xref: /titanic_41/usr/src/uts/common/fs/smbsrv/smb_fsops.c (revision 861a91627796c35220e75654dac61e5707536dcd)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/sid.h>
27 #include <sys/nbmlock.h>
28 #include <smbsrv/smb_fsops.h>
29 #include <smbsrv/smb_kproto.h>
30 #include <acl/acl_common.h>
31 #include <sys/fcntl.h>
32 #include <sys/flock.h>
33 #include <fs/fs_subr.h>
34 
35 extern caller_context_t smb_ct;
36 
37 extern int smb_fem_oplock_install(smb_node_t *);
38 extern void smb_fem_oplock_uninstall(smb_node_t *);
39 
40 extern int smb_vop_other_opens(vnode_t *, int);
41 
42 static int smb_fsop_create_stream(smb_request_t *, cred_t *, smb_node_t *,
43     char *, char *, int, smb_attr_t *, smb_node_t **);
44 
45 static int smb_fsop_create_file(smb_request_t *, cred_t *, smb_node_t *,
46     char *, int, smb_attr_t *, smb_node_t **);
47 
48 static int smb_fsop_create_with_sd(smb_request_t *, cred_t *, smb_node_t *,
49     char *, smb_attr_t *, smb_node_t **, smb_fssd_t *);
50 
51 static int smb_fsop_sdinherit(smb_request_t *, smb_node_t *, smb_fssd_t *);
52 
53 /*
54  * The smb_fsop_* functions have knowledge of CIFS semantics.
55  *
56  * The smb_vop_* functions have minimal knowledge of CIFS semantics and
57  * serve as an interface to the VFS layer.
58  *
59  * Hence, smb_request_t and smb_node_t structures should not be passed
60  * from the smb_fsop_* layer to the smb_vop_* layer.
61  *
62  * In general, CIFS service code should only ever call smb_fsop_*
63  * functions directly, and never smb_vop_* functions directly.
64  *
65  * smb_fsop_* functions should call smb_vop_* functions where possible, instead
66  * of their smb_fsop_* counterparts.  However, there are times when
67  * this cannot be avoided.
68  */
69 
70 /*
71  * Note: Stream names cannot be mangled.
72  */
73 
74 /*
75  * smb_fsop_amask_to_omode
76  *
77  * Convert the access mask to the open mode (for use
78  * with the VOP_OPEN call).
79  *
80  * Note that opening a file for attribute only access
81  * will also translate into an FREAD or FWRITE open mode
82  * (i.e., it's not just for data).
83  *
84  * This is needed so that opens are tracked appropriately
85  * for oplock processing.
86  */
87 
88 int
89 smb_fsop_amask_to_omode(uint32_t access)
90 {
91 	int mode = 0;
92 
93 	if (access & (FILE_READ_DATA | FILE_EXECUTE |
94 	    FILE_READ_ATTRIBUTES | FILE_READ_EA))
95 		mode |= FREAD;
96 
97 	if (access & (FILE_WRITE_DATA | FILE_APPEND_DATA |
98 	    FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA))
99 		mode |= FWRITE;
100 
101 	if (access & FILE_APPEND_DATA)
102 		mode |= FAPPEND;
103 
104 	return (mode);
105 }
106 
107 int
108 smb_fsop_open(smb_node_t *node, int mode, cred_t *cred)
109 {
110 	/*
111 	 * Assuming that the same vnode is returned as we had before.
112 	 * (I.e., with certain types of files or file systems, a
113 	 * different vnode might be returned by VOP_OPEN)
114 	 */
115 	return (smb_vop_open(&node->vp, mode, cred));
116 }
117 
118 void
119 smb_fsop_close(smb_node_t *node, int mode, cred_t *cred)
120 {
121 	smb_vop_close(node->vp, mode, cred);
122 }
123 
124 int
125 smb_fsop_oplock_install(smb_node_t *node, int mode)
126 {
127 	int rc;
128 
129 	if (smb_vop_other_opens(node->vp, mode))
130 		return (EMFILE);
131 
132 	if ((rc = smb_fem_oplock_install(node)))
133 		return (rc);
134 
135 	if (smb_vop_other_opens(node->vp, mode)) {
136 		(void) smb_fem_oplock_uninstall(node);
137 		return (EMFILE);
138 	}
139 
140 	return (0);
141 }
142 
143 void
144 smb_fsop_oplock_uninstall(smb_node_t *node)
145 {
146 	smb_fem_oplock_uninstall(node);
147 }
148 
149 static int
150 smb_fsop_create_with_sd(smb_request_t *sr, cred_t *cr,
151     smb_node_t *dnode, char *name,
152     smb_attr_t *attr, smb_node_t **ret_snode, smb_fssd_t *fs_sd)
153 {
154 	vsecattr_t *vsap;
155 	vsecattr_t vsecattr;
156 	acl_t *acl, *dacl, *sacl;
157 	smb_attr_t set_attr;
158 	vnode_t *vp;
159 	int aclbsize = 0;	/* size of acl list in bytes */
160 	int flags = 0;
161 	int rc;
162 	boolean_t is_dir;
163 
164 	ASSERT(fs_sd);
165 
166 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
167 		flags = SMB_IGNORE_CASE;
168 	if (SMB_TREE_SUPPORTS_CATIA(sr))
169 		flags |= SMB_CATIA;
170 
171 	ASSERT(cr);
172 
173 	is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0);
174 
175 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACLONCREATE)) {
176 		if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
177 			dacl = fs_sd->sd_zdacl;
178 			sacl = fs_sd->sd_zsacl;
179 			ASSERT(dacl || sacl);
180 			if (dacl && sacl) {
181 				acl = smb_fsacl_merge(dacl, sacl);
182 			} else if (dacl) {
183 				acl = dacl;
184 			} else {
185 				acl = sacl;
186 			}
187 
188 			rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize);
189 
190 			if (dacl && sacl)
191 				acl_free(acl);
192 
193 			if (rc != 0)
194 				return (rc);
195 
196 			vsap = &vsecattr;
197 		} else {
198 			vsap = NULL;
199 		}
200 
201 		/* The tree ACEs may prevent a create */
202 		rc = EACCES;
203 		if (is_dir) {
204 			if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_SUBDIRECTORY) != 0)
205 				rc = smb_vop_mkdir(dnode->vp, name, attr,
206 				    &vp, flags, cr, vsap);
207 		} else {
208 			if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_FILE) != 0)
209 				rc = smb_vop_create(dnode->vp, name, attr,
210 				    &vp, flags, cr, vsap);
211 		}
212 
213 		if (vsap != NULL)
214 			kmem_free(vsap->vsa_aclentp, aclbsize);
215 
216 		if (rc != 0)
217 			return (rc);
218 
219 		set_attr.sa_mask = 0;
220 
221 		/*
222 		 * Ideally we should be able to specify the owner and owning
223 		 * group at create time along with the ACL. Since we cannot
224 		 * do that right now, kcred is passed to smb_vop_setattr so it
225 		 * doesn't fail due to lack of permission.
226 		 */
227 		if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
228 			set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
229 			set_attr.sa_mask |= SMB_AT_UID;
230 		}
231 
232 		if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
233 			set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
234 			set_attr.sa_mask |= SMB_AT_GID;
235 		}
236 
237 		if (set_attr.sa_mask)
238 			rc = smb_vop_setattr(vp, NULL, &set_attr, 0, kcred);
239 
240 		if (rc == 0) {
241 			*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp,
242 			    name, dnode, NULL);
243 
244 			if (*ret_snode == NULL)
245 				rc = ENOMEM;
246 
247 			VN_RELE(vp);
248 		}
249 	} else {
250 		/*
251 		 * For filesystems that don't support ACL-on-create, try
252 		 * to set the specified SD after create, which could actually
253 		 * fail because of conflicts between inherited security
254 		 * attributes upon creation and the specified SD.
255 		 *
256 		 * Passing kcred to smb_fsop_sdwrite() to overcome this issue.
257 		 */
258 
259 		if (is_dir) {
260 			rc = smb_vop_mkdir(dnode->vp, name, attr, &vp,
261 			    flags, cr, NULL);
262 		} else {
263 			rc = smb_vop_create(dnode->vp, name, attr, &vp,
264 			    flags, cr, NULL);
265 		}
266 
267 		if (rc != 0)
268 			return (rc);
269 
270 		*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp,
271 		    name, dnode, NULL);
272 
273 		if (*ret_snode != NULL) {
274 			if (!smb_tree_has_feature(sr->tid_tree,
275 			    SMB_TREE_NFS_MOUNTED))
276 				rc = smb_fsop_sdwrite(sr, kcred, *ret_snode,
277 				    fs_sd, 1);
278 		} else {
279 			rc = ENOMEM;
280 		}
281 
282 		VN_RELE(vp);
283 	}
284 
285 	if (rc != 0) {
286 		if (is_dir)
287 			(void) smb_vop_rmdir(dnode->vp, name, flags, cr);
288 		else
289 			(void) smb_vop_remove(dnode->vp, name, flags, cr);
290 	}
291 
292 	return (rc);
293 }
294 
295 /*
296  * smb_fsop_create
297  *
298  * All SMB functions should use this wrapper to ensure that
299  * all the smb_vop_creates are performed with the appropriate credentials.
300  * Please document any direct calls to explain the reason for avoiding
301  * this wrapper.
302  *
303  * *ret_snode is returned with a reference upon success.  No reference is
304  * taken if an error is returned.
305  */
306 int
307 smb_fsop_create(smb_request_t *sr, cred_t *cr, smb_node_t *dnode,
308     char *name, smb_attr_t *attr, smb_node_t **ret_snode)
309 {
310 	int	rc = 0;
311 	int	flags = 0;
312 	char	*fname, *sname;
313 	char	*longname = NULL;
314 
315 	ASSERT(cr);
316 	ASSERT(dnode);
317 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
318 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
319 
320 	ASSERT(ret_snode);
321 	*ret_snode = 0;
322 
323 	ASSERT(name);
324 	if (*name == 0)
325 		return (EINVAL);
326 
327 	ASSERT(sr);
328 	ASSERT(sr->tid_tree);
329 
330 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0)
331 		return (EACCES);
332 
333 	if (SMB_TREE_IS_READONLY(sr))
334 		return (EROFS);
335 
336 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
337 		flags = SMB_IGNORE_CASE;
338 	if (SMB_TREE_SUPPORTS_CATIA(sr))
339 		flags |= SMB_CATIA;
340 	if (SMB_TREE_SUPPORTS_ABE(sr))
341 		flags |= SMB_ABE;
342 
343 	if (smb_is_stream_name(name)) {
344 		fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
345 		sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
346 		smb_stream_parse_name(name, fname, sname);
347 
348 		rc = smb_fsop_create_stream(sr, cr, dnode,
349 		    fname, sname, flags, attr, ret_snode);
350 
351 		kmem_free(fname, MAXNAMELEN);
352 		kmem_free(sname, MAXNAMELEN);
353 		return (rc);
354 	}
355 
356 	/* Not a named stream */
357 
358 	if (smb_maybe_mangled_name(name)) {
359 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
360 		rc = smb_unmangle_name(dnode, name, longname,
361 		    MAXNAMELEN, flags);
362 		kmem_free(longname, MAXNAMELEN);
363 
364 		if (rc == 0)
365 			rc = EEXIST;
366 		if (rc != ENOENT)
367 			return (rc);
368 	}
369 
370 	rc = smb_fsop_create_file(sr, cr, dnode, name, flags,
371 	    attr, ret_snode);
372 	return (rc);
373 
374 }
375 
376 
377 /*
378  * smb_fsop_create_stream
379  *
380  * Create NTFS named stream file (sname) on unnamed stream
381  * file (fname), creating the unnamed stream file if it
382  * doesn't exist.
383  * If we created the unnamed stream file and then creation
384  * of the named stream file fails, we delete the unnamed stream.
385  * Since we use the real file name for the smb_vop_remove we
386  * clear the SMB_IGNORE_CASE flag to ensure a case sensitive
387  * match.
388  *
389  * The second parameter of smb_vop_setattr() is set to
390  * NULL, even though an unnamed stream exists.  This is
391  * because we want to set the UID and GID on the named
392  * stream in this case for consistency with the (unnamed
393  * stream) file (see comments for smb_vop_setattr()).
394  */
395 static int
396 smb_fsop_create_stream(smb_request_t *sr, cred_t *cr,
397     smb_node_t *dnode, char *fname, char *sname, int flags,
398     smb_attr_t *attr, smb_node_t **ret_snode)
399 {
400 	smb_node_t	*fnode;
401 	smb_attr_t	fattr;
402 	vnode_t		*xattrdvp;
403 	vnode_t		*vp;
404 	int		rc = 0;
405 	boolean_t	fcreate = B_FALSE;
406 
407 	/* Look up / create the unnamed stream, fname */
408 	rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
409 	    sr->tid_tree->t_snode, dnode, fname, &fnode);
410 	if (rc == ENOENT) {
411 		fcreate = B_TRUE;
412 		rc = smb_fsop_create_file(sr, cr, dnode, fname, flags,
413 		    attr, &fnode);
414 	}
415 	if (rc != 0)
416 		return (rc);
417 
418 	fattr.sa_mask = SMB_AT_UID | SMB_AT_GID;
419 	rc = smb_vop_getattr(fnode->vp, NULL, &fattr, 0, kcred);
420 
421 	if (rc == 0) {
422 		/* create the named stream, sname */
423 		rc = smb_vop_stream_create(fnode->vp, sname, attr,
424 		    &vp, &xattrdvp, flags, cr);
425 	}
426 	if (rc != 0) {
427 		if (fcreate) {
428 			flags &= ~SMB_IGNORE_CASE;
429 			(void) smb_vop_remove(dnode->vp,
430 			    fnode->od_name, flags, cr);
431 		}
432 		smb_node_release(fnode);
433 		return (rc);
434 	}
435 
436 	attr->sa_vattr.va_uid = fattr.sa_vattr.va_uid;
437 	attr->sa_vattr.va_gid = fattr.sa_vattr.va_gid;
438 	attr->sa_mask = SMB_AT_UID | SMB_AT_GID;
439 
440 	rc = smb_vop_setattr(vp, NULL, attr, 0, kcred);
441 	if (rc != 0) {
442 		smb_node_release(fnode);
443 		return (rc);
444 	}
445 
446 	*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdvp,
447 	    vp, sname);
448 
449 	smb_node_release(fnode);
450 	VN_RELE(xattrdvp);
451 	VN_RELE(vp);
452 
453 	if (*ret_snode == NULL)
454 		rc = ENOMEM;
455 
456 	/* notify change to the unnamed stream */
457 	if (rc == 0)
458 		smb_node_notify_change(dnode);
459 
460 	return (rc);
461 }
462 
463 /*
464  * smb_fsop_create_file
465  */
466 static int
467 smb_fsop_create_file(smb_request_t *sr, cred_t *cr,
468     smb_node_t *dnode, char *name, int flags,
469     smb_attr_t *attr, smb_node_t **ret_snode)
470 {
471 	open_param_t	*op = &sr->arg.open;
472 	vnode_t		*vp;
473 	smb_fssd_t	fs_sd;
474 	uint32_t	secinfo;
475 	uint32_t	status;
476 	int		rc = 0;
477 
478 	if (op->sd) {
479 		/*
480 		 * SD sent by client in Windows format. Needs to be
481 		 * converted to FS format. No inheritance.
482 		 */
483 		secinfo = smb_sd_get_secinfo(op->sd);
484 		smb_fssd_init(&fs_sd, secinfo, 0);
485 
486 		status = smb_sd_tofs(op->sd, &fs_sd);
487 		if (status == NT_STATUS_SUCCESS) {
488 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
489 			    name, attr, ret_snode, &fs_sd);
490 		} else {
491 			rc = EINVAL;
492 		}
493 		smb_fssd_term(&fs_sd);
494 	} else if (sr->tid_tree->t_acltype == ACE_T) {
495 		/*
496 		 * No incoming SD and filesystem is ZFS
497 		 * Server applies Windows inheritance rules,
498 		 * see smb_fsop_sdinherit() comments as to why.
499 		 */
500 		smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, 0);
501 		rc = smb_fsop_sdinherit(sr, dnode, &fs_sd);
502 		if (rc == 0) {
503 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
504 			    name, attr, ret_snode, &fs_sd);
505 		}
506 
507 		smb_fssd_term(&fs_sd);
508 	} else {
509 		/*
510 		 * No incoming SD and filesystem is not ZFS
511 		 * let the filesystem handles the inheritance.
512 		 */
513 		rc = smb_vop_create(dnode->vp, name, attr, &vp,
514 		    flags, cr, NULL);
515 
516 		if (rc == 0) {
517 			*ret_snode = smb_node_lookup(sr, op, cr, vp,
518 			    name, dnode, NULL);
519 
520 			if (*ret_snode == NULL)
521 				rc = ENOMEM;
522 
523 			VN_RELE(vp);
524 		}
525 
526 	}
527 
528 	if (rc == 0)
529 		smb_node_notify_parents(dnode);
530 
531 	return (rc);
532 }
533 
534 /*
535  * smb_fsop_mkdir
536  *
537  * All SMB functions should use this wrapper to ensure that
538  * the the calls are performed with the appropriate credentials.
539  * Please document any direct call to explain the reason
540  * for avoiding this wrapper.
541  *
542  * It is assumed that a reference exists on snode coming into this routine.
543  *
544  * *ret_snode is returned with a reference upon success.  No reference is
545  * taken if an error is returned.
546  */
547 int
548 smb_fsop_mkdir(
549     smb_request_t *sr,
550     cred_t *cr,
551     smb_node_t *dnode,
552     char *name,
553     smb_attr_t *attr,
554     smb_node_t **ret_snode)
555 {
556 	struct open_param *op = &sr->arg.open;
557 	char *longname;
558 	vnode_t *vp;
559 	int flags = 0;
560 	smb_fssd_t fs_sd;
561 	uint32_t secinfo;
562 	uint32_t status;
563 	int rc;
564 	ASSERT(cr);
565 	ASSERT(dnode);
566 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
567 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
568 
569 	ASSERT(ret_snode);
570 	*ret_snode = 0;
571 
572 	ASSERT(name);
573 	if (*name == 0)
574 		return (EINVAL);
575 
576 	ASSERT(sr);
577 	ASSERT(sr->tid_tree);
578 
579 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0)
580 		return (EACCES);
581 
582 	if (SMB_TREE_IS_READONLY(sr))
583 		return (EROFS);
584 	if (SMB_TREE_SUPPORTS_CATIA(sr))
585 		flags |= SMB_CATIA;
586 	if (SMB_TREE_SUPPORTS_ABE(sr))
587 		flags |= SMB_ABE;
588 
589 	if (smb_maybe_mangled_name(name)) {
590 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
591 		rc = smb_unmangle_name(dnode, name, longname,
592 		    MAXNAMELEN, flags);
593 		kmem_free(longname, MAXNAMELEN);
594 
595 		/*
596 		 * If the name passed in by the client has an unmangled
597 		 * equivalent that is found in the specified directory,
598 		 * then the mkdir cannot succeed.  Return EEXIST.
599 		 *
600 		 * Only if ENOENT is returned will a mkdir be attempted.
601 		 */
602 
603 		if (rc == 0)
604 			rc = EEXIST;
605 
606 		if (rc != ENOENT)
607 			return (rc);
608 	}
609 
610 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
611 		flags = SMB_IGNORE_CASE;
612 
613 	if (op->sd) {
614 		/*
615 		 * SD sent by client in Windows format. Needs to be
616 		 * converted to FS format. No inheritance.
617 		 */
618 		secinfo = smb_sd_get_secinfo(op->sd);
619 		smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR);
620 
621 		status = smb_sd_tofs(op->sd, &fs_sd);
622 		if (status == NT_STATUS_SUCCESS) {
623 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
624 			    name, attr, ret_snode, &fs_sd);
625 		}
626 		else
627 			rc = EINVAL;
628 		smb_fssd_term(&fs_sd);
629 	} else if (sr->tid_tree->t_acltype == ACE_T) {
630 		/*
631 		 * No incoming SD and filesystem is ZFS
632 		 * Server applies Windows inheritance rules,
633 		 * see smb_fsop_sdinherit() comments as to why.
634 		 */
635 		smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, SMB_FSSD_FLAGS_DIR);
636 		rc = smb_fsop_sdinherit(sr, dnode, &fs_sd);
637 		if (rc == 0) {
638 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
639 			    name, attr, ret_snode, &fs_sd);
640 		}
641 
642 		smb_fssd_term(&fs_sd);
643 
644 	} else {
645 		rc = smb_vop_mkdir(dnode->vp, name, attr, &vp, flags, cr,
646 		    NULL);
647 
648 		if (rc == 0) {
649 			*ret_snode = smb_node_lookup(sr, op, cr, vp, name,
650 			    dnode, NULL);
651 
652 			if (*ret_snode == NULL)
653 				rc = ENOMEM;
654 
655 			VN_RELE(vp);
656 		}
657 	}
658 
659 	if (rc == 0)
660 		smb_node_notify_parents(dnode);
661 
662 	return (rc);
663 }
664 
665 /*
666  * smb_fsop_remove
667  *
668  * All SMB functions should use this wrapper to ensure that
669  * the the calls are performed with the appropriate credentials.
670  * Please document any direct call to explain the reason
671  * for avoiding this wrapper.
672  *
673  * It is assumed that a reference exists on snode coming into this routine.
674  *
675  * A null smb_request might be passed to this function.
676  */
677 int
678 smb_fsop_remove(
679     smb_request_t	*sr,
680     cred_t		*cr,
681     smb_node_t		*dnode,
682     char		*name,
683     uint32_t		flags)
684 {
685 	smb_node_t	*fnode;
686 	char		*longname;
687 	char		*fname;
688 	char		*sname;
689 	int		rc;
690 
691 	ASSERT(cr);
692 	/*
693 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
694 	 * function is called during the deletion of the node (because of
695 	 * DELETE_ON_CLOSE).
696 	 */
697 	ASSERT(dnode);
698 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
699 
700 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 ||
701 	    SMB_TREE_HAS_ACCESS(sr, ACE_DELETE) == 0)
702 		return (EACCES);
703 
704 	if (SMB_TREE_IS_READONLY(sr))
705 		return (EROFS);
706 
707 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
708 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
709 
710 	if (dnode->flags & NODE_XATTR_DIR) {
711 		fnode = dnode->n_dnode;
712 		rc = smb_vop_stream_remove(fnode->vp, name, flags, cr);
713 
714 		/* notify change to the unnamed stream */
715 		if ((rc == 0) && fnode->n_dnode)
716 			smb_node_notify_change(fnode->n_dnode);
717 
718 	} else if (smb_is_stream_name(name)) {
719 		smb_stream_parse_name(name, fname, sname);
720 
721 		/*
722 		 * Look up the unnamed stream (i.e. fname).
723 		 * Unmangle processing will be done on fname
724 		 * as well as any link target.
725 		 */
726 
727 		rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
728 		    sr->tid_tree->t_snode, dnode, fname, &fnode);
729 
730 		if (rc != 0) {
731 			kmem_free(fname, MAXNAMELEN);
732 			kmem_free(sname, MAXNAMELEN);
733 			return (rc);
734 		}
735 
736 		/*
737 		 * XXX
738 		 * Need to find out what permission is required by NTFS
739 		 * to remove a stream.
740 		 */
741 		rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr);
742 
743 		smb_node_release(fnode);
744 
745 		/* notify change to the unnamed stream */
746 		if (rc == 0)
747 			smb_node_notify_change(dnode);
748 	} else {
749 		rc = smb_vop_remove(dnode->vp, name, flags, cr);
750 
751 		if (rc == ENOENT) {
752 			if (smb_maybe_mangled_name(name) == 0) {
753 				kmem_free(fname, MAXNAMELEN);
754 				kmem_free(sname, MAXNAMELEN);
755 				return (rc);
756 			}
757 			longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
758 
759 			if (SMB_TREE_SUPPORTS_ABE(sr))
760 				flags |= SMB_ABE;
761 
762 			rc = smb_unmangle_name(dnode, name,
763 			    longname, MAXNAMELEN, flags);
764 
765 			if (rc == 0) {
766 				/*
767 				 * longname is the real (case-sensitive)
768 				 * on-disk name.
769 				 * We make sure we do a remove on this exact
770 				 * name, as the name was mangled and denotes
771 				 * a unique file.
772 				 */
773 				flags &= ~SMB_IGNORE_CASE;
774 				rc = smb_vop_remove(dnode->vp, longname,
775 				    flags, cr);
776 			}
777 
778 			if (rc == 0)
779 				smb_node_notify_parents(dnode);
780 
781 			kmem_free(longname, MAXNAMELEN);
782 		}
783 	}
784 
785 	kmem_free(fname, MAXNAMELEN);
786 	kmem_free(sname, MAXNAMELEN);
787 
788 	return (rc);
789 }
790 
791 /*
792  * smb_fsop_remove_streams
793  *
794  * This function removes a file's streams without removing the
795  * file itself.
796  *
797  * It is assumed that fnode is not a link.
798  */
799 int
800 smb_fsop_remove_streams(smb_request_t *sr, cred_t *cr, smb_node_t *fnode)
801 {
802 	int rc, flags = 0;
803 	uint16_t odid;
804 	smb_odir_t *od;
805 	smb_odirent_t *odirent;
806 	boolean_t eos;
807 
808 	ASSERT(sr);
809 	ASSERT(cr);
810 	ASSERT(fnode);
811 	ASSERT(fnode->n_magic == SMB_NODE_MAGIC);
812 	ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING);
813 
814 	if (SMB_TREE_CONTAINS_NODE(sr, fnode) == 0) {
815 		smbsr_errno(sr, EACCES);
816 		return (-1);
817 	}
818 
819 	if (SMB_TREE_IS_READONLY(sr)) {
820 		smbsr_errno(sr, EROFS);
821 		return (-1);
822 	}
823 
824 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
825 		flags = SMB_IGNORE_CASE;
826 
827 	if (SMB_TREE_SUPPORTS_CATIA(sr))
828 		flags |= SMB_CATIA;
829 
830 	if ((odid = smb_odir_openat(sr, fnode)) == 0) {
831 		smbsr_errno(sr, ENOENT);
832 		return (-1);
833 	}
834 
835 	if ((od = smb_tree_lookup_odir(sr->tid_tree, odid)) == NULL) {
836 		smbsr_errno(sr, ENOENT);
837 		return (-1);
838 	}
839 
840 	odirent = kmem_alloc(sizeof (smb_odirent_t), KM_SLEEP);
841 	for (;;) {
842 		rc = smb_odir_read(sr, od, odirent, &eos);
843 		if ((rc != 0) || (eos))
844 			break;
845 		(void) smb_vop_remove(od->d_dnode->vp, odirent->od_name,
846 		    flags, cr);
847 	}
848 	kmem_free(odirent, sizeof (smb_odirent_t));
849 
850 	smb_odir_close(od);
851 	smb_odir_release(od);
852 	return (rc);
853 }
854 
855 /*
856  * smb_fsop_rmdir
857  *
858  * All SMB functions should use this wrapper to ensure that
859  * the the calls are performed with the appropriate credentials.
860  * Please document any direct call to explain the reason
861  * for avoiding this wrapper.
862  *
863  * It is assumed that a reference exists on snode coming into this routine.
864  */
865 int
866 smb_fsop_rmdir(
867     smb_request_t	*sr,
868     cred_t		*cr,
869     smb_node_t		*dnode,
870     char		*name,
871     uint32_t		flags)
872 {
873 	int		rc;
874 	char		*longname;
875 
876 	ASSERT(cr);
877 	/*
878 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
879 	 * function is called during the deletion of the node (because of
880 	 * DELETE_ON_CLOSE).
881 	 */
882 	ASSERT(dnode);
883 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
884 
885 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 ||
886 	    SMB_TREE_HAS_ACCESS(sr, ACE_DELETE_CHILD) == 0)
887 		return (EACCES);
888 
889 	if (SMB_TREE_IS_READONLY(sr))
890 		return (EROFS);
891 
892 	rc = smb_vop_rmdir(dnode->vp, name, flags, cr);
893 
894 	if (rc == ENOENT) {
895 		if (smb_maybe_mangled_name(name) == 0)
896 			return (rc);
897 
898 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
899 
900 		if (SMB_TREE_SUPPORTS_ABE(sr))
901 			flags |= SMB_ABE;
902 		rc = smb_unmangle_name(dnode, name, longname,
903 		    MAXNAMELEN, flags);
904 
905 		if (rc == 0) {
906 			/*
907 			 * longname is the real (case-sensitive)
908 			 * on-disk name.
909 			 * We make sure we do a rmdir on this exact
910 			 * name, as the name was mangled and denotes
911 			 * a unique directory.
912 			 */
913 			flags &= ~SMB_IGNORE_CASE;
914 			rc = smb_vop_rmdir(dnode->vp, longname, flags, cr);
915 		}
916 
917 		kmem_free(longname, MAXNAMELEN);
918 	}
919 
920 	if (rc == 0)
921 		smb_node_notify_parents(dnode);
922 
923 	return (rc);
924 }
925 
926 /*
927  * smb_fsop_getattr
928  *
929  * All SMB functions should use this wrapper to ensure that
930  * the the calls are performed with the appropriate credentials.
931  * Please document any direct call to explain the reason
932  * for avoiding this wrapper.
933  *
934  * It is assumed that a reference exists on snode coming into this routine.
935  */
936 int
937 smb_fsop_getattr(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
938     smb_attr_t *attr)
939 {
940 	smb_node_t *unnamed_node;
941 	vnode_t *unnamed_vp = NULL;
942 	uint32_t status;
943 	uint32_t access = 0;
944 	int flags = 0;
945 	int rc;
946 
947 	ASSERT(cr);
948 	ASSERT(snode);
949 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
950 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
951 
952 	if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0 ||
953 	    SMB_TREE_HAS_ACCESS(sr, ACE_READ_ATTRIBUTES) == 0)
954 		return (EACCES);
955 
956 	/* sr could be NULL in some cases */
957 	if (sr && sr->fid_ofile) {
958 		/* if uid and/or gid is requested */
959 		if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID))
960 			access |= READ_CONTROL;
961 
962 		/* if anything else is also requested */
963 		if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID))
964 			access |= FILE_READ_ATTRIBUTES;
965 
966 		status = smb_ofile_access(sr->fid_ofile, cr, access);
967 		if (status != NT_STATUS_SUCCESS)
968 			return (EACCES);
969 
970 		if (smb_tree_has_feature(sr->tid_tree,
971 		    SMB_TREE_ACEMASKONACCESS))
972 			flags = ATTR_NOACLCHECK;
973 	}
974 
975 	unnamed_node = SMB_IS_STREAM(snode);
976 
977 	if (unnamed_node) {
978 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
979 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
980 		unnamed_vp = unnamed_node->vp;
981 	}
982 
983 	rc = smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr);
984 
985 	if ((rc == 0) && smb_node_is_dfslink(snode)) {
986 		/* a DFS link should be treated as a directory */
987 		attr->sa_dosattr |= FILE_ATTRIBUTE_DIRECTORY;
988 	}
989 
990 	return (rc);
991 }
992 
993 /*
994  * smb_fsop_link
995  *
996  * All SMB functions should use this smb_vop_link wrapper to ensure that
997  * the smb_vop_link is performed with the appropriate credentials.
998  * Please document any direct call to smb_vop_link to explain the reason
999  * for avoiding this wrapper.
1000  *
1001  * It is assumed that references exist on from_dnode and to_dnode coming
1002  * into this routine.
1003  */
1004 int
1005 smb_fsop_link(smb_request_t *sr, cred_t *cr, smb_node_t *from_fnode,
1006     smb_node_t *to_dnode, char *to_name)
1007 {
1008 	char	*longname = NULL;
1009 	int	flags = 0;
1010 	int	rc;
1011 
1012 	ASSERT(sr);
1013 	ASSERT(sr->tid_tree);
1014 	ASSERT(cr);
1015 	ASSERT(to_dnode);
1016 	ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC);
1017 	ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING);
1018 	ASSERT(from_fnode);
1019 	ASSERT(from_fnode->n_magic == SMB_NODE_MAGIC);
1020 	ASSERT(from_fnode->n_state != SMB_NODE_STATE_DESTROYING);
1021 
1022 	if (SMB_TREE_CONTAINS_NODE(sr, from_fnode) == 0)
1023 		return (EACCES);
1024 
1025 	if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0)
1026 		return (EACCES);
1027 
1028 	if (SMB_TREE_IS_READONLY(sr))
1029 		return (EROFS);
1030 
1031 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1032 		flags = SMB_IGNORE_CASE;
1033 	if (SMB_TREE_SUPPORTS_CATIA(sr))
1034 		flags |= SMB_CATIA;
1035 	if (SMB_TREE_SUPPORTS_ABE(sr))
1036 		flags |= SMB_ABE;
1037 
1038 	if (smb_maybe_mangled_name(to_name)) {
1039 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1040 		rc = smb_unmangle_name(to_dnode, to_name,
1041 		    longname, MAXNAMELEN, flags);
1042 		kmem_free(longname, MAXNAMELEN);
1043 
1044 		if (rc == 0)
1045 			rc = EEXIST;
1046 		if (rc != ENOENT)
1047 			return (rc);
1048 	}
1049 
1050 	rc = smb_vop_link(to_dnode->vp, from_fnode->vp, to_name, flags, cr);
1051 
1052 	if ((rc == 0) && from_fnode->n_dnode)
1053 		smb_node_notify_parents(from_fnode->n_dnode);
1054 
1055 	return (rc);
1056 }
1057 
1058 /*
1059  * smb_fsop_rename
1060  *
1061  * All SMB functions should use this smb_vop_rename wrapper to ensure that
1062  * the smb_vop_rename is performed with the appropriate credentials.
1063  * Please document any direct call to smb_vop_rename to explain the reason
1064  * for avoiding this wrapper.
1065  *
1066  * It is assumed that references exist on from_dnode and to_dnode coming
1067  * into this routine.
1068  */
1069 int
1070 smb_fsop_rename(
1071     smb_request_t *sr,
1072     cred_t *cr,
1073     smb_node_t *from_dnode,
1074     char *from_name,
1075     smb_node_t *to_dnode,
1076     char *to_name)
1077 {
1078 	smb_node_t *from_snode;
1079 	smb_attr_t from_attr;
1080 	vnode_t *from_vp;
1081 	int flags = 0, ret_flags;
1082 	int rc;
1083 	boolean_t isdir;
1084 
1085 	ASSERT(cr);
1086 	ASSERT(from_dnode);
1087 	ASSERT(from_dnode->n_magic == SMB_NODE_MAGIC);
1088 	ASSERT(from_dnode->n_state != SMB_NODE_STATE_DESTROYING);
1089 
1090 	ASSERT(to_dnode);
1091 	ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC);
1092 	ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING);
1093 
1094 	if (SMB_TREE_CONTAINS_NODE(sr, from_dnode) == 0)
1095 		return (EACCES);
1096 
1097 	if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0)
1098 		return (EACCES);
1099 
1100 	ASSERT(sr);
1101 	ASSERT(sr->tid_tree);
1102 	if (SMB_TREE_IS_READONLY(sr))
1103 		return (EROFS);
1104 
1105 	/*
1106 	 * Note: There is no need to check SMB_TREE_IS_CASEINSENSITIVE
1107 	 * here.
1108 	 *
1109 	 * A case-sensitive rename is always done in this routine
1110 	 * because we are using the on-disk name from an earlier lookup.
1111 	 * If a mangled name was passed in by the caller (denoting a
1112 	 * deterministic lookup), then the exact file must be renamed
1113 	 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or
1114 	 * else the underlying file system might return a "first-match"
1115 	 * on this on-disk name, possibly resulting in the wrong file).
1116 	 */
1117 
1118 	if (SMB_TREE_SUPPORTS_CATIA(sr))
1119 		flags |= SMB_CATIA;
1120 
1121 	/*
1122 	 * XXX: Lock required through smb_node_release() below?
1123 	 */
1124 
1125 	rc = smb_vop_lookup(from_dnode->vp, from_name, &from_vp, NULL,
1126 	    flags, &ret_flags, NULL, &from_attr, cr);
1127 
1128 	if (rc != 0)
1129 		return (rc);
1130 
1131 	if (from_attr.sa_dosattr & FILE_ATTRIBUTE_REPARSE_POINT) {
1132 		VN_RELE(from_vp);
1133 		return (EACCES);
1134 	}
1135 
1136 	isdir = ((from_attr.sa_dosattr & FILE_ATTRIBUTE_DIRECTORY) != 0);
1137 
1138 	if ((isdir && SMB_TREE_HAS_ACCESS(sr,
1139 	    ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY) !=
1140 	    (ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY)) ||
1141 	    (!isdir && SMB_TREE_HAS_ACCESS(sr, ACE_DELETE | ACE_ADD_FILE) !=
1142 	    (ACE_DELETE | ACE_ADD_FILE))) {
1143 		VN_RELE(from_vp);
1144 		return (EACCES);
1145 	}
1146 
1147 	/*
1148 	 * SMB checks access on open and retains an access granted
1149 	 * mask for use while the file is open.  ACL changes should
1150 	 * not affect access to an open file.
1151 	 *
1152 	 * If the rename is being performed on an ofile:
1153 	 * - Check the ofile's access granted mask to see if the
1154 	 *   rename is permitted - requires DELETE access.
1155 	 * - If the file system does access checking, set the
1156 	 *   ATTR_NOACLCHECK flag to ensure that the file system
1157 	 *   does not check permissions on subsequent calls.
1158 	 */
1159 	if (sr && sr->fid_ofile) {
1160 		rc = smb_ofile_access(sr->fid_ofile, cr, DELETE);
1161 		if (rc != NT_STATUS_SUCCESS) {
1162 			VN_RELE(from_vp);
1163 			return (EACCES);
1164 		}
1165 
1166 		if (smb_tree_has_feature(sr->tid_tree,
1167 		    SMB_TREE_ACEMASKONACCESS))
1168 			flags = ATTR_NOACLCHECK;
1169 	}
1170 
1171 	rc = smb_vop_rename(from_dnode->vp, from_name, to_dnode->vp,
1172 	    to_name, flags, cr);
1173 
1174 	if (rc == 0) {
1175 		from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name,
1176 		    from_dnode, NULL);
1177 
1178 		if (from_snode == NULL) {
1179 			rc = ENOMEM;
1180 		} else {
1181 			smb_node_rename(from_dnode, from_snode,
1182 			    to_dnode, to_name);
1183 			smb_node_release(from_snode);
1184 		}
1185 	}
1186 	VN_RELE(from_vp);
1187 
1188 	if (rc == 0)
1189 		smb_node_notify_parents(from_dnode);
1190 
1191 	/* XXX: unlock */
1192 
1193 	return (rc);
1194 }
1195 
1196 /*
1197  * smb_fsop_setattr
1198  *
1199  * All SMB functions should use this wrapper to ensure that
1200  * the the calls are performed with the appropriate credentials.
1201  * Please document any direct call to explain the reason
1202  * for avoiding this wrapper.
1203  *
1204  * It is assumed that a reference exists on snode coming into
1205  * this function.
1206  * A null smb_request might be passed to this function.
1207  */
1208 int
1209 smb_fsop_setattr(
1210     smb_request_t	*sr,
1211     cred_t		*cr,
1212     smb_node_t		*snode,
1213     smb_attr_t		*set_attr)
1214 {
1215 	smb_node_t *unnamed_node;
1216 	vnode_t *unnamed_vp = NULL;
1217 	uint32_t status;
1218 	uint32_t access;
1219 	int rc = 0;
1220 	int flags = 0;
1221 	uint_t sa_mask;
1222 
1223 	ASSERT(cr);
1224 	ASSERT(snode);
1225 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1226 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1227 
1228 	if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0)
1229 		return (EACCES);
1230 
1231 	if (SMB_TREE_IS_READONLY(sr))
1232 		return (EROFS);
1233 
1234 	if (SMB_TREE_HAS_ACCESS(sr,
1235 	    ACE_WRITE_ATTRIBUTES | ACE_WRITE_NAMED_ATTRS) == 0)
1236 		return (EACCES);
1237 
1238 	/*
1239 	 * The file system cannot detect pending READDONLY
1240 	 * (i.e. if the file has been opened readonly but
1241 	 * not yet closed) so we need to test READONLY here.
1242 	 */
1243 	if (sr && (set_attr->sa_mask & SMB_AT_SIZE)) {
1244 		if (sr->fid_ofile) {
1245 			if (SMB_OFILE_IS_READONLY(sr->fid_ofile))
1246 				return (EACCES);
1247 		} else {
1248 			if (SMB_PATHFILE_IS_READONLY(sr, snode))
1249 				return (EACCES);
1250 		}
1251 	}
1252 
1253 	/*
1254 	 * SMB checks access on open and retains an access granted
1255 	 * mask for use while the file is open.  ACL changes should
1256 	 * not affect access to an open file.
1257 	 *
1258 	 * If the setattr is being performed on an ofile:
1259 	 * - Check the ofile's access granted mask to see if the
1260 	 *   setattr is permitted.
1261 	 *   UID, GID - require WRITE_OWNER
1262 	 *   SIZE, ALLOCSZ - require FILE_WRITE_DATA
1263 	 *   all other attributes require FILE_WRITE_ATTRIBUTES
1264 	 *
1265 	 * - If the file system does access checking, set the
1266 	 *   ATTR_NOACLCHECK flag to ensure that the file system
1267 	 *   does not check permissions on subsequent calls.
1268 	 */
1269 	if (sr && sr->fid_ofile) {
1270 		sa_mask = set_attr->sa_mask;
1271 		access = 0;
1272 
1273 		if (sa_mask & (SMB_AT_SIZE | SMB_AT_ALLOCSZ)) {
1274 			access |= FILE_WRITE_DATA;
1275 			sa_mask &= ~(SMB_AT_SIZE | SMB_AT_ALLOCSZ);
1276 		}
1277 
1278 		if (sa_mask & (SMB_AT_UID|SMB_AT_GID)) {
1279 			access |= WRITE_OWNER;
1280 			sa_mask &= ~(SMB_AT_UID|SMB_AT_GID);
1281 		}
1282 
1283 		if (sa_mask)
1284 			access |= FILE_WRITE_ATTRIBUTES;
1285 
1286 		status = smb_ofile_access(sr->fid_ofile, cr, access);
1287 		if (status != NT_STATUS_SUCCESS)
1288 			return (EACCES);
1289 
1290 		if (smb_tree_has_feature(sr->tid_tree,
1291 		    SMB_TREE_ACEMASKONACCESS))
1292 			flags = ATTR_NOACLCHECK;
1293 	}
1294 
1295 	unnamed_node = SMB_IS_STREAM(snode);
1296 
1297 	if (unnamed_node) {
1298 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1299 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1300 		unnamed_vp = unnamed_node->vp;
1301 	}
1302 
1303 	rc = smb_vop_setattr(snode->vp, unnamed_vp, set_attr, flags, cr);
1304 	return (rc);
1305 }
1306 
1307 /*
1308  * smb_fsop_read
1309  *
1310  * All SMB functions should use this wrapper to ensure that
1311  * the the calls are performed with the appropriate credentials.
1312  * Please document any direct call to explain the reason
1313  * for avoiding this wrapper.
1314  *
1315  * It is assumed that a reference exists on snode coming into this routine.
1316  */
1317 int
1318 smb_fsop_read(smb_request_t *sr, cred_t *cr, smb_node_t *snode, uio_t *uio)
1319 {
1320 	caller_context_t ct;
1321 	int svmand;
1322 	int rc;
1323 
1324 	ASSERT(cr);
1325 	ASSERT(snode);
1326 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1327 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1328 
1329 	ASSERT(sr);
1330 	ASSERT(sr->fid_ofile);
1331 
1332 	if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_DATA) == 0)
1333 		return (EACCES);
1334 
1335 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_READ_DATA);
1336 	if ((rc != NT_STATUS_SUCCESS) &&
1337 	    (sr->smb_flg2 & SMB_FLAGS2_READ_IF_EXECUTE))
1338 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_EXECUTE);
1339 
1340 	if (rc != NT_STATUS_SUCCESS)
1341 		return (EACCES);
1342 
1343 	/*
1344 	 * Streams permission are checked against the unnamed stream,
1345 	 * but in FS level they have their own permissions. To avoid
1346 	 * rejection by FS due to lack of permission on the actual
1347 	 * extended attr kcred is passed for streams.
1348 	 */
1349 	if (SMB_IS_STREAM(snode))
1350 		cr = kcred;
1351 
1352 	smb_node_start_crit(snode, RW_READER);
1353 	rc = nbl_svmand(snode->vp, kcred, &svmand);
1354 	if (rc) {
1355 		smb_node_end_crit(snode);
1356 		return (rc);
1357 	}
1358 
1359 	ct = smb_ct;
1360 	ct.cc_pid = sr->fid_ofile->f_uniqid;
1361 	rc = nbl_lock_conflict(snode->vp, NBL_READ, uio->uio_loffset,
1362 	    uio->uio_iov->iov_len, svmand, &ct);
1363 
1364 	if (rc) {
1365 		smb_node_end_crit(snode);
1366 		return (ERANGE);
1367 	}
1368 
1369 	rc = smb_vop_read(snode->vp, uio, cr);
1370 	smb_node_end_crit(snode);
1371 
1372 	return (rc);
1373 }
1374 
1375 /*
1376  * smb_fsop_write
1377  *
1378  * This is a wrapper function used for smb_write and smb_write_raw operations.
1379  *
1380  * It is assumed that a reference exists on snode coming into this routine.
1381  */
1382 int
1383 smb_fsop_write(
1384     smb_request_t *sr,
1385     cred_t *cr,
1386     smb_node_t *snode,
1387     uio_t *uio,
1388     uint32_t *lcount,
1389     int ioflag)
1390 {
1391 	caller_context_t ct;
1392 	int svmand;
1393 	int rc;
1394 
1395 	ASSERT(cr);
1396 	ASSERT(snode);
1397 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1398 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1399 
1400 	ASSERT(sr);
1401 	ASSERT(sr->tid_tree);
1402 	ASSERT(sr->fid_ofile);
1403 
1404 	if (SMB_TREE_IS_READONLY(sr))
1405 		return (EROFS);
1406 
1407 	if (SMB_OFILE_IS_READONLY(sr->fid_ofile) ||
1408 	    SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_DATA | ACE_APPEND_DATA) == 0)
1409 		return (EACCES);
1410 
1411 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_WRITE_DATA);
1412 	if (rc != NT_STATUS_SUCCESS) {
1413 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_APPEND_DATA);
1414 		if (rc != NT_STATUS_SUCCESS)
1415 			return (EACCES);
1416 	}
1417 
1418 	/*
1419 	 * Streams permission are checked against the unnamed stream,
1420 	 * but in FS level they have their own permissions. To avoid
1421 	 * rejection by FS due to lack of permission on the actual
1422 	 * extended attr kcred is passed for streams.
1423 	 */
1424 	if (SMB_IS_STREAM(snode))
1425 		cr = kcred;
1426 
1427 	smb_node_start_crit(snode, RW_READER);
1428 	rc = nbl_svmand(snode->vp, kcred, &svmand);
1429 	if (rc) {
1430 		smb_node_end_crit(snode);
1431 		return (rc);
1432 	}
1433 
1434 	ct = smb_ct;
1435 	ct.cc_pid = sr->fid_ofile->f_uniqid;
1436 	rc = nbl_lock_conflict(snode->vp, NBL_WRITE, uio->uio_loffset,
1437 	    uio->uio_iov->iov_len, svmand, &ct);
1438 
1439 	if (rc) {
1440 		smb_node_end_crit(snode);
1441 		return (ERANGE);
1442 	}
1443 
1444 	rc = smb_vop_write(snode->vp, uio, ioflag, lcount, cr);
1445 	smb_node_end_crit(snode);
1446 
1447 	return (rc);
1448 }
1449 
1450 /*
1451  * smb_fsop_statfs
1452  *
1453  * This is a wrapper function used for stat operations.
1454  */
1455 int
1456 smb_fsop_statfs(
1457     cred_t *cr,
1458     smb_node_t *snode,
1459     struct statvfs64 *statp)
1460 {
1461 	ASSERT(cr);
1462 	ASSERT(snode);
1463 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1464 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1465 
1466 	return (smb_vop_statfs(snode->vp, statp, cr));
1467 }
1468 
1469 /*
1470  * smb_fsop_access
1471  *
1472  * Named streams do not have separate permissions from the associated
1473  * unnamed stream.  Thus, if node is a named stream, the permissions
1474  * check will be performed on the associated unnamed stream.
1475  *
1476  * However, our named streams do have their own quarantine attribute,
1477  * separate from that on the unnamed stream. If READ or EXECUTE
1478  * access has been requested on a named stream, an additional access
1479  * check is performed on the named stream in case it has been
1480  * quarantined.  kcred is used to avoid issues with the permissions
1481  * set on the extended attribute file representing the named stream.
1482  */
1483 int
1484 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1485     uint32_t faccess)
1486 {
1487 	int access = 0;
1488 	int error;
1489 	vnode_t *dir_vp;
1490 	boolean_t acl_check = B_TRUE;
1491 	smb_node_t *unnamed_node;
1492 
1493 	ASSERT(sr);
1494 	ASSERT(cr);
1495 	ASSERT(snode);
1496 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1497 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1498 
1499 	if (faccess == 0)
1500 		return (NT_STATUS_SUCCESS);
1501 
1502 	if (SMB_TREE_IS_READONLY(sr)) {
1503 		if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA|
1504 		    FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES|
1505 		    DELETE|WRITE_DAC|WRITE_OWNER)) {
1506 			return (NT_STATUS_ACCESS_DENIED);
1507 		}
1508 	}
1509 
1510 	if (smb_node_is_reparse(snode) && (faccess & DELETE))
1511 		return (NT_STATUS_ACCESS_DENIED);
1512 
1513 	unnamed_node = SMB_IS_STREAM(snode);
1514 	if (unnamed_node) {
1515 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1516 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1517 
1518 		/*
1519 		 * Perform VREAD access check on the named stream in case it
1520 		 * is quarantined. kcred is passed to smb_vop_access so it
1521 		 * doesn't fail due to lack of permission.
1522 		 */
1523 		if (faccess & (FILE_READ_DATA | FILE_EXECUTE)) {
1524 			error = smb_vop_access(snode->vp, VREAD,
1525 			    0, NULL, kcred);
1526 			if (error)
1527 				return (NT_STATUS_ACCESS_DENIED);
1528 		}
1529 
1530 		/*
1531 		 * Streams authorization should be performed against the
1532 		 * unnamed stream.
1533 		 */
1534 		snode = unnamed_node;
1535 	}
1536 
1537 	if (faccess & ACCESS_SYSTEM_SECURITY) {
1538 		/*
1539 		 * This permission is required for reading/writing SACL and
1540 		 * it's not part of DACL. It's only granted via proper
1541 		 * privileges.
1542 		 */
1543 		if ((sr->uid_user->u_privileges &
1544 		    (SMB_USER_PRIV_BACKUP |
1545 		    SMB_USER_PRIV_RESTORE |
1546 		    SMB_USER_PRIV_SECURITY)) == 0)
1547 			return (NT_STATUS_PRIVILEGE_NOT_HELD);
1548 
1549 		faccess &= ~ACCESS_SYSTEM_SECURITY;
1550 	}
1551 
1552 	/* Links don't have ACL */
1553 	if ((!smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) ||
1554 	    smb_node_is_symlink(snode))
1555 		acl_check = B_FALSE;
1556 
1557 	/*
1558 	 * Use the most restrictive parts of both faccess and the
1559 	 * share access.  An AND of the two value masks gives us that
1560 	 * since we've already converted to a mask of what we "can"
1561 	 * do.
1562 	 */
1563 	faccess &= sr->tid_tree->t_access;
1564 
1565 	if (acl_check) {
1566 		dir_vp = (snode->n_dnode) ? snode->n_dnode->vp : NULL;
1567 		error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp,
1568 		    cr);
1569 	} else {
1570 		/*
1571 		 * FS doesn't understand 32-bit mask, need to map
1572 		 */
1573 		if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA))
1574 			access |= VWRITE;
1575 
1576 		if (faccess & FILE_READ_DATA)
1577 			access |= VREAD;
1578 
1579 		if (faccess & FILE_EXECUTE)
1580 			access |= VEXEC;
1581 
1582 		error = smb_vop_access(snode->vp, access, 0, NULL, cr);
1583 	}
1584 
1585 	return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS);
1586 }
1587 
1588 /*
1589  * smb_fsop_lookup_name()
1590  *
1591  * If name indicates that the file is a stream file, perform
1592  * stream specific lookup, otherwise call smb_fsop_lookup.
1593  *
1594  * Return an error if the looked-up file is in outside the tree.
1595  * (Required when invoked from open path.)
1596  */
1597 
1598 int
1599 smb_fsop_lookup_name(
1600     smb_request_t *sr,
1601     cred_t	*cr,
1602     int		flags,
1603     smb_node_t	*root_node,
1604     smb_node_t	*dnode,
1605     char	*name,
1606     smb_node_t	**ret_snode)
1607 {
1608 	smb_node_t	*fnode;
1609 	vnode_t		*xattrdirvp;
1610 	vnode_t		*vp;
1611 	char		*od_name;
1612 	char		*fname;
1613 	char		*sname;
1614 	int		rc;
1615 
1616 	ASSERT(cr);
1617 	ASSERT(dnode);
1618 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
1619 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
1620 
1621 	/*
1622 	 * The following check is required for streams processing, below
1623 	 */
1624 
1625 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1626 		flags |= SMB_IGNORE_CASE;
1627 
1628 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1629 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1630 
1631 	if (smb_is_stream_name(name)) {
1632 		smb_stream_parse_name(name, fname, sname);
1633 
1634 		/*
1635 		 * Look up the unnamed stream (i.e. fname).
1636 		 * Unmangle processing will be done on fname
1637 		 * as well as any link target.
1638 		 */
1639 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode,
1640 		    fname, &fnode);
1641 
1642 		if (rc != 0) {
1643 			kmem_free(fname, MAXNAMELEN);
1644 			kmem_free(sname, MAXNAMELEN);
1645 			return (rc);
1646 		}
1647 
1648 		od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1649 
1650 		/*
1651 		 * od_name is the on-disk name of the stream, except
1652 		 * without the prepended stream prefix (SMB_STREAM_PREFIX)
1653 		 */
1654 
1655 		/*
1656 		 * XXX
1657 		 * What permissions NTFS requires for stream lookup if any?
1658 		 */
1659 		rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name,
1660 		    &xattrdirvp, flags, root_node->vp, cr);
1661 
1662 		if (rc != 0) {
1663 			smb_node_release(fnode);
1664 			kmem_free(fname, MAXNAMELEN);
1665 			kmem_free(sname, MAXNAMELEN);
1666 			kmem_free(od_name, MAXNAMELEN);
1667 			return (rc);
1668 		}
1669 
1670 		*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
1671 		    vp, od_name);
1672 
1673 		kmem_free(od_name, MAXNAMELEN);
1674 		smb_node_release(fnode);
1675 		VN_RELE(xattrdirvp);
1676 		VN_RELE(vp);
1677 
1678 		if (*ret_snode == NULL) {
1679 			kmem_free(fname, MAXNAMELEN);
1680 			kmem_free(sname, MAXNAMELEN);
1681 			return (ENOMEM);
1682 		}
1683 	} else {
1684 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode, name,
1685 		    ret_snode);
1686 	}
1687 
1688 	if (rc == 0) {
1689 		ASSERT(ret_snode);
1690 		if (SMB_TREE_CONTAINS_NODE(sr, *ret_snode) == 0) {
1691 			smb_node_release(*ret_snode);
1692 			*ret_snode = NULL;
1693 			rc = EACCES;
1694 		}
1695 	}
1696 
1697 	kmem_free(fname, MAXNAMELEN);
1698 	kmem_free(sname, MAXNAMELEN);
1699 
1700 	return (rc);
1701 }
1702 
1703 /*
1704  * smb_fsop_lookup
1705  *
1706  * All SMB functions should use this smb_vop_lookup wrapper to ensure that
1707  * the smb_vop_lookup is performed with the appropriate credentials and using
1708  * case insensitive compares. Please document any direct call to smb_vop_lookup
1709  * to explain the reason for avoiding this wrapper.
1710  *
1711  * It is assumed that a reference exists on dnode coming into this routine
1712  * (and that it is safe from deallocation).
1713  *
1714  * Same with the root_node.
1715  *
1716  * *ret_snode is returned with a reference upon success.  No reference is
1717  * taken if an error is returned.
1718  *
1719  * Note: The returned ret_snode may be in a child mount.  This is ok for
1720  * readdir.
1721  *
1722  * Other smb_fsop_* routines will call SMB_TREE_CONTAINS_NODE() to prevent
1723  * operations on files not in the parent mount.
1724  *
1725  * Case sensitivity flags (SMB_IGNORE_CASE, SMB_CASE_SENSITIVE):
1726  * if SMB_CASE_SENSITIVE is set, the SMB_IGNORE_CASE flag will NOT be set
1727  * based on the tree's case sensitivity. However, if the SMB_IGNORE_CASE
1728  * flag is set in the flags value passed as a parameter, a case insensitive
1729  * lookup WILL be done (regardless of whether SMB_CASE_SENSITIVE is set
1730  * or not).
1731  */
1732 int
1733 smb_fsop_lookup(
1734     smb_request_t *sr,
1735     cred_t	*cr,
1736     int		flags,
1737     smb_node_t	*root_node,
1738     smb_node_t	*dnode,
1739     char	*name,
1740     smb_node_t	**ret_snode)
1741 {
1742 	smb_node_t *lnk_target_node;
1743 	smb_node_t *lnk_dnode;
1744 	char *longname;
1745 	char *od_name;
1746 	vnode_t *vp;
1747 	int rc;
1748 	int ret_flags;
1749 	smb_attr_t attr;
1750 
1751 	ASSERT(cr);
1752 	ASSERT(dnode);
1753 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
1754 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
1755 
1756 	if (name == NULL)
1757 		return (EINVAL);
1758 
1759 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0)
1760 		return (EACCES);
1761 
1762 	if (!(flags & SMB_CASE_SENSITIVE)) {
1763 		if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1764 			flags |= SMB_IGNORE_CASE;
1765 	}
1766 	if (SMB_TREE_SUPPORTS_CATIA(sr))
1767 		flags |= SMB_CATIA;
1768 	if (SMB_TREE_SUPPORTS_ABE(sr))
1769 		flags |= SMB_ABE;
1770 
1771 	od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1772 
1773 	rc = smb_vop_lookup(dnode->vp, name, &vp, od_name, flags,
1774 	    &ret_flags, root_node ? root_node->vp : NULL, &attr, cr);
1775 
1776 	if (rc != 0) {
1777 		if (smb_maybe_mangled_name(name) == 0) {
1778 			kmem_free(od_name, MAXNAMELEN);
1779 			return (rc);
1780 		}
1781 
1782 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1783 		rc = smb_unmangle_name(dnode, name, longname,
1784 		    MAXNAMELEN, flags);
1785 		if (rc != 0) {
1786 			kmem_free(od_name, MAXNAMELEN);
1787 			kmem_free(longname, MAXNAMELEN);
1788 			return (rc);
1789 		}
1790 
1791 		/*
1792 		 * longname is the real (case-sensitive)
1793 		 * on-disk name.
1794 		 * We make sure we do a lookup on this exact
1795 		 * name, as the name was mangled and denotes
1796 		 * a unique file.
1797 		 */
1798 
1799 		if (flags & SMB_IGNORE_CASE)
1800 			flags &= ~SMB_IGNORE_CASE;
1801 
1802 		rc = smb_vop_lookup(dnode->vp, longname, &vp, od_name,
1803 		    flags, &ret_flags, root_node ? root_node->vp : NULL, &attr,
1804 		    cr);
1805 
1806 		kmem_free(longname, MAXNAMELEN);
1807 
1808 		if (rc != 0) {
1809 			kmem_free(od_name, MAXNAMELEN);
1810 			return (rc);
1811 		}
1812 	}
1813 
1814 	if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK) &&
1815 	    ((attr.sa_dosattr & FILE_ATTRIBUTE_REPARSE_POINT) == 0)) {
1816 		rc = smb_pathname(sr, od_name, FOLLOW, root_node, dnode,
1817 		    &lnk_dnode, &lnk_target_node, cr);
1818 
1819 		if (rc != 0) {
1820 			/*
1821 			 * The link is assumed to be for the last component
1822 			 * of a path.  Hence any ENOTDIR error will be returned
1823 			 * as ENOENT.
1824 			 */
1825 			if (rc == ENOTDIR)
1826 				rc = ENOENT;
1827 
1828 			VN_RELE(vp);
1829 			kmem_free(od_name, MAXNAMELEN);
1830 			return (rc);
1831 		}
1832 
1833 		/*
1834 		 * Release the original VLNK vnode
1835 		 */
1836 
1837 		VN_RELE(vp);
1838 		vp = lnk_target_node->vp;
1839 
1840 		rc = smb_vop_traverse_check(&vp);
1841 
1842 		if (rc != 0) {
1843 			smb_node_release(lnk_dnode);
1844 			smb_node_release(lnk_target_node);
1845 			kmem_free(od_name, MAXNAMELEN);
1846 			return (rc);
1847 		}
1848 
1849 		/*
1850 		 * smb_vop_traverse_check() may have returned a different vnode
1851 		 */
1852 
1853 		if (lnk_target_node->vp == vp) {
1854 			*ret_snode = lnk_target_node;
1855 		} else {
1856 			*ret_snode = smb_node_lookup(sr, NULL, cr, vp,
1857 			    lnk_target_node->od_name, lnk_dnode, NULL);
1858 			VN_RELE(vp);
1859 
1860 			if (*ret_snode == NULL)
1861 				rc = ENOMEM;
1862 			smb_node_release(lnk_target_node);
1863 		}
1864 
1865 		smb_node_release(lnk_dnode);
1866 
1867 	} else {
1868 
1869 		rc = smb_vop_traverse_check(&vp);
1870 		if (rc) {
1871 			VN_RELE(vp);
1872 			kmem_free(od_name, MAXNAMELEN);
1873 			return (rc);
1874 		}
1875 
1876 		*ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name,
1877 		    dnode, NULL);
1878 		VN_RELE(vp);
1879 
1880 		if (*ret_snode == NULL)
1881 			rc = ENOMEM;
1882 	}
1883 
1884 	kmem_free(od_name, MAXNAMELEN);
1885 	return (rc);
1886 }
1887 
1888 int /*ARGSUSED*/
1889 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode)
1890 {
1891 	ASSERT(cr);
1892 	ASSERT(snode);
1893 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1894 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1895 
1896 	ASSERT(sr);
1897 	ASSERT(sr->tid_tree);
1898 	if (SMB_TREE_IS_READONLY(sr))
1899 		return (EROFS);
1900 
1901 	return (smb_vop_commit(snode->vp, cr));
1902 }
1903 
1904 /*
1905  * smb_fsop_aclread
1906  *
1907  * Retrieve filesystem ACL. Depends on requested ACLs in
1908  * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in
1909  * fs_sd. Note that requesting a DACL/SACL doesn't mean that
1910  * the corresponding field in fs_sd should be non-NULL upon
1911  * return, since the target ACL might not contain that type of
1912  * entries.
1913  *
1914  * Returned ACL is always in ACE_T (aka ZFS) format.
1915  * If successful the allocated memory for the ACL should be freed
1916  * using smb_fsacl_free() or smb_fssd_term()
1917  */
1918 int
1919 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1920     smb_fssd_t *fs_sd)
1921 {
1922 	int error = 0;
1923 	int flags = 0;
1924 	int access = 0;
1925 	acl_t *acl;
1926 	smb_node_t *unnamed_node;
1927 
1928 	ASSERT(cr);
1929 
1930 	if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_ACL) == 0)
1931 		return (EACCES);
1932 
1933 	if (sr->fid_ofile) {
1934 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
1935 			access = READ_CONTROL;
1936 
1937 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
1938 			access |= ACCESS_SYSTEM_SECURITY;
1939 
1940 		error = smb_ofile_access(sr->fid_ofile, cr, access);
1941 		if (error != NT_STATUS_SUCCESS) {
1942 			return (EACCES);
1943 		}
1944 	}
1945 
1946 	unnamed_node = SMB_IS_STREAM(snode);
1947 	if (unnamed_node) {
1948 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1949 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1950 		/*
1951 		 * Streams don't have ACL, any read ACL attempt on a stream
1952 		 * should be performed on the unnamed stream.
1953 		 */
1954 		snode = unnamed_node;
1955 	}
1956 
1957 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS))
1958 		flags = ATTR_NOACLCHECK;
1959 
1960 	error = smb_vop_acl_read(snode->vp, &acl, flags,
1961 	    sr->tid_tree->t_acltype, cr);
1962 	if (error != 0) {
1963 		return (error);
1964 	}
1965 
1966 	error = acl_translate(acl, _ACL_ACE_ENABLED,
1967 	    smb_node_is_dir(snode), fs_sd->sd_uid, fs_sd->sd_gid);
1968 
1969 	if (error == 0) {
1970 		smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl,
1971 		    fs_sd->sd_secinfo);
1972 	}
1973 
1974 	acl_free(acl);
1975 	return (error);
1976 }
1977 
1978 /*
1979  * smb_fsop_aclwrite
1980  *
1981  * Stores the filesystem ACL provided in fs_sd->sd_acl.
1982  */
1983 int
1984 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1985     smb_fssd_t *fs_sd)
1986 {
1987 	int target_flavor;
1988 	int error = 0;
1989 	int flags = 0;
1990 	int access = 0;
1991 	acl_t *acl, *dacl, *sacl;
1992 	smb_node_t *unnamed_node;
1993 
1994 	ASSERT(cr);
1995 
1996 	ASSERT(sr);
1997 	ASSERT(sr->tid_tree);
1998 	if (SMB_TREE_IS_READONLY(sr))
1999 		return (EROFS);
2000 
2001 	if (SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_ACL) == 0)
2002 		return (EACCES);
2003 
2004 	if (sr->fid_ofile) {
2005 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2006 			access = WRITE_DAC;
2007 
2008 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2009 			access |= ACCESS_SYSTEM_SECURITY;
2010 
2011 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2012 		if (error != NT_STATUS_SUCCESS)
2013 			return (EACCES);
2014 	}
2015 
2016 	switch (sr->tid_tree->t_acltype) {
2017 	case ACLENT_T:
2018 		target_flavor = _ACL_ACLENT_ENABLED;
2019 		break;
2020 
2021 	case ACE_T:
2022 		target_flavor = _ACL_ACE_ENABLED;
2023 		break;
2024 	default:
2025 		return (EINVAL);
2026 	}
2027 
2028 	unnamed_node = SMB_IS_STREAM(snode);
2029 	if (unnamed_node) {
2030 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
2031 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
2032 		/*
2033 		 * Streams don't have ACL, any write ACL attempt on a stream
2034 		 * should be performed on the unnamed stream.
2035 		 */
2036 		snode = unnamed_node;
2037 	}
2038 
2039 	dacl = fs_sd->sd_zdacl;
2040 	sacl = fs_sd->sd_zsacl;
2041 
2042 	ASSERT(dacl || sacl);
2043 	if ((dacl == NULL) && (sacl == NULL))
2044 		return (EINVAL);
2045 
2046 	if (dacl && sacl)
2047 		acl = smb_fsacl_merge(dacl, sacl);
2048 	else if (dacl)
2049 		acl = dacl;
2050 	else
2051 		acl = sacl;
2052 
2053 	error = acl_translate(acl, target_flavor, smb_node_is_dir(snode),
2054 	    fs_sd->sd_uid, fs_sd->sd_gid);
2055 	if (error == 0) {
2056 		if (smb_tree_has_feature(sr->tid_tree,
2057 		    SMB_TREE_ACEMASKONACCESS))
2058 			flags = ATTR_NOACLCHECK;
2059 
2060 		error = smb_vop_acl_write(snode->vp, acl, flags, cr);
2061 	}
2062 
2063 	if (dacl && sacl)
2064 		acl_free(acl);
2065 
2066 	return (error);
2067 }
2068 
2069 acl_type_t
2070 smb_fsop_acltype(smb_node_t *snode)
2071 {
2072 	return (smb_vop_acl_type(snode->vp));
2073 }
2074 
2075 /*
2076  * smb_fsop_sdread
2077  *
2078  * Read the requested security descriptor items from filesystem.
2079  * The items are specified in fs_sd->sd_secinfo.
2080  */
2081 int
2082 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2083     smb_fssd_t *fs_sd)
2084 {
2085 	int error = 0;
2086 	int getowner = 0;
2087 	cred_t *ga_cred;
2088 	smb_attr_t attr;
2089 
2090 	ASSERT(cr);
2091 	ASSERT(fs_sd);
2092 
2093 	/*
2094 	 * File's uid/gid is fetched in two cases:
2095 	 *
2096 	 * 1. it's explicitly requested
2097 	 *
2098 	 * 2. target ACL is ACE_T (ZFS ACL). They're needed for
2099 	 *    owner@/group@ entries. In this case kcred should be used
2100 	 *    because uid/gid are fetched on behalf of smb server.
2101 	 */
2102 	if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) {
2103 		getowner = 1;
2104 		ga_cred = cr;
2105 	} else if (sr->tid_tree->t_acltype == ACE_T) {
2106 		getowner = 1;
2107 		ga_cred = kcred;
2108 	}
2109 
2110 	if (getowner) {
2111 		/*
2112 		 * Windows require READ_CONTROL to read owner/group SID since
2113 		 * they're part of Security Descriptor.
2114 		 * ZFS only requires read_attribute. Need to have a explicit
2115 		 * access check here.
2116 		 */
2117 		if (sr->fid_ofile == NULL) {
2118 			error = smb_fsop_access(sr, ga_cred, snode,
2119 			    READ_CONTROL);
2120 			if (error)
2121 				return (EACCES);
2122 		}
2123 
2124 		attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2125 		error = smb_fsop_getattr(sr, ga_cred, snode, &attr);
2126 		if (error == 0) {
2127 			fs_sd->sd_uid = attr.sa_vattr.va_uid;
2128 			fs_sd->sd_gid = attr.sa_vattr.va_gid;
2129 		} else {
2130 			return (error);
2131 		}
2132 	}
2133 
2134 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2135 		error = smb_fsop_aclread(sr, cr, snode, fs_sd);
2136 	}
2137 
2138 	return (error);
2139 }
2140 
2141 /*
2142  * smb_fsop_sdmerge
2143  *
2144  * From SMB point of view DACL and SACL are two separate list
2145  * which can be manipulated independently without one affecting
2146  * the other, but entries for both DACL and SACL will end up
2147  * in the same ACL if target filesystem supports ACE_T ACLs.
2148  *
2149  * So, if either DACL or SACL is present in the client set request
2150  * the entries corresponding to the non-present ACL shouldn't
2151  * be touched in the FS ACL.
2152  *
2153  * fs_sd parameter contains DACL and SACL specified by SMB
2154  * client to be set on a file/directory. The client could
2155  * specify both or one of these ACLs (if none is specified
2156  * we don't get this far). When both DACL and SACL are given
2157  * by client the existing ACL should be overwritten. If only
2158  * one of them is specified the entries corresponding to the other
2159  * ACL should not be touched. For example, if only DACL
2160  * is specified in input fs_sd, the function reads audit entries
2161  * of the existing ACL of the file and point fs_sd->sd_zsdacl
2162  * pointer to the fetched SACL, this way when smb_fsop_sdwrite()
2163  * function is called the passed fs_sd would point to the specified
2164  * DACL by client and fetched SACL from filesystem, so the file
2165  * will end up with correct ACL.
2166  */
2167 static int
2168 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd)
2169 {
2170 	smb_fssd_t cur_sd;
2171 	int error = 0;
2172 
2173 	if (sr->tid_tree->t_acltype != ACE_T)
2174 		/* Don't bother if target FS doesn't support ACE_T */
2175 		return (0);
2176 
2177 	if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) {
2178 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) {
2179 			/*
2180 			 * Don't overwrite existing audit entries
2181 			 */
2182 			smb_fssd_init(&cur_sd, SMB_SACL_SECINFO,
2183 			    fs_sd->sd_flags);
2184 
2185 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2186 			if (error == 0) {
2187 				ASSERT(fs_sd->sd_zsacl == NULL);
2188 				fs_sd->sd_zsacl = cur_sd.sd_zsacl;
2189 				if (fs_sd->sd_zsacl && fs_sd->sd_zdacl)
2190 					fs_sd->sd_zsacl->acl_flags =
2191 					    fs_sd->sd_zdacl->acl_flags;
2192 			}
2193 		} else {
2194 			/*
2195 			 * Don't overwrite existing access entries
2196 			 */
2197 			smb_fssd_init(&cur_sd, SMB_DACL_SECINFO,
2198 			    fs_sd->sd_flags);
2199 
2200 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2201 			if (error == 0) {
2202 				ASSERT(fs_sd->sd_zdacl == NULL);
2203 				fs_sd->sd_zdacl = cur_sd.sd_zdacl;
2204 				if (fs_sd->sd_zdacl && fs_sd->sd_zsacl)
2205 					fs_sd->sd_zdacl->acl_flags =
2206 					    fs_sd->sd_zsacl->acl_flags;
2207 			}
2208 		}
2209 
2210 		if (error)
2211 			smb_fssd_term(&cur_sd);
2212 	}
2213 
2214 	return (error);
2215 }
2216 
2217 /*
2218  * smb_fsop_sdwrite
2219  *
2220  * Stores the given uid, gid and acl in filesystem.
2221  * Provided items in fs_sd are specified by fs_sd->sd_secinfo.
2222  *
2223  * A SMB security descriptor could contain owner, primary group,
2224  * DACL and SACL. Setting an SD should be atomic but here it has to
2225  * be done via two separate FS operations: VOP_SETATTR and
2226  * VOP_SETSECATTR. Therefore, this function has to simulate the
2227  * atomicity as well as it can.
2228  *
2229  * Get the current uid, gid before setting the new uid/gid
2230  * so if smb_fsop_aclwrite fails they can be restored. root cred is
2231  * used to get currend uid/gid since this operation is performed on
2232  * behalf of the server not the user.
2233  *
2234  * If setting uid/gid fails with EPERM it means that and invalid
2235  * owner has been specified. Callers should translate this to
2236  * STATUS_INVALID_OWNER which is not the normal mapping for EPERM
2237  * in upper layers, so EPERM is mapped to EBADE.
2238  */
2239 int
2240 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2241     smb_fssd_t *fs_sd, int overwrite)
2242 {
2243 	int error = 0;
2244 	int access = 0;
2245 	smb_attr_t set_attr;
2246 	smb_attr_t orig_attr;
2247 
2248 	ASSERT(cr);
2249 	ASSERT(fs_sd);
2250 
2251 	ASSERT(sr);
2252 	ASSERT(sr->tid_tree);
2253 	if (SMB_TREE_IS_READONLY(sr))
2254 		return (EROFS);
2255 
2256 	bzero(&set_attr, sizeof (smb_attr_t));
2257 
2258 	if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
2259 		set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
2260 		set_attr.sa_mask |= SMB_AT_UID;
2261 		access |= WRITE_OWNER;
2262 	}
2263 
2264 	if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
2265 		set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
2266 		set_attr.sa_mask |= SMB_AT_GID;
2267 		access |= WRITE_OWNER;
2268 	}
2269 
2270 	if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2271 		access |= WRITE_DAC;
2272 
2273 	if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2274 		access |= ACCESS_SYSTEM_SECURITY;
2275 
2276 	if (sr->fid_ofile)
2277 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2278 	else
2279 		error = smb_fsop_access(sr, cr, snode, access);
2280 
2281 	if (error)
2282 		return (EACCES);
2283 
2284 	if (set_attr.sa_mask) {
2285 		orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2286 		error = smb_fsop_getattr(sr, kcred, snode, &orig_attr);
2287 		if (error == 0) {
2288 			error = smb_fsop_setattr(sr, cr, snode, &set_attr);
2289 			if (error == EPERM)
2290 				error = EBADE;
2291 		}
2292 
2293 		if (error)
2294 			return (error);
2295 	}
2296 
2297 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2298 		if (overwrite == 0) {
2299 			error = smb_fsop_sdmerge(sr, snode, fs_sd);
2300 			if (error)
2301 				return (error);
2302 		}
2303 
2304 		error = smb_fsop_aclwrite(sr, cr, snode, fs_sd);
2305 		if (error) {
2306 			/*
2307 			 * Revert uid/gid changes if required.
2308 			 */
2309 			if (set_attr.sa_mask) {
2310 				orig_attr.sa_mask = set_attr.sa_mask;
2311 				(void) smb_fsop_setattr(sr, kcred, snode,
2312 				    &orig_attr);
2313 			}
2314 		}
2315 	}
2316 
2317 	return (error);
2318 }
2319 
2320 /*
2321  * smb_fsop_sdinherit
2322  *
2323  * Inherit the security descriptor from the parent container.
2324  * This function is called after FS has created the file/folder
2325  * so if this doesn't do anything it means FS inheritance is
2326  * in place.
2327  *
2328  * Do inheritance for ZFS internally.
2329  *
2330  * If we want to let ZFS does the inheritance the
2331  * following setting should be true:
2332  *
2333  *  - aclinherit = passthrough
2334  *  - aclmode = passthrough
2335  *  - smbd umask = 0777
2336  *
2337  * This will result in right effective permissions but
2338  * ZFS will always add 6 ACEs for owner, owning group
2339  * and others to be POSIX compliant. This is not what
2340  * Windows clients/users expect, so we decided that CIFS
2341  * implements Windows rules and overwrite whatever ZFS
2342  * comes up with. This way we also don't have to care
2343  * about ZFS aclinherit and aclmode settings.
2344  */
2345 static int
2346 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd)
2347 {
2348 	acl_t *dacl = NULL;
2349 	acl_t *sacl = NULL;
2350 	int is_dir;
2351 	int error;
2352 
2353 	ASSERT(fs_sd);
2354 
2355 	if (sr->tid_tree->t_acltype != ACE_T) {
2356 		/*
2357 		 * No forced inheritance for non-ZFS filesystems.
2358 		 */
2359 		fs_sd->sd_secinfo = 0;
2360 		return (0);
2361 	}
2362 
2363 
2364 	/* Fetch parent directory's ACL */
2365 	error = smb_fsop_sdread(sr, kcred, dnode, fs_sd);
2366 	if (error) {
2367 		return (error);
2368 	}
2369 
2370 	is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR);
2371 	dacl = smb_fsacl_inherit(fs_sd->sd_zdacl, is_dir, SMB_DACL_SECINFO,
2372 	    sr->user_cr);
2373 	sacl = smb_fsacl_inherit(fs_sd->sd_zsacl, is_dir, SMB_SACL_SECINFO,
2374 	    sr->user_cr);
2375 
2376 	if (sacl == NULL)
2377 		fs_sd->sd_secinfo &= ~SMB_SACL_SECINFO;
2378 
2379 	smb_fsacl_free(fs_sd->sd_zdacl);
2380 	smb_fsacl_free(fs_sd->sd_zsacl);
2381 
2382 	fs_sd->sd_zdacl = dacl;
2383 	fs_sd->sd_zsacl = sacl;
2384 
2385 	return (0);
2386 }
2387 
2388 /*
2389  * smb_fsop_eaccess
2390  *
2391  * Returns the effective permission of the given credential for the
2392  * specified object.
2393  *
2394  * This is just a workaround. We need VFS/FS support for this.
2395  */
2396 void
2397 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2398     uint32_t *eaccess)
2399 {
2400 	int access = 0;
2401 	vnode_t *dir_vp;
2402 	smb_node_t *unnamed_node;
2403 
2404 	ASSERT(cr);
2405 	ASSERT(snode);
2406 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
2407 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
2408 
2409 	unnamed_node = SMB_IS_STREAM(snode);
2410 	if (unnamed_node) {
2411 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
2412 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
2413 		/*
2414 		 * Streams authorization should be performed against the
2415 		 * unnamed stream.
2416 		 */
2417 		snode = unnamed_node;
2418 	}
2419 
2420 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) {
2421 		dir_vp = (snode->n_dnode) ? snode->n_dnode->vp : NULL;
2422 		smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp,
2423 		    cr);
2424 		return;
2425 	}
2426 
2427 	/*
2428 	 * FS doesn't understand 32-bit mask
2429 	 */
2430 	smb_vop_eaccess(snode->vp, &access, 0, NULL, cr);
2431 	access &= sr->tid_tree->t_access;
2432 
2433 	*eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES;
2434 
2435 	if (access & VREAD)
2436 		*eaccess |= FILE_READ_DATA;
2437 
2438 	if (access & VEXEC)
2439 		*eaccess |= FILE_EXECUTE;
2440 
2441 	if (access & VWRITE)
2442 		*eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES |
2443 		    FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD;
2444 }
2445 
2446 /*
2447  * smb_fsop_shrlock
2448  *
2449  * For the current open request, check file sharing rules
2450  * against existing opens.
2451  *
2452  * Returns NT_STATUS_SHARING_VIOLATION if there is any
2453  * sharing conflict.  Returns NT_STATUS_SUCCESS otherwise.
2454  *
2455  * Full system-wide share reservation synchronization is available
2456  * when the nbmand (non-blocking mandatory) mount option is set
2457  * (i.e. nbl_need_crit() is true) and nbmand critical regions are used.
2458  * This provides synchronization with NFS and local processes.  The
2459  * critical regions are entered in VOP_SHRLOCK()/fs_shrlock() (called
2460  * from smb_open_subr()/smb_fsop_shrlock()/smb_vop_shrlock()) as well
2461  * as the CIFS rename and delete paths.
2462  *
2463  * The CIFS server will also enter the nbl critical region in the open,
2464  * rename, and delete paths when nbmand is not set.  There is limited
2465  * coordination with local and VFS share reservations in this case.
2466  * Note that when the nbmand mount option is not set, the VFS layer
2467  * only processes advisory reservations and the delete mode is not checked.
2468  *
2469  * Whether or not the nbmand mount option is set, intra-CIFS share
2470  * checking is done in the open, delete, and rename paths using a CIFS
2471  * critical region (node->n_share_lock).
2472  */
2473 uint32_t
2474 smb_fsop_shrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid,
2475     uint32_t desired_access, uint32_t share_access)
2476 {
2477 	int rc;
2478 
2479 	/* Allow access if the request is just for meta data */
2480 	if ((desired_access & FILE_DATA_ALL) == 0)
2481 		return (NT_STATUS_SUCCESS);
2482 
2483 	rc = smb_node_open_check(node, desired_access, share_access);
2484 	if (rc)
2485 		return (NT_STATUS_SHARING_VIOLATION);
2486 
2487 	rc = smb_vop_shrlock(node->vp, uniq_fid, desired_access, share_access,
2488 	    cr);
2489 	if (rc)
2490 		return (NT_STATUS_SHARING_VIOLATION);
2491 
2492 	return (NT_STATUS_SUCCESS);
2493 }
2494 
2495 void
2496 smb_fsop_unshrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid)
2497 {
2498 	(void) smb_vop_unshrlock(node->vp, uniq_fid, cr);
2499 }
2500 
2501 int
2502 smb_fsop_frlock(smb_node_t *node, smb_lock_t *lock, boolean_t unlock,
2503     cred_t *cr)
2504 {
2505 	flock64_t bf;
2506 	int flag = F_REMOTELOCK;
2507 
2508 	/*
2509 	 * VOP_FRLOCK() will not be called if:
2510 	 *
2511 	 * 1) The lock has a range of zero bytes. The semantics of Windows and
2512 	 *    POSIX are different. In the case of POSIX it asks for the locking
2513 	 *    of all the bytes from the offset provided until the end of the
2514 	 *    file. In the case of Windows a range of zero locks nothing and
2515 	 *    doesn't conflict with any other lock.
2516 	 *
2517 	 * 2) The lock rolls over (start + lenght < start). Solaris will assert
2518 	 *    if such a request is submitted. This will not create
2519 	 *    incompatibilities between POSIX and Windows. In the Windows world,
2520 	 *    if a client submits such a lock, the server will not lock any
2521 	 *    bytes. Interestingly if the same lock (same offset and length) is
2522 	 *    resubmitted Windows will consider that there is an overlap and
2523 	 *    the granting rules will then apply.
2524 	 */
2525 	if ((lock->l_length == 0) ||
2526 	    ((lock->l_start + lock->l_length - 1) < lock->l_start))
2527 		return (0);
2528 
2529 	bzero(&bf, sizeof (bf));
2530 
2531 	if (unlock) {
2532 		bf.l_type = F_UNLCK;
2533 	} else if (lock->l_type == SMB_LOCK_TYPE_READONLY) {
2534 		bf.l_type = F_RDLCK;
2535 		flag |= FREAD;
2536 	} else if (lock->l_type == SMB_LOCK_TYPE_READWRITE) {
2537 		bf.l_type = F_WRLCK;
2538 		flag |= FWRITE;
2539 	}
2540 
2541 	bf.l_start = lock->l_start;
2542 	bf.l_len = lock->l_length;
2543 	bf.l_pid = lock->l_file->f_uniqid;
2544 	bf.l_sysid = smb_ct.cc_sysid;
2545 
2546 	return (smb_vop_frlock(node->vp, cr, flag, &bf));
2547 }
2548