2886SAlan Wright  * smb_sd_fromfs
36129bd2886SAlan Wright  *
36229bd2886SAlan Wright  * Makes an Windows style security descriptor in absolute form
36329bd2886SAlan Wright  * based on the given filesystem security information.
36429bd2886SAlan Wright  *
36529bd2886SAlan Wright  * Should call smb_sd_term() for the returned sd to free allocated
36629bd2886SAlan Wright  * members.
36729bd2886SAlan Wright  */
368fe1c642dSBill Krier uint32_t
smb_sd_fromfs(smb_fssd_t * fs_sd,smb_sd_t * sd)36929bd2886SAlan Wright smb_sd_fromfs(smb_fssd_t *fs_sd, smb_sd_t *sd)
37029bd2886SAlan Wright {
37129bd2886SAlan Wright 	uint32_t status = NT_STATUS_SUCCESS;
37229bd2886SAlan Wright 	smb_acl_t *acl = NULL;
37329bd2886SAlan Wright 	smb_sid_t *sid;
37429bd2886SAlan Wright 	idmap_stat idm_stat;
37529bd2886SAlan Wright 
37629bd2886SAlan Wright 	assert(fs_sd);
37729bd2886SAlan Wright 	assert(sd);
37829bd2886SAlan Wright 
37929bd2886SAlan Wright 	smb_sd_init(sd, SECURITY_DESCRIPTOR_REVISION);
38029bd2886SAlan Wright 
38129bd2886SAlan Wright 	/* Owner */
38229bd2886SAlan Wright 	if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
38329bd2886SAlan Wright 		idm_stat = smb_idmap_getsid(fs_sd->sd_uid,
38429bd2886SAlan Wright 		    SMB_IDMAP_USER, &sid);
38529bd2886SAlan Wright 
38629bd2886SAlan Wright 		if (idm_stat != IDMAP_SUCCESS) {
38729bd2886SAlan Wright 			smb_sd_term(sd);
38829bd2886SAlan Wright 			return (NT_STATUS_NONE_MAPPED);
38929bd2886SAlan Wright 		}
39029bd2886SAlan Wright 
39129bd2886SAlan Wright 		sd->sd_owner = sid;
39229bd2886SAlan Wright 	}
39329bd2886SAlan Wright 
39429bd2886SAlan Wright 	/* Group */
39529bd2886SAlan Wright 	if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
39629bd2886SAlan Wright 		idm_stat = smb_idmap_getsid(fs_sd->sd_gid,
39729bd2886SAlan Wright 		    SMB_IDMAP_GROUP, &sid);
39829bd2886SAlan Wright 
39929bd2886SAlan Wright 		if (idm_stat != IDMAP_SUCCESS) {
40029bd2886SAlan Wright 			smb_sd_term(sd);
40129bd2886SAlan Wright 			return (NT_STATUS_NONE_MAPPED);
40229bd2886SAlan Wright 		}
40329bd2886SAlan Wright 
40429bd2886SAlan Wright 		sd->sd_group = sid;
40529bd2886SAlan Wright 	}
40629bd2886SAlan Wright 
40729bd2886SAlan Wright 	/* DACL */
40829bd2886SAlan Wright 	if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) {
40929bd2886SAlan Wright 		if (fs_sd->sd_zdacl != NULL) {
410f96bd5c8SAlan Wright 			acl = smb_acl_from_zfs(fs_sd->sd_zdacl);
41129bd2886SAlan Wright 			if (acl == NULL) {
41229bd2886SAlan Wright 				smb_sd_term(sd);
41329bd2886SAlan Wright 				return (NT_STATUS_INTERNAL_ERROR);
41429bd2886SAlan Wright 			}
41529bd2886SAlan Wright 
41629bd2886SAlan Wright 			/*
41729bd2886SAlan Wright 			 * Need to sort the ACL before send it to Windows
41829bd2886SAlan Wright 			 * clients. Winodws GUI is sensitive about the order
41929bd2886SAlan Wright 			 * of ACEs.
42029bd2886SAlan Wright 			 */
42129bd2886SAlan Wright 			smb_acl_sort(acl);
42229bd2886SAlan Wright 			smb_sd_set_dacl(sd, acl, B_TRUE,
42329bd2886SAlan Wright 			    fs_sd->sd_zdacl->acl_flags);
42429bd2886SAlan Wright 		} else {
42529bd2886SAlan Wright 			smb_sd_set_dacl(sd, NULL, B_FALSE, 0);
42629bd2886SAlan Wright 		}
42729bd2886SAlan Wright 	}
42829bd2886SAlan Wright 
42929bd2886SAlan Wright 	/* SACL */
43029bd2886SAlan Wright 	if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) {
43129bd2886SAlan Wright 		if (fs_sd->sd_zsacl != NULL) {
432f96bd5c8SAlan Wright 			acl = smb_acl_from_zfs(fs_sd->sd_zsacl);
43329bd2886SAlan Wright 			if (acl == NULL) {
43429bd2886SAlan Wright 				smb_sd_term(sd);
43529bd2886SAlan Wright 				return (NT_STATUS_INTERNAL_ERROR);
43629bd2886SAlan Wright 			}
43729bd2886SAlan Wright 
43829bd2886SAlan Wright 			smb_sd_set_sacl(sd, acl, B_TRUE,
43929bd2886SAlan Wright 			    fs_sd->sd_zsacl->acl_flags);
44029bd2886SAlan Wright 		} else {
44129bd2886SAlan Wright 			smb_sd_set_sacl(sd, NULL, B_FALSE, 0);
44229bd2886SAlan Wright 		}
44329bd2886SAlan Wright 	}
44429bd2886SAlan Wright 
44529bd2886SAlan Wright 	return (status);
44629bd2886SAlan Wright }
44729bd2886SAlan Wright 
44829bd2886SAlan Wright static void
smb_sd_set_dacl(smb_sd_t * sd,smb_acl_t * acl,boolean_t present,int flags)44929bd2886SAlan Wright smb_sd_set_dacl(smb_sd_t *sd, smb_acl_t *acl, boolean_t present, int flags)
45029bd2886SAlan Wright {
45129bd2886SAlan Wright 	assert((sd->sd_control & SE_SELF_RELATIVE) == 0);
45229bd2886SAlan Wright 
45329bd2886SAlan Wright 	sd->sd_dacl = acl;
45429bd2886SAlan Wright 
45529bd2886SAlan Wright 	if (flags & ACL_DEFAULTED)
45629bd2886SAlan Wright 		sd->sd_control |= SE_DACL_DEFAULTED;
45729bd2886SAlan Wright 	if (flags & ACL_AUTO_INHERIT)
45829bd2886SAlan Wright 		sd->sd_control |= SE_DACL_AUTO_INHERITED;
45929bd2886SAlan Wright 	if (flags & ACL_PROTECTED)
46029bd2886SAlan Wright 		sd->sd_control |= SE_DACL_PROTECTED;
46129bd2886SAlan Wright 
46229bd2886SAlan Wright 	if (present)
46329bd2886SAlan Wright 		sd->sd_control |= SE_DACL_PRESENT;
46429bd2886SAlan Wright }
46529bd2886SAlan Wright 
46629bd2886SAlan Wright static void
smb_sd_set_sacl(smb_sd_t * sd,smb_acl_t * acl,boolean_t present,int flags)46729bd2886SAlan Wright smb_sd_set_sacl(smb_sd_t *sd, smb_acl_t *acl, boolean_t present, int flags)
46829bd2886SAlan Wright {
46929bd2886SAlan Wright 	assert((sd->sd_control & SE_SELF_RELATIVE) == 0);
47029bd2886SAlan Wright 
47129bd2886SAlan Wright 	sd->sd_sacl = acl;
47229bd2886SAlan Wright 
47329bd2886SAlan Wright 	if (flags & ACL_DEFAULTED)
47429bd2886SAlan Wright 		sd->sd_control |= SE_SACL_DEFAULTED;
47529bd2886SAlan Wright 	if (flags & ACL_AUTO_INHERIT)
47629bd2886SAlan Wright 		sd->sd_control |= SE_SACL_AUTO_INHERITED;
47729bd2886SAlan Wright 	if (flags & ACL_PROTECTED)
47829bd2886SAlan Wright 		sd->sd_control |= SE_SACL_PROTECTED;
47929bd2886SAlan Wright 
48029bd2886SAlan Wright 	if (present)
48129bd2886SAlan Wright 		sd->sd_control |= SE_SACL_PRESENT;
48229bd2886SAlan Wright }
48329bd2886SAlan Wright 
48429bd2886SAlan Wright /*
48529bd2886SAlan Wright  * smb_fssd_init
48629bd2886SAlan Wright  *
48729bd2886SAlan Wright  * Initializes the given FS SD structure.
48829bd2886SAlan Wright  */
48929bd2886SAlan Wright void
smb_fssd_init(smb_fssd_t * fs_sd,uint32_t secinfo,uint32_t flags)49029bd2886SAlan Wright smb_fssd_init(smb_fssd_t *fs_sd, uint32_t secinfo, uint32_t flags)
49129bd2886SAlan Wright {
49229bd2886SAlan Wright 	bzero(fs_sd, sizeof (smb_fssd_t));
49329bd2886SAlan Wright 	fs_sd->sd_secinfo = secinfo;
49429bd2886SAlan Wright 	fs_sd->sd_flags = flags;
49529bd2886SAlan Wright }
49629bd2886SAlan Wright 
49729bd2886SAlan Wright /*
49829bd2886SAlan Wright  * smb_fssd_term
49929bd2886SAlan Wright  *
50029bd2886SAlan Wright  * Frees allocated memory for acl fields.
50129bd2886SAlan Wright  */
50229bd2886SAlan Wright void
smb_fssd_term(smb_fssd_t * fs_sd)50329bd2886SAlan Wright smb_fssd_term(smb_fssd_t *fs_sd)
50429bd2886SAlan Wright {
50529bd2886SAlan Wright 	assert(fs_sd);
50629bd2886SAlan Wright 
50729bd2886SAlan Wright 	acl_free(fs_sd->sd_zdacl);
50829bd2886SAlan Wright 	acl_free(fs_sd->sd_zsacl);
50929bd2886SAlan Wright 
51029bd2886SAlan Wright 	bzero(fs_sd, sizeof (smb_fssd_t));
51129bd2886SAlan Wright }
512