1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/sid.h> 27 #include <sys/nbmlock.h> 28 #include <smbsrv/smb_fsops.h> 29 #include <smbsrv/smb_kproto.h> 30 #include <acl/acl_common.h> 31 #include <sys/fcntl.h> 32 #include <sys/flock.h> 33 #include <fs/fs_subr.h> 34 35 extern caller_context_t smb_ct; 36 37 extern int smb_fem_oplock_install(smb_node_t *); 38 extern void smb_fem_oplock_uninstall(smb_node_t *); 39 40 extern int smb_vop_other_opens(vnode_t *, int); 41 42 static int smb_fsop_create_stream(smb_request_t *, cred_t *, smb_node_t *, 43 char *, char *, int, smb_attr_t *, smb_node_t **); 44 45 static int smb_fsop_create_file(smb_request_t *, cred_t *, smb_node_t *, 46 char *, int, smb_attr_t *, smb_node_t **); 47 48 static int smb_fsop_create_with_sd(smb_request_t *, cred_t *, smb_node_t *, 49 char *, smb_attr_t *, smb_node_t **, smb_fssd_t *); 50 51 static int smb_fsop_sdinherit(smb_request_t *, smb_node_t *, smb_fssd_t *); 52 53 /* 54 * The smb_fsop_* functions have knowledge of CIFS semantics. 55 * 56 * The smb_vop_* functions have minimal knowledge of CIFS semantics and 57 * serve as an interface to the VFS layer. 58 * 59 * Hence, smb_request_t and smb_node_t structures should not be passed 60 * from the smb_fsop_* layer to the smb_vop_* layer. 61 * 62 * In general, CIFS service code should only ever call smb_fsop_* 63 * functions directly, and never smb_vop_* functions directly. 64 * 65 * smb_fsop_* functions should call smb_vop_* functions where possible, instead 66 * of their smb_fsop_* counterparts. However, there are times when 67 * this cannot be avoided. 68 */ 69 70 /* 71 * Note: Stream names cannot be mangled. 72 */ 73 74 /* 75 * smb_fsop_amask_to_omode 76 * 77 * Convert the access mask to the open mode (for use 78 * with the VOP_OPEN call). 79 * 80 * Note that opening a file for attribute only access 81 * will also translate into an FREAD or FWRITE open mode 82 * (i.e., it's not just for data). 83 * 84 * This is needed so that opens are tracked appropriately 85 * for oplock processing. 86 */ 87 88 int 89 smb_fsop_amask_to_omode(uint32_t access) 90 { 91 int mode = 0; 92 93 if (access & (FILE_READ_DATA | FILE_EXECUTE | 94 FILE_READ_ATTRIBUTES | FILE_READ_EA)) 95 mode |= FREAD; 96 97 if (access & (FILE_WRITE_DATA | FILE_APPEND_DATA | 98 FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA)) 99 mode |= FWRITE; 100 101 if (access & FILE_APPEND_DATA) 102 mode |= FAPPEND; 103 104 return (mode); 105 } 106 107 int 108 smb_fsop_open(smb_node_t *node, int mode, cred_t *cred) 109 { 110 /* 111 * Assuming that the same vnode is returned as we had before. 112 * (I.e., with certain types of files or file systems, a 113 * different vnode might be returned by VOP_OPEN) 114 */ 115 return (smb_vop_open(&node->vp, mode, cred)); 116 } 117 118 void 119 smb_fsop_close(smb_node_t *node, int mode, cred_t *cred) 120 { 121 smb_vop_close(node->vp, mode, cred); 122 } 123 124 int 125 smb_fsop_oplock_install(smb_node_t *node, int mode) 126 { 127 int rc; 128 129 if (smb_vop_other_opens(node->vp, mode)) 130 return (EMFILE); 131 132 if ((rc = smb_fem_oplock_install(node))) 133 return (rc); 134 135 if (smb_vop_other_opens(node->vp, mode)) { 136 (void) smb_fem_oplock_uninstall(node); 137 return (EMFILE); 138 } 139 140 return (0); 141 } 142 143 void 144 smb_fsop_oplock_uninstall(smb_node_t *node) 145 { 146 smb_fem_oplock_uninstall(node); 147 } 148 149 static int 150 smb_fsop_create_with_sd(smb_request_t *sr, cred_t *cr, 151 smb_node_t *dnode, char *name, 152 smb_attr_t *attr, smb_node_t **ret_snode, smb_fssd_t *fs_sd) 153 { 154 vsecattr_t *vsap; 155 vsecattr_t vsecattr; 156 acl_t *acl, *dacl, *sacl; 157 smb_attr_t set_attr; 158 vnode_t *vp; 159 int aclbsize = 0; /* size of acl list in bytes */ 160 int flags = 0; 161 int rc; 162 boolean_t is_dir; 163 164 ASSERT(fs_sd); 165 166 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 167 flags = SMB_IGNORE_CASE; 168 if (SMB_TREE_SUPPORTS_CATIA(sr)) 169 flags |= SMB_CATIA; 170 171 ASSERT(cr); 172 173 is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0); 174 175 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACLONCREATE)) { 176 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 177 dacl = fs_sd->sd_zdacl; 178 sacl = fs_sd->sd_zsacl; 179 ASSERT(dacl || sacl); 180 if (dacl && sacl) { 181 acl = smb_fsacl_merge(dacl, sacl); 182 } else if (dacl) { 183 acl = dacl; 184 } else { 185 acl = sacl; 186 } 187 188 rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize); 189 190 if (dacl && sacl) 191 acl_free(acl); 192 193 if (rc != 0) 194 return (rc); 195 196 vsap = &vsecattr; 197 } else { 198 vsap = NULL; 199 } 200 201 /* The tree ACEs may prevent a create */ 202 rc = EACCES; 203 if (is_dir) { 204 if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_SUBDIRECTORY) != 0) 205 rc = smb_vop_mkdir(dnode->vp, name, attr, 206 &vp, flags, cr, vsap); 207 } else { 208 if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_FILE) != 0) 209 rc = smb_vop_create(dnode->vp, name, attr, 210 &vp, flags, cr, vsap); 211 } 212 213 if (vsap != NULL) 214 kmem_free(vsap->vsa_aclentp, aclbsize); 215 216 if (rc != 0) 217 return (rc); 218 219 set_attr.sa_mask = 0; 220 221 /* 222 * Ideally we should be able to specify the owner and owning 223 * group at create time along with the ACL. Since we cannot 224 * do that right now, kcred is passed to smb_vop_setattr so it 225 * doesn't fail due to lack of permission. 226 */ 227 if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) { 228 set_attr.sa_vattr.va_uid = fs_sd->sd_uid; 229 set_attr.sa_mask |= SMB_AT_UID; 230 } 231 232 if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) { 233 set_attr.sa_vattr.va_gid = fs_sd->sd_gid; 234 set_attr.sa_mask |= SMB_AT_GID; 235 } 236 237 if (set_attr.sa_mask) 238 rc = smb_vop_setattr(vp, NULL, &set_attr, 0, kcred); 239 240 if (rc == 0) { 241 *ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, 242 name, dnode, NULL); 243 244 if (*ret_snode == NULL) 245 rc = ENOMEM; 246 247 VN_RELE(vp); 248 } 249 } else { 250 /* 251 * For filesystems that don't support ACL-on-create, try 252 * to set the specified SD after create, which could actually 253 * fail because of conflicts between inherited security 254 * attributes upon creation and the specified SD. 255 * 256 * Passing kcred to smb_fsop_sdwrite() to overcome this issue. 257 */ 258 259 if (is_dir) { 260 rc = smb_vop_mkdir(dnode->vp, name, attr, &vp, 261 flags, cr, NULL); 262 } else { 263 rc = smb_vop_create(dnode->vp, name, attr, &vp, 264 flags, cr, NULL); 265 } 266 267 if (rc != 0) 268 return (rc); 269 270 *ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, 271 name, dnode, NULL); 272 273 if (*ret_snode != NULL) { 274 if (!smb_tree_has_feature(sr->tid_tree, 275 SMB_TREE_NFS_MOUNTED)) 276 rc = smb_fsop_sdwrite(sr, kcred, *ret_snode, 277 fs_sd, 1); 278 } else { 279 rc = ENOMEM; 280 } 281 282 VN_RELE(vp); 283 } 284 285 if (rc != 0) { 286 if (is_dir) 287 (void) smb_vop_rmdir(dnode->vp, name, flags, cr); 288 else 289 (void) smb_vop_remove(dnode->vp, name, flags, cr); 290 } 291 292 return (rc); 293 } 294 295 /* 296 * smb_fsop_create 297 * 298 * All SMB functions should use this wrapper to ensure that 299 * all the smb_vop_creates are performed with the appropriate credentials. 300 * Please document any direct calls to explain the reason for avoiding 301 * this wrapper. 302 * 303 * *ret_snode is returned with a reference upon success. No reference is 304 * taken if an error is returned. 305 */ 306 int 307 smb_fsop_create(smb_request_t *sr, cred_t *cr, smb_node_t *dnode, 308 char *name, smb_attr_t *attr, smb_node_t **ret_snode) 309 { 310 int rc = 0; 311 int flags = 0; 312 char *fname, *sname; 313 char *longname = NULL; 314 315 ASSERT(cr); 316 ASSERT(dnode); 317 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 318 ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING); 319 320 ASSERT(ret_snode); 321 *ret_snode = 0; 322 323 ASSERT(name); 324 if (*name == 0) 325 return (EINVAL); 326 327 ASSERT(sr); 328 ASSERT(sr->tid_tree); 329 330 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0) 331 return (EACCES); 332 333 if (SMB_TREE_IS_READONLY(sr)) 334 return (EROFS); 335 336 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 337 flags = SMB_IGNORE_CASE; 338 if (SMB_TREE_SUPPORTS_CATIA(sr)) 339 flags |= SMB_CATIA; 340 if (SMB_TREE_SUPPORTS_ABE(sr)) 341 flags |= SMB_ABE; 342 343 if (smb_is_stream_name(name)) { 344 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 345 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 346 smb_stream_parse_name(name, fname, sname); 347 348 rc = smb_fsop_create_stream(sr, cr, dnode, 349 fname, sname, flags, attr, ret_snode); 350 351 kmem_free(fname, MAXNAMELEN); 352 kmem_free(sname, MAXNAMELEN); 353 return (rc); 354 } 355 356 /* Not a named stream */ 357 358 if (smb_maybe_mangled_name(name)) { 359 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 360 rc = smb_unmangle_name(dnode, name, longname, 361 MAXNAMELEN, flags); 362 kmem_free(longname, MAXNAMELEN); 363 364 if (rc == 0) 365 rc = EEXIST; 366 if (rc != ENOENT) 367 return (rc); 368 } 369 370 rc = smb_fsop_create_file(sr, cr, dnode, name, flags, 371 attr, ret_snode); 372 return (rc); 373 374 } 375 376 377 /* 378 * smb_fsop_create_stream 379 * 380 * Create NTFS named stream file (sname) on unnamed stream 381 * file (fname), creating the unnamed stream file if it 382 * doesn't exist. 383 * If we created the unnamed stream file and then creation 384 * of the named stream file fails, we delete the unnamed stream. 385 * Since we use the real file name for the smb_vop_remove we 386 * clear the SMB_IGNORE_CASE flag to ensure a case sensitive 387 * match. 388 * 389 * The second parameter of smb_vop_setattr() is set to 390 * NULL, even though an unnamed stream exists. This is 391 * because we want to set the UID and GID on the named 392 * stream in this case for consistency with the (unnamed 393 * stream) file (see comments for smb_vop_setattr()). 394 */ 395 static int 396 smb_fsop_create_stream(smb_request_t *sr, cred_t *cr, 397 smb_node_t *dnode, char *fname, char *sname, int flags, 398 smb_attr_t *attr, smb_node_t **ret_snode) 399 { 400 smb_node_t *fnode; 401 smb_attr_t fattr; 402 vnode_t *xattrdvp; 403 vnode_t *vp; 404 int rc = 0; 405 boolean_t fcreate = B_FALSE; 406 407 /* Look up / create the unnamed stream, fname */ 408 rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS, 409 sr->tid_tree->t_snode, dnode, fname, &fnode); 410 if (rc == ENOENT) { 411 fcreate = B_TRUE; 412 rc = smb_fsop_create_file(sr, cr, dnode, fname, flags, 413 attr, &fnode); 414 } 415 if (rc != 0) 416 return (rc); 417 418 fattr.sa_mask = SMB_AT_UID | SMB_AT_GID; 419 rc = smb_vop_getattr(fnode->vp, NULL, &fattr, 0, kcred); 420 421 if (rc == 0) { 422 /* create the named stream, sname */ 423 rc = smb_vop_stream_create(fnode->vp, sname, attr, 424 &vp, &xattrdvp, flags, cr); 425 } 426 if (rc != 0) { 427 if (fcreate) { 428 flags &= ~SMB_IGNORE_CASE; 429 (void) smb_vop_remove(dnode->vp, 430 fnode->od_name, flags, cr); 431 } 432 smb_node_release(fnode); 433 return (rc); 434 } 435 436 attr->sa_vattr.va_uid = fattr.sa_vattr.va_uid; 437 attr->sa_vattr.va_gid = fattr.sa_vattr.va_gid; 438 attr->sa_mask = SMB_AT_UID | SMB_AT_GID; 439 440 rc = smb_vop_setattr(vp, NULL, attr, 0, kcred); 441 if (rc != 0) { 442 smb_node_release(fnode); 443 return (rc); 444 } 445 446 *ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdvp, 447 vp, sname); 448 449 smb_node_release(fnode); 450 VN_RELE(xattrdvp); 451 VN_RELE(vp); 452 453 if (*ret_snode == NULL) 454 rc = ENOMEM; 455 456 return (rc); 457 } 458 459 /* 460 * smb_fsop_create_file 461 */ 462 static int 463 smb_fsop_create_file(smb_request_t *sr, cred_t *cr, 464 smb_node_t *dnode, char *name, int flags, 465 smb_attr_t *attr, smb_node_t **ret_snode) 466 { 467 open_param_t *op = &sr->arg.open; 468 vnode_t *vp; 469 smb_fssd_t fs_sd; 470 uint32_t secinfo; 471 uint32_t status; 472 int rc = 0; 473 474 if (op->sd) { 475 /* 476 * SD sent by client in Windows format. Needs to be 477 * converted to FS format. No inheritance. 478 */ 479 secinfo = smb_sd_get_secinfo(op->sd); 480 smb_fssd_init(&fs_sd, secinfo, 0); 481 482 status = smb_sd_tofs(op->sd, &fs_sd); 483 if (status == NT_STATUS_SUCCESS) { 484 rc = smb_fsop_create_with_sd(sr, cr, dnode, 485 name, attr, ret_snode, &fs_sd); 486 } else { 487 rc = EINVAL; 488 } 489 smb_fssd_term(&fs_sd); 490 } else if (sr->tid_tree->t_acltype == ACE_T) { 491 /* 492 * No incoming SD and filesystem is ZFS 493 * Server applies Windows inheritance rules, 494 * see smb_fsop_sdinherit() comments as to why. 495 */ 496 smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, 0); 497 rc = smb_fsop_sdinherit(sr, dnode, &fs_sd); 498 if (rc == 0) { 499 rc = smb_fsop_create_with_sd(sr, cr, dnode, 500 name, attr, ret_snode, &fs_sd); 501 } 502 503 smb_fssd_term(&fs_sd); 504 } else { 505 /* 506 * No incoming SD and filesystem is not ZFS 507 * let the filesystem handles the inheritance. 508 */ 509 rc = smb_vop_create(dnode->vp, name, attr, &vp, 510 flags, cr, NULL); 511 512 if (rc == 0) { 513 *ret_snode = smb_node_lookup(sr, op, cr, vp, 514 name, dnode, NULL); 515 516 if (*ret_snode == NULL) 517 rc = ENOMEM; 518 519 VN_RELE(vp); 520 } 521 522 } 523 return (rc); 524 } 525 526 /* 527 * smb_fsop_mkdir 528 * 529 * All SMB functions should use this wrapper to ensure that 530 * the the calls are performed with the appropriate credentials. 531 * Please document any direct call to explain the reason 532 * for avoiding this wrapper. 533 * 534 * It is assumed that a reference exists on snode coming into this routine. 535 * 536 * *ret_snode is returned with a reference upon success. No reference is 537 * taken if an error is returned. 538 */ 539 int 540 smb_fsop_mkdir( 541 smb_request_t *sr, 542 cred_t *cr, 543 smb_node_t *dnode, 544 char *name, 545 smb_attr_t *attr, 546 smb_node_t **ret_snode) 547 { 548 struct open_param *op = &sr->arg.open; 549 char *longname; 550 vnode_t *vp; 551 int flags = 0; 552 smb_fssd_t fs_sd; 553 uint32_t secinfo; 554 uint32_t status; 555 int rc; 556 ASSERT(cr); 557 ASSERT(dnode); 558 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 559 ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING); 560 561 ASSERT(ret_snode); 562 *ret_snode = 0; 563 564 ASSERT(name); 565 if (*name == 0) 566 return (EINVAL); 567 568 ASSERT(sr); 569 ASSERT(sr->tid_tree); 570 571 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0) 572 return (EACCES); 573 574 if (SMB_TREE_IS_READONLY(sr)) 575 return (EROFS); 576 if (SMB_TREE_SUPPORTS_CATIA(sr)) 577 flags |= SMB_CATIA; 578 if (SMB_TREE_SUPPORTS_ABE(sr)) 579 flags |= SMB_ABE; 580 581 if (smb_maybe_mangled_name(name)) { 582 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 583 rc = smb_unmangle_name(dnode, name, longname, 584 MAXNAMELEN, flags); 585 kmem_free(longname, MAXNAMELEN); 586 587 /* 588 * If the name passed in by the client has an unmangled 589 * equivalent that is found in the specified directory, 590 * then the mkdir cannot succeed. Return EEXIST. 591 * 592 * Only if ENOENT is returned will a mkdir be attempted. 593 */ 594 595 if (rc == 0) 596 rc = EEXIST; 597 598 if (rc != ENOENT) 599 return (rc); 600 } 601 602 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 603 flags = SMB_IGNORE_CASE; 604 605 if (op->sd) { 606 /* 607 * SD sent by client in Windows format. Needs to be 608 * converted to FS format. No inheritance. 609 */ 610 secinfo = smb_sd_get_secinfo(op->sd); 611 smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR); 612 613 status = smb_sd_tofs(op->sd, &fs_sd); 614 if (status == NT_STATUS_SUCCESS) { 615 rc = smb_fsop_create_with_sd(sr, cr, dnode, 616 name, attr, ret_snode, &fs_sd); 617 } 618 else 619 rc = EINVAL; 620 smb_fssd_term(&fs_sd); 621 } else if (sr->tid_tree->t_acltype == ACE_T) { 622 /* 623 * No incoming SD and filesystem is ZFS 624 * Server applies Windows inheritance rules, 625 * see smb_fsop_sdinherit() comments as to why. 626 */ 627 smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, SMB_FSSD_FLAGS_DIR); 628 rc = smb_fsop_sdinherit(sr, dnode, &fs_sd); 629 if (rc == 0) { 630 rc = smb_fsop_create_with_sd(sr, cr, dnode, 631 name, attr, ret_snode, &fs_sd); 632 } 633 634 smb_fssd_term(&fs_sd); 635 636 } else { 637 rc = smb_vop_mkdir(dnode->vp, name, attr, &vp, flags, cr, 638 NULL); 639 640 if (rc == 0) { 641 *ret_snode = smb_node_lookup(sr, op, cr, vp, name, 642 dnode, NULL); 643 644 if (*ret_snode == NULL) 645 rc = ENOMEM; 646 647 VN_RELE(vp); 648 } 649 } 650 651 return (rc); 652 } 653 654 /* 655 * smb_fsop_remove 656 * 657 * All SMB functions should use this wrapper to ensure that 658 * the the calls are performed with the appropriate credentials. 659 * Please document any direct call to explain the reason 660 * for avoiding this wrapper. 661 * 662 * It is assumed that a reference exists on snode coming into this routine. 663 * 664 * A null smb_request might be passed to this function. 665 */ 666 int 667 smb_fsop_remove( 668 smb_request_t *sr, 669 cred_t *cr, 670 smb_node_t *dnode, 671 char *name, 672 uint32_t flags) 673 { 674 smb_node_t *fnode; 675 char *longname; 676 char *fname; 677 char *sname; 678 int rc; 679 680 ASSERT(cr); 681 /* 682 * The state of the node could be SMB_NODE_STATE_DESTROYING if this 683 * function is called during the deletion of the node (because of 684 * DELETE_ON_CLOSE). 685 */ 686 ASSERT(dnode); 687 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 688 689 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 || 690 SMB_TREE_HAS_ACCESS(sr, ACE_DELETE) == 0) 691 return (EACCES); 692 693 if (SMB_TREE_IS_READONLY(sr)) 694 return (EROFS); 695 696 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 697 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 698 699 if (dnode->flags & NODE_XATTR_DIR) { 700 rc = smb_vop_stream_remove(dnode->n_dnode->vp, 701 name, flags, cr); 702 } else if (smb_is_stream_name(name)) { 703 smb_stream_parse_name(name, fname, sname); 704 705 /* 706 * Look up the unnamed stream (i.e. fname). 707 * Unmangle processing will be done on fname 708 * as well as any link target. 709 */ 710 711 rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS, 712 sr->tid_tree->t_snode, dnode, fname, &fnode); 713 714 if (rc != 0) { 715 kmem_free(fname, MAXNAMELEN); 716 kmem_free(sname, MAXNAMELEN); 717 return (rc); 718 } 719 720 /* 721 * XXX 722 * Need to find out what permission is required by NTFS 723 * to remove a stream. 724 */ 725 rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr); 726 727 smb_node_release(fnode); 728 } else { 729 rc = smb_vop_remove(dnode->vp, name, flags, cr); 730 731 if (rc == ENOENT) { 732 if (smb_maybe_mangled_name(name) == 0) { 733 kmem_free(fname, MAXNAMELEN); 734 kmem_free(sname, MAXNAMELEN); 735 return (rc); 736 } 737 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 738 739 if (SMB_TREE_SUPPORTS_ABE(sr)) 740 flags |= SMB_ABE; 741 742 rc = smb_unmangle_name(dnode, name, 743 longname, MAXNAMELEN, flags); 744 745 if (rc == 0) { 746 /* 747 * longname is the real (case-sensitive) 748 * on-disk name. 749 * We make sure we do a remove on this exact 750 * name, as the name was mangled and denotes 751 * a unique file. 752 */ 753 flags &= ~SMB_IGNORE_CASE; 754 rc = smb_vop_remove(dnode->vp, longname, 755 flags, cr); 756 } 757 758 kmem_free(longname, MAXNAMELEN); 759 } 760 } 761 762 kmem_free(fname, MAXNAMELEN); 763 kmem_free(sname, MAXNAMELEN); 764 return (rc); 765 } 766 767 /* 768 * smb_fsop_remove_streams 769 * 770 * This function removes a file's streams without removing the 771 * file itself. 772 * 773 * It is assumed that fnode is not a link. 774 */ 775 int 776 smb_fsop_remove_streams(smb_request_t *sr, cred_t *cr, smb_node_t *fnode) 777 { 778 int rc, flags = 0; 779 uint16_t odid; 780 smb_odir_t *od; 781 smb_odirent_t *odirent; 782 boolean_t eos; 783 784 ASSERT(sr); 785 ASSERT(cr); 786 ASSERT(fnode); 787 ASSERT(fnode->n_magic == SMB_NODE_MAGIC); 788 ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING); 789 790 if (SMB_TREE_CONTAINS_NODE(sr, fnode) == 0) { 791 smbsr_errno(sr, EACCES); 792 return (-1); 793 } 794 795 if (SMB_TREE_IS_READONLY(sr)) { 796 smbsr_errno(sr, EROFS); 797 return (-1); 798 } 799 800 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 801 flags = SMB_IGNORE_CASE; 802 803 if (SMB_TREE_SUPPORTS_CATIA(sr)) 804 flags |= SMB_CATIA; 805 806 if ((odid = smb_odir_openat(sr, fnode)) == 0) { 807 smbsr_errno(sr, ENOENT); 808 return (-1); 809 } 810 811 if ((od = smb_tree_lookup_odir(sr->tid_tree, odid)) == NULL) { 812 smbsr_errno(sr, ENOENT); 813 return (-1); 814 } 815 816 odirent = kmem_alloc(sizeof (smb_odirent_t), KM_SLEEP); 817 for (;;) { 818 rc = smb_odir_read(sr, od, odirent, &eos); 819 if ((rc != 0) || (eos)) 820 break; 821 (void) smb_vop_remove(od->d_dnode->vp, odirent->od_name, 822 flags, cr); 823 } 824 kmem_free(odirent, sizeof (smb_odirent_t)); 825 826 smb_odir_close(od); 827 smb_odir_release(od); 828 return (rc); 829 } 830 831 /* 832 * smb_fsop_rmdir 833 * 834 * All SMB functions should use this wrapper to ensure that 835 * the the calls are performed with the appropriate credentials. 836 * Please document any direct call to explain the reason 837 * for avoiding this wrapper. 838 * 839 * It is assumed that a reference exists on snode coming into this routine. 840 */ 841 int 842 smb_fsop_rmdir( 843 smb_request_t *sr, 844 cred_t *cr, 845 smb_node_t *dnode, 846 char *name, 847 uint32_t flags) 848 { 849 int rc; 850 char *longname; 851 852 ASSERT(cr); 853 /* 854 * The state of the node could be SMB_NODE_STATE_DESTROYING if this 855 * function is called during the deletion of the node (because of 856 * DELETE_ON_CLOSE). 857 */ 858 ASSERT(dnode); 859 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 860 861 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 || 862 SMB_TREE_HAS_ACCESS(sr, ACE_DELETE_CHILD) == 0) 863 return (EACCES); 864 865 if (SMB_TREE_IS_READONLY(sr)) 866 return (EROFS); 867 868 rc = smb_vop_rmdir(dnode->vp, name, flags, cr); 869 870 if (rc == ENOENT) { 871 if (smb_maybe_mangled_name(name) == 0) 872 return (rc); 873 874 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 875 876 if (SMB_TREE_SUPPORTS_ABE(sr)) 877 flags |= SMB_ABE; 878 rc = smb_unmangle_name(dnode, name, longname, 879 MAXNAMELEN, flags); 880 881 if (rc == 0) { 882 /* 883 * longname is the real (case-sensitive) 884 * on-disk name. 885 * We make sure we do a rmdir on this exact 886 * name, as the name was mangled and denotes 887 * a unique directory. 888 */ 889 flags &= ~SMB_IGNORE_CASE; 890 rc = smb_vop_rmdir(dnode->vp, longname, flags, cr); 891 } 892 893 kmem_free(longname, MAXNAMELEN); 894 } 895 896 return (rc); 897 } 898 899 /* 900 * smb_fsop_getattr 901 * 902 * All SMB functions should use this wrapper to ensure that 903 * the the calls are performed with the appropriate credentials. 904 * Please document any direct call to explain the reason 905 * for avoiding this wrapper. 906 * 907 * It is assumed that a reference exists on snode coming into this routine. 908 */ 909 int 910 smb_fsop_getattr(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 911 smb_attr_t *attr) 912 { 913 smb_node_t *unnamed_node; 914 vnode_t *unnamed_vp = NULL; 915 uint32_t status; 916 uint32_t access = 0; 917 int flags = 0; 918 int rc; 919 920 ASSERT(cr); 921 ASSERT(snode); 922 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 923 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 924 925 if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0 || 926 SMB_TREE_HAS_ACCESS(sr, ACE_READ_ATTRIBUTES) == 0) 927 return (EACCES); 928 929 /* sr could be NULL in some cases */ 930 if (sr && sr->fid_ofile) { 931 /* if uid and/or gid is requested */ 932 if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID)) 933 access |= READ_CONTROL; 934 935 /* if anything else is also requested */ 936 if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID)) 937 access |= FILE_READ_ATTRIBUTES; 938 939 status = smb_ofile_access(sr->fid_ofile, cr, access); 940 if (status != NT_STATUS_SUCCESS) 941 return (EACCES); 942 943 if (smb_tree_has_feature(sr->tid_tree, 944 SMB_TREE_ACEMASKONACCESS)) 945 flags = ATTR_NOACLCHECK; 946 } 947 948 unnamed_node = SMB_IS_STREAM(snode); 949 950 if (unnamed_node) { 951 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 952 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 953 unnamed_vp = unnamed_node->vp; 954 } 955 956 rc = smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr); 957 return (rc); 958 } 959 960 /* 961 * smb_fsop_link 962 * 963 * All SMB functions should use this smb_vop_link wrapper to ensure that 964 * the smb_vop_link is performed with the appropriate credentials. 965 * Please document any direct call to smb_vop_link to explain the reason 966 * for avoiding this wrapper. 967 * 968 * It is assumed that references exist on from_dnode and to_dnode coming 969 * into this routine. 970 */ 971 int 972 smb_fsop_link(smb_request_t *sr, cred_t *cr, smb_node_t *from_fnode, 973 smb_node_t *to_dnode, char *to_name) 974 { 975 char *longname = NULL; 976 int flags = 0; 977 int rc; 978 979 ASSERT(sr); 980 ASSERT(sr->tid_tree); 981 ASSERT(cr); 982 ASSERT(to_dnode); 983 ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC); 984 ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING); 985 ASSERT(from_fnode); 986 ASSERT(from_fnode->n_magic == SMB_NODE_MAGIC); 987 ASSERT(from_fnode->n_state != SMB_NODE_STATE_DESTROYING); 988 989 if (SMB_TREE_CONTAINS_NODE(sr, from_fnode) == 0) 990 return (EACCES); 991 992 if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0) 993 return (EACCES); 994 995 if (SMB_TREE_IS_READONLY(sr)) 996 return (EROFS); 997 998 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 999 flags = SMB_IGNORE_CASE; 1000 if (SMB_TREE_SUPPORTS_CATIA(sr)) 1001 flags |= SMB_CATIA; 1002 if (SMB_TREE_SUPPORTS_ABE(sr)) 1003 flags |= SMB_ABE; 1004 1005 if (smb_maybe_mangled_name(to_name)) { 1006 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1007 rc = smb_unmangle_name(to_dnode, to_name, 1008 longname, MAXNAMELEN, flags); 1009 kmem_free(longname, MAXNAMELEN); 1010 1011 if (rc == 0) 1012 rc = EEXIST; 1013 if (rc != ENOENT) 1014 return (rc); 1015 } 1016 1017 rc = smb_vop_link(to_dnode->vp, from_fnode->vp, to_name, flags, cr); 1018 return (rc); 1019 } 1020 1021 /* 1022 * smb_fsop_rename 1023 * 1024 * All SMB functions should use this smb_vop_rename wrapper to ensure that 1025 * the smb_vop_rename is performed with the appropriate credentials. 1026 * Please document any direct call to smb_vop_rename to explain the reason 1027 * for avoiding this wrapper. 1028 * 1029 * It is assumed that references exist on from_dnode and to_dnode coming 1030 * into this routine. 1031 */ 1032 int 1033 smb_fsop_rename( 1034 smb_request_t *sr, 1035 cred_t *cr, 1036 smb_node_t *from_dnode, 1037 char *from_name, 1038 smb_node_t *to_dnode, 1039 char *to_name) 1040 { 1041 smb_node_t *from_snode; 1042 vnode_t *from_vp; 1043 int flags = 0, ret_flags; 1044 int rc; 1045 boolean_t isdir; 1046 1047 ASSERT(cr); 1048 ASSERT(from_dnode); 1049 ASSERT(from_dnode->n_magic == SMB_NODE_MAGIC); 1050 ASSERT(from_dnode->n_state != SMB_NODE_STATE_DESTROYING); 1051 1052 ASSERT(to_dnode); 1053 ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC); 1054 ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING); 1055 1056 if (SMB_TREE_CONTAINS_NODE(sr, from_dnode) == 0) 1057 return (EACCES); 1058 1059 if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0) 1060 return (EACCES); 1061 1062 ASSERT(sr); 1063 ASSERT(sr->tid_tree); 1064 if (SMB_TREE_IS_READONLY(sr)) 1065 return (EROFS); 1066 1067 /* 1068 * Note: There is no need to check SMB_TREE_IS_CASEINSENSITIVE 1069 * here. 1070 * 1071 * A case-sensitive rename is always done in this routine 1072 * because we are using the on-disk name from an earlier lookup. 1073 * If a mangled name was passed in by the caller (denoting a 1074 * deterministic lookup), then the exact file must be renamed 1075 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or 1076 * else the underlying file system might return a "first-match" 1077 * on this on-disk name, possibly resulting in the wrong file). 1078 */ 1079 1080 if (SMB_TREE_SUPPORTS_CATIA(sr)) 1081 flags |= SMB_CATIA; 1082 1083 /* 1084 * XXX: Lock required through smb_node_release() below? 1085 */ 1086 1087 rc = smb_vop_lookup(from_dnode->vp, from_name, &from_vp, NULL, 1088 flags, &ret_flags, NULL, cr); 1089 1090 if (rc != 0) 1091 return (rc); 1092 1093 isdir = from_vp->v_type == VDIR; 1094 1095 if ((isdir && SMB_TREE_HAS_ACCESS(sr, 1096 ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY) != 1097 (ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY)) || 1098 (!isdir && SMB_TREE_HAS_ACCESS(sr, ACE_DELETE | ACE_ADD_FILE) != 1099 (ACE_DELETE | ACE_ADD_FILE))) 1100 return (EACCES); 1101 1102 /* 1103 * SMB checks access on open and retains an access granted 1104 * mask for use while the file is open. ACL changes should 1105 * not affect access to an open file. 1106 * 1107 * If the rename is being performed on an ofile: 1108 * - Check the ofile's access granted mask to see if the 1109 * rename is permitted - requires DELETE access. 1110 * - If the file system does access checking, set the 1111 * ATTR_NOACLCHECK flag to ensure that the file system 1112 * does not check permissions on subsequent calls. 1113 */ 1114 if (sr && sr->fid_ofile) { 1115 rc = smb_ofile_access(sr->fid_ofile, cr, DELETE); 1116 if (rc != NT_STATUS_SUCCESS) 1117 return (EACCES); 1118 1119 if (smb_tree_has_feature(sr->tid_tree, 1120 SMB_TREE_ACEMASKONACCESS)) 1121 flags = ATTR_NOACLCHECK; 1122 } 1123 1124 rc = smb_vop_rename(from_dnode->vp, from_name, to_dnode->vp, 1125 to_name, flags, cr); 1126 1127 if (rc == 0) { 1128 from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name, 1129 from_dnode, NULL); 1130 1131 if (from_snode == NULL) { 1132 rc = ENOMEM; 1133 } else { 1134 smb_node_rename(from_dnode, from_snode, 1135 to_dnode, to_name); 1136 smb_node_release(from_snode); 1137 } 1138 } 1139 VN_RELE(from_vp); 1140 1141 /* XXX: unlock */ 1142 1143 return (rc); 1144 } 1145 1146 /* 1147 * smb_fsop_setattr 1148 * 1149 * All SMB functions should use this wrapper to ensure that 1150 * the the calls are performed with the appropriate credentials. 1151 * Please document any direct call to explain the reason 1152 * for avoiding this wrapper. 1153 * 1154 * It is assumed that a reference exists on snode coming into 1155 * this function. 1156 * A null smb_request might be passed to this function. 1157 */ 1158 int 1159 smb_fsop_setattr( 1160 smb_request_t *sr, 1161 cred_t *cr, 1162 smb_node_t *snode, 1163 smb_attr_t *set_attr) 1164 { 1165 smb_node_t *unnamed_node; 1166 vnode_t *unnamed_vp = NULL; 1167 uint32_t status; 1168 uint32_t access; 1169 int rc = 0; 1170 int flags = 0; 1171 uint_t sa_mask; 1172 1173 ASSERT(cr); 1174 ASSERT(snode); 1175 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1176 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1177 1178 if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0) 1179 return (EACCES); 1180 1181 if (SMB_TREE_IS_READONLY(sr)) 1182 return (EROFS); 1183 1184 if (SMB_TREE_HAS_ACCESS(sr, 1185 ACE_WRITE_ATTRIBUTES | ACE_WRITE_NAMED_ATTRS) == 0) 1186 return (EACCES); 1187 1188 /* 1189 * The file system cannot detect pending READDONLY 1190 * (i.e. if the file has been opened readonly but 1191 * not yet closed) so we need to test READONLY here. 1192 */ 1193 if (sr && (set_attr->sa_mask & SMB_AT_SIZE)) { 1194 if (sr->fid_ofile) { 1195 if (SMB_OFILE_IS_READONLY(sr->fid_ofile)) 1196 return (EACCES); 1197 } else { 1198 if (SMB_PATHFILE_IS_READONLY(sr, snode)) 1199 return (EACCES); 1200 } 1201 } 1202 1203 /* 1204 * SMB checks access on open and retains an access granted 1205 * mask for use while the file is open. ACL changes should 1206 * not affect access to an open file. 1207 * 1208 * If the setattr is being performed on an ofile: 1209 * - Check the ofile's access granted mask to see if the 1210 * setattr is permitted. 1211 * UID, GID - require WRITE_OWNER 1212 * SIZE, ALLOCSZ - require FILE_WRITE_DATA 1213 * all other attributes require FILE_WRITE_ATTRIBUTES 1214 * 1215 * - If the file system does access checking, set the 1216 * ATTR_NOACLCHECK flag to ensure that the file system 1217 * does not check permissions on subsequent calls. 1218 */ 1219 if (sr && sr->fid_ofile) { 1220 sa_mask = set_attr->sa_mask; 1221 access = 0; 1222 1223 if (sa_mask & (SMB_AT_SIZE | SMB_AT_ALLOCSZ)) { 1224 access |= FILE_WRITE_DATA; 1225 sa_mask &= ~(SMB_AT_SIZE | SMB_AT_ALLOCSZ); 1226 } 1227 1228 if (sa_mask & (SMB_AT_UID|SMB_AT_GID)) { 1229 access |= WRITE_OWNER; 1230 sa_mask &= ~(SMB_AT_UID|SMB_AT_GID); 1231 } 1232 1233 if (sa_mask) 1234 access |= FILE_WRITE_ATTRIBUTES; 1235 1236 status = smb_ofile_access(sr->fid_ofile, cr, access); 1237 if (status != NT_STATUS_SUCCESS) 1238 return (EACCES); 1239 1240 if (smb_tree_has_feature(sr->tid_tree, 1241 SMB_TREE_ACEMASKONACCESS)) 1242 flags = ATTR_NOACLCHECK; 1243 } 1244 1245 unnamed_node = SMB_IS_STREAM(snode); 1246 1247 if (unnamed_node) { 1248 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1249 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1250 unnamed_vp = unnamed_node->vp; 1251 } 1252 1253 rc = smb_vop_setattr(snode->vp, unnamed_vp, set_attr, flags, cr); 1254 return (rc); 1255 } 1256 1257 /* 1258 * smb_fsop_read 1259 * 1260 * All SMB functions should use this wrapper to ensure that 1261 * the the calls are performed with the appropriate credentials. 1262 * Please document any direct call to explain the reason 1263 * for avoiding this wrapper. 1264 * 1265 * It is assumed that a reference exists on snode coming into this routine. 1266 */ 1267 int 1268 smb_fsop_read(smb_request_t *sr, cred_t *cr, smb_node_t *snode, uio_t *uio) 1269 { 1270 caller_context_t ct; 1271 int svmand; 1272 int rc; 1273 1274 ASSERT(cr); 1275 ASSERT(snode); 1276 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1277 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1278 1279 ASSERT(sr); 1280 ASSERT(sr->fid_ofile); 1281 1282 if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_DATA) == 0) 1283 return (EACCES); 1284 1285 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_READ_DATA); 1286 if (rc != NT_STATUS_SUCCESS) { 1287 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_EXECUTE); 1288 if (rc != NT_STATUS_SUCCESS) 1289 return (EACCES); 1290 } 1291 1292 /* 1293 * Streams permission are checked against the unnamed stream, 1294 * but in FS level they have their own permissions. To avoid 1295 * rejection by FS due to lack of permission on the actual 1296 * extended attr kcred is passed for streams. 1297 */ 1298 if (SMB_IS_STREAM(snode)) 1299 cr = kcred; 1300 1301 smb_node_start_crit(snode, RW_READER); 1302 rc = nbl_svmand(snode->vp, kcred, &svmand); 1303 if (rc) { 1304 smb_node_end_crit(snode); 1305 return (rc); 1306 } 1307 1308 ct = smb_ct; 1309 ct.cc_pid = sr->fid_ofile->f_uniqid; 1310 rc = nbl_lock_conflict(snode->vp, NBL_READ, uio->uio_loffset, 1311 uio->uio_iov->iov_len, svmand, &ct); 1312 1313 if (rc) { 1314 smb_node_end_crit(snode); 1315 return (ERANGE); 1316 } 1317 1318 rc = smb_vop_read(snode->vp, uio, cr); 1319 smb_node_end_crit(snode); 1320 1321 return (rc); 1322 } 1323 1324 /* 1325 * smb_fsop_write 1326 * 1327 * This is a wrapper function used for smb_write and smb_write_raw operations. 1328 * 1329 * It is assumed that a reference exists on snode coming into this routine. 1330 */ 1331 int 1332 smb_fsop_write( 1333 smb_request_t *sr, 1334 cred_t *cr, 1335 smb_node_t *snode, 1336 uio_t *uio, 1337 uint32_t *lcount, 1338 int ioflag) 1339 { 1340 caller_context_t ct; 1341 int svmand; 1342 int rc; 1343 1344 ASSERT(cr); 1345 ASSERT(snode); 1346 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1347 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1348 1349 ASSERT(sr); 1350 ASSERT(sr->tid_tree); 1351 ASSERT(sr->fid_ofile); 1352 1353 if (SMB_TREE_IS_READONLY(sr)) 1354 return (EROFS); 1355 1356 if (SMB_OFILE_IS_READONLY(sr->fid_ofile) || 1357 SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_DATA | ACE_APPEND_DATA) == 0) 1358 return (EACCES); 1359 1360 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_WRITE_DATA); 1361 if (rc != NT_STATUS_SUCCESS) { 1362 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_APPEND_DATA); 1363 if (rc != NT_STATUS_SUCCESS) 1364 return (EACCES); 1365 } 1366 1367 /* 1368 * Streams permission are checked against the unnamed stream, 1369 * but in FS level they have their own permissions. To avoid 1370 * rejection by FS due to lack of permission on the actual 1371 * extended attr kcred is passed for streams. 1372 */ 1373 if (SMB_IS_STREAM(snode)) 1374 cr = kcred; 1375 1376 smb_node_start_crit(snode, RW_READER); 1377 rc = nbl_svmand(snode->vp, kcred, &svmand); 1378 if (rc) { 1379 smb_node_end_crit(snode); 1380 return (rc); 1381 } 1382 1383 ct = smb_ct; 1384 ct.cc_pid = sr->fid_ofile->f_uniqid; 1385 rc = nbl_lock_conflict(snode->vp, NBL_WRITE, uio->uio_loffset, 1386 uio->uio_iov->iov_len, svmand, &ct); 1387 1388 if (rc) { 1389 smb_node_end_crit(snode); 1390 return (ERANGE); 1391 } 1392 1393 rc = smb_vop_write(snode->vp, uio, ioflag, lcount, cr); 1394 smb_node_end_crit(snode); 1395 1396 return (rc); 1397 } 1398 1399 /* 1400 * smb_fsop_statfs 1401 * 1402 * This is a wrapper function used for stat operations. 1403 */ 1404 int 1405 smb_fsop_statfs( 1406 cred_t *cr, 1407 smb_node_t *snode, 1408 struct statvfs64 *statp) 1409 { 1410 ASSERT(cr); 1411 ASSERT(snode); 1412 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1413 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1414 1415 return (smb_vop_statfs(snode->vp, statp, cr)); 1416 } 1417 1418 /* 1419 * smb_fsop_access 1420 * 1421 * Named streams do not have separate permissions from the associated 1422 * unnamed stream. Thus, if node is a named stream, the permissions 1423 * check will be performed on the associated unnamed stream. 1424 * 1425 * However, our named streams do have their own quarantine attribute, 1426 * separate from that on the unnamed stream. If READ or EXECUTE 1427 * access has been requested on a named stream, an additional access 1428 * check is performed on the named stream in case it has been 1429 * quarantined. kcred is used to avoid issues with the permissions 1430 * set on the extended attribute file representing the named stream. 1431 */ 1432 int 1433 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1434 uint32_t faccess) 1435 { 1436 int access = 0; 1437 int error; 1438 vnode_t *dir_vp; 1439 boolean_t acl_check = B_TRUE; 1440 smb_node_t *unnamed_node; 1441 1442 ASSERT(sr); 1443 ASSERT(cr); 1444 ASSERT(snode); 1445 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1446 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1447 1448 if (faccess == 0) 1449 return (NT_STATUS_SUCCESS); 1450 1451 if (SMB_TREE_IS_READONLY(sr)) { 1452 if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA| 1453 FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES| 1454 DELETE|WRITE_DAC|WRITE_OWNER)) { 1455 return (NT_STATUS_ACCESS_DENIED); 1456 } 1457 } 1458 1459 unnamed_node = SMB_IS_STREAM(snode); 1460 if (unnamed_node) { 1461 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1462 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1463 1464 /* 1465 * Perform VREAD access check on the named stream in case it 1466 * is quarantined. kcred is passed to smb_vop_access so it 1467 * doesn't fail due to lack of permission. 1468 */ 1469 if (faccess & (FILE_READ_DATA | FILE_EXECUTE)) { 1470 error = smb_vop_access(snode->vp, VREAD, 1471 0, NULL, kcred); 1472 if (error) 1473 return (NT_STATUS_ACCESS_DENIED); 1474 } 1475 1476 /* 1477 * Streams authorization should be performed against the 1478 * unnamed stream. 1479 */ 1480 snode = unnamed_node; 1481 } 1482 1483 if (faccess & ACCESS_SYSTEM_SECURITY) { 1484 /* 1485 * This permission is required for reading/writing SACL and 1486 * it's not part of DACL. It's only granted via proper 1487 * privileges. 1488 */ 1489 if ((sr->uid_user->u_privileges & 1490 (SMB_USER_PRIV_BACKUP | 1491 SMB_USER_PRIV_RESTORE | 1492 SMB_USER_PRIV_SECURITY)) == 0) 1493 return (NT_STATUS_PRIVILEGE_NOT_HELD); 1494 1495 faccess &= ~ACCESS_SYSTEM_SECURITY; 1496 } 1497 1498 /* Links don't have ACL */ 1499 if ((!smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) || 1500 smb_node_is_link(snode)) 1501 acl_check = B_FALSE; 1502 1503 /* 1504 * Use the most restrictive parts of both faccess and the 1505 * share access. An AND of the two value masks gives us that 1506 * since we've already converted to a mask of what we "can" 1507 * do. 1508 */ 1509 faccess &= sr->tid_tree->t_access; 1510 1511 if (acl_check) { 1512 dir_vp = (snode->n_dnode) ? snode->n_dnode->vp : NULL; 1513 error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp, 1514 cr); 1515 } else { 1516 /* 1517 * FS doesn't understand 32-bit mask, need to map 1518 */ 1519 if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA)) 1520 access |= VWRITE; 1521 1522 if (faccess & FILE_READ_DATA) 1523 access |= VREAD; 1524 1525 if (faccess & FILE_EXECUTE) 1526 access |= VEXEC; 1527 1528 error = smb_vop_access(snode->vp, access, 0, NULL, cr); 1529 } 1530 1531 return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS); 1532 } 1533 1534 /* 1535 * smb_fsop_lookup_name() 1536 * 1537 * If name indicates that the file is a stream file, perform 1538 * stream specific lookup, otherwise call smb_fsop_lookup. 1539 * 1540 * Return an error if the looked-up file is in outside the tree. 1541 * (Required when invoked from open path.) 1542 */ 1543 1544 int 1545 smb_fsop_lookup_name( 1546 smb_request_t *sr, 1547 cred_t *cr, 1548 int flags, 1549 smb_node_t *root_node, 1550 smb_node_t *dnode, 1551 char *name, 1552 smb_node_t **ret_snode) 1553 { 1554 smb_node_t *fnode; 1555 vnode_t *xattrdirvp; 1556 vnode_t *vp; 1557 char *od_name; 1558 char *fname; 1559 char *sname; 1560 int rc; 1561 1562 ASSERT(cr); 1563 ASSERT(dnode); 1564 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 1565 ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING); 1566 1567 /* 1568 * The following check is required for streams processing, below 1569 */ 1570 1571 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1572 flags |= SMB_IGNORE_CASE; 1573 1574 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1575 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1576 1577 if (smb_is_stream_name(name)) { 1578 smb_stream_parse_name(name, fname, sname); 1579 1580 /* 1581 * Look up the unnamed stream (i.e. fname). 1582 * Unmangle processing will be done on fname 1583 * as well as any link target. 1584 */ 1585 rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode, 1586 fname, &fnode); 1587 1588 if (rc != 0) { 1589 kmem_free(fname, MAXNAMELEN); 1590 kmem_free(sname, MAXNAMELEN); 1591 return (rc); 1592 } 1593 1594 od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1595 1596 /* 1597 * od_name is the on-disk name of the stream, except 1598 * without the prepended stream prefix (SMB_STREAM_PREFIX) 1599 */ 1600 1601 /* 1602 * XXX 1603 * What permissions NTFS requires for stream lookup if any? 1604 */ 1605 rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name, 1606 &xattrdirvp, flags, root_node->vp, cr); 1607 1608 if (rc != 0) { 1609 smb_node_release(fnode); 1610 kmem_free(fname, MAXNAMELEN); 1611 kmem_free(sname, MAXNAMELEN); 1612 kmem_free(od_name, MAXNAMELEN); 1613 return (rc); 1614 } 1615 1616 *ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp, 1617 vp, od_name); 1618 1619 kmem_free(od_name, MAXNAMELEN); 1620 smb_node_release(fnode); 1621 VN_RELE(xattrdirvp); 1622 VN_RELE(vp); 1623 1624 if (*ret_snode == NULL) { 1625 kmem_free(fname, MAXNAMELEN); 1626 kmem_free(sname, MAXNAMELEN); 1627 return (ENOMEM); 1628 } 1629 } else { 1630 rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode, name, 1631 ret_snode); 1632 } 1633 1634 if (rc == 0) { 1635 ASSERT(ret_snode); 1636 if (SMB_TREE_CONTAINS_NODE(sr, *ret_snode) == 0) { 1637 smb_node_release(*ret_snode); 1638 *ret_snode = NULL; 1639 rc = EACCES; 1640 } 1641 } 1642 1643 kmem_free(fname, MAXNAMELEN); 1644 kmem_free(sname, MAXNAMELEN); 1645 1646 return (rc); 1647 } 1648 1649 /* 1650 * smb_fsop_lookup 1651 * 1652 * All SMB functions should use this smb_vop_lookup wrapper to ensure that 1653 * the smb_vop_lookup is performed with the appropriate credentials and using 1654 * case insensitive compares. Please document any direct call to smb_vop_lookup 1655 * to explain the reason for avoiding this wrapper. 1656 * 1657 * It is assumed that a reference exists on dnode coming into this routine 1658 * (and that it is safe from deallocation). 1659 * 1660 * Same with the root_node. 1661 * 1662 * *ret_snode is returned with a reference upon success. No reference is 1663 * taken if an error is returned. 1664 * 1665 * Note: The returned ret_snode may be in a child mount. This is ok for 1666 * readdir. 1667 * 1668 * Other smb_fsop_* routines will call SMB_TREE_CONTAINS_NODE() to prevent 1669 * operations on files not in the parent mount. 1670 * 1671 * Case sensitivity flags (SMB_IGNORE_CASE, SMB_CASE_SENSITIVE): 1672 * if SMB_CASE_SENSITIVE is set, the SMB_IGNORE_CASE flag will NOT be set 1673 * based on the tree's case sensitivity. However, if the SMB_IGNORE_CASE 1674 * flag is set in the flags value passed as a parameter, a case insensitive 1675 * lookup WILL be done (regardless of whether SMB_CASE_SENSITIVE is set 1676 * or not). 1677 */ 1678 int 1679 smb_fsop_lookup( 1680 smb_request_t *sr, 1681 cred_t *cr, 1682 int flags, 1683 smb_node_t *root_node, 1684 smb_node_t *dnode, 1685 char *name, 1686 smb_node_t **ret_snode) 1687 { 1688 smb_node_t *lnk_target_node; 1689 smb_node_t *lnk_dnode; 1690 char *longname; 1691 char *od_name; 1692 vnode_t *vp; 1693 int rc; 1694 int ret_flags; 1695 1696 ASSERT(cr); 1697 ASSERT(dnode); 1698 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 1699 ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING); 1700 1701 if (name == NULL) 1702 return (EINVAL); 1703 1704 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0) 1705 return (EACCES); 1706 1707 if (!(flags & SMB_CASE_SENSITIVE)) { 1708 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1709 flags |= SMB_IGNORE_CASE; 1710 } 1711 if (SMB_TREE_SUPPORTS_CATIA(sr)) 1712 flags |= SMB_CATIA; 1713 if (SMB_TREE_SUPPORTS_ABE(sr)) 1714 flags |= SMB_ABE; 1715 1716 od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1717 1718 rc = smb_vop_lookup(dnode->vp, name, &vp, od_name, flags, 1719 &ret_flags, root_node ? root_node->vp : NULL, cr); 1720 1721 if (rc != 0) { 1722 if (smb_maybe_mangled_name(name) == 0) { 1723 kmem_free(od_name, MAXNAMELEN); 1724 return (rc); 1725 } 1726 1727 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1728 rc = smb_unmangle_name(dnode, name, longname, 1729 MAXNAMELEN, flags); 1730 if (rc != 0) { 1731 kmem_free(od_name, MAXNAMELEN); 1732 kmem_free(longname, MAXNAMELEN); 1733 return (rc); 1734 } 1735 1736 /* 1737 * longname is the real (case-sensitive) 1738 * on-disk name. 1739 * We make sure we do a lookup on this exact 1740 * name, as the name was mangled and denotes 1741 * a unique file. 1742 */ 1743 1744 if (flags & SMB_IGNORE_CASE) 1745 flags &= ~SMB_IGNORE_CASE; 1746 1747 rc = smb_vop_lookup(dnode->vp, longname, &vp, od_name, 1748 flags, &ret_flags, root_node ? root_node->vp : NULL, cr); 1749 1750 kmem_free(longname, MAXNAMELEN); 1751 1752 if (rc != 0) { 1753 kmem_free(od_name, MAXNAMELEN); 1754 return (rc); 1755 } 1756 } 1757 1758 if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK)) { 1759 1760 rc = smb_pathname(sr, od_name, FOLLOW, root_node, dnode, 1761 &lnk_dnode, &lnk_target_node, cr); 1762 1763 if (rc != 0) { 1764 /* 1765 * The link is assumed to be for the last component 1766 * of a path. Hence any ENOTDIR error will be returned 1767 * as ENOENT. 1768 */ 1769 if (rc == ENOTDIR) 1770 rc = ENOENT; 1771 1772 VN_RELE(vp); 1773 kmem_free(od_name, MAXNAMELEN); 1774 return (rc); 1775 } 1776 1777 /* 1778 * Release the original VLNK vnode 1779 */ 1780 1781 VN_RELE(vp); 1782 vp = lnk_target_node->vp; 1783 1784 rc = smb_vop_traverse_check(&vp); 1785 1786 if (rc != 0) { 1787 smb_node_release(lnk_dnode); 1788 smb_node_release(lnk_target_node); 1789 kmem_free(od_name, MAXNAMELEN); 1790 return (rc); 1791 } 1792 1793 /* 1794 * smb_vop_traverse_check() may have returned a different vnode 1795 */ 1796 1797 if (lnk_target_node->vp == vp) { 1798 *ret_snode = lnk_target_node; 1799 } else { 1800 *ret_snode = smb_node_lookup(sr, NULL, cr, vp, 1801 lnk_target_node->od_name, lnk_dnode, NULL); 1802 VN_RELE(vp); 1803 1804 if (*ret_snode == NULL) 1805 rc = ENOMEM; 1806 smb_node_release(lnk_target_node); 1807 } 1808 1809 smb_node_release(lnk_dnode); 1810 1811 } else { 1812 1813 rc = smb_vop_traverse_check(&vp); 1814 if (rc) { 1815 VN_RELE(vp); 1816 kmem_free(od_name, MAXNAMELEN); 1817 return (rc); 1818 } 1819 1820 *ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name, 1821 dnode, NULL); 1822 VN_RELE(vp); 1823 1824 if (*ret_snode == NULL) 1825 rc = ENOMEM; 1826 } 1827 1828 kmem_free(od_name, MAXNAMELEN); 1829 return (rc); 1830 } 1831 1832 int /*ARGSUSED*/ 1833 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode) 1834 { 1835 ASSERT(cr); 1836 ASSERT(snode); 1837 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1838 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1839 1840 ASSERT(sr); 1841 ASSERT(sr->tid_tree); 1842 if (SMB_TREE_IS_READONLY(sr)) 1843 return (EROFS); 1844 1845 return (smb_vop_commit(snode->vp, cr)); 1846 } 1847 1848 /* 1849 * smb_fsop_aclread 1850 * 1851 * Retrieve filesystem ACL. Depends on requested ACLs in 1852 * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in 1853 * fs_sd. Note that requesting a DACL/SACL doesn't mean that 1854 * the corresponding field in fs_sd should be non-NULL upon 1855 * return, since the target ACL might not contain that type of 1856 * entries. 1857 * 1858 * Returned ACL is always in ACE_T (aka ZFS) format. 1859 * If successful the allocated memory for the ACL should be freed 1860 * using smb_fsacl_free() or smb_fssd_term() 1861 */ 1862 int 1863 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1864 smb_fssd_t *fs_sd) 1865 { 1866 int error = 0; 1867 int flags = 0; 1868 int access = 0; 1869 acl_t *acl; 1870 smb_node_t *unnamed_node; 1871 1872 ASSERT(cr); 1873 1874 if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_ACL) == 0) 1875 return (EACCES); 1876 1877 if (sr->fid_ofile) { 1878 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 1879 access = READ_CONTROL; 1880 1881 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 1882 access |= ACCESS_SYSTEM_SECURITY; 1883 1884 error = smb_ofile_access(sr->fid_ofile, cr, access); 1885 if (error != NT_STATUS_SUCCESS) { 1886 return (EACCES); 1887 } 1888 } 1889 1890 unnamed_node = SMB_IS_STREAM(snode); 1891 if (unnamed_node) { 1892 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1893 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1894 /* 1895 * Streams don't have ACL, any read ACL attempt on a stream 1896 * should be performed on the unnamed stream. 1897 */ 1898 snode = unnamed_node; 1899 } 1900 1901 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) 1902 flags = ATTR_NOACLCHECK; 1903 1904 error = smb_vop_acl_read(snode->vp, &acl, flags, 1905 sr->tid_tree->t_acltype, cr); 1906 if (error != 0) { 1907 return (error); 1908 } 1909 1910 error = acl_translate(acl, _ACL_ACE_ENABLED, 1911 (snode->vp->v_type == VDIR), fs_sd->sd_uid, fs_sd->sd_gid); 1912 1913 if (error == 0) { 1914 smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl, 1915 fs_sd->sd_secinfo); 1916 } 1917 1918 acl_free(acl); 1919 return (error); 1920 } 1921 1922 /* 1923 * smb_fsop_aclwrite 1924 * 1925 * Stores the filesystem ACL provided in fs_sd->sd_acl. 1926 */ 1927 int 1928 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1929 smb_fssd_t *fs_sd) 1930 { 1931 int target_flavor; 1932 int error = 0; 1933 int flags = 0; 1934 int access = 0; 1935 acl_t *acl, *dacl, *sacl; 1936 smb_node_t *unnamed_node; 1937 1938 ASSERT(cr); 1939 1940 ASSERT(sr); 1941 ASSERT(sr->tid_tree); 1942 if (SMB_TREE_IS_READONLY(sr)) 1943 return (EROFS); 1944 1945 if (SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_ACL) == 0) 1946 return (EACCES); 1947 1948 if (sr->fid_ofile) { 1949 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 1950 access = WRITE_DAC; 1951 1952 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 1953 access |= ACCESS_SYSTEM_SECURITY; 1954 1955 error = smb_ofile_access(sr->fid_ofile, cr, access); 1956 if (error != NT_STATUS_SUCCESS) 1957 return (EACCES); 1958 } 1959 1960 switch (sr->tid_tree->t_acltype) { 1961 case ACLENT_T: 1962 target_flavor = _ACL_ACLENT_ENABLED; 1963 break; 1964 1965 case ACE_T: 1966 target_flavor = _ACL_ACE_ENABLED; 1967 break; 1968 default: 1969 return (EINVAL); 1970 } 1971 1972 unnamed_node = SMB_IS_STREAM(snode); 1973 if (unnamed_node) { 1974 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1975 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1976 /* 1977 * Streams don't have ACL, any write ACL attempt on a stream 1978 * should be performed on the unnamed stream. 1979 */ 1980 snode = unnamed_node; 1981 } 1982 1983 dacl = fs_sd->sd_zdacl; 1984 sacl = fs_sd->sd_zsacl; 1985 1986 ASSERT(dacl || sacl); 1987 if ((dacl == NULL) && (sacl == NULL)) 1988 return (EINVAL); 1989 1990 if (dacl && sacl) 1991 acl = smb_fsacl_merge(dacl, sacl); 1992 else if (dacl) 1993 acl = dacl; 1994 else 1995 acl = sacl; 1996 1997 error = acl_translate(acl, target_flavor, (snode->vp->v_type == VDIR), 1998 fs_sd->sd_uid, fs_sd->sd_gid); 1999 if (error == 0) { 2000 if (smb_tree_has_feature(sr->tid_tree, 2001 SMB_TREE_ACEMASKONACCESS)) 2002 flags = ATTR_NOACLCHECK; 2003 2004 error = smb_vop_acl_write(snode->vp, acl, flags, cr); 2005 } 2006 2007 if (dacl && sacl) 2008 acl_free(acl); 2009 2010 return (error); 2011 } 2012 2013 acl_type_t 2014 smb_fsop_acltype(smb_node_t *snode) 2015 { 2016 return (smb_vop_acl_type(snode->vp)); 2017 } 2018 2019 /* 2020 * smb_fsop_sdread 2021 * 2022 * Read the requested security descriptor items from filesystem. 2023 * The items are specified in fs_sd->sd_secinfo. 2024 */ 2025 int 2026 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2027 smb_fssd_t *fs_sd) 2028 { 2029 int error = 0; 2030 int getowner = 0; 2031 cred_t *ga_cred; 2032 smb_attr_t attr; 2033 2034 ASSERT(cr); 2035 ASSERT(fs_sd); 2036 2037 /* 2038 * File's uid/gid is fetched in two cases: 2039 * 2040 * 1. it's explicitly requested 2041 * 2042 * 2. target ACL is ACE_T (ZFS ACL). They're needed for 2043 * owner@/group@ entries. In this case kcred should be used 2044 * because uid/gid are fetched on behalf of smb server. 2045 */ 2046 if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) { 2047 getowner = 1; 2048 ga_cred = cr; 2049 } else if (sr->tid_tree->t_acltype == ACE_T) { 2050 getowner = 1; 2051 ga_cred = kcred; 2052 } 2053 2054 if (getowner) { 2055 /* 2056 * Windows require READ_CONTROL to read owner/group SID since 2057 * they're part of Security Descriptor. 2058 * ZFS only requires read_attribute. Need to have a explicit 2059 * access check here. 2060 */ 2061 if (sr->fid_ofile == NULL) { 2062 error = smb_fsop_access(sr, ga_cred, snode, 2063 READ_CONTROL); 2064 if (error) 2065 return (EACCES); 2066 } 2067 2068 attr.sa_mask = SMB_AT_UID | SMB_AT_GID; 2069 error = smb_fsop_getattr(sr, ga_cred, snode, &attr); 2070 if (error == 0) { 2071 fs_sd->sd_uid = attr.sa_vattr.va_uid; 2072 fs_sd->sd_gid = attr.sa_vattr.va_gid; 2073 } else { 2074 return (error); 2075 } 2076 } 2077 2078 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 2079 error = smb_fsop_aclread(sr, cr, snode, fs_sd); 2080 } 2081 2082 return (error); 2083 } 2084 2085 /* 2086 * smb_fsop_sdmerge 2087 * 2088 * From SMB point of view DACL and SACL are two separate list 2089 * which can be manipulated independently without one affecting 2090 * the other, but entries for both DACL and SACL will end up 2091 * in the same ACL if target filesystem supports ACE_T ACLs. 2092 * 2093 * So, if either DACL or SACL is present in the client set request 2094 * the entries corresponding to the non-present ACL shouldn't 2095 * be touched in the FS ACL. 2096 * 2097 * fs_sd parameter contains DACL and SACL specified by SMB 2098 * client to be set on a file/directory. The client could 2099 * specify both or one of these ACLs (if none is specified 2100 * we don't get this far). When both DACL and SACL are given 2101 * by client the existing ACL should be overwritten. If only 2102 * one of them is specified the entries corresponding to the other 2103 * ACL should not be touched. For example, if only DACL 2104 * is specified in input fs_sd, the function reads audit entries 2105 * of the existing ACL of the file and point fs_sd->sd_zsdacl 2106 * pointer to the fetched SACL, this way when smb_fsop_sdwrite() 2107 * function is called the passed fs_sd would point to the specified 2108 * DACL by client and fetched SACL from filesystem, so the file 2109 * will end up with correct ACL. 2110 */ 2111 static int 2112 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd) 2113 { 2114 smb_fssd_t cur_sd; 2115 int error = 0; 2116 2117 if (sr->tid_tree->t_acltype != ACE_T) 2118 /* Don't bother if target FS doesn't support ACE_T */ 2119 return (0); 2120 2121 if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) { 2122 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) { 2123 /* 2124 * Don't overwrite existing audit entries 2125 */ 2126 smb_fssd_init(&cur_sd, SMB_SACL_SECINFO, 2127 fs_sd->sd_flags); 2128 2129 error = smb_fsop_sdread(sr, kcred, snode, &cur_sd); 2130 if (error == 0) { 2131 ASSERT(fs_sd->sd_zsacl == NULL); 2132 fs_sd->sd_zsacl = cur_sd.sd_zsacl; 2133 if (fs_sd->sd_zsacl && fs_sd->sd_zdacl) 2134 fs_sd->sd_zsacl->acl_flags = 2135 fs_sd->sd_zdacl->acl_flags; 2136 } 2137 } else { 2138 /* 2139 * Don't overwrite existing access entries 2140 */ 2141 smb_fssd_init(&cur_sd, SMB_DACL_SECINFO, 2142 fs_sd->sd_flags); 2143 2144 error = smb_fsop_sdread(sr, kcred, snode, &cur_sd); 2145 if (error == 0) { 2146 ASSERT(fs_sd->sd_zdacl == NULL); 2147 fs_sd->sd_zdacl = cur_sd.sd_zdacl; 2148 if (fs_sd->sd_zdacl && fs_sd->sd_zsacl) 2149 fs_sd->sd_zdacl->acl_flags = 2150 fs_sd->sd_zsacl->acl_flags; 2151 } 2152 } 2153 2154 if (error) 2155 smb_fssd_term(&cur_sd); 2156 } 2157 2158 return (error); 2159 } 2160 2161 /* 2162 * smb_fsop_sdwrite 2163 * 2164 * Stores the given uid, gid and acl in filesystem. 2165 * Provided items in fs_sd are specified by fs_sd->sd_secinfo. 2166 * 2167 * A SMB security descriptor could contain owner, primary group, 2168 * DACL and SACL. Setting an SD should be atomic but here it has to 2169 * be done via two separate FS operations: VOP_SETATTR and 2170 * VOP_SETSECATTR. Therefore, this function has to simulate the 2171 * atomicity as well as it can. 2172 * 2173 * Get the current uid, gid before setting the new uid/gid 2174 * so if smb_fsop_aclwrite fails they can be restored. root cred is 2175 * used to get currend uid/gid since this operation is performed on 2176 * behalf of the server not the user. 2177 * 2178 * If setting uid/gid fails with EPERM it means that and invalid 2179 * owner has been specified. Callers should translate this to 2180 * STATUS_INVALID_OWNER which is not the normal mapping for EPERM 2181 * in upper layers, so EPERM is mapped to EBADE. 2182 */ 2183 int 2184 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2185 smb_fssd_t *fs_sd, int overwrite) 2186 { 2187 int error = 0; 2188 int access = 0; 2189 smb_attr_t set_attr; 2190 smb_attr_t orig_attr; 2191 2192 ASSERT(cr); 2193 ASSERT(fs_sd); 2194 2195 ASSERT(sr); 2196 ASSERT(sr->tid_tree); 2197 if (SMB_TREE_IS_READONLY(sr)) 2198 return (EROFS); 2199 2200 bzero(&set_attr, sizeof (smb_attr_t)); 2201 2202 if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) { 2203 set_attr.sa_vattr.va_uid = fs_sd->sd_uid; 2204 set_attr.sa_mask |= SMB_AT_UID; 2205 access |= WRITE_OWNER; 2206 } 2207 2208 if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) { 2209 set_attr.sa_vattr.va_gid = fs_sd->sd_gid; 2210 set_attr.sa_mask |= SMB_AT_GID; 2211 access |= WRITE_OWNER; 2212 } 2213 2214 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 2215 access |= WRITE_DAC; 2216 2217 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 2218 access |= ACCESS_SYSTEM_SECURITY; 2219 2220 if (sr->fid_ofile) 2221 error = smb_ofile_access(sr->fid_ofile, cr, access); 2222 else 2223 error = smb_fsop_access(sr, cr, snode, access); 2224 2225 if (error) 2226 return (EACCES); 2227 2228 if (set_attr.sa_mask) { 2229 orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID; 2230 error = smb_fsop_getattr(sr, kcred, snode, &orig_attr); 2231 if (error == 0) { 2232 error = smb_fsop_setattr(sr, cr, snode, &set_attr); 2233 if (error == EPERM) 2234 error = EBADE; 2235 } 2236 2237 if (error) 2238 return (error); 2239 } 2240 2241 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 2242 if (overwrite == 0) { 2243 error = smb_fsop_sdmerge(sr, snode, fs_sd); 2244 if (error) 2245 return (error); 2246 } 2247 2248 error = smb_fsop_aclwrite(sr, cr, snode, fs_sd); 2249 if (error) { 2250 /* 2251 * Revert uid/gid changes if required. 2252 */ 2253 if (set_attr.sa_mask) { 2254 orig_attr.sa_mask = set_attr.sa_mask; 2255 (void) smb_fsop_setattr(sr, kcred, snode, 2256 &orig_attr); 2257 } 2258 } 2259 } 2260 2261 return (error); 2262 } 2263 2264 /* 2265 * smb_fsop_sdinherit 2266 * 2267 * Inherit the security descriptor from the parent container. 2268 * This function is called after FS has created the file/folder 2269 * so if this doesn't do anything it means FS inheritance is 2270 * in place. 2271 * 2272 * Do inheritance for ZFS internally. 2273 * 2274 * If we want to let ZFS does the inheritance the 2275 * following setting should be true: 2276 * 2277 * - aclinherit = passthrough 2278 * - aclmode = passthrough 2279 * - smbd umask = 0777 2280 * 2281 * This will result in right effective permissions but 2282 * ZFS will always add 6 ACEs for owner, owning group 2283 * and others to be POSIX compliant. This is not what 2284 * Windows clients/users expect, so we decided that CIFS 2285 * implements Windows rules and overwrite whatever ZFS 2286 * comes up with. This way we also don't have to care 2287 * about ZFS aclinherit and aclmode settings. 2288 */ 2289 static int 2290 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd) 2291 { 2292 int is_dir; 2293 acl_t *dacl = NULL; 2294 acl_t *sacl = NULL; 2295 ksid_t *owner_sid; 2296 int error; 2297 2298 ASSERT(fs_sd); 2299 2300 if (sr->tid_tree->t_acltype != ACE_T) { 2301 /* 2302 * No forced inheritance for non-ZFS filesystems. 2303 */ 2304 fs_sd->sd_secinfo = 0; 2305 return (0); 2306 } 2307 2308 2309 /* Fetch parent directory's ACL */ 2310 error = smb_fsop_sdread(sr, kcred, dnode, fs_sd); 2311 if (error) { 2312 return (error); 2313 } 2314 2315 is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR); 2316 owner_sid = crgetsid(sr->user_cr, KSID_OWNER); 2317 ASSERT(owner_sid); 2318 dacl = smb_fsacl_inherit(fs_sd->sd_zdacl, is_dir, SMB_DACL_SECINFO, 2319 owner_sid->ks_id); 2320 sacl = smb_fsacl_inherit(fs_sd->sd_zsacl, is_dir, SMB_SACL_SECINFO, 2321 (uid_t)-1); 2322 2323 if (sacl == NULL) 2324 fs_sd->sd_secinfo &= ~SMB_SACL_SECINFO; 2325 2326 smb_fsacl_free(fs_sd->sd_zdacl); 2327 smb_fsacl_free(fs_sd->sd_zsacl); 2328 2329 fs_sd->sd_zdacl = dacl; 2330 fs_sd->sd_zsacl = sacl; 2331 2332 return (0); 2333 } 2334 2335 /* 2336 * smb_fsop_eaccess 2337 * 2338 * Returns the effective permission of the given credential for the 2339 * specified object. 2340 * 2341 * This is just a workaround. We need VFS/FS support for this. 2342 */ 2343 void 2344 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2345 uint32_t *eaccess) 2346 { 2347 int access = 0; 2348 vnode_t *dir_vp; 2349 smb_node_t *unnamed_node; 2350 2351 ASSERT(cr); 2352 ASSERT(snode); 2353 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 2354 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 2355 2356 unnamed_node = SMB_IS_STREAM(snode); 2357 if (unnamed_node) { 2358 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 2359 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 2360 /* 2361 * Streams authorization should be performed against the 2362 * unnamed stream. 2363 */ 2364 snode = unnamed_node; 2365 } 2366 2367 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) { 2368 dir_vp = (snode->n_dnode) ? snode->n_dnode->vp : NULL; 2369 smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp, 2370 cr); 2371 return; 2372 } 2373 2374 /* 2375 * FS doesn't understand 32-bit mask 2376 */ 2377 smb_vop_eaccess(snode->vp, &access, 0, NULL, cr); 2378 access &= sr->tid_tree->t_access; 2379 2380 *eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES; 2381 2382 if (access & VREAD) 2383 *eaccess |= FILE_READ_DATA; 2384 2385 if (access & VEXEC) 2386 *eaccess |= FILE_EXECUTE; 2387 2388 if (access & VWRITE) 2389 *eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | 2390 FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD; 2391 } 2392 2393 /* 2394 * smb_fsop_shrlock 2395 * 2396 * For the current open request, check file sharing rules 2397 * against existing opens. 2398 * 2399 * Returns NT_STATUS_SHARING_VIOLATION if there is any 2400 * sharing conflict. Returns NT_STATUS_SUCCESS otherwise. 2401 * 2402 * Full system-wide share reservation synchronization is available 2403 * when the nbmand (non-blocking mandatory) mount option is set 2404 * (i.e. nbl_need_crit() is true) and nbmand critical regions are used. 2405 * This provides synchronization with NFS and local processes. The 2406 * critical regions are entered in VOP_SHRLOCK()/fs_shrlock() (called 2407 * from smb_open_subr()/smb_fsop_shrlock()/smb_vop_shrlock()) as well 2408 * as the CIFS rename and delete paths. 2409 * 2410 * The CIFS server will also enter the nbl critical region in the open, 2411 * rename, and delete paths when nbmand is not set. There is limited 2412 * coordination with local and VFS share reservations in this case. 2413 * Note that when the nbmand mount option is not set, the VFS layer 2414 * only processes advisory reservations and the delete mode is not checked. 2415 * 2416 * Whether or not the nbmand mount option is set, intra-CIFS share 2417 * checking is done in the open, delete, and rename paths using a CIFS 2418 * critical region (node->n_share_lock). 2419 */ 2420 2421 uint32_t 2422 smb_fsop_shrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid, 2423 uint32_t desired_access, uint32_t share_access) 2424 { 2425 int rc; 2426 2427 if (smb_node_is_dir(node)) 2428 return (NT_STATUS_SUCCESS); 2429 2430 /* Allow access if the request is just for meta data */ 2431 if ((desired_access & FILE_DATA_ALL) == 0) 2432 return (NT_STATUS_SUCCESS); 2433 2434 rc = smb_node_open_check(node, cr, desired_access, share_access); 2435 if (rc) 2436 return (NT_STATUS_SHARING_VIOLATION); 2437 2438 rc = smb_vop_shrlock(node->vp, uniq_fid, desired_access, share_access, 2439 cr); 2440 if (rc) 2441 return (NT_STATUS_SHARING_VIOLATION); 2442 2443 return (NT_STATUS_SUCCESS); 2444 } 2445 2446 void 2447 smb_fsop_unshrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid) 2448 { 2449 if (smb_node_is_dir(node)) 2450 return; 2451 2452 (void) smb_vop_unshrlock(node->vp, uniq_fid, cr); 2453 } 2454 2455 int 2456 smb_fsop_frlock(smb_node_t *node, smb_lock_t *lock, boolean_t unlock, 2457 cred_t *cr) 2458 { 2459 flock64_t bf; 2460 int flag = F_REMOTELOCK; 2461 2462 /* 2463 * VOP_FRLOCK() will not be called if: 2464 * 2465 * 1) The lock has a range of zero bytes. The semantics of Windows and 2466 * POSIX are different. In the case of POSIX it asks for the locking 2467 * of all the bytes from the offset provided until the end of the 2468 * file. In the case of Windows a range of zero locks nothing and 2469 * doesn't conflict with any other lock. 2470 * 2471 * 2) The lock rolls over (start + lenght < start). Solaris will assert 2472 * if such a request is submitted. This will not create 2473 * incompatibilities between POSIX and Windows. In the Windows world, 2474 * if a client submits such a lock, the server will not lock any 2475 * bytes. Interestingly if the same lock (same offset and length) is 2476 * resubmitted Windows will consider that there is an overlap and 2477 * the granting rules will then apply. 2478 */ 2479 if ((lock->l_length == 0) || 2480 ((lock->l_start + lock->l_length - 1) < lock->l_start)) 2481 return (0); 2482 2483 bzero(&bf, sizeof (bf)); 2484 2485 if (unlock) { 2486 bf.l_type = F_UNLCK; 2487 } else if (lock->l_type == SMB_LOCK_TYPE_READONLY) { 2488 bf.l_type = F_RDLCK; 2489 flag |= FREAD; 2490 } else if (lock->l_type == SMB_LOCK_TYPE_READWRITE) { 2491 bf.l_type = F_WRLCK; 2492 flag |= FWRITE; 2493 } 2494 2495 bf.l_start = lock->l_start; 2496 bf.l_len = lock->l_length; 2497 bf.l_pid = lock->l_file->f_uniqid; 2498 bf.l_sysid = smb_ct.cc_sysid; 2499 2500 return (smb_vop_frlock(node->vp, cr, flag, &bf)); 2501 } 2502