1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #include <sys/sid.h> 26 #include <sys/nbmlock.h> 27 #include <smbsrv/smb_fsops.h> 28 #include <smbsrv/smb_kproto.h> 29 #include <acl/acl_common.h> 30 #include <sys/fcntl.h> 31 #include <sys/flock.h> 32 #include <fs/fs_subr.h> 33 34 extern caller_context_t smb_ct; 35 36 extern int smb_fem_oplock_install(smb_node_t *); 37 extern void smb_fem_oplock_uninstall(smb_node_t *); 38 39 extern int smb_vop_other_opens(vnode_t *, int); 40 41 static int smb_fsop_create_stream(smb_request_t *, cred_t *, smb_node_t *, 42 char *, char *, int, smb_attr_t *, smb_node_t **); 43 44 static int smb_fsop_create_file(smb_request_t *, cred_t *, smb_node_t *, 45 char *, int, smb_attr_t *, smb_node_t **); 46 47 static int smb_fsop_create_with_sd(smb_request_t *, cred_t *, smb_node_t *, 48 char *, smb_attr_t *, smb_node_t **, smb_fssd_t *); 49 50 static int smb_fsop_sdinherit(smb_request_t *, smb_node_t *, smb_fssd_t *); 51 52 /* 53 * The smb_fsop_* functions have knowledge of CIFS semantics. 54 * 55 * The smb_vop_* functions have minimal knowledge of CIFS semantics and 56 * serve as an interface to the VFS layer. 57 * 58 * Hence, smb_request_t and smb_node_t structures should not be passed 59 * from the smb_fsop_* layer to the smb_vop_* layer. 60 * 61 * In general, CIFS service code should only ever call smb_fsop_* 62 * functions directly, and never smb_vop_* functions directly. 63 * 64 * smb_fsop_* functions should call smb_vop_* functions where possible, instead 65 * of their smb_fsop_* counterparts. However, there are times when 66 * this cannot be avoided. 67 */ 68 69 /* 70 * Note: Stream names cannot be mangled. 71 */ 72 73 /* 74 * smb_fsop_amask_to_omode 75 * 76 * Convert the access mask to the open mode (for use 77 * with the VOP_OPEN call). 78 * 79 * Note that opening a file for attribute only access 80 * will also translate into an FREAD or FWRITE open mode 81 * (i.e., it's not just for data). 82 * 83 * This is needed so that opens are tracked appropriately 84 * for oplock processing. 85 */ 86 87 int 88 smb_fsop_amask_to_omode(uint32_t access) 89 { 90 int mode = 0; 91 92 if (access & (FILE_READ_DATA | FILE_EXECUTE | 93 FILE_READ_ATTRIBUTES | FILE_READ_EA)) 94 mode |= FREAD; 95 96 if (access & (FILE_WRITE_DATA | FILE_APPEND_DATA | 97 FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA)) 98 mode |= FWRITE; 99 100 if (access & FILE_APPEND_DATA) 101 mode |= FAPPEND; 102 103 return (mode); 104 } 105 106 int 107 smb_fsop_open(smb_node_t *node, int mode, cred_t *cred) 108 { 109 /* 110 * Assuming that the same vnode is returned as we had before. 111 * (I.e., with certain types of files or file systems, a 112 * different vnode might be returned by VOP_OPEN) 113 */ 114 return (smb_vop_open(&node->vp, mode, cred)); 115 } 116 117 void 118 smb_fsop_close(smb_node_t *node, int mode, cred_t *cred) 119 { 120 smb_vop_close(node->vp, mode, cred); 121 } 122 123 int 124 smb_fsop_oplock_install(smb_node_t *node, int mode) 125 { 126 int rc; 127 128 if (smb_vop_other_opens(node->vp, mode)) 129 return (EMFILE); 130 131 if ((rc = smb_fem_oplock_install(node))) 132 return (rc); 133 134 if (smb_vop_other_opens(node->vp, mode)) { 135 (void) smb_fem_oplock_uninstall(node); 136 return (EMFILE); 137 } 138 139 return (0); 140 } 141 142 void 143 smb_fsop_oplock_uninstall(smb_node_t *node) 144 { 145 smb_fem_oplock_uninstall(node); 146 } 147 148 static int 149 smb_fsop_create_with_sd(smb_request_t *sr, cred_t *cr, 150 smb_node_t *dnode, char *name, 151 smb_attr_t *attr, smb_node_t **ret_snode, smb_fssd_t *fs_sd) 152 { 153 vsecattr_t *vsap; 154 vsecattr_t vsecattr; 155 acl_t *acl, *dacl, *sacl; 156 smb_attr_t set_attr; 157 vnode_t *vp; 158 int aclbsize = 0; /* size of acl list in bytes */ 159 int flags = 0; 160 int rc; 161 boolean_t is_dir; 162 163 ASSERT(fs_sd); 164 165 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 166 flags = SMB_IGNORE_CASE; 167 if (SMB_TREE_SUPPORTS_CATIA(sr)) 168 flags |= SMB_CATIA; 169 170 ASSERT(cr); 171 172 is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0); 173 174 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACLONCREATE)) { 175 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 176 dacl = fs_sd->sd_zdacl; 177 sacl = fs_sd->sd_zsacl; 178 ASSERT(dacl || sacl); 179 if (dacl && sacl) { 180 acl = smb_fsacl_merge(dacl, sacl); 181 } else if (dacl) { 182 acl = dacl; 183 } else { 184 acl = sacl; 185 } 186 187 rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize); 188 189 if (dacl && sacl) 190 acl_free(acl); 191 192 if (rc != 0) 193 return (rc); 194 195 vsap = &vsecattr; 196 } else { 197 vsap = NULL; 198 } 199 200 /* The tree ACEs may prevent a create */ 201 rc = EACCES; 202 if (is_dir) { 203 if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_SUBDIRECTORY) != 0) 204 rc = smb_vop_mkdir(dnode->vp, name, attr, 205 &vp, flags, cr, vsap); 206 } else { 207 if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_FILE) != 0) 208 rc = smb_vop_create(dnode->vp, name, attr, 209 &vp, flags, cr, vsap); 210 } 211 212 if (vsap != NULL) 213 kmem_free(vsap->vsa_aclentp, aclbsize); 214 215 if (rc != 0) 216 return (rc); 217 218 set_attr.sa_mask = 0; 219 220 /* 221 * Ideally we should be able to specify the owner and owning 222 * group at create time along with the ACL. Since we cannot 223 * do that right now, kcred is passed to smb_vop_setattr so it 224 * doesn't fail due to lack of permission. 225 */ 226 if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) { 227 set_attr.sa_vattr.va_uid = fs_sd->sd_uid; 228 set_attr.sa_mask |= SMB_AT_UID; 229 } 230 231 if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) { 232 set_attr.sa_vattr.va_gid = fs_sd->sd_gid; 233 set_attr.sa_mask |= SMB_AT_GID; 234 } 235 236 if (set_attr.sa_mask) 237 rc = smb_vop_setattr(vp, NULL, &set_attr, 0, kcred); 238 239 if (rc == 0) { 240 *ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, 241 name, dnode, NULL); 242 243 if (*ret_snode == NULL) 244 rc = ENOMEM; 245 246 VN_RELE(vp); 247 } 248 } else { 249 /* 250 * For filesystems that don't support ACL-on-create, try 251 * to set the specified SD after create, which could actually 252 * fail because of conflicts between inherited security 253 * attributes upon creation and the specified SD. 254 * 255 * Passing kcred to smb_fsop_sdwrite() to overcome this issue. 256 */ 257 258 if (is_dir) { 259 rc = smb_vop_mkdir(dnode->vp, name, attr, &vp, 260 flags, cr, NULL); 261 } else { 262 rc = smb_vop_create(dnode->vp, name, attr, &vp, 263 flags, cr, NULL); 264 } 265 266 if (rc != 0) 267 return (rc); 268 269 *ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, 270 name, dnode, NULL); 271 272 if (*ret_snode != NULL) { 273 if (!smb_tree_has_feature(sr->tid_tree, 274 SMB_TREE_NFS_MOUNTED)) 275 rc = smb_fsop_sdwrite(sr, kcred, *ret_snode, 276 fs_sd, 1); 277 } else { 278 rc = ENOMEM; 279 } 280 281 VN_RELE(vp); 282 } 283 284 if (rc != 0) { 285 if (is_dir) 286 (void) smb_vop_rmdir(dnode->vp, name, flags, cr); 287 else 288 (void) smb_vop_remove(dnode->vp, name, flags, cr); 289 } 290 291 return (rc); 292 } 293 294 /* 295 * smb_fsop_create 296 * 297 * All SMB functions should use this wrapper to ensure that 298 * all the smb_vop_creates are performed with the appropriate credentials. 299 * Please document any direct calls to explain the reason for avoiding 300 * this wrapper. 301 * 302 * *ret_snode is returned with a reference upon success. No reference is 303 * taken if an error is returned. 304 */ 305 int 306 smb_fsop_create(smb_request_t *sr, cred_t *cr, smb_node_t *dnode, 307 char *name, smb_attr_t *attr, smb_node_t **ret_snode) 308 { 309 int rc = 0; 310 int flags = 0; 311 char *fname, *sname; 312 char *longname = NULL; 313 314 ASSERT(cr); 315 ASSERT(dnode); 316 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 317 ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING); 318 319 ASSERT(ret_snode); 320 *ret_snode = 0; 321 322 ASSERT(name); 323 if (*name == 0) 324 return (EINVAL); 325 326 ASSERT(sr); 327 ASSERT(sr->tid_tree); 328 329 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0) 330 return (EACCES); 331 332 if (SMB_TREE_IS_READONLY(sr)) 333 return (EROFS); 334 335 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 336 flags = SMB_IGNORE_CASE; 337 if (SMB_TREE_SUPPORTS_CATIA(sr)) 338 flags |= SMB_CATIA; 339 if (SMB_TREE_SUPPORTS_ABE(sr)) 340 flags |= SMB_ABE; 341 342 if (smb_is_stream_name(name)) { 343 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 344 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 345 smb_stream_parse_name(name, fname, sname); 346 347 rc = smb_fsop_create_stream(sr, cr, dnode, 348 fname, sname, flags, attr, ret_snode); 349 350 kmem_free(fname, MAXNAMELEN); 351 kmem_free(sname, MAXNAMELEN); 352 return (rc); 353 } 354 355 /* Not a named stream */ 356 357 if (smb_maybe_mangled(name)) { 358 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 359 rc = smb_unmangle(dnode, name, longname, MAXNAMELEN, flags); 360 kmem_free(longname, MAXNAMELEN); 361 362 if (rc == 0) 363 rc = EEXIST; 364 if (rc != ENOENT) 365 return (rc); 366 } 367 368 rc = smb_fsop_create_file(sr, cr, dnode, name, flags, 369 attr, ret_snode); 370 return (rc); 371 372 } 373 374 375 /* 376 * smb_fsop_create_stream 377 * 378 * Create NTFS named stream file (sname) on unnamed stream 379 * file (fname), creating the unnamed stream file if it 380 * doesn't exist. 381 * If we created the unnamed stream file and then creation 382 * of the named stream file fails, we delete the unnamed stream. 383 * Since we use the real file name for the smb_vop_remove we 384 * clear the SMB_IGNORE_CASE flag to ensure a case sensitive 385 * match. 386 * 387 * The second parameter of smb_vop_setattr() is set to 388 * NULL, even though an unnamed stream exists. This is 389 * because we want to set the UID and GID on the named 390 * stream in this case for consistency with the (unnamed 391 * stream) file (see comments for smb_vop_setattr()). 392 */ 393 static int 394 smb_fsop_create_stream(smb_request_t *sr, cred_t *cr, 395 smb_node_t *dnode, char *fname, char *sname, int flags, 396 smb_attr_t *attr, smb_node_t **ret_snode) 397 { 398 smb_node_t *fnode; 399 smb_attr_t fattr; 400 vnode_t *xattrdvp; 401 vnode_t *vp; 402 int rc = 0; 403 boolean_t fcreate = B_FALSE; 404 405 /* Look up / create the unnamed stream, fname */ 406 rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS, 407 sr->tid_tree->t_snode, dnode, fname, &fnode); 408 if (rc == ENOENT) { 409 fcreate = B_TRUE; 410 rc = smb_fsop_create_file(sr, cr, dnode, fname, flags, 411 attr, &fnode); 412 } 413 if (rc != 0) 414 return (rc); 415 416 fattr.sa_mask = SMB_AT_UID | SMB_AT_GID; 417 rc = smb_vop_getattr(fnode->vp, NULL, &fattr, 0, kcred); 418 419 if (rc == 0) { 420 /* create the named stream, sname */ 421 rc = smb_vop_stream_create(fnode->vp, sname, attr, 422 &vp, &xattrdvp, flags, cr); 423 } 424 if (rc != 0) { 425 if (fcreate) { 426 flags &= ~SMB_IGNORE_CASE; 427 (void) smb_vop_remove(dnode->vp, 428 fnode->od_name, flags, cr); 429 } 430 smb_node_release(fnode); 431 return (rc); 432 } 433 434 attr->sa_vattr.va_uid = fattr.sa_vattr.va_uid; 435 attr->sa_vattr.va_gid = fattr.sa_vattr.va_gid; 436 attr->sa_mask = SMB_AT_UID | SMB_AT_GID; 437 438 rc = smb_vop_setattr(vp, NULL, attr, 0, kcred); 439 if (rc != 0) { 440 smb_node_release(fnode); 441 return (rc); 442 } 443 444 *ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdvp, 445 vp, sname); 446 447 smb_node_release(fnode); 448 VN_RELE(xattrdvp); 449 VN_RELE(vp); 450 451 if (*ret_snode == NULL) 452 rc = ENOMEM; 453 454 /* notify change to the unnamed stream */ 455 if (rc == 0) 456 smb_node_notify_change(dnode); 457 458 return (rc); 459 } 460 461 /* 462 * smb_fsop_create_file 463 */ 464 static int 465 smb_fsop_create_file(smb_request_t *sr, cred_t *cr, 466 smb_node_t *dnode, char *name, int flags, 467 smb_attr_t *attr, smb_node_t **ret_snode) 468 { 469 smb_arg_open_t *op = &sr->sr_open; 470 vnode_t *vp; 471 smb_fssd_t fs_sd; 472 uint32_t secinfo; 473 uint32_t status; 474 int rc = 0; 475 476 if (op->sd) { 477 /* 478 * SD sent by client in Windows format. Needs to be 479 * converted to FS format. No inheritance. 480 */ 481 secinfo = smb_sd_get_secinfo(op->sd); 482 smb_fssd_init(&fs_sd, secinfo, 0); 483 484 status = smb_sd_tofs(op->sd, &fs_sd); 485 if (status == NT_STATUS_SUCCESS) { 486 rc = smb_fsop_create_with_sd(sr, cr, dnode, 487 name, attr, ret_snode, &fs_sd); 488 } else { 489 rc = EINVAL; 490 } 491 smb_fssd_term(&fs_sd); 492 } else if (sr->tid_tree->t_acltype == ACE_T) { 493 /* 494 * No incoming SD and filesystem is ZFS 495 * Server applies Windows inheritance rules, 496 * see smb_fsop_sdinherit() comments as to why. 497 */ 498 smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, 0); 499 rc = smb_fsop_sdinherit(sr, dnode, &fs_sd); 500 if (rc == 0) { 501 rc = smb_fsop_create_with_sd(sr, cr, dnode, 502 name, attr, ret_snode, &fs_sd); 503 } 504 505 smb_fssd_term(&fs_sd); 506 } else { 507 /* 508 * No incoming SD and filesystem is not ZFS 509 * let the filesystem handles the inheritance. 510 */ 511 rc = smb_vop_create(dnode->vp, name, attr, &vp, 512 flags, cr, NULL); 513 514 if (rc == 0) { 515 *ret_snode = smb_node_lookup(sr, op, cr, vp, 516 name, dnode, NULL); 517 518 if (*ret_snode == NULL) 519 rc = ENOMEM; 520 521 VN_RELE(vp); 522 } 523 524 } 525 526 if (rc == 0) 527 smb_node_notify_parents(dnode); 528 529 return (rc); 530 } 531 532 /* 533 * smb_fsop_mkdir 534 * 535 * All SMB functions should use this wrapper to ensure that 536 * the the calls are performed with the appropriate credentials. 537 * Please document any direct call to explain the reason 538 * for avoiding this wrapper. 539 * 540 * It is assumed that a reference exists on snode coming into this routine. 541 * 542 * *ret_snode is returned with a reference upon success. No reference is 543 * taken if an error is returned. 544 */ 545 int 546 smb_fsop_mkdir( 547 smb_request_t *sr, 548 cred_t *cr, 549 smb_node_t *dnode, 550 char *name, 551 smb_attr_t *attr, 552 smb_node_t **ret_snode) 553 { 554 struct open_param *op = &sr->arg.open; 555 char *longname; 556 vnode_t *vp; 557 int flags = 0; 558 smb_fssd_t fs_sd; 559 uint32_t secinfo; 560 uint32_t status; 561 int rc; 562 ASSERT(cr); 563 ASSERT(dnode); 564 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 565 ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING); 566 567 ASSERT(ret_snode); 568 *ret_snode = 0; 569 570 ASSERT(name); 571 if (*name == 0) 572 return (EINVAL); 573 574 ASSERT(sr); 575 ASSERT(sr->tid_tree); 576 577 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0) 578 return (EACCES); 579 580 if (SMB_TREE_IS_READONLY(sr)) 581 return (EROFS); 582 if (SMB_TREE_SUPPORTS_CATIA(sr)) 583 flags |= SMB_CATIA; 584 if (SMB_TREE_SUPPORTS_ABE(sr)) 585 flags |= SMB_ABE; 586 587 if (smb_maybe_mangled(name)) { 588 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 589 rc = smb_unmangle(dnode, name, longname, MAXNAMELEN, flags); 590 kmem_free(longname, MAXNAMELEN); 591 592 /* 593 * If the name passed in by the client has an unmangled 594 * equivalent that is found in the specified directory, 595 * then the mkdir cannot succeed. Return EEXIST. 596 * 597 * Only if ENOENT is returned will a mkdir be attempted. 598 */ 599 600 if (rc == 0) 601 rc = EEXIST; 602 603 if (rc != ENOENT) 604 return (rc); 605 } 606 607 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 608 flags = SMB_IGNORE_CASE; 609 610 if (op->sd) { 611 /* 612 * SD sent by client in Windows format. Needs to be 613 * converted to FS format. No inheritance. 614 */ 615 secinfo = smb_sd_get_secinfo(op->sd); 616 smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR); 617 618 status = smb_sd_tofs(op->sd, &fs_sd); 619 if (status == NT_STATUS_SUCCESS) { 620 rc = smb_fsop_create_with_sd(sr, cr, dnode, 621 name, attr, ret_snode, &fs_sd); 622 } 623 else 624 rc = EINVAL; 625 smb_fssd_term(&fs_sd); 626 } else if (sr->tid_tree->t_acltype == ACE_T) { 627 /* 628 * No incoming SD and filesystem is ZFS 629 * Server applies Windows inheritance rules, 630 * see smb_fsop_sdinherit() comments as to why. 631 */ 632 smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, SMB_FSSD_FLAGS_DIR); 633 rc = smb_fsop_sdinherit(sr, dnode, &fs_sd); 634 if (rc == 0) { 635 rc = smb_fsop_create_with_sd(sr, cr, dnode, 636 name, attr, ret_snode, &fs_sd); 637 } 638 639 smb_fssd_term(&fs_sd); 640 641 } else { 642 rc = smb_vop_mkdir(dnode->vp, name, attr, &vp, flags, cr, 643 NULL); 644 645 if (rc == 0) { 646 *ret_snode = smb_node_lookup(sr, op, cr, vp, name, 647 dnode, NULL); 648 649 if (*ret_snode == NULL) 650 rc = ENOMEM; 651 652 VN_RELE(vp); 653 } 654 } 655 656 if (rc == 0) 657 smb_node_notify_parents(dnode); 658 659 return (rc); 660 } 661 662 /* 663 * smb_fsop_remove 664 * 665 * All SMB functions should use this wrapper to ensure that 666 * the the calls are performed with the appropriate credentials. 667 * Please document any direct call to explain the reason 668 * for avoiding this wrapper. 669 * 670 * It is assumed that a reference exists on snode coming into this routine. 671 * 672 * A null smb_request might be passed to this function. 673 */ 674 int 675 smb_fsop_remove( 676 smb_request_t *sr, 677 cred_t *cr, 678 smb_node_t *dnode, 679 char *name, 680 uint32_t flags) 681 { 682 smb_node_t *fnode; 683 char *longname; 684 char *fname; 685 char *sname; 686 int rc; 687 688 ASSERT(cr); 689 /* 690 * The state of the node could be SMB_NODE_STATE_DESTROYING if this 691 * function is called during the deletion of the node (because of 692 * DELETE_ON_CLOSE). 693 */ 694 ASSERT(dnode); 695 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 696 697 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 || 698 SMB_TREE_HAS_ACCESS(sr, ACE_DELETE) == 0) 699 return (EACCES); 700 701 if (SMB_TREE_IS_READONLY(sr)) 702 return (EROFS); 703 704 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 705 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 706 707 if (dnode->flags & NODE_XATTR_DIR) { 708 fnode = dnode->n_dnode; 709 rc = smb_vop_stream_remove(fnode->vp, name, flags, cr); 710 711 /* notify change to the unnamed stream */ 712 if ((rc == 0) && fnode->n_dnode) 713 smb_node_notify_change(fnode->n_dnode); 714 715 } else if (smb_is_stream_name(name)) { 716 smb_stream_parse_name(name, fname, sname); 717 718 /* 719 * Look up the unnamed stream (i.e. fname). 720 * Unmangle processing will be done on fname 721 * as well as any link target. 722 */ 723 724 rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS, 725 sr->tid_tree->t_snode, dnode, fname, &fnode); 726 727 if (rc != 0) { 728 kmem_free(fname, MAXNAMELEN); 729 kmem_free(sname, MAXNAMELEN); 730 return (rc); 731 } 732 733 /* 734 * XXX 735 * Need to find out what permission is required by NTFS 736 * to remove a stream. 737 */ 738 rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr); 739 740 smb_node_release(fnode); 741 742 /* notify change to the unnamed stream */ 743 if (rc == 0) 744 smb_node_notify_change(dnode); 745 } else { 746 rc = smb_vop_remove(dnode->vp, name, flags, cr); 747 748 if (rc == ENOENT) { 749 if (!smb_maybe_mangled(name)) { 750 kmem_free(fname, MAXNAMELEN); 751 kmem_free(sname, MAXNAMELEN); 752 return (rc); 753 } 754 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 755 756 if (SMB_TREE_SUPPORTS_ABE(sr)) 757 flags |= SMB_ABE; 758 759 rc = smb_unmangle(dnode, name, longname, MAXNAMELEN, 760 flags); 761 762 if (rc == 0) { 763 /* 764 * longname is the real (case-sensitive) 765 * on-disk name. 766 * We make sure we do a remove on this exact 767 * name, as the name was mangled and denotes 768 * a unique file. 769 */ 770 flags &= ~SMB_IGNORE_CASE; 771 rc = smb_vop_remove(dnode->vp, longname, 772 flags, cr); 773 } 774 775 if (rc == 0) 776 smb_node_notify_parents(dnode); 777 778 kmem_free(longname, MAXNAMELEN); 779 } 780 } 781 782 kmem_free(fname, MAXNAMELEN); 783 kmem_free(sname, MAXNAMELEN); 784 785 return (rc); 786 } 787 788 /* 789 * smb_fsop_remove_streams 790 * 791 * This function removes a file's streams without removing the 792 * file itself. 793 * 794 * It is assumed that fnode is not a link. 795 */ 796 int 797 smb_fsop_remove_streams(smb_request_t *sr, cred_t *cr, smb_node_t *fnode) 798 { 799 int rc, flags = 0; 800 uint16_t odid; 801 smb_odir_t *od; 802 smb_odirent_t *odirent; 803 boolean_t eos; 804 805 ASSERT(sr); 806 ASSERT(cr); 807 ASSERT(fnode); 808 ASSERT(fnode->n_magic == SMB_NODE_MAGIC); 809 ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING); 810 811 if (SMB_TREE_CONTAINS_NODE(sr, fnode) == 0) { 812 smbsr_errno(sr, EACCES); 813 return (-1); 814 } 815 816 if (SMB_TREE_IS_READONLY(sr)) { 817 smbsr_errno(sr, EROFS); 818 return (-1); 819 } 820 821 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 822 flags = SMB_IGNORE_CASE; 823 824 if (SMB_TREE_SUPPORTS_CATIA(sr)) 825 flags |= SMB_CATIA; 826 827 if ((odid = smb_odir_openat(sr, fnode)) == 0) { 828 smbsr_errno(sr, ENOENT); 829 return (-1); 830 } 831 832 if ((od = smb_tree_lookup_odir(sr->tid_tree, odid)) == NULL) { 833 smbsr_errno(sr, ENOENT); 834 return (-1); 835 } 836 837 odirent = kmem_alloc(sizeof (smb_odirent_t), KM_SLEEP); 838 for (;;) { 839 rc = smb_odir_read(sr, od, odirent, &eos); 840 if ((rc != 0) || (eos)) 841 break; 842 (void) smb_vop_remove(od->d_dnode->vp, odirent->od_name, 843 flags, cr); 844 } 845 kmem_free(odirent, sizeof (smb_odirent_t)); 846 847 smb_odir_close(od); 848 smb_odir_release(od); 849 return (rc); 850 } 851 852 /* 853 * smb_fsop_rmdir 854 * 855 * All SMB functions should use this wrapper to ensure that 856 * the the calls are performed with the appropriate credentials. 857 * Please document any direct call to explain the reason 858 * for avoiding this wrapper. 859 * 860 * It is assumed that a reference exists on snode coming into this routine. 861 */ 862 int 863 smb_fsop_rmdir( 864 smb_request_t *sr, 865 cred_t *cr, 866 smb_node_t *dnode, 867 char *name, 868 uint32_t flags) 869 { 870 int rc; 871 char *longname; 872 873 ASSERT(cr); 874 /* 875 * The state of the node could be SMB_NODE_STATE_DESTROYING if this 876 * function is called during the deletion of the node (because of 877 * DELETE_ON_CLOSE). 878 */ 879 ASSERT(dnode); 880 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 881 882 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 || 883 SMB_TREE_HAS_ACCESS(sr, ACE_DELETE_CHILD) == 0) 884 return (EACCES); 885 886 if (SMB_TREE_IS_READONLY(sr)) 887 return (EROFS); 888 889 rc = smb_vop_rmdir(dnode->vp, name, flags, cr); 890 891 if (rc == ENOENT) { 892 if (!smb_maybe_mangled(name)) 893 return (rc); 894 895 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 896 897 if (SMB_TREE_SUPPORTS_ABE(sr)) 898 flags |= SMB_ABE; 899 rc = smb_unmangle(dnode, name, longname, MAXNAMELEN, flags); 900 901 if (rc == 0) { 902 /* 903 * longname is the real (case-sensitive) 904 * on-disk name. 905 * We make sure we do a rmdir on this exact 906 * name, as the name was mangled and denotes 907 * a unique directory. 908 */ 909 flags &= ~SMB_IGNORE_CASE; 910 rc = smb_vop_rmdir(dnode->vp, longname, flags, cr); 911 } 912 913 kmem_free(longname, MAXNAMELEN); 914 } 915 916 if (rc == 0) 917 smb_node_notify_parents(dnode); 918 919 return (rc); 920 } 921 922 /* 923 * smb_fsop_getattr 924 * 925 * All SMB functions should use this wrapper to ensure that 926 * the the calls are performed with the appropriate credentials. 927 * Please document any direct call to explain the reason 928 * for avoiding this wrapper. 929 * 930 * It is assumed that a reference exists on snode coming into this routine. 931 */ 932 int 933 smb_fsop_getattr(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 934 smb_attr_t *attr) 935 { 936 smb_node_t *unnamed_node; 937 vnode_t *unnamed_vp = NULL; 938 uint32_t status; 939 uint32_t access = 0; 940 int flags = 0; 941 int rc; 942 943 ASSERT(cr); 944 ASSERT(snode); 945 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 946 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 947 948 if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0 || 949 SMB_TREE_HAS_ACCESS(sr, ACE_READ_ATTRIBUTES) == 0) 950 return (EACCES); 951 952 /* sr could be NULL in some cases */ 953 if (sr && sr->fid_ofile) { 954 /* if uid and/or gid is requested */ 955 if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID)) 956 access |= READ_CONTROL; 957 958 /* if anything else is also requested */ 959 if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID)) 960 access |= FILE_READ_ATTRIBUTES; 961 962 status = smb_ofile_access(sr->fid_ofile, cr, access); 963 if (status != NT_STATUS_SUCCESS) 964 return (EACCES); 965 966 if (smb_tree_has_feature(sr->tid_tree, 967 SMB_TREE_ACEMASKONACCESS)) 968 flags = ATTR_NOACLCHECK; 969 } 970 971 unnamed_node = SMB_IS_STREAM(snode); 972 973 if (unnamed_node) { 974 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 975 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 976 unnamed_vp = unnamed_node->vp; 977 } 978 979 rc = smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr); 980 981 if ((rc == 0) && smb_node_is_dfslink(snode)) { 982 /* a DFS link should be treated as a directory */ 983 attr->sa_dosattr |= FILE_ATTRIBUTE_DIRECTORY; 984 } 985 986 return (rc); 987 } 988 989 /* 990 * smb_fsop_link 991 * 992 * All SMB functions should use this smb_vop_link wrapper to ensure that 993 * the smb_vop_link is performed with the appropriate credentials. 994 * Please document any direct call to smb_vop_link to explain the reason 995 * for avoiding this wrapper. 996 * 997 * It is assumed that references exist on from_dnode and to_dnode coming 998 * into this routine. 999 */ 1000 int 1001 smb_fsop_link(smb_request_t *sr, cred_t *cr, smb_node_t *from_fnode, 1002 smb_node_t *to_dnode, char *to_name) 1003 { 1004 char *longname = NULL; 1005 int flags = 0; 1006 int rc; 1007 1008 ASSERT(sr); 1009 ASSERT(sr->tid_tree); 1010 ASSERT(cr); 1011 ASSERT(to_dnode); 1012 ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC); 1013 ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING); 1014 ASSERT(from_fnode); 1015 ASSERT(from_fnode->n_magic == SMB_NODE_MAGIC); 1016 ASSERT(from_fnode->n_state != SMB_NODE_STATE_DESTROYING); 1017 1018 if (SMB_TREE_CONTAINS_NODE(sr, from_fnode) == 0) 1019 return (EACCES); 1020 1021 if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0) 1022 return (EACCES); 1023 1024 if (SMB_TREE_IS_READONLY(sr)) 1025 return (EROFS); 1026 1027 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1028 flags = SMB_IGNORE_CASE; 1029 if (SMB_TREE_SUPPORTS_CATIA(sr)) 1030 flags |= SMB_CATIA; 1031 if (SMB_TREE_SUPPORTS_ABE(sr)) 1032 flags |= SMB_ABE; 1033 1034 if (smb_maybe_mangled(to_name)) { 1035 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1036 rc = smb_unmangle(to_dnode, to_name, longname, 1037 MAXNAMELEN, flags); 1038 kmem_free(longname, MAXNAMELEN); 1039 1040 if (rc == 0) 1041 rc = EEXIST; 1042 if (rc != ENOENT) 1043 return (rc); 1044 } 1045 1046 rc = smb_vop_link(to_dnode->vp, from_fnode->vp, to_name, flags, cr); 1047 1048 if ((rc == 0) && from_fnode->n_dnode) 1049 smb_node_notify_parents(from_fnode->n_dnode); 1050 1051 return (rc); 1052 } 1053 1054 /* 1055 * smb_fsop_rename 1056 * 1057 * All SMB functions should use this smb_vop_rename wrapper to ensure that 1058 * the smb_vop_rename is performed with the appropriate credentials. 1059 * Please document any direct call to smb_vop_rename to explain the reason 1060 * for avoiding this wrapper. 1061 * 1062 * It is assumed that references exist on from_dnode and to_dnode coming 1063 * into this routine. 1064 */ 1065 int 1066 smb_fsop_rename( 1067 smb_request_t *sr, 1068 cred_t *cr, 1069 smb_node_t *from_dnode, 1070 char *from_name, 1071 smb_node_t *to_dnode, 1072 char *to_name) 1073 { 1074 smb_node_t *from_snode; 1075 smb_attr_t from_attr; 1076 vnode_t *from_vp; 1077 int flags = 0, ret_flags; 1078 int rc; 1079 boolean_t isdir; 1080 1081 ASSERT(cr); 1082 ASSERT(from_dnode); 1083 ASSERT(from_dnode->n_magic == SMB_NODE_MAGIC); 1084 ASSERT(from_dnode->n_state != SMB_NODE_STATE_DESTROYING); 1085 1086 ASSERT(to_dnode); 1087 ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC); 1088 ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING); 1089 1090 if (SMB_TREE_CONTAINS_NODE(sr, from_dnode) == 0) 1091 return (EACCES); 1092 1093 if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0) 1094 return (EACCES); 1095 1096 ASSERT(sr); 1097 ASSERT(sr->tid_tree); 1098 if (SMB_TREE_IS_READONLY(sr)) 1099 return (EROFS); 1100 1101 /* 1102 * Note: There is no need to check SMB_TREE_IS_CASEINSENSITIVE 1103 * here. 1104 * 1105 * A case-sensitive rename is always done in this routine 1106 * because we are using the on-disk name from an earlier lookup. 1107 * If a mangled name was passed in by the caller (denoting a 1108 * deterministic lookup), then the exact file must be renamed 1109 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or 1110 * else the underlying file system might return a "first-match" 1111 * on this on-disk name, possibly resulting in the wrong file). 1112 */ 1113 1114 if (SMB_TREE_SUPPORTS_CATIA(sr)) 1115 flags |= SMB_CATIA; 1116 1117 /* 1118 * XXX: Lock required through smb_node_release() below? 1119 */ 1120 1121 rc = smb_vop_lookup(from_dnode->vp, from_name, &from_vp, NULL, 1122 flags, &ret_flags, NULL, &from_attr, cr); 1123 1124 if (rc != 0) 1125 return (rc); 1126 1127 if (from_attr.sa_dosattr & FILE_ATTRIBUTE_REPARSE_POINT) { 1128 VN_RELE(from_vp); 1129 return (EACCES); 1130 } 1131 1132 isdir = ((from_attr.sa_dosattr & FILE_ATTRIBUTE_DIRECTORY) != 0); 1133 1134 if ((isdir && SMB_TREE_HAS_ACCESS(sr, 1135 ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY) != 1136 (ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY)) || 1137 (!isdir && SMB_TREE_HAS_ACCESS(sr, ACE_DELETE | ACE_ADD_FILE) != 1138 (ACE_DELETE | ACE_ADD_FILE))) { 1139 VN_RELE(from_vp); 1140 return (EACCES); 1141 } 1142 1143 /* 1144 * SMB checks access on open and retains an access granted 1145 * mask for use while the file is open. ACL changes should 1146 * not affect access to an open file. 1147 * 1148 * If the rename is being performed on an ofile: 1149 * - Check the ofile's access granted mask to see if the 1150 * rename is permitted - requires DELETE access. 1151 * - If the file system does access checking, set the 1152 * ATTR_NOACLCHECK flag to ensure that the file system 1153 * does not check permissions on subsequent calls. 1154 */ 1155 if (sr && sr->fid_ofile) { 1156 rc = smb_ofile_access(sr->fid_ofile, cr, DELETE); 1157 if (rc != NT_STATUS_SUCCESS) { 1158 VN_RELE(from_vp); 1159 return (EACCES); 1160 } 1161 1162 if (smb_tree_has_feature(sr->tid_tree, 1163 SMB_TREE_ACEMASKONACCESS)) 1164 flags = ATTR_NOACLCHECK; 1165 } 1166 1167 rc = smb_vop_rename(from_dnode->vp, from_name, to_dnode->vp, 1168 to_name, flags, cr); 1169 1170 if (rc == 0) { 1171 from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name, 1172 from_dnode, NULL); 1173 1174 if (from_snode == NULL) { 1175 rc = ENOMEM; 1176 } else { 1177 smb_node_rename(from_dnode, from_snode, 1178 to_dnode, to_name); 1179 smb_node_release(from_snode); 1180 } 1181 } 1182 VN_RELE(from_vp); 1183 1184 if (rc == 0) 1185 smb_node_notify_parents(from_dnode); 1186 1187 /* XXX: unlock */ 1188 1189 return (rc); 1190 } 1191 1192 /* 1193 * smb_fsop_setattr 1194 * 1195 * All SMB functions should use this wrapper to ensure that 1196 * the the calls are performed with the appropriate credentials. 1197 * Please document any direct call to explain the reason 1198 * for avoiding this wrapper. 1199 * 1200 * It is assumed that a reference exists on snode coming into 1201 * this function. 1202 * A null smb_request might be passed to this function. 1203 */ 1204 int 1205 smb_fsop_setattr( 1206 smb_request_t *sr, 1207 cred_t *cr, 1208 smb_node_t *snode, 1209 smb_attr_t *set_attr) 1210 { 1211 smb_node_t *unnamed_node; 1212 vnode_t *unnamed_vp = NULL; 1213 uint32_t status; 1214 uint32_t access; 1215 int rc = 0; 1216 int flags = 0; 1217 uint_t sa_mask; 1218 1219 ASSERT(cr); 1220 ASSERT(snode); 1221 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1222 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1223 1224 if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0) 1225 return (EACCES); 1226 1227 if (SMB_TREE_IS_READONLY(sr)) 1228 return (EROFS); 1229 1230 if (SMB_TREE_HAS_ACCESS(sr, 1231 ACE_WRITE_ATTRIBUTES | ACE_WRITE_NAMED_ATTRS) == 0) 1232 return (EACCES); 1233 1234 /* 1235 * The file system cannot detect pending READDONLY 1236 * (i.e. if the file has been opened readonly but 1237 * not yet closed) so we need to test READONLY here. 1238 */ 1239 if (sr && (set_attr->sa_mask & SMB_AT_SIZE)) { 1240 if (sr->fid_ofile) { 1241 if (SMB_OFILE_IS_READONLY(sr->fid_ofile)) 1242 return (EACCES); 1243 } else { 1244 if (SMB_PATHFILE_IS_READONLY(sr, snode)) 1245 return (EACCES); 1246 } 1247 } 1248 1249 /* 1250 * SMB checks access on open and retains an access granted 1251 * mask for use while the file is open. ACL changes should 1252 * not affect access to an open file. 1253 * 1254 * If the setattr is being performed on an ofile: 1255 * - Check the ofile's access granted mask to see if the 1256 * setattr is permitted. 1257 * UID, GID - require WRITE_OWNER 1258 * SIZE, ALLOCSZ - require FILE_WRITE_DATA 1259 * all other attributes require FILE_WRITE_ATTRIBUTES 1260 * 1261 * - If the file system does access checking, set the 1262 * ATTR_NOACLCHECK flag to ensure that the file system 1263 * does not check permissions on subsequent calls. 1264 */ 1265 if (sr && sr->fid_ofile) { 1266 sa_mask = set_attr->sa_mask; 1267 access = 0; 1268 1269 if (sa_mask & (SMB_AT_SIZE | SMB_AT_ALLOCSZ)) { 1270 access |= FILE_WRITE_DATA; 1271 sa_mask &= ~(SMB_AT_SIZE | SMB_AT_ALLOCSZ); 1272 } 1273 1274 if (sa_mask & (SMB_AT_UID|SMB_AT_GID)) { 1275 access |= WRITE_OWNER; 1276 sa_mask &= ~(SMB_AT_UID|SMB_AT_GID); 1277 } 1278 1279 if (sa_mask) 1280 access |= FILE_WRITE_ATTRIBUTES; 1281 1282 status = smb_ofile_access(sr->fid_ofile, cr, access); 1283 if (status != NT_STATUS_SUCCESS) 1284 return (EACCES); 1285 1286 if (smb_tree_has_feature(sr->tid_tree, 1287 SMB_TREE_ACEMASKONACCESS)) 1288 flags = ATTR_NOACLCHECK; 1289 } 1290 1291 unnamed_node = SMB_IS_STREAM(snode); 1292 1293 if (unnamed_node) { 1294 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1295 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1296 unnamed_vp = unnamed_node->vp; 1297 } 1298 1299 rc = smb_vop_setattr(snode->vp, unnamed_vp, set_attr, flags, cr); 1300 return (rc); 1301 } 1302 1303 /* 1304 * smb_fsop_read 1305 * 1306 * All SMB functions should use this wrapper to ensure that 1307 * the the calls are performed with the appropriate credentials. 1308 * Please document any direct call to explain the reason 1309 * for avoiding this wrapper. 1310 * 1311 * It is assumed that a reference exists on snode coming into this routine. 1312 */ 1313 int 1314 smb_fsop_read(smb_request_t *sr, cred_t *cr, smb_node_t *snode, uio_t *uio) 1315 { 1316 caller_context_t ct; 1317 int svmand; 1318 int rc; 1319 1320 ASSERT(cr); 1321 ASSERT(snode); 1322 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1323 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1324 1325 ASSERT(sr); 1326 ASSERT(sr->fid_ofile); 1327 1328 if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_DATA) == 0) 1329 return (EACCES); 1330 1331 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_READ_DATA); 1332 if ((rc != NT_STATUS_SUCCESS) && 1333 (sr->smb_flg2 & SMB_FLAGS2_READ_IF_EXECUTE)) 1334 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_EXECUTE); 1335 1336 if (rc != NT_STATUS_SUCCESS) 1337 return (EACCES); 1338 1339 /* 1340 * Streams permission are checked against the unnamed stream, 1341 * but in FS level they have their own permissions. To avoid 1342 * rejection by FS due to lack of permission on the actual 1343 * extended attr kcred is passed for streams. 1344 */ 1345 if (SMB_IS_STREAM(snode)) 1346 cr = kcred; 1347 1348 smb_node_start_crit(snode, RW_READER); 1349 rc = nbl_svmand(snode->vp, kcred, &svmand); 1350 if (rc) { 1351 smb_node_end_crit(snode); 1352 return (rc); 1353 } 1354 1355 ct = smb_ct; 1356 ct.cc_pid = sr->fid_ofile->f_uniqid; 1357 rc = nbl_lock_conflict(snode->vp, NBL_READ, uio->uio_loffset, 1358 uio->uio_iov->iov_len, svmand, &ct); 1359 1360 if (rc) { 1361 smb_node_end_crit(snode); 1362 return (ERANGE); 1363 } 1364 1365 rc = smb_vop_read(snode->vp, uio, cr); 1366 smb_node_end_crit(snode); 1367 1368 return (rc); 1369 } 1370 1371 /* 1372 * smb_fsop_write 1373 * 1374 * This is a wrapper function used for smb_write and smb_write_raw operations. 1375 * 1376 * It is assumed that a reference exists on snode coming into this routine. 1377 */ 1378 int 1379 smb_fsop_write( 1380 smb_request_t *sr, 1381 cred_t *cr, 1382 smb_node_t *snode, 1383 uio_t *uio, 1384 uint32_t *lcount, 1385 int ioflag) 1386 { 1387 caller_context_t ct; 1388 int svmand; 1389 int rc; 1390 1391 ASSERT(cr); 1392 ASSERT(snode); 1393 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1394 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1395 1396 ASSERT(sr); 1397 ASSERT(sr->tid_tree); 1398 ASSERT(sr->fid_ofile); 1399 1400 if (SMB_TREE_IS_READONLY(sr)) 1401 return (EROFS); 1402 1403 if (SMB_OFILE_IS_READONLY(sr->fid_ofile) || 1404 SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_DATA | ACE_APPEND_DATA) == 0) 1405 return (EACCES); 1406 1407 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_WRITE_DATA); 1408 if (rc != NT_STATUS_SUCCESS) { 1409 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_APPEND_DATA); 1410 if (rc != NT_STATUS_SUCCESS) 1411 return (EACCES); 1412 } 1413 1414 /* 1415 * Streams permission are checked against the unnamed stream, 1416 * but in FS level they have their own permissions. To avoid 1417 * rejection by FS due to lack of permission on the actual 1418 * extended attr kcred is passed for streams. 1419 */ 1420 if (SMB_IS_STREAM(snode)) 1421 cr = kcred; 1422 1423 smb_node_start_crit(snode, RW_READER); 1424 rc = nbl_svmand(snode->vp, kcred, &svmand); 1425 if (rc) { 1426 smb_node_end_crit(snode); 1427 return (rc); 1428 } 1429 1430 ct = smb_ct; 1431 ct.cc_pid = sr->fid_ofile->f_uniqid; 1432 rc = nbl_lock_conflict(snode->vp, NBL_WRITE, uio->uio_loffset, 1433 uio->uio_iov->iov_len, svmand, &ct); 1434 1435 if (rc) { 1436 smb_node_end_crit(snode); 1437 return (ERANGE); 1438 } 1439 1440 rc = smb_vop_write(snode->vp, uio, ioflag, lcount, cr); 1441 smb_node_end_crit(snode); 1442 1443 return (rc); 1444 } 1445 1446 /* 1447 * smb_fsop_statfs 1448 * 1449 * This is a wrapper function used for stat operations. 1450 */ 1451 int 1452 smb_fsop_statfs( 1453 cred_t *cr, 1454 smb_node_t *snode, 1455 struct statvfs64 *statp) 1456 { 1457 ASSERT(cr); 1458 ASSERT(snode); 1459 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1460 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1461 1462 return (smb_vop_statfs(snode->vp, statp, cr)); 1463 } 1464 1465 /* 1466 * smb_fsop_access 1467 * 1468 * Named streams do not have separate permissions from the associated 1469 * unnamed stream. Thus, if node is a named stream, the permissions 1470 * check will be performed on the associated unnamed stream. 1471 * 1472 * However, our named streams do have their own quarantine attribute, 1473 * separate from that on the unnamed stream. If READ or EXECUTE 1474 * access has been requested on a named stream, an additional access 1475 * check is performed on the named stream in case it has been 1476 * quarantined. kcred is used to avoid issues with the permissions 1477 * set on the extended attribute file representing the named stream. 1478 */ 1479 int 1480 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1481 uint32_t faccess) 1482 { 1483 int access = 0; 1484 int error; 1485 vnode_t *dir_vp; 1486 boolean_t acl_check = B_TRUE; 1487 smb_node_t *unnamed_node; 1488 1489 ASSERT(sr); 1490 ASSERT(cr); 1491 ASSERT(snode); 1492 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1493 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1494 1495 if (faccess == 0) 1496 return (NT_STATUS_SUCCESS); 1497 1498 if (SMB_TREE_IS_READONLY(sr)) { 1499 if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA| 1500 FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES| 1501 DELETE|WRITE_DAC|WRITE_OWNER)) { 1502 return (NT_STATUS_ACCESS_DENIED); 1503 } 1504 } 1505 1506 if (smb_node_is_reparse(snode) && (faccess & DELETE)) 1507 return (NT_STATUS_ACCESS_DENIED); 1508 1509 unnamed_node = SMB_IS_STREAM(snode); 1510 if (unnamed_node) { 1511 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1512 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1513 1514 /* 1515 * Perform VREAD access check on the named stream in case it 1516 * is quarantined. kcred is passed to smb_vop_access so it 1517 * doesn't fail due to lack of permission. 1518 */ 1519 if (faccess & (FILE_READ_DATA | FILE_EXECUTE)) { 1520 error = smb_vop_access(snode->vp, VREAD, 1521 0, NULL, kcred); 1522 if (error) 1523 return (NT_STATUS_ACCESS_DENIED); 1524 } 1525 1526 /* 1527 * Streams authorization should be performed against the 1528 * unnamed stream. 1529 */ 1530 snode = unnamed_node; 1531 } 1532 1533 if (faccess & ACCESS_SYSTEM_SECURITY) { 1534 /* 1535 * This permission is required for reading/writing SACL and 1536 * it's not part of DACL. It's only granted via proper 1537 * privileges. 1538 */ 1539 if ((sr->uid_user->u_privileges & 1540 (SMB_USER_PRIV_BACKUP | 1541 SMB_USER_PRIV_RESTORE | 1542 SMB_USER_PRIV_SECURITY)) == 0) 1543 return (NT_STATUS_PRIVILEGE_NOT_HELD); 1544 1545 faccess &= ~ACCESS_SYSTEM_SECURITY; 1546 } 1547 1548 /* Links don't have ACL */ 1549 if ((!smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) || 1550 smb_node_is_symlink(snode)) 1551 acl_check = B_FALSE; 1552 1553 /* 1554 * Use the most restrictive parts of both faccess and the 1555 * share access. An AND of the two value masks gives us that 1556 * since we've already converted to a mask of what we "can" 1557 * do. 1558 */ 1559 faccess &= sr->tid_tree->t_access; 1560 1561 if (acl_check) { 1562 dir_vp = (snode->n_dnode) ? snode->n_dnode->vp : NULL; 1563 error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp, 1564 cr); 1565 } else { 1566 /* 1567 * FS doesn't understand 32-bit mask, need to map 1568 */ 1569 if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA)) 1570 access |= VWRITE; 1571 1572 if (faccess & FILE_READ_DATA) 1573 access |= VREAD; 1574 1575 if (faccess & FILE_EXECUTE) 1576 access |= VEXEC; 1577 1578 error = smb_vop_access(snode->vp, access, 0, NULL, cr); 1579 } 1580 1581 return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS); 1582 } 1583 1584 /* 1585 * smb_fsop_lookup_name() 1586 * 1587 * If name indicates that the file is a stream file, perform 1588 * stream specific lookup, otherwise call smb_fsop_lookup. 1589 * 1590 * Return an error if the looked-up file is in outside the tree. 1591 * (Required when invoked from open path.) 1592 * 1593 * Case sensitivity flags (SMB_IGNORE_CASE, SMB_CASE_SENSITIVE): 1594 * if SMB_CASE_SENSITIVE is set, the SMB_IGNORE_CASE flag will NOT be set 1595 * based on the tree's case sensitivity. However, if the SMB_IGNORE_CASE 1596 * flag is set in the flags value passed as a parameter, a case insensitive 1597 * lookup WILL be done (regardless of whether SMB_CASE_SENSITIVE is set 1598 * or not). 1599 */ 1600 1601 int 1602 smb_fsop_lookup_name( 1603 smb_request_t *sr, 1604 cred_t *cr, 1605 int flags, 1606 smb_node_t *root_node, 1607 smb_node_t *dnode, 1608 char *name, 1609 smb_node_t **ret_snode) 1610 { 1611 smb_node_t *fnode; 1612 vnode_t *xattrdirvp; 1613 vnode_t *vp; 1614 char *od_name; 1615 char *fname; 1616 char *sname; 1617 int rc; 1618 1619 ASSERT(cr); 1620 ASSERT(dnode); 1621 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 1622 ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING); 1623 1624 /* 1625 * The following check is required for streams processing, below 1626 */ 1627 1628 if (!(flags & SMB_CASE_SENSITIVE)) { 1629 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1630 flags |= SMB_IGNORE_CASE; 1631 } 1632 1633 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1634 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1635 1636 if (smb_is_stream_name(name)) { 1637 smb_stream_parse_name(name, fname, sname); 1638 1639 /* 1640 * Look up the unnamed stream (i.e. fname). 1641 * Unmangle processing will be done on fname 1642 * as well as any link target. 1643 */ 1644 rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode, 1645 fname, &fnode); 1646 1647 if (rc != 0) { 1648 kmem_free(fname, MAXNAMELEN); 1649 kmem_free(sname, MAXNAMELEN); 1650 return (rc); 1651 } 1652 1653 od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1654 1655 /* 1656 * od_name is the on-disk name of the stream, except 1657 * without the prepended stream prefix (SMB_STREAM_PREFIX) 1658 */ 1659 1660 /* 1661 * XXX 1662 * What permissions NTFS requires for stream lookup if any? 1663 */ 1664 rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name, 1665 &xattrdirvp, flags, root_node->vp, cr); 1666 1667 if (rc != 0) { 1668 smb_node_release(fnode); 1669 kmem_free(fname, MAXNAMELEN); 1670 kmem_free(sname, MAXNAMELEN); 1671 kmem_free(od_name, MAXNAMELEN); 1672 return (rc); 1673 } 1674 1675 *ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp, 1676 vp, od_name); 1677 1678 kmem_free(od_name, MAXNAMELEN); 1679 smb_node_release(fnode); 1680 VN_RELE(xattrdirvp); 1681 VN_RELE(vp); 1682 1683 if (*ret_snode == NULL) { 1684 kmem_free(fname, MAXNAMELEN); 1685 kmem_free(sname, MAXNAMELEN); 1686 return (ENOMEM); 1687 } 1688 } else { 1689 rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode, name, 1690 ret_snode); 1691 } 1692 1693 if (rc == 0) { 1694 ASSERT(ret_snode); 1695 if (SMB_TREE_CONTAINS_NODE(sr, *ret_snode) == 0) { 1696 smb_node_release(*ret_snode); 1697 *ret_snode = NULL; 1698 rc = EACCES; 1699 } 1700 } 1701 1702 kmem_free(fname, MAXNAMELEN); 1703 kmem_free(sname, MAXNAMELEN); 1704 1705 return (rc); 1706 } 1707 1708 /* 1709 * smb_fsop_lookup 1710 * 1711 * All SMB functions should use this smb_vop_lookup wrapper to ensure that 1712 * the smb_vop_lookup is performed with the appropriate credentials and using 1713 * case insensitive compares. Please document any direct call to smb_vop_lookup 1714 * to explain the reason for avoiding this wrapper. 1715 * 1716 * It is assumed that a reference exists on dnode coming into this routine 1717 * (and that it is safe from deallocation). 1718 * 1719 * Same with the root_node. 1720 * 1721 * *ret_snode is returned with a reference upon success. No reference is 1722 * taken if an error is returned. 1723 * 1724 * Note: The returned ret_snode may be in a child mount. This is ok for 1725 * readdir. 1726 * 1727 * Other smb_fsop_* routines will call SMB_TREE_CONTAINS_NODE() to prevent 1728 * operations on files not in the parent mount. 1729 * 1730 * Case sensitivity flags (SMB_IGNORE_CASE, SMB_CASE_SENSITIVE): 1731 * if SMB_CASE_SENSITIVE is set, the SMB_IGNORE_CASE flag will NOT be set 1732 * based on the tree's case sensitivity. However, if the SMB_IGNORE_CASE 1733 * flag is set in the flags value passed as a parameter, a case insensitive 1734 * lookup WILL be done (regardless of whether SMB_CASE_SENSITIVE is set 1735 * or not). 1736 */ 1737 int 1738 smb_fsop_lookup( 1739 smb_request_t *sr, 1740 cred_t *cr, 1741 int flags, 1742 smb_node_t *root_node, 1743 smb_node_t *dnode, 1744 char *name, 1745 smb_node_t **ret_snode) 1746 { 1747 smb_node_t *lnk_target_node; 1748 smb_node_t *lnk_dnode; 1749 char *longname; 1750 char *od_name; 1751 vnode_t *vp; 1752 int rc; 1753 int ret_flags; 1754 smb_attr_t attr; 1755 1756 ASSERT(cr); 1757 ASSERT(dnode); 1758 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 1759 ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING); 1760 1761 if (name == NULL) 1762 return (EINVAL); 1763 1764 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0) 1765 return (EACCES); 1766 1767 if (!(flags & SMB_CASE_SENSITIVE)) { 1768 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1769 flags |= SMB_IGNORE_CASE; 1770 } 1771 if (SMB_TREE_SUPPORTS_CATIA(sr)) 1772 flags |= SMB_CATIA; 1773 if (SMB_TREE_SUPPORTS_ABE(sr)) 1774 flags |= SMB_ABE; 1775 1776 od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1777 1778 rc = smb_vop_lookup(dnode->vp, name, &vp, od_name, flags, 1779 &ret_flags, root_node ? root_node->vp : NULL, &attr, cr); 1780 1781 if (rc != 0) { 1782 if (!smb_maybe_mangled(name)) { 1783 kmem_free(od_name, MAXNAMELEN); 1784 return (rc); 1785 } 1786 1787 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1788 rc = smb_unmangle(dnode, name, longname, MAXNAMELEN, flags); 1789 if (rc != 0) { 1790 kmem_free(od_name, MAXNAMELEN); 1791 kmem_free(longname, MAXNAMELEN); 1792 return (rc); 1793 } 1794 1795 /* 1796 * longname is the real (case-sensitive) 1797 * on-disk name. 1798 * We make sure we do a lookup on this exact 1799 * name, as the name was mangled and denotes 1800 * a unique file. 1801 */ 1802 1803 if (flags & SMB_IGNORE_CASE) 1804 flags &= ~SMB_IGNORE_CASE; 1805 1806 rc = smb_vop_lookup(dnode->vp, longname, &vp, od_name, 1807 flags, &ret_flags, root_node ? root_node->vp : NULL, &attr, 1808 cr); 1809 1810 kmem_free(longname, MAXNAMELEN); 1811 1812 if (rc != 0) { 1813 kmem_free(od_name, MAXNAMELEN); 1814 return (rc); 1815 } 1816 } 1817 1818 if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK) && 1819 ((attr.sa_dosattr & FILE_ATTRIBUTE_REPARSE_POINT) == 0)) { 1820 rc = smb_pathname(sr, od_name, FOLLOW, root_node, dnode, 1821 &lnk_dnode, &lnk_target_node, cr); 1822 1823 if (rc != 0) { 1824 /* 1825 * The link is assumed to be for the last component 1826 * of a path. Hence any ENOTDIR error will be returned 1827 * as ENOENT. 1828 */ 1829 if (rc == ENOTDIR) 1830 rc = ENOENT; 1831 1832 VN_RELE(vp); 1833 kmem_free(od_name, MAXNAMELEN); 1834 return (rc); 1835 } 1836 1837 /* 1838 * Release the original VLNK vnode 1839 */ 1840 1841 VN_RELE(vp); 1842 vp = lnk_target_node->vp; 1843 1844 rc = smb_vop_traverse_check(&vp); 1845 1846 if (rc != 0) { 1847 smb_node_release(lnk_dnode); 1848 smb_node_release(lnk_target_node); 1849 kmem_free(od_name, MAXNAMELEN); 1850 return (rc); 1851 } 1852 1853 /* 1854 * smb_vop_traverse_check() may have returned a different vnode 1855 */ 1856 1857 if (lnk_target_node->vp == vp) { 1858 *ret_snode = lnk_target_node; 1859 } else { 1860 *ret_snode = smb_node_lookup(sr, NULL, cr, vp, 1861 lnk_target_node->od_name, lnk_dnode, NULL); 1862 VN_RELE(vp); 1863 1864 if (*ret_snode == NULL) 1865 rc = ENOMEM; 1866 smb_node_release(lnk_target_node); 1867 } 1868 1869 smb_node_release(lnk_dnode); 1870 1871 } else { 1872 1873 rc = smb_vop_traverse_check(&vp); 1874 if (rc) { 1875 VN_RELE(vp); 1876 kmem_free(od_name, MAXNAMELEN); 1877 return (rc); 1878 } 1879 1880 *ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name, 1881 dnode, NULL); 1882 VN_RELE(vp); 1883 1884 if (*ret_snode == NULL) 1885 rc = ENOMEM; 1886 } 1887 1888 kmem_free(od_name, MAXNAMELEN); 1889 return (rc); 1890 } 1891 1892 int /*ARGSUSED*/ 1893 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode) 1894 { 1895 ASSERT(cr); 1896 ASSERT(snode); 1897 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1898 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1899 1900 ASSERT(sr); 1901 ASSERT(sr->tid_tree); 1902 if (SMB_TREE_IS_READONLY(sr)) 1903 return (EROFS); 1904 1905 return (smb_vop_commit(snode->vp, cr)); 1906 } 1907 1908 /* 1909 * smb_fsop_aclread 1910 * 1911 * Retrieve filesystem ACL. Depends on requested ACLs in 1912 * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in 1913 * fs_sd. Note that requesting a DACL/SACL doesn't mean that 1914 * the corresponding field in fs_sd should be non-NULL upon 1915 * return, since the target ACL might not contain that type of 1916 * entries. 1917 * 1918 * Returned ACL is always in ACE_T (aka ZFS) format. 1919 * If successful the allocated memory for the ACL should be freed 1920 * using smb_fsacl_free() or smb_fssd_term() 1921 */ 1922 int 1923 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1924 smb_fssd_t *fs_sd) 1925 { 1926 int error = 0; 1927 int flags = 0; 1928 int access = 0; 1929 acl_t *acl; 1930 smb_node_t *unnamed_node; 1931 1932 ASSERT(cr); 1933 1934 if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_ACL) == 0) 1935 return (EACCES); 1936 1937 if (sr->fid_ofile) { 1938 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 1939 access = READ_CONTROL; 1940 1941 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 1942 access |= ACCESS_SYSTEM_SECURITY; 1943 1944 error = smb_ofile_access(sr->fid_ofile, cr, access); 1945 if (error != NT_STATUS_SUCCESS) { 1946 return (EACCES); 1947 } 1948 } 1949 1950 unnamed_node = SMB_IS_STREAM(snode); 1951 if (unnamed_node) { 1952 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1953 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1954 /* 1955 * Streams don't have ACL, any read ACL attempt on a stream 1956 * should be performed on the unnamed stream. 1957 */ 1958 snode = unnamed_node; 1959 } 1960 1961 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) 1962 flags = ATTR_NOACLCHECK; 1963 1964 error = smb_vop_acl_read(snode->vp, &acl, flags, 1965 sr->tid_tree->t_acltype, cr); 1966 if (error != 0) { 1967 return (error); 1968 } 1969 1970 error = acl_translate(acl, _ACL_ACE_ENABLED, 1971 smb_node_is_dir(snode), fs_sd->sd_uid, fs_sd->sd_gid); 1972 1973 if (error == 0) { 1974 smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl, 1975 fs_sd->sd_secinfo); 1976 } 1977 1978 acl_free(acl); 1979 return (error); 1980 } 1981 1982 /* 1983 * smb_fsop_aclwrite 1984 * 1985 * Stores the filesystem ACL provided in fs_sd->sd_acl. 1986 */ 1987 int 1988 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1989 smb_fssd_t *fs_sd) 1990 { 1991 int target_flavor; 1992 int error = 0; 1993 int flags = 0; 1994 int access = 0; 1995 acl_t *acl, *dacl, *sacl; 1996 smb_node_t *unnamed_node; 1997 1998 ASSERT(cr); 1999 2000 ASSERT(sr); 2001 ASSERT(sr->tid_tree); 2002 if (SMB_TREE_IS_READONLY(sr)) 2003 return (EROFS); 2004 2005 if (SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_ACL) == 0) 2006 return (EACCES); 2007 2008 if (sr->fid_ofile) { 2009 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 2010 access = WRITE_DAC; 2011 2012 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 2013 access |= ACCESS_SYSTEM_SECURITY; 2014 2015 error = smb_ofile_access(sr->fid_ofile, cr, access); 2016 if (error != NT_STATUS_SUCCESS) 2017 return (EACCES); 2018 } 2019 2020 switch (sr->tid_tree->t_acltype) { 2021 case ACLENT_T: 2022 target_flavor = _ACL_ACLENT_ENABLED; 2023 break; 2024 2025 case ACE_T: 2026 target_flavor = _ACL_ACE_ENABLED; 2027 break; 2028 default: 2029 return (EINVAL); 2030 } 2031 2032 unnamed_node = SMB_IS_STREAM(snode); 2033 if (unnamed_node) { 2034 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 2035 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 2036 /* 2037 * Streams don't have ACL, any write ACL attempt on a stream 2038 * should be performed on the unnamed stream. 2039 */ 2040 snode = unnamed_node; 2041 } 2042 2043 dacl = fs_sd->sd_zdacl; 2044 sacl = fs_sd->sd_zsacl; 2045 2046 ASSERT(dacl || sacl); 2047 if ((dacl == NULL) && (sacl == NULL)) 2048 return (EINVAL); 2049 2050 if (dacl && sacl) 2051 acl = smb_fsacl_merge(dacl, sacl); 2052 else if (dacl) 2053 acl = dacl; 2054 else 2055 acl = sacl; 2056 2057 error = acl_translate(acl, target_flavor, smb_node_is_dir(snode), 2058 fs_sd->sd_uid, fs_sd->sd_gid); 2059 if (error == 0) { 2060 if (smb_tree_has_feature(sr->tid_tree, 2061 SMB_TREE_ACEMASKONACCESS)) 2062 flags = ATTR_NOACLCHECK; 2063 2064 error = smb_vop_acl_write(snode->vp, acl, flags, cr); 2065 } 2066 2067 if (dacl && sacl) 2068 acl_free(acl); 2069 2070 return (error); 2071 } 2072 2073 acl_type_t 2074 smb_fsop_acltype(smb_node_t *snode) 2075 { 2076 return (smb_vop_acl_type(snode->vp)); 2077 } 2078 2079 /* 2080 * smb_fsop_sdread 2081 * 2082 * Read the requested security descriptor items from filesystem. 2083 * The items are specified in fs_sd->sd_secinfo. 2084 */ 2085 int 2086 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2087 smb_fssd_t *fs_sd) 2088 { 2089 int error = 0; 2090 int getowner = 0; 2091 cred_t *ga_cred; 2092 smb_attr_t attr; 2093 2094 ASSERT(cr); 2095 ASSERT(fs_sd); 2096 2097 /* 2098 * File's uid/gid is fetched in two cases: 2099 * 2100 * 1. it's explicitly requested 2101 * 2102 * 2. target ACL is ACE_T (ZFS ACL). They're needed for 2103 * owner@/group@ entries. In this case kcred should be used 2104 * because uid/gid are fetched on behalf of smb server. 2105 */ 2106 if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) { 2107 getowner = 1; 2108 ga_cred = cr; 2109 } else if (sr->tid_tree->t_acltype == ACE_T) { 2110 getowner = 1; 2111 ga_cred = kcred; 2112 } 2113 2114 if (getowner) { 2115 /* 2116 * Windows require READ_CONTROL to read owner/group SID since 2117 * they're part of Security Descriptor. 2118 * ZFS only requires read_attribute. Need to have a explicit 2119 * access check here. 2120 */ 2121 if (sr->fid_ofile == NULL) { 2122 error = smb_fsop_access(sr, ga_cred, snode, 2123 READ_CONTROL); 2124 if (error) 2125 return (EACCES); 2126 } 2127 2128 attr.sa_mask = SMB_AT_UID | SMB_AT_GID; 2129 error = smb_fsop_getattr(sr, ga_cred, snode, &attr); 2130 if (error == 0) { 2131 fs_sd->sd_uid = attr.sa_vattr.va_uid; 2132 fs_sd->sd_gid = attr.sa_vattr.va_gid; 2133 } else { 2134 return (error); 2135 } 2136 } 2137 2138 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 2139 error = smb_fsop_aclread(sr, cr, snode, fs_sd); 2140 } 2141 2142 return (error); 2143 } 2144 2145 /* 2146 * smb_fsop_sdmerge 2147 * 2148 * From SMB point of view DACL and SACL are two separate list 2149 * which can be manipulated independently without one affecting 2150 * the other, but entries for both DACL and SACL will end up 2151 * in the same ACL if target filesystem supports ACE_T ACLs. 2152 * 2153 * So, if either DACL or SACL is present in the client set request 2154 * the entries corresponding to the non-present ACL shouldn't 2155 * be touched in the FS ACL. 2156 * 2157 * fs_sd parameter contains DACL and SACL specified by SMB 2158 * client to be set on a file/directory. The client could 2159 * specify both or one of these ACLs (if none is specified 2160 * we don't get this far). When both DACL and SACL are given 2161 * by client the existing ACL should be overwritten. If only 2162 * one of them is specified the entries corresponding to the other 2163 * ACL should not be touched. For example, if only DACL 2164 * is specified in input fs_sd, the function reads audit entries 2165 * of the existing ACL of the file and point fs_sd->sd_zsdacl 2166 * pointer to the fetched SACL, this way when smb_fsop_sdwrite() 2167 * function is called the passed fs_sd would point to the specified 2168 * DACL by client and fetched SACL from filesystem, so the file 2169 * will end up with correct ACL. 2170 */ 2171 static int 2172 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd) 2173 { 2174 smb_fssd_t cur_sd; 2175 int error = 0; 2176 2177 if (sr->tid_tree->t_acltype != ACE_T) 2178 /* Don't bother if target FS doesn't support ACE_T */ 2179 return (0); 2180 2181 if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) { 2182 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) { 2183 /* 2184 * Don't overwrite existing audit entries 2185 */ 2186 smb_fssd_init(&cur_sd, SMB_SACL_SECINFO, 2187 fs_sd->sd_flags); 2188 2189 error = smb_fsop_sdread(sr, kcred, snode, &cur_sd); 2190 if (error == 0) { 2191 ASSERT(fs_sd->sd_zsacl == NULL); 2192 fs_sd->sd_zsacl = cur_sd.sd_zsacl; 2193 if (fs_sd->sd_zsacl && fs_sd->sd_zdacl) 2194 fs_sd->sd_zsacl->acl_flags = 2195 fs_sd->sd_zdacl->acl_flags; 2196 } 2197 } else { 2198 /* 2199 * Don't overwrite existing access entries 2200 */ 2201 smb_fssd_init(&cur_sd, SMB_DACL_SECINFO, 2202 fs_sd->sd_flags); 2203 2204 error = smb_fsop_sdread(sr, kcred, snode, &cur_sd); 2205 if (error == 0) { 2206 ASSERT(fs_sd->sd_zdacl == NULL); 2207 fs_sd->sd_zdacl = cur_sd.sd_zdacl; 2208 if (fs_sd->sd_zdacl && fs_sd->sd_zsacl) 2209 fs_sd->sd_zdacl->acl_flags = 2210 fs_sd->sd_zsacl->acl_flags; 2211 } 2212 } 2213 2214 if (error) 2215 smb_fssd_term(&cur_sd); 2216 } 2217 2218 return (error); 2219 } 2220 2221 /* 2222 * smb_fsop_sdwrite 2223 * 2224 * Stores the given uid, gid and acl in filesystem. 2225 * Provided items in fs_sd are specified by fs_sd->sd_secinfo. 2226 * 2227 * A SMB security descriptor could contain owner, primary group, 2228 * DACL and SACL. Setting an SD should be atomic but here it has to 2229 * be done via two separate FS operations: VOP_SETATTR and 2230 * VOP_SETSECATTR. Therefore, this function has to simulate the 2231 * atomicity as well as it can. 2232 * 2233 * Get the current uid, gid before setting the new uid/gid 2234 * so if smb_fsop_aclwrite fails they can be restored. root cred is 2235 * used to get currend uid/gid since this operation is performed on 2236 * behalf of the server not the user. 2237 * 2238 * If setting uid/gid fails with EPERM it means that and invalid 2239 * owner has been specified. Callers should translate this to 2240 * STATUS_INVALID_OWNER which is not the normal mapping for EPERM 2241 * in upper layers, so EPERM is mapped to EBADE. 2242 */ 2243 int 2244 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2245 smb_fssd_t *fs_sd, int overwrite) 2246 { 2247 int error = 0; 2248 int access = 0; 2249 smb_attr_t set_attr; 2250 smb_attr_t orig_attr; 2251 2252 ASSERT(cr); 2253 ASSERT(fs_sd); 2254 2255 ASSERT(sr); 2256 ASSERT(sr->tid_tree); 2257 if (SMB_TREE_IS_READONLY(sr)) 2258 return (EROFS); 2259 2260 bzero(&set_attr, sizeof (smb_attr_t)); 2261 2262 if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) { 2263 set_attr.sa_vattr.va_uid = fs_sd->sd_uid; 2264 set_attr.sa_mask |= SMB_AT_UID; 2265 access |= WRITE_OWNER; 2266 } 2267 2268 if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) { 2269 set_attr.sa_vattr.va_gid = fs_sd->sd_gid; 2270 set_attr.sa_mask |= SMB_AT_GID; 2271 access |= WRITE_OWNER; 2272 } 2273 2274 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 2275 access |= WRITE_DAC; 2276 2277 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 2278 access |= ACCESS_SYSTEM_SECURITY; 2279 2280 if (sr->fid_ofile) 2281 error = smb_ofile_access(sr->fid_ofile, cr, access); 2282 else 2283 error = smb_fsop_access(sr, cr, snode, access); 2284 2285 if (error) 2286 return (EACCES); 2287 2288 if (set_attr.sa_mask) { 2289 orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID; 2290 error = smb_fsop_getattr(sr, kcred, snode, &orig_attr); 2291 if (error == 0) { 2292 error = smb_fsop_setattr(sr, cr, snode, &set_attr); 2293 if (error == EPERM) 2294 error = EBADE; 2295 } 2296 2297 if (error) 2298 return (error); 2299 } 2300 2301 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 2302 if (overwrite == 0) { 2303 error = smb_fsop_sdmerge(sr, snode, fs_sd); 2304 if (error) 2305 return (error); 2306 } 2307 2308 error = smb_fsop_aclwrite(sr, cr, snode, fs_sd); 2309 if (error) { 2310 /* 2311 * Revert uid/gid changes if required. 2312 */ 2313 if (set_attr.sa_mask) { 2314 orig_attr.sa_mask = set_attr.sa_mask; 2315 (void) smb_fsop_setattr(sr, kcred, snode, 2316 &orig_attr); 2317 } 2318 } 2319 } 2320 2321 return (error); 2322 } 2323 2324 /* 2325 * smb_fsop_sdinherit 2326 * 2327 * Inherit the security descriptor from the parent container. 2328 * This function is called after FS has created the file/folder 2329 * so if this doesn't do anything it means FS inheritance is 2330 * in place. 2331 * 2332 * Do inheritance for ZFS internally. 2333 * 2334 * If we want to let ZFS does the inheritance the 2335 * following setting should be true: 2336 * 2337 * - aclinherit = passthrough 2338 * - aclmode = passthrough 2339 * - smbd umask = 0777 2340 * 2341 * This will result in right effective permissions but 2342 * ZFS will always add 6 ACEs for owner, owning group 2343 * and others to be POSIX compliant. This is not what 2344 * Windows clients/users expect, so we decided that CIFS 2345 * implements Windows rules and overwrite whatever ZFS 2346 * comes up with. This way we also don't have to care 2347 * about ZFS aclinherit and aclmode settings. 2348 */ 2349 static int 2350 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd) 2351 { 2352 acl_t *dacl = NULL; 2353 acl_t *sacl = NULL; 2354 int is_dir; 2355 int error; 2356 2357 ASSERT(fs_sd); 2358 2359 if (sr->tid_tree->t_acltype != ACE_T) { 2360 /* 2361 * No forced inheritance for non-ZFS filesystems. 2362 */ 2363 fs_sd->sd_secinfo = 0; 2364 return (0); 2365 } 2366 2367 2368 /* Fetch parent directory's ACL */ 2369 error = smb_fsop_sdread(sr, kcred, dnode, fs_sd); 2370 if (error) { 2371 return (error); 2372 } 2373 2374 is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR); 2375 dacl = smb_fsacl_inherit(fs_sd->sd_zdacl, is_dir, SMB_DACL_SECINFO, 2376 sr->user_cr); 2377 sacl = smb_fsacl_inherit(fs_sd->sd_zsacl, is_dir, SMB_SACL_SECINFO, 2378 sr->user_cr); 2379 2380 if (sacl == NULL) 2381 fs_sd->sd_secinfo &= ~SMB_SACL_SECINFO; 2382 2383 smb_fsacl_free(fs_sd->sd_zdacl); 2384 smb_fsacl_free(fs_sd->sd_zsacl); 2385 2386 fs_sd->sd_zdacl = dacl; 2387 fs_sd->sd_zsacl = sacl; 2388 2389 return (0); 2390 } 2391 2392 /* 2393 * smb_fsop_eaccess 2394 * 2395 * Returns the effective permission of the given credential for the 2396 * specified object. 2397 * 2398 * This is just a workaround. We need VFS/FS support for this. 2399 */ 2400 void 2401 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2402 uint32_t *eaccess) 2403 { 2404 int access = 0; 2405 vnode_t *dir_vp; 2406 smb_node_t *unnamed_node; 2407 2408 ASSERT(cr); 2409 ASSERT(snode); 2410 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 2411 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 2412 2413 unnamed_node = SMB_IS_STREAM(snode); 2414 if (unnamed_node) { 2415 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 2416 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 2417 /* 2418 * Streams authorization should be performed against the 2419 * unnamed stream. 2420 */ 2421 snode = unnamed_node; 2422 } 2423 2424 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) { 2425 dir_vp = (snode->n_dnode) ? snode->n_dnode->vp : NULL; 2426 smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp, 2427 cr); 2428 return; 2429 } 2430 2431 /* 2432 * FS doesn't understand 32-bit mask 2433 */ 2434 smb_vop_eaccess(snode->vp, &access, 0, NULL, cr); 2435 access &= sr->tid_tree->t_access; 2436 2437 *eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES; 2438 2439 if (access & VREAD) 2440 *eaccess |= FILE_READ_DATA; 2441 2442 if (access & VEXEC) 2443 *eaccess |= FILE_EXECUTE; 2444 2445 if (access & VWRITE) 2446 *eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | 2447 FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD; 2448 } 2449 2450 /* 2451 * smb_fsop_shrlock 2452 * 2453 * For the current open request, check file sharing rules 2454 * against existing opens. 2455 * 2456 * Returns NT_STATUS_SHARING_VIOLATION if there is any 2457 * sharing conflict. Returns NT_STATUS_SUCCESS otherwise. 2458 * 2459 * Full system-wide share reservation synchronization is available 2460 * when the nbmand (non-blocking mandatory) mount option is set 2461 * (i.e. nbl_need_crit() is true) and nbmand critical regions are used. 2462 * This provides synchronization with NFS and local processes. The 2463 * critical regions are entered in VOP_SHRLOCK()/fs_shrlock() (called 2464 * from smb_open_subr()/smb_fsop_shrlock()/smb_vop_shrlock()) as well 2465 * as the CIFS rename and delete paths. 2466 * 2467 * The CIFS server will also enter the nbl critical region in the open, 2468 * rename, and delete paths when nbmand is not set. There is limited 2469 * coordination with local and VFS share reservations in this case. 2470 * Note that when the nbmand mount option is not set, the VFS layer 2471 * only processes advisory reservations and the delete mode is not checked. 2472 * 2473 * Whether or not the nbmand mount option is set, intra-CIFS share 2474 * checking is done in the open, delete, and rename paths using a CIFS 2475 * critical region (node->n_share_lock). 2476 */ 2477 uint32_t 2478 smb_fsop_shrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid, 2479 uint32_t desired_access, uint32_t share_access) 2480 { 2481 int rc; 2482 2483 /* Allow access if the request is just for meta data */ 2484 if ((desired_access & FILE_DATA_ALL) == 0) 2485 return (NT_STATUS_SUCCESS); 2486 2487 rc = smb_node_open_check(node, desired_access, share_access); 2488 if (rc) 2489 return (NT_STATUS_SHARING_VIOLATION); 2490 2491 rc = smb_vop_shrlock(node->vp, uniq_fid, desired_access, share_access, 2492 cr); 2493 if (rc) 2494 return (NT_STATUS_SHARING_VIOLATION); 2495 2496 return (NT_STATUS_SUCCESS); 2497 } 2498 2499 void 2500 smb_fsop_unshrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid) 2501 { 2502 (void) smb_vop_unshrlock(node->vp, uniq_fid, cr); 2503 } 2504 2505 int 2506 smb_fsop_frlock(smb_node_t *node, smb_lock_t *lock, boolean_t unlock, 2507 cred_t *cr) 2508 { 2509 flock64_t bf; 2510 int flag = F_REMOTELOCK; 2511 2512 /* 2513 * VOP_FRLOCK() will not be called if: 2514 * 2515 * 1) The lock has a range of zero bytes. The semantics of Windows and 2516 * POSIX are different. In the case of POSIX it asks for the locking 2517 * of all the bytes from the offset provided until the end of the 2518 * file. In the case of Windows a range of zero locks nothing and 2519 * doesn't conflict with any other lock. 2520 * 2521 * 2) The lock rolls over (start + lenght < start). Solaris will assert 2522 * if such a request is submitted. This will not create 2523 * incompatibilities between POSIX and Windows. In the Windows world, 2524 * if a client submits such a lock, the server will not lock any 2525 * bytes. Interestingly if the same lock (same offset and length) is 2526 * resubmitted Windows will consider that there is an overlap and 2527 * the granting rules will then apply. 2528 */ 2529 if ((lock->l_length == 0) || 2530 ((lock->l_start + lock->l_length - 1) < lock->l_start)) 2531 return (0); 2532 2533 bzero(&bf, sizeof (bf)); 2534 2535 if (unlock) { 2536 bf.l_type = F_UNLCK; 2537 } else if (lock->l_type == SMB_LOCK_TYPE_READONLY) { 2538 bf.l_type = F_RDLCK; 2539 flag |= FREAD; 2540 } else if (lock->l_type == SMB_LOCK_TYPE_READWRITE) { 2541 bf.l_type = F_WRLCK; 2542 flag |= FWRITE; 2543 } 2544 2545 bf.l_start = lock->l_start; 2546 bf.l_len = lock->l_length; 2547 bf.l_pid = lock->l_file->f_uniqid; 2548 bf.l_sysid = smb_ct.cc_sysid; 2549 2550 return (smb_vop_frlock(node->vp, cr, flag, &bf)); 2551 } 2552