1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/sid.h> 27 #include <sys/nbmlock.h> 28 #include <smbsrv/smb_fsops.h> 29 #include <smbsrv/smb_kproto.h> 30 #include <smbsrv/ntstatus.h> 31 #include <smbsrv/ntaccess.h> 32 #include <smbsrv/smb_incl.h> 33 #include <acl/acl_common.h> 34 #include <sys/fcntl.h> 35 #include <sys/flock.h> 36 #include <fs/fs_subr.h> 37 38 extern caller_context_t smb_ct; 39 40 extern int smb_fem_oplock_install(smb_node_t *); 41 extern void smb_fem_oplock_uninstall(smb_node_t *); 42 43 extern int smb_vop_other_opens(vnode_t *, int); 44 45 static int smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, 46 smb_fssd_t *fs_sd); 47 48 /* 49 * The smb_fsop_* functions have knowledge of CIFS semantics. 50 * 51 * The smb_vop_* functions have minimal knowledge of CIFS semantics and 52 * serve as an interface to the VFS layer. 53 * 54 * Hence, smb_request_t and smb_node_t structures should not be passed 55 * from the smb_fsop_* layer to the smb_vop_* layer. 56 * 57 * In general, CIFS service code should only ever call smb_fsop_* 58 * functions directly, and never smb_vop_* functions directly. 59 * 60 * smb_fsop_* functions should call smb_vop_* functions where possible, instead 61 * of their smb_fsop_* counterparts. However, there are times when 62 * this cannot be avoided. 63 */ 64 65 /* 66 * Note: Stream names cannot be mangled. 67 */ 68 69 /* 70 * smb_fsop_amask_to_omode 71 * 72 * Convert the access mask to the open mode (for use 73 * with the VOP_OPEN call). 74 * 75 * Note that opening a file for attribute only access 76 * will also translate into an FREAD or FWRITE open mode 77 * (i.e., it's not just for data). 78 * 79 * This is needed so that opens are tracked appropriately 80 * for oplock processing. 81 */ 82 83 int 84 smb_fsop_amask_to_omode(uint32_t access) 85 { 86 int mode = 0; 87 88 if (access & (FILE_READ_DATA | FILE_EXECUTE | 89 FILE_READ_ATTRIBUTES | FILE_READ_EA)) 90 mode |= FREAD; 91 92 if (access & (FILE_WRITE_DATA | FILE_APPEND_DATA | 93 FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA)) 94 mode |= FWRITE; 95 96 if (access & FILE_APPEND_DATA) 97 mode |= FAPPEND; 98 99 return (mode); 100 } 101 102 int 103 smb_fsop_open(smb_node_t *node, int mode, cred_t *cred) 104 { 105 /* 106 * Assuming that the same vnode is returned as we had before. 107 * (I.e., with certain types of files or file systems, a 108 * different vnode might be returned by VOP_OPEN) 109 */ 110 return (smb_vop_open(&node->vp, mode, cred)); 111 } 112 113 void 114 smb_fsop_close(smb_node_t *node, int mode, cred_t *cred) 115 { 116 smb_vop_close(node->vp, mode, cred); 117 } 118 119 int 120 smb_fsop_oplock_install(smb_node_t *node, int mode) 121 { 122 int rc; 123 124 if (smb_vop_other_opens(node->vp, mode)) 125 return (EMFILE); 126 127 if ((rc = smb_fem_oplock_install(node))) 128 return (rc); 129 130 if (smb_vop_other_opens(node->vp, mode)) { 131 (void) smb_fem_oplock_uninstall(node); 132 return (EMFILE); 133 } 134 135 return (0); 136 } 137 138 void 139 smb_fsop_oplock_uninstall(smb_node_t *node) 140 { 141 smb_fem_oplock_uninstall(node); 142 } 143 144 static int 145 smb_fsop_create_with_sd( 146 smb_request_t *sr, 147 cred_t *cr, 148 smb_node_t *dir_snode, 149 char *name, 150 smb_attr_t *attr, 151 smb_node_t **ret_snode, 152 smb_attr_t *ret_attr, 153 smb_fssd_t *fs_sd) 154 { 155 vsecattr_t *vsap; 156 vsecattr_t vsecattr; 157 acl_t *acl, *dacl, *sacl; 158 smb_attr_t set_attr; 159 vnode_t *vp; 160 int aclbsize = 0; /* size of acl list in bytes */ 161 int flags = 0; 162 int rc; 163 boolean_t is_dir; 164 165 ASSERT(fs_sd); 166 167 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 168 flags = SMB_IGNORE_CASE; 169 170 ASSERT(cr); 171 172 is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0); 173 174 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACLONCREATE)) { 175 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 176 dacl = fs_sd->sd_zdacl; 177 sacl = fs_sd->sd_zsacl; 178 ASSERT(dacl || sacl); 179 if (dacl && sacl) { 180 acl = smb_fsacl_merge(dacl, sacl); 181 } else if (dacl) { 182 acl = dacl; 183 } else { 184 acl = sacl; 185 } 186 187 rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize); 188 189 if (dacl && sacl) 190 acl_free(acl); 191 192 if (rc != 0) 193 return (rc); 194 195 vsap = &vsecattr; 196 } else { 197 vsap = NULL; 198 } 199 200 /* The tree ACEs may prevent a create */ 201 rc = EACCES; 202 if (is_dir) { 203 if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_SUBDIRECTORY) != 0) 204 rc = smb_vop_mkdir(dir_snode->vp, name, attr, 205 &vp, flags, cr, vsap); 206 } else { 207 if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_FILE) != 0) 208 rc = smb_vop_create(dir_snode->vp, name, attr, 209 &vp, flags, cr, vsap); 210 } 211 212 if (vsap != NULL) 213 kmem_free(vsap->vsa_aclentp, aclbsize); 214 215 if (rc != 0) 216 return (rc); 217 218 set_attr.sa_mask = 0; 219 220 /* 221 * Ideally we should be able to specify the owner and owning 222 * group at create time along with the ACL. Since we cannot 223 * do that right now, kcred is passed to smb_vop_setattr so it 224 * doesn't fail due to lack of permission. 225 */ 226 if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) { 227 set_attr.sa_vattr.va_uid = fs_sd->sd_uid; 228 set_attr.sa_mask |= SMB_AT_UID; 229 } 230 231 if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) { 232 set_attr.sa_vattr.va_gid = fs_sd->sd_gid; 233 set_attr.sa_mask |= SMB_AT_GID; 234 } 235 236 if (set_attr.sa_mask) 237 rc = smb_vop_setattr(vp, NULL, &set_attr, 0, kcred); 238 239 if (rc == 0) { 240 *ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, 241 name, dir_snode, NULL, ret_attr); 242 243 if (*ret_snode == NULL) 244 rc = ENOMEM; 245 246 VN_RELE(vp); 247 } 248 } else { 249 /* 250 * For filesystems that don't support ACL-on-create, try 251 * to set the specified SD after create, which could actually 252 * fail because of conflicts between inherited security 253 * attributes upon creation and the specified SD. 254 * 255 * Passing kcred to smb_fsop_sdwrite() to overcome this issue. 256 */ 257 258 if (is_dir) { 259 rc = smb_vop_mkdir(dir_snode->vp, name, attr, &vp, 260 flags, cr, NULL); 261 } else { 262 rc = smb_vop_create(dir_snode->vp, name, attr, &vp, 263 flags, cr, NULL); 264 } 265 266 if (rc != 0) 267 return (rc); 268 269 *ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, 270 name, dir_snode, NULL, ret_attr); 271 272 if (*ret_snode != NULL) { 273 if (!smb_tree_has_feature(sr->tid_tree, 274 SMB_TREE_NFS_MOUNTED)) 275 rc = smb_fsop_sdwrite(sr, kcred, *ret_snode, 276 fs_sd, 1); 277 } else { 278 rc = ENOMEM; 279 } 280 281 VN_RELE(vp); 282 } 283 284 if (rc != 0) { 285 if (is_dir) 286 (void) smb_vop_rmdir(dir_snode->vp, name, flags, cr); 287 else 288 (void) smb_vop_remove(dir_snode->vp, name, flags, cr); 289 } 290 291 return (rc); 292 } 293 294 /* 295 * smb_fsop_create 296 * 297 * All SMB functions should use this wrapper to ensure that 298 * all the smb_vop_creates are performed with the appropriate credentials. 299 * Please document any direct calls to explain the reason 300 * for avoiding this wrapper. 301 * 302 * It is assumed that a reference exists on snode coming into this routine. 303 * 304 * *ret_snode is returned with a reference upon success. No reference is 305 * taken if an error is returned. 306 */ 307 int 308 smb_fsop_create( 309 smb_request_t *sr, 310 cred_t *cr, 311 smb_node_t *dir_snode, 312 char *name, 313 smb_attr_t *attr, 314 smb_node_t **ret_snode, 315 smb_attr_t *ret_attr) 316 { 317 struct open_param *op = &sr->arg.open; 318 smb_node_t *fnode; 319 smb_attr_t file_attr; 320 vnode_t *xattrdirvp; 321 vnode_t *vp; 322 char *longname = NULL; 323 char *namep; 324 char *fname; 325 char *sname; 326 int is_stream; 327 int flags = 0; 328 int rc = 0; 329 smb_fssd_t fs_sd; 330 uint32_t secinfo; 331 uint32_t status; 332 333 ASSERT(cr); 334 ASSERT(dir_snode); 335 ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC); 336 ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING); 337 338 ASSERT(ret_snode); 339 *ret_snode = 0; 340 341 ASSERT(name); 342 if (*name == 0) 343 return (EINVAL); 344 345 ASSERT(sr); 346 ASSERT(sr->tid_tree); 347 348 if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0) 349 return (EACCES); 350 351 if (SMB_TREE_IS_READONLY(sr)) 352 return (EROFS); 353 354 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 355 flags = SMB_IGNORE_CASE; 356 357 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 358 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 359 360 is_stream = smb_stream_parse_name(name, fname, sname); 361 if (is_stream == -1) { 362 kmem_free(fname, MAXNAMELEN); 363 kmem_free(sname, MAXNAMELEN); 364 return (EINVAL); 365 } 366 367 if (is_stream) 368 namep = fname; 369 else 370 namep = name; 371 372 if (smb_maybe_mangled_name(namep)) { 373 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 374 375 rc = smb_unmangle_name(sr, cr, dir_snode, namep, longname, 376 MAXNAMELEN, NULL, NULL, 1); 377 378 if ((is_stream == 0) && (rc == 0)) 379 rc = EEXIST; 380 381 if ((is_stream && rc) || 382 ((is_stream == 0) && (rc != ENOENT))) { 383 kmem_free(longname, MAXNAMELEN); 384 kmem_free(fname, MAXNAMELEN); 385 kmem_free(sname, MAXNAMELEN); 386 return (rc); 387 } 388 389 if (is_stream) 390 namep = longname; 391 else 392 kmem_free(longname, MAXNAMELEN); 393 } 394 395 if (is_stream) { 396 /* 397 * Look up the unnamed stream. 398 * 399 * Mangle processing in smb_fsop_lookup() for the unnamed 400 * stream won't be needed (as it was done above), but 401 * it may be needed on any link target (which 402 * smb_fsop_lookup() will provide). 403 */ 404 rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS, 405 sr->tid_tree->t_snode, dir_snode, namep, &fnode, &file_attr, 406 0, 0); 407 408 if (longname) { 409 kmem_free(longname, MAXNAMELEN); 410 namep = NULL; 411 } 412 413 if (rc != 0) { 414 kmem_free(fname, MAXNAMELEN); 415 kmem_free(sname, MAXNAMELEN); 416 return (rc); 417 } 418 419 rc = smb_vop_stream_create(fnode->vp, sname, attr, &vp, 420 &xattrdirvp, flags, cr); 421 422 if (rc != 0) { 423 smb_node_release(fnode); 424 kmem_free(fname, MAXNAMELEN); 425 kmem_free(sname, MAXNAMELEN); 426 return (rc); 427 } 428 429 attr->sa_vattr.va_uid = file_attr.sa_vattr.va_uid; 430 attr->sa_vattr.va_gid = file_attr.sa_vattr.va_gid; 431 attr->sa_mask = SMB_AT_UID | SMB_AT_GID; 432 433 /* 434 * The second parameter of smb_vop_setattr() is set to 435 * NULL, even though an unnamed stream exists. This is 436 * because we want to set the UID and GID on the named 437 * stream in this case for consistency with the (unnamed 438 * stream) file (see comments for smb_vop_setattr()). 439 */ 440 441 rc = smb_vop_setattr(vp, NULL, attr, 0, kcred); 442 443 if (rc != 0) { 444 smb_node_release(fnode); 445 kmem_free(fname, MAXNAMELEN); 446 kmem_free(sname, MAXNAMELEN); 447 return (rc); 448 } 449 450 *ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp, 451 vp, sname, ret_attr); 452 453 smb_node_release(fnode); 454 VN_RELE(xattrdirvp); 455 VN_RELE(vp); 456 457 if (*ret_snode == NULL) { 458 kmem_free(fname, MAXNAMELEN); 459 kmem_free(sname, MAXNAMELEN); 460 return (ENOMEM); 461 } 462 } else { 463 if (op->sd) { 464 /* 465 * SD sent by client in Windows format. Needs to be 466 * converted to FS format. No inheritance. 467 */ 468 secinfo = smb_sd_get_secinfo(op->sd); 469 smb_fssd_init(&fs_sd, secinfo, 0); 470 471 status = smb_sd_tofs(op->sd, &fs_sd); 472 if (status == NT_STATUS_SUCCESS) { 473 rc = smb_fsop_create_with_sd(sr, cr, dir_snode, 474 name, attr, ret_snode, ret_attr, &fs_sd); 475 } 476 else 477 rc = EINVAL; 478 smb_fssd_term(&fs_sd); 479 } else if (sr->tid_tree->t_acltype == ACE_T) { 480 /* 481 * No incoming SD and filesystem is ZFS 482 * Server applies Windows inheritance rules, 483 * see smb_fsop_sdinherit() comments as to why. 484 */ 485 smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, 0); 486 rc = smb_fsop_sdinherit(sr, dir_snode, &fs_sd); 487 if (rc == 0) { 488 rc = smb_fsop_create_with_sd(sr, cr, dir_snode, 489 name, attr, ret_snode, ret_attr, &fs_sd); 490 } 491 492 smb_fssd_term(&fs_sd); 493 } else { 494 /* 495 * No incoming SD and filesystem is not ZFS 496 * let the filesystem handles the inheritance. 497 */ 498 rc = smb_vop_create(dir_snode->vp, name, attr, &vp, 499 flags, cr, NULL); 500 501 if (rc == 0) { 502 *ret_snode = smb_node_lookup(sr, op, cr, vp, 503 name, dir_snode, NULL, ret_attr); 504 505 if (*ret_snode == NULL) 506 rc = ENOMEM; 507 508 VN_RELE(vp); 509 } 510 511 } 512 } 513 514 kmem_free(fname, MAXNAMELEN); 515 kmem_free(sname, MAXNAMELEN); 516 return (rc); 517 } 518 519 /* 520 * smb_fsop_mkdir 521 * 522 * All SMB functions should use this wrapper to ensure that 523 * the the calls are performed with the appropriate credentials. 524 * Please document any direct call to explain the reason 525 * for avoiding this wrapper. 526 * 527 * It is assumed that a reference exists on snode coming into this routine. 528 * 529 * *ret_snode is returned with a reference upon success. No reference is 530 * taken if an error is returned. 531 */ 532 int 533 smb_fsop_mkdir( 534 smb_request_t *sr, 535 cred_t *cr, 536 smb_node_t *dir_snode, 537 char *name, 538 smb_attr_t *attr, 539 smb_node_t **ret_snode, 540 smb_attr_t *ret_attr) 541 { 542 struct open_param *op = &sr->arg.open; 543 char *longname; 544 vnode_t *vp; 545 int flags = 0; 546 smb_fssd_t fs_sd; 547 uint32_t secinfo; 548 uint32_t status; 549 int rc; 550 ASSERT(cr); 551 ASSERT(dir_snode); 552 ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC); 553 ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING); 554 555 ASSERT(ret_snode); 556 *ret_snode = 0; 557 558 ASSERT(name); 559 if (*name == 0) 560 return (EINVAL); 561 562 ASSERT(sr); 563 ASSERT(sr->tid_tree); 564 565 if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0) 566 return (EACCES); 567 568 if (SMB_TREE_IS_READONLY(sr)) 569 return (EROFS); 570 571 if (smb_maybe_mangled_name(name)) { 572 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 573 rc = smb_unmangle_name(sr, cr, dir_snode, name, longname, 574 MAXNAMELEN, NULL, NULL, 1); 575 576 kmem_free(longname, MAXNAMELEN); 577 578 /* 579 * If the name passed in by the client has an unmangled 580 * equivalent that is found in the specified directory, 581 * then the mkdir cannot succeed. Return EEXIST. 582 * 583 * Only if ENOENT is returned will a mkdir be attempted. 584 */ 585 586 if (rc == 0) 587 rc = EEXIST; 588 589 if (rc != ENOENT) 590 return (rc); 591 } 592 593 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 594 flags = SMB_IGNORE_CASE; 595 596 if (op->sd) { 597 /* 598 * SD sent by client in Windows format. Needs to be 599 * converted to FS format. No inheritance. 600 */ 601 secinfo = smb_sd_get_secinfo(op->sd); 602 smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR); 603 604 status = smb_sd_tofs(op->sd, &fs_sd); 605 if (status == NT_STATUS_SUCCESS) { 606 rc = smb_fsop_create_with_sd(sr, cr, dir_snode, 607 name, attr, ret_snode, ret_attr, &fs_sd); 608 } 609 else 610 rc = EINVAL; 611 smb_fssd_term(&fs_sd); 612 } else if (sr->tid_tree->t_acltype == ACE_T) { 613 /* 614 * No incoming SD and filesystem is ZFS 615 * Server applies Windows inheritance rules, 616 * see smb_fsop_sdinherit() comments as to why. 617 */ 618 smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, SMB_FSSD_FLAGS_DIR); 619 rc = smb_fsop_sdinherit(sr, dir_snode, &fs_sd); 620 if (rc == 0) { 621 rc = smb_fsop_create_with_sd(sr, cr, dir_snode, 622 name, attr, ret_snode, ret_attr, &fs_sd); 623 } 624 625 smb_fssd_term(&fs_sd); 626 627 } else { 628 rc = smb_vop_mkdir(dir_snode->vp, name, attr, &vp, flags, cr, 629 NULL); 630 631 if (rc == 0) { 632 *ret_snode = smb_node_lookup(sr, op, cr, vp, name, 633 dir_snode, NULL, ret_attr); 634 635 if (*ret_snode == NULL) 636 rc = ENOMEM; 637 638 VN_RELE(vp); 639 } 640 } 641 642 return (rc); 643 } 644 645 /* 646 * smb_fsop_remove 647 * 648 * All SMB functions should use this wrapper to ensure that 649 * the the calls are performed with the appropriate credentials. 650 * Please document any direct call to explain the reason 651 * for avoiding this wrapper. 652 * 653 * It is assumed that a reference exists on snode coming into this routine. 654 * 655 * od: This means that the name passed in is an on-disk name. 656 * A null smb_request might be passed to this function. 657 */ 658 659 int 660 smb_fsop_remove( 661 smb_request_t *sr, 662 cred_t *cr, 663 smb_node_t *dir_snode, 664 char *name, 665 int od) 666 { 667 smb_node_t *fnode; 668 smb_attr_t file_attr; 669 char *longname; 670 char *fname; 671 char *sname; 672 int flags = 0; 673 int rc; 674 675 ASSERT(cr); 676 /* 677 * The state of the node could be SMB_NODE_STATE_DESTROYING if this 678 * function is called during the deletion of the node (because of 679 * DELETE_ON_CLOSE). 680 */ 681 ASSERT(dir_snode); 682 ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC); 683 684 if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0 || 685 SMB_TREE_HAS_ACCESS(sr, ACE_DELETE) == 0) 686 return (EACCES); 687 688 if (SMB_TREE_IS_READONLY(sr)) 689 return (EROFS); 690 691 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 692 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 693 694 /* 695 * If the passed-in name is an on-disk name, 696 * then we need to do a case-sensitive remove. 697 * This is important if the on-disk name 698 * corresponds to a mangled name passed in by 699 * the client. We want to make sure to remove 700 * the exact file specified by the client, 701 * instead of letting the underlying file system 702 * do a remove on the "first match." 703 */ 704 705 if ((od == 0) && SMB_TREE_IS_CASEINSENSITIVE(sr)) 706 flags = SMB_IGNORE_CASE; 707 708 if (dir_snode->flags & NODE_XATTR_DIR) { 709 rc = smb_vop_stream_remove(dir_snode->dir_snode->vp, 710 name, flags, cr); 711 } else if ((rc = smb_stream_parse_name(name, fname, sname)) != 0) { 712 if (rc == -1) { 713 kmem_free(fname, MAXNAMELEN); 714 kmem_free(sname, MAXNAMELEN); 715 return (EINVAL); 716 } 717 718 /* 719 * It is assumed that "name" corresponds to the path 720 * passed in by the client, and no need of suppressing 721 * case-insensitive lookups is needed. 722 */ 723 724 ASSERT(od == 0); 725 726 /* 727 * Look up the unnamed stream (i.e. fname). 728 * Unmangle processing will be done on fname 729 * as well as any link target. 730 */ 731 732 rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS, 733 sr->tid_tree->t_snode, dir_snode, fname, &fnode, &file_attr, 734 0, 0); 735 736 if (rc != 0) { 737 kmem_free(fname, MAXNAMELEN); 738 kmem_free(sname, MAXNAMELEN); 739 return (rc); 740 } 741 742 /* 743 * XXX 744 * Need to find out what permission is required by NTFS 745 * to remove a stream. 746 */ 747 rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr); 748 749 smb_node_release(fnode); 750 } else { 751 rc = smb_vop_remove(dir_snode->vp, name, flags, cr); 752 753 if (rc == ENOENT) { 754 if (smb_maybe_mangled_name(name) == 0) { 755 kmem_free(fname, MAXNAMELEN); 756 kmem_free(sname, MAXNAMELEN); 757 return (rc); 758 } 759 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 760 761 rc = smb_unmangle_name(sr, cr, dir_snode, name, 762 longname, MAXNAMELEN, NULL, NULL, 1); 763 764 if (rc == 0) { 765 /* 766 * We passed "1" as the "od" parameter 767 * to smb_unmangle_name(), such that longname 768 * is the real (case-sensitive) on-disk name. 769 * We make sure we do a remove on this exact 770 * name, as the name was mangled and denotes 771 * a unique file. 772 */ 773 flags &= ~SMB_IGNORE_CASE; 774 rc = smb_vop_remove(dir_snode->vp, longname, 775 flags, cr); 776 } 777 778 kmem_free(longname, MAXNAMELEN); 779 } 780 } 781 782 kmem_free(fname, MAXNAMELEN); 783 kmem_free(sname, MAXNAMELEN); 784 return (rc); 785 } 786 787 /* 788 * smb_fsop_remove_streams 789 * 790 * This function removes a file's streams without removing the 791 * file itself. 792 * 793 * It is assumed that fnode is not a link. 794 */ 795 int 796 smb_fsop_remove_streams(smb_request_t *sr, cred_t *cr, smb_node_t *fnode) 797 { 798 int rc, flags = 0; 799 uint16_t odid; 800 smb_odir_t *od; 801 smb_odirent_t *odirent; 802 boolean_t eos; 803 804 ASSERT(sr); 805 ASSERT(cr); 806 ASSERT(fnode); 807 ASSERT(fnode->n_magic == SMB_NODE_MAGIC); 808 ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING); 809 810 if (SMB_TREE_CONTAINS_NODE(sr, fnode) == 0) 811 return (EACCES); 812 813 if (SMB_TREE_IS_READONLY(sr)) 814 return (EROFS); 815 816 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 817 flags = SMB_IGNORE_CASE; 818 819 /* TBD - error codes */ 820 if ((odid = smb_odir_openat(sr, fnode)) == 0) 821 return (ENOENT); 822 if ((od = smb_tree_lookup_odir(sr->tid_tree, odid)) == NULL) 823 return (ENOENT); 824 825 odirent = kmem_alloc(sizeof (smb_odirent_t), KM_SLEEP); 826 for (;;) { 827 rc = smb_odir_read(sr, od, odirent, &eos); 828 if ((rc != 0) || (eos)) 829 break; 830 (void) smb_vop_remove(od->d_dnode->vp, odirent->od_name, 831 flags, cr); 832 } 833 kmem_free(odirent, sizeof (smb_odirent_t)); 834 835 smb_odir_release(od); 836 smb_odir_close(od); 837 return (rc); 838 } 839 840 /* 841 * smb_fsop_rmdir 842 * 843 * All SMB functions should use this wrapper to ensure that 844 * the the calls are performed with the appropriate credentials. 845 * Please document any direct call to explain the reason 846 * for avoiding this wrapper. 847 * 848 * It is assumed that a reference exists on snode coming into this routine. 849 * 850 * od: This means that the name passed in is an on-disk name. 851 */ 852 853 int 854 smb_fsop_rmdir( 855 smb_request_t *sr, 856 cred_t *cr, 857 smb_node_t *dir_snode, 858 char *name, 859 int od) 860 { 861 int rc; 862 int flags = 0; 863 char *longname; 864 865 ASSERT(cr); 866 /* 867 * The state of the node could be SMB_NODE_STATE_DESTROYING if this 868 * function is called during the deletion of the node (because of 869 * DELETE_ON_CLOSE). 870 */ 871 ASSERT(dir_snode); 872 ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC); 873 874 if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0 || 875 SMB_TREE_HAS_ACCESS(sr, ACE_DELETE_CHILD) == 0) 876 return (EACCES); 877 878 if (SMB_TREE_IS_READONLY(sr)) 879 return (EROFS); 880 881 /* 882 * If the passed-in name is an on-disk name, 883 * then we need to do a case-sensitive rmdir. 884 * This is important if the on-disk name 885 * corresponds to a mangled name passed in by 886 * the client. We want to make sure to remove 887 * the exact directory specified by the client, 888 * instead of letting the underlying file system 889 * do a rmdir on the "first match." 890 */ 891 892 if ((od == 0) && SMB_TREE_IS_CASEINSENSITIVE(sr)) 893 flags = SMB_IGNORE_CASE; 894 895 rc = smb_vop_rmdir(dir_snode->vp, name, flags, cr); 896 897 if (rc == ENOENT) { 898 if (smb_maybe_mangled_name(name) == 0) 899 return (rc); 900 901 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 902 903 rc = smb_unmangle_name(sr, cr, dir_snode, 904 name, longname, MAXNAMELEN, NULL, 905 NULL, 1); 906 907 if (rc == 0) { 908 /* 909 * We passed "1" as the "od" parameter 910 * to smb_unmangle_name(), such that longname 911 * is the real (case-sensitive) on-disk name. 912 * We make sure we do a rmdir on this exact 913 * name, as the name was mangled and denotes 914 * a unique directory. 915 */ 916 flags &= ~SMB_IGNORE_CASE; 917 rc = smb_vop_rmdir(dir_snode->vp, longname, flags, cr); 918 } 919 920 kmem_free(longname, MAXNAMELEN); 921 } 922 923 return (rc); 924 } 925 926 /* 927 * smb_fsop_getattr 928 * 929 * All SMB functions should use this wrapper to ensure that 930 * the the calls are performed with the appropriate credentials. 931 * Please document any direct call to explain the reason 932 * for avoiding this wrapper. 933 * 934 * It is assumed that a reference exists on snode coming into this routine. 935 */ 936 int 937 smb_fsop_getattr(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 938 smb_attr_t *attr) 939 { 940 smb_node_t *unnamed_node; 941 vnode_t *unnamed_vp = NULL; 942 uint32_t status; 943 uint32_t access = 0; 944 int flags = 0; 945 int rc; 946 947 ASSERT(cr); 948 ASSERT(snode); 949 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 950 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 951 952 if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0 || 953 SMB_TREE_HAS_ACCESS(sr, ACE_READ_ATTRIBUTES) == 0) 954 return (EACCES); 955 956 if (sr->fid_ofile) { 957 /* if uid and/or gid is requested */ 958 if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID)) 959 access |= READ_CONTROL; 960 961 /* if anything else is also requested */ 962 if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID)) 963 access |= FILE_READ_ATTRIBUTES; 964 965 status = smb_ofile_access(sr->fid_ofile, cr, access); 966 if (status != NT_STATUS_SUCCESS) 967 return (EACCES); 968 969 if (smb_tree_has_feature(sr->tid_tree, 970 SMB_TREE_ACEMASKONACCESS)) 971 flags = ATTR_NOACLCHECK; 972 } 973 974 unnamed_node = SMB_IS_STREAM(snode); 975 976 if (unnamed_node) { 977 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 978 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 979 unnamed_vp = unnamed_node->vp; 980 } 981 982 rc = smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr); 983 if (rc == 0) 984 snode->attr = *attr; 985 986 return (rc); 987 } 988 989 /* 990 * smb_fsop_rename 991 * 992 * All SMB functions should use this smb_vop_rename wrapper to ensure that 993 * the smb_vop_rename is performed with the appropriate credentials. 994 * Please document any direct call to smb_vop_rename to explain the reason 995 * for avoiding this wrapper. 996 * 997 * It is assumed that references exist on from_dir_snode and to_dir_snode coming 998 * into this routine. 999 */ 1000 int 1001 smb_fsop_rename( 1002 smb_request_t *sr, 1003 cred_t *cr, 1004 smb_node_t *from_dir_snode, 1005 char *from_name, 1006 smb_node_t *to_dir_snode, 1007 char *to_name) 1008 { 1009 smb_node_t *from_snode; 1010 smb_attr_t tmp_attr; 1011 vnode_t *from_vp; 1012 int flags = 0; 1013 int rc; 1014 boolean_t isdir; 1015 1016 ASSERT(cr); 1017 ASSERT(from_dir_snode); 1018 ASSERT(from_dir_snode->n_magic == SMB_NODE_MAGIC); 1019 ASSERT(from_dir_snode->n_state != SMB_NODE_STATE_DESTROYING); 1020 1021 ASSERT(to_dir_snode); 1022 ASSERT(to_dir_snode->n_magic == SMB_NODE_MAGIC); 1023 ASSERT(to_dir_snode->n_state != SMB_NODE_STATE_DESTROYING); 1024 1025 if (SMB_TREE_CONTAINS_NODE(sr, from_dir_snode) == 0) 1026 return (EACCES); 1027 1028 if (SMB_TREE_CONTAINS_NODE(sr, to_dir_snode) == 0) 1029 return (EACCES); 1030 1031 ASSERT(sr); 1032 ASSERT(sr->tid_tree); 1033 if (SMB_TREE_IS_READONLY(sr)) 1034 return (EROFS); 1035 1036 /* 1037 * Note: There is no need to check SMB_TREE_IS_CASEINSENSITIVE 1038 * here. 1039 * 1040 * A case-sensitive rename is always done in this routine 1041 * because we are using the on-disk name from an earlier lookup. 1042 * If a mangled name was passed in by the caller (denoting a 1043 * deterministic lookup), then the exact file must be renamed 1044 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or 1045 * else the underlying file system might return a "first-match" 1046 * on this on-disk name, possibly resulting in the wrong file). 1047 */ 1048 1049 /* 1050 * XXX: Lock required through smb_node_release() below? 1051 */ 1052 1053 rc = smb_vop_lookup(from_dir_snode->vp, from_name, &from_vp, NULL, 0, 1054 NULL, cr); 1055 1056 if (rc != 0) 1057 return (rc); 1058 1059 isdir = from_vp->v_type == VDIR; 1060 1061 if ((isdir && SMB_TREE_HAS_ACCESS(sr, 1062 ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY) != 1063 (ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY)) || 1064 (!isdir && SMB_TREE_HAS_ACCESS(sr, ACE_DELETE | ACE_ADD_FILE) != 1065 (ACE_DELETE | ACE_ADD_FILE))) 1066 return (EACCES); 1067 1068 rc = smb_vop_rename(from_dir_snode->vp, from_name, to_dir_snode->vp, 1069 to_name, flags, cr); 1070 1071 if (rc == 0) { 1072 from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name, 1073 from_dir_snode, NULL, &tmp_attr); 1074 1075 if (from_snode == NULL) { 1076 rc = ENOMEM; 1077 } else { 1078 (void) smb_node_rename(from_dir_snode, from_snode, 1079 to_dir_snode, to_name); 1080 smb_node_release(from_snode); 1081 } 1082 } 1083 VN_RELE(from_vp); 1084 1085 /* XXX: unlock */ 1086 1087 return (rc); 1088 } 1089 1090 /* 1091 * smb_fsop_setattr 1092 * 1093 * All SMB functions should use this wrapper to ensure that 1094 * the the calls are performed with the appropriate credentials. 1095 * Please document any direct call to explain the reason 1096 * for avoiding this wrapper. 1097 * 1098 * It is assumed that a reference exists on snode coming into this routine. 1099 * A null smb_request might be passed to this function. 1100 */ 1101 int 1102 smb_fsop_setattr( 1103 smb_request_t *sr, 1104 cred_t *cr, 1105 smb_node_t *snode, 1106 smb_attr_t *set_attr, 1107 smb_attr_t *ret_attr) 1108 { 1109 smb_node_t *unnamed_node; 1110 vnode_t *unnamed_vp = NULL; 1111 uint32_t status; 1112 uint32_t access; 1113 int rc = 0; 1114 int flags = 0; 1115 uint_t sa_mask; 1116 1117 ASSERT(cr); 1118 ASSERT(snode); 1119 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1120 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1121 1122 if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0) 1123 return (EACCES); 1124 1125 if (SMB_TREE_IS_READONLY(sr)) 1126 return (EROFS); 1127 1128 if (SMB_TREE_HAS_ACCESS(sr, 1129 ACE_WRITE_ATTRIBUTES | ACE_WRITE_NAMED_ATTRS) == 0) 1130 return (EACCES); 1131 1132 if (sr && (set_attr->sa_mask & SMB_AT_SIZE)) { 1133 if (sr->fid_ofile) { 1134 if (SMB_OFILE_IS_READONLY(sr->fid_ofile)) 1135 return (EACCES); 1136 } else { 1137 if (SMB_PATHFILE_IS_READONLY(sr, snode)) 1138 return (EACCES); 1139 } 1140 } 1141 1142 /* sr could be NULL in some cases */ 1143 if (sr && sr->fid_ofile) { 1144 sa_mask = set_attr->sa_mask; 1145 access = 0; 1146 1147 if (sa_mask & SMB_AT_SIZE) { 1148 access |= FILE_WRITE_DATA; 1149 sa_mask &= ~SMB_AT_SIZE; 1150 } 1151 1152 if (sa_mask & (SMB_AT_UID|SMB_AT_GID)) { 1153 access |= WRITE_OWNER; 1154 sa_mask &= ~(SMB_AT_UID|SMB_AT_GID); 1155 } 1156 1157 if (sa_mask) 1158 access |= FILE_WRITE_ATTRIBUTES; 1159 1160 status = smb_ofile_access(sr->fid_ofile, cr, access); 1161 if (status != NT_STATUS_SUCCESS) 1162 return (EACCES); 1163 1164 if (smb_tree_has_feature(sr->tid_tree, 1165 SMB_TREE_ACEMASKONACCESS)) 1166 flags = ATTR_NOACLCHECK; 1167 } 1168 1169 unnamed_node = SMB_IS_STREAM(snode); 1170 1171 if (unnamed_node) { 1172 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1173 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1174 unnamed_vp = unnamed_node->vp; 1175 } 1176 1177 rc = smb_vop_setattr(snode->vp, unnamed_vp, set_attr, flags, cr); 1178 1179 if ((rc == 0) && ret_attr) { 1180 /* 1181 * Use kcred to update the node attr because this 1182 * call is not being made on behalf of the user. 1183 */ 1184 ret_attr->sa_mask = SMB_AT_ALL; 1185 rc = smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, flags, 1186 kcred); 1187 if (rc == 0) 1188 snode->attr = *ret_attr; 1189 } 1190 1191 return (rc); 1192 } 1193 1194 /* 1195 * smb_fsop_read 1196 * 1197 * All SMB functions should use this wrapper to ensure that 1198 * the the calls are performed with the appropriate credentials. 1199 * Please document any direct call to explain the reason 1200 * for avoiding this wrapper. 1201 * 1202 * It is assumed that a reference exists on snode coming into this routine. 1203 */ 1204 int 1205 smb_fsop_read( 1206 struct smb_request *sr, 1207 cred_t *cr, 1208 smb_node_t *snode, 1209 uio_t *uio, 1210 smb_attr_t *ret_attr) 1211 { 1212 smb_node_t *unnamed_node; 1213 vnode_t *unnamed_vp = NULL; 1214 caller_context_t ct; 1215 int svmand; 1216 int rc; 1217 1218 ASSERT(cr); 1219 ASSERT(snode); 1220 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1221 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1222 1223 ASSERT(sr); 1224 ASSERT(sr->fid_ofile); 1225 1226 if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_DATA) == 0) 1227 return (EACCES); 1228 1229 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_READ_DATA); 1230 if (rc != NT_STATUS_SUCCESS) { 1231 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_EXECUTE); 1232 if (rc != NT_STATUS_SUCCESS) 1233 return (EACCES); 1234 } 1235 1236 unnamed_node = SMB_IS_STREAM(snode); 1237 if (unnamed_node) { 1238 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1239 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1240 unnamed_vp = unnamed_node->vp; 1241 /* 1242 * Streams permission are checked against the unnamed stream, 1243 * but in FS level they have their own permissions. To avoid 1244 * rejection by FS due to lack of permission on the actual 1245 * extended attr kcred is passed for streams. 1246 */ 1247 cr = kcred; 1248 } 1249 1250 smb_node_start_crit(snode, RW_READER); 1251 rc = nbl_svmand(snode->vp, kcred, &svmand); 1252 if (rc) { 1253 smb_node_end_crit(snode); 1254 return (rc); 1255 } 1256 1257 ct = smb_ct; 1258 ct.cc_pid = sr->fid_ofile->f_uniqid; 1259 rc = nbl_lock_conflict(snode->vp, NBL_READ, uio->uio_loffset, 1260 uio->uio_iov->iov_len, svmand, &ct); 1261 1262 if (rc) { 1263 smb_node_end_crit(snode); 1264 return (ERANGE); 1265 } 1266 rc = smb_vop_read(snode->vp, uio, cr); 1267 1268 if (rc == 0 && ret_attr) { 1269 /* 1270 * Use kcred to update the node attr because this 1271 * call is not being made on behalf of the user. 1272 */ 1273 ret_attr->sa_mask = SMB_AT_ALL; 1274 if (smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0, 1275 kcred) == 0) { 1276 snode->attr = *ret_attr; 1277 } 1278 } 1279 1280 smb_node_end_crit(snode); 1281 1282 return (rc); 1283 } 1284 1285 /* 1286 * smb_fsop_write 1287 * 1288 * This is a wrapper function used for smb_write and smb_write_raw operations. 1289 * 1290 * It is assumed that a reference exists on snode coming into this routine. 1291 */ 1292 int 1293 smb_fsop_write( 1294 smb_request_t *sr, 1295 cred_t *cr, 1296 smb_node_t *snode, 1297 uio_t *uio, 1298 uint32_t *lcount, 1299 smb_attr_t *ret_attr, 1300 int ioflag) 1301 { 1302 smb_node_t *unnamed_node; 1303 vnode_t *unnamed_vp = NULL; 1304 caller_context_t ct; 1305 int svmand; 1306 int rc; 1307 1308 ASSERT(cr); 1309 ASSERT(snode); 1310 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1311 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1312 1313 ASSERT(sr); 1314 ASSERT(sr->tid_tree); 1315 ASSERT(sr->fid_ofile); 1316 1317 if (SMB_TREE_IS_READONLY(sr)) 1318 return (EROFS); 1319 1320 if (SMB_OFILE_IS_READONLY(sr->fid_ofile) || 1321 SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_DATA | ACE_APPEND_DATA) == 0) 1322 return (EACCES); 1323 1324 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_WRITE_DATA); 1325 if (rc != NT_STATUS_SUCCESS) { 1326 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_APPEND_DATA); 1327 if (rc != NT_STATUS_SUCCESS) 1328 return (EACCES); 1329 } 1330 1331 unnamed_node = SMB_IS_STREAM(snode); 1332 1333 if (unnamed_node) { 1334 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1335 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1336 unnamed_vp = unnamed_node->vp; 1337 /* 1338 * Streams permission are checked against the unnamed stream, 1339 * but in FS level they have their own permissions. To avoid 1340 * rejection by FS due to lack of permission on the actual 1341 * extended attr kcred is passed for streams. 1342 */ 1343 cr = kcred; 1344 } 1345 1346 smb_node_start_crit(snode, RW_READER); 1347 rc = nbl_svmand(snode->vp, kcred, &svmand); 1348 if (rc) { 1349 smb_node_end_crit(snode); 1350 return (rc); 1351 } 1352 1353 ct = smb_ct; 1354 ct.cc_pid = sr->fid_ofile->f_uniqid; 1355 rc = nbl_lock_conflict(snode->vp, NBL_WRITE, uio->uio_loffset, 1356 uio->uio_iov->iov_len, svmand, &ct); 1357 1358 if (rc) { 1359 smb_node_end_crit(snode); 1360 return (ERANGE); 1361 } 1362 rc = smb_vop_write(snode->vp, uio, ioflag, lcount, cr); 1363 1364 if (rc == 0 && ret_attr) { 1365 /* 1366 * Use kcred to update the node attr because this 1367 * call is not being made on behalf of the user. 1368 */ 1369 ret_attr->sa_mask = SMB_AT_ALL; 1370 if (smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0, 1371 kcred) == 0) { 1372 snode->attr = *ret_attr; 1373 } 1374 } 1375 1376 smb_node_end_crit(snode); 1377 1378 return (rc); 1379 } 1380 1381 /* 1382 * smb_fsop_statfs 1383 * 1384 * This is a wrapper function used for stat operations. 1385 */ 1386 int 1387 smb_fsop_statfs( 1388 cred_t *cr, 1389 smb_node_t *snode, 1390 struct statvfs64 *statp) 1391 { 1392 ASSERT(cr); 1393 ASSERT(snode); 1394 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1395 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1396 1397 return (smb_vop_statfs(snode->vp, statp, cr)); 1398 } 1399 1400 /* 1401 * smb_fsop_access 1402 * 1403 * Named streams do not have separate permissions from the associated 1404 * unnamed stream. Thus, if node is a named stream, the permissions 1405 * check will be performed on the associated unnamed stream. 1406 * 1407 * However, our named streams do have their own quarantine attribute, 1408 * separate from that on the unnamed stream. If READ or EXECUTE 1409 * access has been requested on a named stream, an additional access 1410 * check is performed on the named stream in case it has been 1411 * quarantined. kcred is used to avoid issues with the permissions 1412 * set on the extended attribute file representing the named stream. 1413 */ 1414 int 1415 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1416 uint32_t faccess) 1417 { 1418 int access = 0; 1419 int error; 1420 vnode_t *dir_vp; 1421 boolean_t acl_check = B_TRUE; 1422 smb_node_t *unnamed_node; 1423 1424 ASSERT(sr); 1425 ASSERT(cr); 1426 ASSERT(snode); 1427 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1428 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1429 1430 if (faccess == 0) 1431 return (NT_STATUS_SUCCESS); 1432 1433 if (SMB_TREE_IS_READONLY(sr)) { 1434 if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA| 1435 FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES| 1436 DELETE|WRITE_DAC|WRITE_OWNER)) { 1437 return (NT_STATUS_ACCESS_DENIED); 1438 } 1439 } 1440 1441 unnamed_node = SMB_IS_STREAM(snode); 1442 if (unnamed_node) { 1443 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1444 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1445 1446 /* 1447 * Perform VREAD access check on the named stream in case it 1448 * is quarantined. kcred is passed to smb_vop_access so it 1449 * doesn't fail due to lack of permission. 1450 */ 1451 if (faccess & (FILE_READ_DATA | FILE_EXECUTE)) { 1452 error = smb_vop_access(snode->vp, VREAD, 1453 0, NULL, kcred); 1454 if (error) 1455 return (NT_STATUS_ACCESS_DENIED); 1456 } 1457 1458 /* 1459 * Streams authorization should be performed against the 1460 * unnamed stream. 1461 */ 1462 snode = unnamed_node; 1463 } 1464 1465 if (faccess & ACCESS_SYSTEM_SECURITY) { 1466 /* 1467 * This permission is required for reading/writing SACL and 1468 * it's not part of DACL. It's only granted via proper 1469 * privileges. 1470 */ 1471 if ((sr->uid_user->u_privileges & 1472 (SMB_USER_PRIV_BACKUP | 1473 SMB_USER_PRIV_RESTORE | 1474 SMB_USER_PRIV_SECURITY)) == 0) 1475 return (NT_STATUS_PRIVILEGE_NOT_HELD); 1476 1477 faccess &= ~ACCESS_SYSTEM_SECURITY; 1478 } 1479 1480 /* Links don't have ACL */ 1481 if ((!smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) || 1482 (snode->attr.sa_vattr.va_type == VLNK)) 1483 acl_check = B_FALSE; 1484 1485 /* 1486 * Use the most restrictive parts of both faccess and the 1487 * share access. An AND of the two value masks gives us that 1488 * since we've already converted to a mask of what we "can" 1489 * do. 1490 */ 1491 faccess &= sr->tid_tree->t_access; 1492 1493 if (acl_check) { 1494 dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL; 1495 error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp, 1496 cr); 1497 } else { 1498 /* 1499 * FS doesn't understand 32-bit mask, need to map 1500 */ 1501 if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA)) 1502 access |= VWRITE; 1503 1504 if (faccess & FILE_READ_DATA) 1505 access |= VREAD; 1506 1507 if (faccess & FILE_EXECUTE) 1508 access |= VEXEC; 1509 1510 error = smb_vop_access(snode->vp, access, 0, NULL, cr); 1511 } 1512 1513 return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS); 1514 } 1515 1516 /* 1517 * smb_fsop_lookup_name() 1518 * 1519 * If name indicates that the file is a stream file, perform 1520 * stream specific lookup, otherwise call smb_fsop_lookup. 1521 * 1522 * Return an error if the looked-up file is in outside the tree. 1523 * (Required when invoked from open path.) 1524 */ 1525 1526 int 1527 smb_fsop_lookup_name( 1528 smb_request_t *sr, 1529 cred_t *cr, 1530 int flags, 1531 smb_node_t *root_node, 1532 smb_node_t *dir_snode, 1533 char *name, 1534 smb_node_t **ret_snode, 1535 smb_attr_t *ret_attr) 1536 { 1537 smb_node_t *fnode; 1538 smb_attr_t file_attr; 1539 vnode_t *xattrdirvp; 1540 vnode_t *vp; 1541 char *od_name; 1542 char *fname; 1543 char *sname; 1544 int rc; 1545 1546 ASSERT(cr); 1547 ASSERT(dir_snode); 1548 ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC); 1549 ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING); 1550 1551 /* 1552 * The following check is required for streams processing, below 1553 */ 1554 1555 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1556 flags |= SMB_IGNORE_CASE; 1557 1558 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1559 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1560 1561 if ((rc = smb_stream_parse_name(name, fname, sname)) != 0) { 1562 if (rc == -1) { 1563 kmem_free(fname, MAXNAMELEN); 1564 kmem_free(sname, MAXNAMELEN); 1565 return (EINVAL); 1566 } 1567 1568 /* 1569 * Look up the unnamed stream (i.e. fname). 1570 * Unmangle processing will be done on fname 1571 * as well as any link target. 1572 */ 1573 rc = smb_fsop_lookup(sr, cr, flags, root_node, dir_snode, fname, 1574 &fnode, &file_attr, NULL, NULL); 1575 1576 if (rc != 0) { 1577 kmem_free(fname, MAXNAMELEN); 1578 kmem_free(sname, MAXNAMELEN); 1579 return (rc); 1580 } 1581 1582 od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1583 1584 /* 1585 * od_name is the on-disk name of the stream, except 1586 * without the prepended stream prefix (SMB_STREAM_PREFIX) 1587 */ 1588 1589 /* 1590 * XXX 1591 * What permissions NTFS requires for stream lookup if any? 1592 */ 1593 rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name, 1594 &xattrdirvp, flags, root_node->vp, cr); 1595 1596 if (rc != 0) { 1597 smb_node_release(fnode); 1598 kmem_free(fname, MAXNAMELEN); 1599 kmem_free(sname, MAXNAMELEN); 1600 kmem_free(od_name, MAXNAMELEN); 1601 return (rc); 1602 } 1603 1604 *ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp, 1605 vp, od_name, ret_attr); 1606 1607 kmem_free(od_name, MAXNAMELEN); 1608 smb_node_release(fnode); 1609 VN_RELE(xattrdirvp); 1610 VN_RELE(vp); 1611 1612 if (*ret_snode == NULL) { 1613 kmem_free(fname, MAXNAMELEN); 1614 kmem_free(sname, MAXNAMELEN); 1615 return (ENOMEM); 1616 } 1617 } else { 1618 rc = smb_fsop_lookup(sr, cr, flags, root_node, dir_snode, name, 1619 ret_snode, ret_attr, NULL, NULL); 1620 } 1621 1622 if (rc == 0) { 1623 ASSERT(ret_snode); 1624 if (SMB_TREE_CONTAINS_NODE(sr, *ret_snode) == 0) { 1625 smb_node_release(*ret_snode); 1626 *ret_snode = NULL; 1627 rc = EACCES; 1628 } 1629 } 1630 1631 kmem_free(fname, MAXNAMELEN); 1632 kmem_free(sname, MAXNAMELEN); 1633 1634 return (rc); 1635 } 1636 1637 /* 1638 * smb_fsop_lookup 1639 * 1640 * All SMB functions should use this smb_vop_lookup wrapper to ensure that 1641 * the smb_vop_lookup is performed with the appropriate credentials and using 1642 * case insensitive compares. Please document any direct call to smb_vop_lookup 1643 * to explain the reason for avoiding this wrapper. 1644 * 1645 * It is assumed that a reference exists on dir_snode coming into this routine 1646 * (and that it is safe from deallocation). 1647 * 1648 * Same with the root_node. 1649 * 1650 * *ret_snode is returned with a reference upon success. No reference is 1651 * taken if an error is returned. 1652 * 1653 * Note: The returned ret_snode may be in a child mount. This is ok for 1654 * readdir. 1655 * 1656 * ret_shortname and ret_name83 must each point to buffers of at least 1657 * SMB_SHORTNAMELEN bytes. 1658 * 1659 * Other smb_fsop_* routines will call SMB_TREE_CONTAINS_NODE() to prevent 1660 * operations on files not in the parent mount. 1661 */ 1662 int 1663 smb_fsop_lookup( 1664 smb_request_t *sr, 1665 cred_t *cr, 1666 int flags, 1667 smb_node_t *root_node, 1668 smb_node_t *dir_snode, 1669 char *name, 1670 smb_node_t **ret_snode, 1671 smb_attr_t *ret_attr, 1672 char *ret_shortname, 1673 char *ret_name83) 1674 { 1675 smb_node_t *lnk_target_node; 1676 smb_node_t *lnk_dnode; 1677 char *longname; 1678 char *od_name; 1679 vnode_t *vp; 1680 int rc; 1681 1682 ASSERT(cr); 1683 ASSERT(dir_snode); 1684 ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC); 1685 ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING); 1686 1687 if (name == NULL) 1688 return (EINVAL); 1689 1690 if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0) 1691 return (EACCES); 1692 1693 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1694 flags |= SMB_IGNORE_CASE; 1695 1696 od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1697 1698 rc = smb_vop_lookup(dir_snode->vp, name, &vp, od_name, flags, 1699 root_node ? root_node->vp : NULL, cr); 1700 1701 if (rc != 0) { 1702 if (smb_maybe_mangled_name(name) == 0) { 1703 kmem_free(od_name, MAXNAMELEN); 1704 return (rc); 1705 } 1706 1707 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1708 1709 rc = smb_unmangle_name(sr, cr, dir_snode, name, longname, 1710 MAXNAMELEN, ret_shortname, ret_name83, 1); 1711 1712 if (rc != 0) { 1713 kmem_free(od_name, MAXNAMELEN); 1714 kmem_free(longname, MAXNAMELEN); 1715 return (rc); 1716 } 1717 1718 /* 1719 * We passed "1" as the "od" parameter 1720 * to smb_unmangle_name(), such that longname 1721 * is the real (case-sensitive) on-disk name. 1722 * We make sure we do a lookup on this exact 1723 * name, as the name was mangled and denotes 1724 * a unique file. 1725 */ 1726 1727 if (flags & SMB_IGNORE_CASE) 1728 flags &= ~SMB_IGNORE_CASE; 1729 1730 rc = smb_vop_lookup(dir_snode->vp, longname, &vp, od_name, 1731 flags, root_node ? root_node->vp : NULL, cr); 1732 1733 kmem_free(longname, MAXNAMELEN); 1734 1735 if (rc != 0) { 1736 kmem_free(od_name, MAXNAMELEN); 1737 return (rc); 1738 } 1739 } 1740 1741 if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK)) { 1742 1743 rc = smb_pathname(sr, od_name, FOLLOW, root_node, dir_snode, 1744 &lnk_dnode, &lnk_target_node, cr); 1745 1746 if (rc != 0) { 1747 /* 1748 * The link is assumed to be for the last component 1749 * of a path. Hence any ENOTDIR error will be returned 1750 * as ENOENT. 1751 */ 1752 if (rc == ENOTDIR) 1753 rc = ENOENT; 1754 1755 VN_RELE(vp); 1756 kmem_free(od_name, MAXNAMELEN); 1757 return (rc); 1758 } 1759 1760 /* 1761 * Release the original VLNK vnode 1762 */ 1763 1764 VN_RELE(vp); 1765 vp = lnk_target_node->vp; 1766 1767 rc = smb_vop_traverse_check(&vp); 1768 1769 if (rc != 0) { 1770 smb_node_release(lnk_dnode); 1771 smb_node_release(lnk_target_node); 1772 kmem_free(od_name, MAXNAMELEN); 1773 return (rc); 1774 } 1775 1776 /* 1777 * smb_vop_traverse_check() may have returned a different vnode 1778 */ 1779 1780 if (lnk_target_node->vp == vp) { 1781 *ret_snode = lnk_target_node; 1782 *ret_attr = (*ret_snode)->attr; 1783 } else { 1784 *ret_snode = smb_node_lookup(sr, NULL, cr, vp, 1785 lnk_target_node->od_name, lnk_dnode, NULL, 1786 ret_attr); 1787 VN_RELE(vp); 1788 1789 if (*ret_snode == NULL) 1790 rc = ENOMEM; 1791 smb_node_release(lnk_target_node); 1792 } 1793 1794 smb_node_release(lnk_dnode); 1795 1796 } else { 1797 1798 rc = smb_vop_traverse_check(&vp); 1799 if (rc) { 1800 VN_RELE(vp); 1801 kmem_free(od_name, MAXNAMELEN); 1802 return (rc); 1803 } 1804 1805 *ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name, 1806 dir_snode, NULL, ret_attr); 1807 VN_RELE(vp); 1808 1809 if (*ret_snode == NULL) 1810 rc = ENOMEM; 1811 } 1812 1813 kmem_free(od_name, MAXNAMELEN); 1814 return (rc); 1815 } 1816 1817 int /*ARGSUSED*/ 1818 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode) 1819 { 1820 ASSERT(cr); 1821 ASSERT(snode); 1822 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1823 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1824 1825 ASSERT(sr); 1826 ASSERT(sr->tid_tree); 1827 if (SMB_TREE_IS_READONLY(sr)) 1828 return (EROFS); 1829 1830 return (smb_vop_commit(snode->vp, cr)); 1831 } 1832 1833 /* 1834 * smb_fsop_aclread 1835 * 1836 * Retrieve filesystem ACL. Depends on requested ACLs in 1837 * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in 1838 * fs_sd. Note that requesting a DACL/SACL doesn't mean that 1839 * the corresponding field in fs_sd should be non-NULL upon 1840 * return, since the target ACL might not contain that type of 1841 * entries. 1842 * 1843 * Returned ACL is always in ACE_T (aka ZFS) format. 1844 * If successful the allocated memory for the ACL should be freed 1845 * using smb_fsacl_free() or smb_fssd_term() 1846 */ 1847 int 1848 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1849 smb_fssd_t *fs_sd) 1850 { 1851 int error = 0; 1852 int flags = 0; 1853 int access = 0; 1854 acl_t *acl; 1855 smb_node_t *unnamed_node; 1856 1857 ASSERT(cr); 1858 1859 if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_ACL) == 0) 1860 return (EACCES); 1861 1862 if (sr->fid_ofile) { 1863 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 1864 access = READ_CONTROL; 1865 1866 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 1867 access |= ACCESS_SYSTEM_SECURITY; 1868 1869 error = smb_ofile_access(sr->fid_ofile, cr, access); 1870 if (error != NT_STATUS_SUCCESS) { 1871 return (EACCES); 1872 } 1873 } 1874 1875 unnamed_node = SMB_IS_STREAM(snode); 1876 if (unnamed_node) { 1877 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1878 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1879 /* 1880 * Streams don't have ACL, any read ACL attempt on a stream 1881 * should be performed on the unnamed stream. 1882 */ 1883 snode = unnamed_node; 1884 } 1885 1886 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) 1887 flags = ATTR_NOACLCHECK; 1888 1889 error = smb_vop_acl_read(snode->vp, &acl, flags, 1890 sr->tid_tree->t_acltype, cr); 1891 if (error != 0) { 1892 return (error); 1893 } 1894 1895 error = acl_translate(acl, _ACL_ACE_ENABLED, 1896 (snode->vp->v_type == VDIR), fs_sd->sd_uid, fs_sd->sd_gid); 1897 1898 if (error == 0) { 1899 smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl, 1900 fs_sd->sd_secinfo); 1901 } 1902 1903 acl_free(acl); 1904 return (error); 1905 } 1906 1907 /* 1908 * smb_fsop_aclwrite 1909 * 1910 * Stores the filesystem ACL provided in fs_sd->sd_acl. 1911 */ 1912 int 1913 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1914 smb_fssd_t *fs_sd) 1915 { 1916 int target_flavor; 1917 int error = 0; 1918 int flags = 0; 1919 int access = 0; 1920 acl_t *acl, *dacl, *sacl; 1921 smb_node_t *unnamed_node; 1922 1923 ASSERT(cr); 1924 1925 ASSERT(sr); 1926 ASSERT(sr->tid_tree); 1927 if (SMB_TREE_IS_READONLY(sr)) 1928 return (EROFS); 1929 1930 if (SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_ACL) == 0) 1931 return (EACCES); 1932 1933 if (sr->fid_ofile) { 1934 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 1935 access = WRITE_DAC; 1936 1937 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 1938 access |= ACCESS_SYSTEM_SECURITY; 1939 1940 error = smb_ofile_access(sr->fid_ofile, cr, access); 1941 if (error != NT_STATUS_SUCCESS) 1942 return (EACCES); 1943 } 1944 1945 switch (sr->tid_tree->t_acltype) { 1946 case ACLENT_T: 1947 target_flavor = _ACL_ACLENT_ENABLED; 1948 break; 1949 1950 case ACE_T: 1951 target_flavor = _ACL_ACE_ENABLED; 1952 break; 1953 default: 1954 return (EINVAL); 1955 } 1956 1957 unnamed_node = SMB_IS_STREAM(snode); 1958 if (unnamed_node) { 1959 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1960 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1961 /* 1962 * Streams don't have ACL, any write ACL attempt on a stream 1963 * should be performed on the unnamed stream. 1964 */ 1965 snode = unnamed_node; 1966 } 1967 1968 dacl = fs_sd->sd_zdacl; 1969 sacl = fs_sd->sd_zsacl; 1970 1971 ASSERT(dacl || sacl); 1972 if ((dacl == NULL) && (sacl == NULL)) 1973 return (EINVAL); 1974 1975 if (dacl && sacl) 1976 acl = smb_fsacl_merge(dacl, sacl); 1977 else if (dacl) 1978 acl = dacl; 1979 else 1980 acl = sacl; 1981 1982 error = acl_translate(acl, target_flavor, (snode->vp->v_type == VDIR), 1983 fs_sd->sd_uid, fs_sd->sd_gid); 1984 if (error == 0) { 1985 if (smb_tree_has_feature(sr->tid_tree, 1986 SMB_TREE_ACEMASKONACCESS)) 1987 flags = ATTR_NOACLCHECK; 1988 1989 error = smb_vop_acl_write(snode->vp, acl, flags, cr); 1990 } 1991 1992 if (dacl && sacl) 1993 acl_free(acl); 1994 1995 return (error); 1996 } 1997 1998 acl_type_t 1999 smb_fsop_acltype(smb_node_t *snode) 2000 { 2001 return (smb_vop_acl_type(snode->vp)); 2002 } 2003 2004 /* 2005 * smb_fsop_sdread 2006 * 2007 * Read the requested security descriptor items from filesystem. 2008 * The items are specified in fs_sd->sd_secinfo. 2009 */ 2010 int 2011 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2012 smb_fssd_t *fs_sd) 2013 { 2014 int error = 0; 2015 int getowner = 0; 2016 cred_t *ga_cred; 2017 smb_attr_t attr; 2018 2019 ASSERT(cr); 2020 ASSERT(fs_sd); 2021 2022 /* 2023 * File's uid/gid is fetched in two cases: 2024 * 2025 * 1. it's explicitly requested 2026 * 2027 * 2. target ACL is ACE_T (ZFS ACL). They're needed for 2028 * owner@/group@ entries. In this case kcred should be used 2029 * because uid/gid are fetched on behalf of smb server. 2030 */ 2031 if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) { 2032 getowner = 1; 2033 ga_cred = cr; 2034 } else if (sr->tid_tree->t_acltype == ACE_T) { 2035 getowner = 1; 2036 ga_cred = kcred; 2037 } 2038 2039 if (getowner) { 2040 /* 2041 * Windows require READ_CONTROL to read owner/group SID since 2042 * they're part of Security Descriptor. 2043 * ZFS only requires read_attribute. Need to have a explicit 2044 * access check here. 2045 */ 2046 if (sr->fid_ofile == NULL) { 2047 error = smb_fsop_access(sr, ga_cred, snode, 2048 READ_CONTROL); 2049 if (error) 2050 return (error); 2051 } 2052 2053 attr.sa_mask = SMB_AT_UID | SMB_AT_GID; 2054 error = smb_fsop_getattr(sr, ga_cred, snode, &attr); 2055 if (error == 0) { 2056 fs_sd->sd_uid = attr.sa_vattr.va_uid; 2057 fs_sd->sd_gid = attr.sa_vattr.va_gid; 2058 } else { 2059 return (error); 2060 } 2061 } 2062 2063 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 2064 error = smb_fsop_aclread(sr, cr, snode, fs_sd); 2065 } 2066 2067 return (error); 2068 } 2069 2070 /* 2071 * smb_fsop_sdmerge 2072 * 2073 * From SMB point of view DACL and SACL are two separate list 2074 * which can be manipulated independently without one affecting 2075 * the other, but entries for both DACL and SACL will end up 2076 * in the same ACL if target filesystem supports ACE_T ACLs. 2077 * 2078 * So, if either DACL or SACL is present in the client set request 2079 * the entries corresponding to the non-present ACL shouldn't 2080 * be touched in the FS ACL. 2081 * 2082 * fs_sd parameter contains DACL and SACL specified by SMB 2083 * client to be set on a file/directory. The client could 2084 * specify both or one of these ACLs (if none is specified 2085 * we don't get this far). When both DACL and SACL are given 2086 * by client the existing ACL should be overwritten. If only 2087 * one of them is specified the entries corresponding to the other 2088 * ACL should not be touched. For example, if only DACL 2089 * is specified in input fs_sd, the function reads audit entries 2090 * of the existing ACL of the file and point fs_sd->sd_zsdacl 2091 * pointer to the fetched SACL, this way when smb_fsop_sdwrite() 2092 * function is called the passed fs_sd would point to the specified 2093 * DACL by client and fetched SACL from filesystem, so the file 2094 * will end up with correct ACL. 2095 */ 2096 static int 2097 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd) 2098 { 2099 smb_fssd_t cur_sd; 2100 int error = 0; 2101 2102 if (sr->tid_tree->t_acltype != ACE_T) 2103 /* Don't bother if target FS doesn't support ACE_T */ 2104 return (0); 2105 2106 if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) { 2107 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) { 2108 /* 2109 * Don't overwrite existing audit entries 2110 */ 2111 smb_fssd_init(&cur_sd, SMB_SACL_SECINFO, 2112 fs_sd->sd_flags); 2113 2114 error = smb_fsop_sdread(sr, kcred, snode, &cur_sd); 2115 if (error == 0) { 2116 ASSERT(fs_sd->sd_zsacl == NULL); 2117 fs_sd->sd_zsacl = cur_sd.sd_zsacl; 2118 if (fs_sd->sd_zsacl && fs_sd->sd_zdacl) 2119 fs_sd->sd_zsacl->acl_flags = 2120 fs_sd->sd_zdacl->acl_flags; 2121 } 2122 } else { 2123 /* 2124 * Don't overwrite existing access entries 2125 */ 2126 smb_fssd_init(&cur_sd, SMB_DACL_SECINFO, 2127 fs_sd->sd_flags); 2128 2129 error = smb_fsop_sdread(sr, kcred, snode, &cur_sd); 2130 if (error == 0) { 2131 ASSERT(fs_sd->sd_zdacl == NULL); 2132 fs_sd->sd_zdacl = cur_sd.sd_zdacl; 2133 if (fs_sd->sd_zdacl && fs_sd->sd_zsacl) 2134 fs_sd->sd_zdacl->acl_flags = 2135 fs_sd->sd_zsacl->acl_flags; 2136 } 2137 } 2138 2139 if (error) 2140 smb_fssd_term(&cur_sd); 2141 } 2142 2143 return (error); 2144 } 2145 2146 /* 2147 * smb_fsop_sdwrite 2148 * 2149 * Stores the given uid, gid and acl in filesystem. 2150 * Provided items in fs_sd are specified by fs_sd->sd_secinfo. 2151 * 2152 * A SMB security descriptor could contain owner, primary group, 2153 * DACL and SACL. Setting an SD should be atomic but here it has to 2154 * be done via two separate FS operations: VOP_SETATTR and 2155 * VOP_SETSECATTR. Therefore, this function has to simulate the 2156 * atomicity as well as it can. 2157 * 2158 * Get the current uid, gid before setting the new uid/gid 2159 * so if smb_fsop_aclwrite fails they can be restored. root cred is 2160 * used to get currend uid/gid since this operation is performed on 2161 * behalf of the server not the user. 2162 * 2163 * If setting uid/gid fails with EPERM it means that and invalid 2164 * owner has been specified. Callers should translate this to 2165 * STATUS_INVALID_OWNER which is not the normal mapping for EPERM 2166 * in upper layers, so EPERM is mapped to EBADE. 2167 */ 2168 int 2169 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2170 smb_fssd_t *fs_sd, int overwrite) 2171 { 2172 int error = 0; 2173 int access = 0; 2174 smb_attr_t set_attr; 2175 smb_attr_t orig_attr; 2176 2177 ASSERT(cr); 2178 ASSERT(fs_sd); 2179 2180 ASSERT(sr); 2181 ASSERT(sr->tid_tree); 2182 if (SMB_TREE_IS_READONLY(sr)) 2183 return (EROFS); 2184 2185 bzero(&set_attr, sizeof (smb_attr_t)); 2186 2187 if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) { 2188 set_attr.sa_vattr.va_uid = fs_sd->sd_uid; 2189 set_attr.sa_mask |= SMB_AT_UID; 2190 access |= WRITE_OWNER; 2191 } 2192 2193 if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) { 2194 set_attr.sa_vattr.va_gid = fs_sd->sd_gid; 2195 set_attr.sa_mask |= SMB_AT_GID; 2196 access |= WRITE_OWNER; 2197 } 2198 2199 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 2200 access |= WRITE_DAC; 2201 2202 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 2203 access |= ACCESS_SYSTEM_SECURITY; 2204 2205 if (sr->fid_ofile) 2206 error = smb_ofile_access(sr->fid_ofile, cr, access); 2207 else 2208 error = smb_fsop_access(sr, cr, snode, access); 2209 2210 if (error) 2211 return (EACCES); 2212 2213 if (set_attr.sa_mask) { 2214 orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID; 2215 error = smb_fsop_getattr(sr, kcred, snode, &orig_attr); 2216 if (error == 0) { 2217 error = smb_fsop_setattr(sr, cr, snode, &set_attr, 2218 NULL); 2219 if (error == EPERM) 2220 error = EBADE; 2221 } 2222 2223 if (error) 2224 return (error); 2225 } 2226 2227 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 2228 if (overwrite == 0) { 2229 error = smb_fsop_sdmerge(sr, snode, fs_sd); 2230 if (error) 2231 return (error); 2232 } 2233 2234 error = smb_fsop_aclwrite(sr, cr, snode, fs_sd); 2235 if (error) { 2236 /* 2237 * Revert uid/gid changes if required. 2238 */ 2239 if (set_attr.sa_mask) { 2240 orig_attr.sa_mask = set_attr.sa_mask; 2241 (void) smb_fsop_setattr(sr, kcred, snode, 2242 &orig_attr, NULL); 2243 } 2244 } 2245 } 2246 2247 return (error); 2248 } 2249 2250 /* 2251 * smb_fsop_sdinherit 2252 * 2253 * Inherit the security descriptor from the parent container. 2254 * This function is called after FS has created the file/folder 2255 * so if this doesn't do anything it means FS inheritance is 2256 * in place. 2257 * 2258 * Do inheritance for ZFS internally. 2259 * 2260 * If we want to let ZFS does the inheritance the 2261 * following setting should be true: 2262 * 2263 * - aclinherit = passthrough 2264 * - aclmode = passthrough 2265 * - smbd umask = 0777 2266 * 2267 * This will result in right effective permissions but 2268 * ZFS will always add 6 ACEs for owner, owning group 2269 * and others to be POSIX compliant. This is not what 2270 * Windows clients/users expect, so we decided that CIFS 2271 * implements Windows rules and overwrite whatever ZFS 2272 * comes up with. This way we also don't have to care 2273 * about ZFS aclinherit and aclmode settings. 2274 */ 2275 static int 2276 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd) 2277 { 2278 int is_dir; 2279 acl_t *dacl = NULL; 2280 acl_t *sacl = NULL; 2281 ksid_t *owner_sid; 2282 int error; 2283 2284 ASSERT(fs_sd); 2285 2286 if (sr->tid_tree->t_acltype != ACE_T) { 2287 /* 2288 * No forced inheritance for non-ZFS filesystems. 2289 */ 2290 fs_sd->sd_secinfo = 0; 2291 return (0); 2292 } 2293 2294 2295 /* Fetch parent directory's ACL */ 2296 error = smb_fsop_sdread(sr, kcred, dnode, fs_sd); 2297 if (error) { 2298 return (error); 2299 } 2300 2301 is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR); 2302 owner_sid = crgetsid(sr->user_cr, KSID_OWNER); 2303 ASSERT(owner_sid); 2304 dacl = smb_fsacl_inherit(fs_sd->sd_zdacl, is_dir, SMB_DACL_SECINFO, 2305 owner_sid->ks_id); 2306 sacl = smb_fsacl_inherit(fs_sd->sd_zsacl, is_dir, SMB_SACL_SECINFO, 2307 (uid_t)-1); 2308 2309 if (sacl == NULL) 2310 fs_sd->sd_secinfo &= ~SMB_SACL_SECINFO; 2311 2312 smb_fsacl_free(fs_sd->sd_zdacl); 2313 smb_fsacl_free(fs_sd->sd_zsacl); 2314 2315 fs_sd->sd_zdacl = dacl; 2316 fs_sd->sd_zsacl = sacl; 2317 2318 return (0); 2319 } 2320 2321 /* 2322 * smb_fsop_eaccess 2323 * 2324 * Returns the effective permission of the given credential for the 2325 * specified object. 2326 * 2327 * This is just a workaround. We need VFS/FS support for this. 2328 */ 2329 void 2330 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2331 uint32_t *eaccess) 2332 { 2333 int access = 0; 2334 vnode_t *dir_vp; 2335 smb_node_t *unnamed_node; 2336 2337 ASSERT(cr); 2338 ASSERT(snode); 2339 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 2340 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 2341 2342 unnamed_node = SMB_IS_STREAM(snode); 2343 if (unnamed_node) { 2344 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 2345 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 2346 /* 2347 * Streams authorization should be performed against the 2348 * unnamed stream. 2349 */ 2350 snode = unnamed_node; 2351 } 2352 2353 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) { 2354 dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL; 2355 smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp, 2356 cr); 2357 return; 2358 } 2359 2360 /* 2361 * FS doesn't understand 32-bit mask 2362 */ 2363 smb_vop_eaccess(snode->vp, &access, 0, NULL, cr); 2364 access &= sr->tid_tree->t_access; 2365 2366 *eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES; 2367 2368 if (access & VREAD) 2369 *eaccess |= FILE_READ_DATA; 2370 2371 if (access & VEXEC) 2372 *eaccess |= FILE_EXECUTE; 2373 2374 if (access & VWRITE) 2375 *eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | 2376 FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD; 2377 } 2378 2379 /* 2380 * smb_fsop_shrlock 2381 * 2382 * For the current open request, check file sharing rules 2383 * against existing opens. 2384 * 2385 * Returns NT_STATUS_SHARING_VIOLATION if there is any 2386 * sharing conflict. Returns NT_STATUS_SUCCESS otherwise. 2387 * 2388 * Full system-wide share reservation synchronization is available 2389 * when the nbmand (non-blocking mandatory) mount option is set 2390 * (i.e. nbl_need_crit() is true) and nbmand critical regions are used. 2391 * This provides synchronization with NFS and local processes. The 2392 * critical regions are entered in VOP_SHRLOCK()/fs_shrlock() (called 2393 * from smb_open_subr()/smb_fsop_shrlock()/smb_vop_shrlock()) as well 2394 * as the CIFS rename and delete paths. 2395 * 2396 * The CIFS server will also enter the nbl critical region in the open, 2397 * rename, and delete paths when nbmand is not set. There is limited 2398 * coordination with local and VFS share reservations in this case. 2399 * Note that when the nbmand mount option is not set, the VFS layer 2400 * only processes advisory reservations and the delete mode is not checked. 2401 * 2402 * Whether or not the nbmand mount option is set, intra-CIFS share 2403 * checking is done in the open, delete, and rename paths using a CIFS 2404 * critical region (node->n_share_lock). 2405 */ 2406 2407 uint32_t 2408 smb_fsop_shrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid, 2409 uint32_t desired_access, uint32_t share_access) 2410 { 2411 int rc; 2412 2413 if (node->attr.sa_vattr.va_type == VDIR) 2414 return (NT_STATUS_SUCCESS); 2415 2416 /* Allow access if the request is just for meta data */ 2417 if ((desired_access & FILE_DATA_ALL) == 0) 2418 return (NT_STATUS_SUCCESS); 2419 2420 rc = smb_node_open_check(node, cr, desired_access, share_access); 2421 if (rc) 2422 return (NT_STATUS_SHARING_VIOLATION); 2423 2424 rc = smb_vop_shrlock(node->vp, uniq_fid, desired_access, share_access, 2425 cr); 2426 if (rc) 2427 return (NT_STATUS_SHARING_VIOLATION); 2428 2429 return (NT_STATUS_SUCCESS); 2430 } 2431 2432 void 2433 smb_fsop_unshrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid) 2434 { 2435 if (node->attr.sa_vattr.va_type == VDIR) 2436 return; 2437 2438 (void) smb_vop_unshrlock(node->vp, uniq_fid, cr); 2439 } 2440 2441 int 2442 smb_fsop_frlock(smb_node_t *node, smb_lock_t *lock, boolean_t unlock, 2443 cred_t *cr) 2444 { 2445 flock64_t bf; 2446 int flag = F_REMOTELOCK; 2447 2448 /* 2449 * VOP_FRLOCK() will not be called if: 2450 * 2451 * 1) The lock has a range of zero bytes. The semantics of Windows and 2452 * POSIX are different. In the case of POSIX it asks for the locking 2453 * of all the bytes from the offset provided until the end of the 2454 * file. In the case of Windows a range of zero locks nothing and 2455 * doesn't conflict with any other lock. 2456 * 2457 * 2) The lock rolls over (start + lenght < start). Solaris will assert 2458 * if such a request is submitted. This will not create 2459 * incompatibilities between POSIX and Windows. In the Windows world, 2460 * if a client submits such a lock, the server will not lock any 2461 * bytes. Interestingly if the same lock (same offset and length) is 2462 * resubmitted Windows will consider that there is an overlap and 2463 * the granting rules will then apply. 2464 */ 2465 if ((lock->l_length == 0) || 2466 ((lock->l_start + lock->l_length - 1) < lock->l_start)) 2467 return (0); 2468 2469 bzero(&bf, sizeof (bf)); 2470 2471 if (unlock) { 2472 bf.l_type = F_UNLCK; 2473 } else if (lock->l_type == SMB_LOCK_TYPE_READONLY) { 2474 bf.l_type = F_RDLCK; 2475 flag |= FREAD; 2476 } else if (lock->l_type == SMB_LOCK_TYPE_READWRITE) { 2477 bf.l_type = F_WRLCK; 2478 flag |= FWRITE; 2479 } 2480 2481 bf.l_start = lock->l_start; 2482 bf.l_len = lock->l_length; 2483 bf.l_pid = lock->l_file->f_uniqid; 2484 bf.l_sysid = smb_ct.cc_sysid; 2485 2486 return (smb_vop_frlock(node->vp, cr, flag, &bf)); 2487 } 2488