xref: /titanic_41/usr/src/uts/common/fs/smbsrv/smb_fsops.c (revision 8f588c8376a0fa02470fc4554ec83442b305020f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/sid.h>
27 #include <sys/nbmlock.h>
28 #include <smbsrv/smb_fsops.h>
29 #include <smbsrv/smb_kproto.h>
30 #include <smbsrv/ntstatus.h>
31 #include <smbsrv/ntaccess.h>
32 #include <smbsrv/smb_incl.h>
33 #include <acl/acl_common.h>
34 #include <sys/fcntl.h>
35 #include <sys/flock.h>
36 #include <fs/fs_subr.h>
37 
38 extern caller_context_t smb_ct;
39 
40 extern int smb_fem_oplock_install(smb_node_t *);
41 extern void smb_fem_oplock_uninstall(smb_node_t *);
42 
43 extern int smb_vop_other_opens(vnode_t *, int);
44 
45 static int smb_fsop_create_stream(smb_request_t *, cred_t *, smb_node_t *,
46     char *, char *, int, smb_attr_t *, smb_node_t **);
47 
48 static int smb_fsop_create_file(smb_request_t *, cred_t *, smb_node_t *,
49     char *, int, smb_attr_t *, smb_node_t **);
50 
51 static int smb_fsop_create_with_sd(smb_request_t *, cred_t *, smb_node_t *,
52     char *, smb_attr_t *, smb_node_t **, smb_fssd_t *);
53 
54 static int smb_fsop_sdinherit(smb_request_t *, smb_node_t *, smb_fssd_t *);
55 
56 /*
57  * The smb_fsop_* functions have knowledge of CIFS semantics.
58  *
59  * The smb_vop_* functions have minimal knowledge of CIFS semantics and
60  * serve as an interface to the VFS layer.
61  *
62  * Hence, smb_request_t and smb_node_t structures should not be passed
63  * from the smb_fsop_* layer to the smb_vop_* layer.
64  *
65  * In general, CIFS service code should only ever call smb_fsop_*
66  * functions directly, and never smb_vop_* functions directly.
67  *
68  * smb_fsop_* functions should call smb_vop_* functions where possible, instead
69  * of their smb_fsop_* counterparts.  However, there are times when
70  * this cannot be avoided.
71  */
72 
73 /*
74  * Note: Stream names cannot be mangled.
75  */
76 
77 /*
78  * smb_fsop_amask_to_omode
79  *
80  * Convert the access mask to the open mode (for use
81  * with the VOP_OPEN call).
82  *
83  * Note that opening a file for attribute only access
84  * will also translate into an FREAD or FWRITE open mode
85  * (i.e., it's not just for data).
86  *
87  * This is needed so that opens are tracked appropriately
88  * for oplock processing.
89  */
90 
91 int
92 smb_fsop_amask_to_omode(uint32_t access)
93 {
94 	int mode = 0;
95 
96 	if (access & (FILE_READ_DATA | FILE_EXECUTE |
97 	    FILE_READ_ATTRIBUTES | FILE_READ_EA))
98 		mode |= FREAD;
99 
100 	if (access & (FILE_WRITE_DATA | FILE_APPEND_DATA |
101 	    FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA))
102 		mode |= FWRITE;
103 
104 	if (access & FILE_APPEND_DATA)
105 		mode |= FAPPEND;
106 
107 	return (mode);
108 }
109 
110 int
111 smb_fsop_open(smb_node_t *node, int mode, cred_t *cred)
112 {
113 	/*
114 	 * Assuming that the same vnode is returned as we had before.
115 	 * (I.e., with certain types of files or file systems, a
116 	 * different vnode might be returned by VOP_OPEN)
117 	 */
118 	return (smb_vop_open(&node->vp, mode, cred));
119 }
120 
121 void
122 smb_fsop_close(smb_node_t *node, int mode, cred_t *cred)
123 {
124 	smb_vop_close(node->vp, mode, cred);
125 }
126 
127 int
128 smb_fsop_oplock_install(smb_node_t *node, int mode)
129 {
130 	int rc;
131 
132 	if (smb_vop_other_opens(node->vp, mode))
133 		return (EMFILE);
134 
135 	if ((rc = smb_fem_oplock_install(node)))
136 		return (rc);
137 
138 	if (smb_vop_other_opens(node->vp, mode)) {
139 		(void) smb_fem_oplock_uninstall(node);
140 		return (EMFILE);
141 	}
142 
143 	return (0);
144 }
145 
146 void
147 smb_fsop_oplock_uninstall(smb_node_t *node)
148 {
149 	smb_fem_oplock_uninstall(node);
150 }
151 
152 static int
153 smb_fsop_create_with_sd(smb_request_t *sr, cred_t *cr,
154     smb_node_t *dnode, char *name,
155     smb_attr_t *attr, smb_node_t **ret_snode, smb_fssd_t *fs_sd)
156 {
157 	vsecattr_t *vsap;
158 	vsecattr_t vsecattr;
159 	acl_t *acl, *dacl, *sacl;
160 	smb_attr_t set_attr;
161 	vnode_t *vp;
162 	int aclbsize = 0;	/* size of acl list in bytes */
163 	int flags = 0;
164 	int rc;
165 	boolean_t is_dir;
166 
167 	ASSERT(fs_sd);
168 
169 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
170 		flags = SMB_IGNORE_CASE;
171 	if (SMB_TREE_SUPPORTS_CATIA(sr))
172 		flags |= SMB_CATIA;
173 
174 	ASSERT(cr);
175 
176 	is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0);
177 
178 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACLONCREATE)) {
179 		if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
180 			dacl = fs_sd->sd_zdacl;
181 			sacl = fs_sd->sd_zsacl;
182 			ASSERT(dacl || sacl);
183 			if (dacl && sacl) {
184 				acl = smb_fsacl_merge(dacl, sacl);
185 			} else if (dacl) {
186 				acl = dacl;
187 			} else {
188 				acl = sacl;
189 			}
190 
191 			rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize);
192 
193 			if (dacl && sacl)
194 				acl_free(acl);
195 
196 			if (rc != 0)
197 				return (rc);
198 
199 			vsap = &vsecattr;
200 		} else {
201 			vsap = NULL;
202 		}
203 
204 		/* The tree ACEs may prevent a create */
205 		rc = EACCES;
206 		if (is_dir) {
207 			if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_SUBDIRECTORY) != 0)
208 				rc = smb_vop_mkdir(dnode->vp, name, attr,
209 				    &vp, flags, cr, vsap);
210 		} else {
211 			if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_FILE) != 0)
212 				rc = smb_vop_create(dnode->vp, name, attr,
213 				    &vp, flags, cr, vsap);
214 		}
215 
216 		if (vsap != NULL)
217 			kmem_free(vsap->vsa_aclentp, aclbsize);
218 
219 		if (rc != 0)
220 			return (rc);
221 
222 		set_attr.sa_mask = 0;
223 
224 		/*
225 		 * Ideally we should be able to specify the owner and owning
226 		 * group at create time along with the ACL. Since we cannot
227 		 * do that right now, kcred is passed to smb_vop_setattr so it
228 		 * doesn't fail due to lack of permission.
229 		 */
230 		if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
231 			set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
232 			set_attr.sa_mask |= SMB_AT_UID;
233 		}
234 
235 		if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
236 			set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
237 			set_attr.sa_mask |= SMB_AT_GID;
238 		}
239 
240 		if (set_attr.sa_mask)
241 			rc = smb_vop_setattr(vp, NULL, &set_attr, 0, kcred);
242 
243 		if (rc == 0) {
244 			*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp,
245 			    name, dnode, NULL);
246 
247 			if (*ret_snode == NULL)
248 				rc = ENOMEM;
249 
250 			VN_RELE(vp);
251 		}
252 	} else {
253 		/*
254 		 * For filesystems that don't support ACL-on-create, try
255 		 * to set the specified SD after create, which could actually
256 		 * fail because of conflicts between inherited security
257 		 * attributes upon creation and the specified SD.
258 		 *
259 		 * Passing kcred to smb_fsop_sdwrite() to overcome this issue.
260 		 */
261 
262 		if (is_dir) {
263 			rc = smb_vop_mkdir(dnode->vp, name, attr, &vp,
264 			    flags, cr, NULL);
265 		} else {
266 			rc = smb_vop_create(dnode->vp, name, attr, &vp,
267 			    flags, cr, NULL);
268 		}
269 
270 		if (rc != 0)
271 			return (rc);
272 
273 		*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp,
274 		    name, dnode, NULL);
275 
276 		if (*ret_snode != NULL) {
277 			if (!smb_tree_has_feature(sr->tid_tree,
278 			    SMB_TREE_NFS_MOUNTED))
279 				rc = smb_fsop_sdwrite(sr, kcred, *ret_snode,
280 				    fs_sd, 1);
281 		} else {
282 			rc = ENOMEM;
283 		}
284 
285 		VN_RELE(vp);
286 	}
287 
288 	if (rc != 0) {
289 		if (is_dir)
290 			(void) smb_vop_rmdir(dnode->vp, name, flags, cr);
291 		else
292 			(void) smb_vop_remove(dnode->vp, name, flags, cr);
293 	}
294 
295 	return (rc);
296 }
297 
298 /*
299  * smb_fsop_create
300  *
301  * All SMB functions should use this wrapper to ensure that
302  * all the smb_vop_creates are performed with the appropriate credentials.
303  * Please document any direct calls to explain the reason for avoiding
304  * this wrapper.
305  *
306  * *ret_snode is returned with a reference upon success.  No reference is
307  * taken if an error is returned.
308  */
309 int
310 smb_fsop_create(smb_request_t *sr, cred_t *cr, smb_node_t *dnode,
311     char *name, smb_attr_t *attr, smb_node_t **ret_snode)
312 {
313 	int	rc = 0;
314 	int	flags = 0;
315 	char	*fname, *sname;
316 	char	*longname = NULL;
317 
318 	ASSERT(cr);
319 	ASSERT(dnode);
320 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
321 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
322 
323 	ASSERT(ret_snode);
324 	*ret_snode = 0;
325 
326 	ASSERT(name);
327 	if (*name == 0)
328 		return (EINVAL);
329 
330 	ASSERT(sr);
331 	ASSERT(sr->tid_tree);
332 
333 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0)
334 		return (EACCES);
335 
336 	if (SMB_TREE_IS_READONLY(sr))
337 		return (EROFS);
338 
339 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
340 		flags = SMB_IGNORE_CASE;
341 	if (SMB_TREE_SUPPORTS_CATIA(sr))
342 		flags |= SMB_CATIA;
343 	if (SMB_TREE_SUPPORTS_ABE(sr))
344 		flags |= SMB_ABE;
345 
346 	if (smb_is_stream_name(name)) {
347 		fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
348 		sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
349 		smb_stream_parse_name(name, fname, sname);
350 
351 		rc = smb_fsop_create_stream(sr, cr, dnode,
352 		    fname, sname, flags, attr, ret_snode);
353 
354 		kmem_free(fname, MAXNAMELEN);
355 		kmem_free(sname, MAXNAMELEN);
356 		return (rc);
357 	}
358 
359 	/* Not a named stream */
360 
361 	if (smb_maybe_mangled_name(name)) {
362 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
363 		rc = smb_unmangle_name(dnode, name, longname,
364 		    MAXNAMELEN, flags);
365 		kmem_free(longname, MAXNAMELEN);
366 
367 		if (rc == 0)
368 			rc = EEXIST;
369 		if (rc != ENOENT)
370 			return (rc);
371 	}
372 
373 	rc = smb_fsop_create_file(sr, cr, dnode, name, flags,
374 	    attr, ret_snode);
375 	return (rc);
376 
377 }
378 
379 
380 /*
381  * smb_fsop_create_stream
382  *
383  * Create NTFS named stream file (sname) on unnamed stream
384  * file (fname), creating the unnamed stream file if it
385  * doesn't exist.
386  * If we created the unnamed stream file and then creation
387  * of the named stream file fails, we delete the unnamed stream.
388  * Since we use the real file name for the smb_vop_remove we
389  * clear the SMB_IGNORE_CASE flag to ensure a case sensitive
390  * match.
391  *
392  * The second parameter of smb_vop_setattr() is set to
393  * NULL, even though an unnamed stream exists.  This is
394  * because we want to set the UID and GID on the named
395  * stream in this case for consistency with the (unnamed
396  * stream) file (see comments for smb_vop_setattr()).
397  */
398 static int
399 smb_fsop_create_stream(smb_request_t *sr, cred_t *cr,
400     smb_node_t *dnode, char *fname, char *sname, int flags,
401     smb_attr_t *attr, smb_node_t **ret_snode)
402 {
403 	smb_node_t	*fnode;
404 	smb_attr_t	fattr;
405 	vnode_t		*xattrdvp;
406 	vnode_t		*vp;
407 	int		rc = 0;
408 	boolean_t	fcreate = B_FALSE;
409 
410 	/* Look up / create the unnamed stream, fname */
411 	rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
412 	    sr->tid_tree->t_snode, dnode, fname, &fnode);
413 	if (rc == ENOENT) {
414 		fcreate = B_TRUE;
415 		rc = smb_fsop_create_file(sr, cr, dnode, fname, flags,
416 		    attr, &fnode);
417 	}
418 	if (rc != 0)
419 		return (rc);
420 
421 	fattr.sa_mask = SMB_AT_UID | SMB_AT_GID;
422 	rc = smb_vop_getattr(fnode->vp, NULL, &fattr, 0, kcred);
423 
424 	if (rc == 0) {
425 		/* create the named stream, sname */
426 		rc = smb_vop_stream_create(fnode->vp, sname, attr,
427 		    &vp, &xattrdvp, flags, cr);
428 	}
429 	if (rc != 0) {
430 		if (fcreate) {
431 			flags &= ~SMB_IGNORE_CASE;
432 			(void) smb_vop_remove(dnode->vp,
433 			    fnode->od_name, flags, cr);
434 		}
435 		smb_node_release(fnode);
436 		return (rc);
437 	}
438 
439 	attr->sa_vattr.va_uid = fattr.sa_vattr.va_uid;
440 	attr->sa_vattr.va_gid = fattr.sa_vattr.va_gid;
441 	attr->sa_mask = SMB_AT_UID | SMB_AT_GID;
442 
443 	rc = smb_vop_setattr(vp, NULL, attr, 0, kcred);
444 	if (rc != 0) {
445 		smb_node_release(fnode);
446 		return (rc);
447 	}
448 
449 	*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdvp,
450 	    vp, sname);
451 
452 	smb_node_release(fnode);
453 	VN_RELE(xattrdvp);
454 	VN_RELE(vp);
455 
456 	if (*ret_snode == NULL)
457 		rc = ENOMEM;
458 
459 	return (rc);
460 }
461 
462 /*
463  * smb_fsop_create_file
464  */
465 static int
466 smb_fsop_create_file(smb_request_t *sr, cred_t *cr,
467     smb_node_t *dnode, char *name, int flags,
468     smb_attr_t *attr, smb_node_t **ret_snode)
469 {
470 	open_param_t	*op = &sr->arg.open;
471 	vnode_t		*vp;
472 	smb_fssd_t	fs_sd;
473 	uint32_t	secinfo;
474 	uint32_t	status;
475 	int		rc = 0;
476 
477 	if (op->sd) {
478 		/*
479 		 * SD sent by client in Windows format. Needs to be
480 		 * converted to FS format. No inheritance.
481 		 */
482 		secinfo = smb_sd_get_secinfo(op->sd);
483 		smb_fssd_init(&fs_sd, secinfo, 0);
484 
485 		status = smb_sd_tofs(op->sd, &fs_sd);
486 		if (status == NT_STATUS_SUCCESS) {
487 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
488 			    name, attr, ret_snode, &fs_sd);
489 		} else {
490 			rc = EINVAL;
491 		}
492 		smb_fssd_term(&fs_sd);
493 	} else if (sr->tid_tree->t_acltype == ACE_T) {
494 		/*
495 		 * No incoming SD and filesystem is ZFS
496 		 * Server applies Windows inheritance rules,
497 		 * see smb_fsop_sdinherit() comments as to why.
498 		 */
499 		smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, 0);
500 		rc = smb_fsop_sdinherit(sr, dnode, &fs_sd);
501 		if (rc == 0) {
502 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
503 			    name, attr, ret_snode, &fs_sd);
504 		}
505 
506 		smb_fssd_term(&fs_sd);
507 	} else {
508 		/*
509 		 * No incoming SD and filesystem is not ZFS
510 		 * let the filesystem handles the inheritance.
511 		 */
512 		rc = smb_vop_create(dnode->vp, name, attr, &vp,
513 		    flags, cr, NULL);
514 
515 		if (rc == 0) {
516 			*ret_snode = smb_node_lookup(sr, op, cr, vp,
517 			    name, dnode, NULL);
518 
519 			if (*ret_snode == NULL)
520 				rc = ENOMEM;
521 
522 			VN_RELE(vp);
523 		}
524 
525 	}
526 	return (rc);
527 }
528 
529 /*
530  * smb_fsop_mkdir
531  *
532  * All SMB functions should use this wrapper to ensure that
533  * the the calls are performed with the appropriate credentials.
534  * Please document any direct call to explain the reason
535  * for avoiding this wrapper.
536  *
537  * It is assumed that a reference exists on snode coming into this routine.
538  *
539  * *ret_snode is returned with a reference upon success.  No reference is
540  * taken if an error is returned.
541  */
542 int
543 smb_fsop_mkdir(
544     smb_request_t *sr,
545     cred_t *cr,
546     smb_node_t *dnode,
547     char *name,
548     smb_attr_t *attr,
549     smb_node_t **ret_snode)
550 {
551 	struct open_param *op = &sr->arg.open;
552 	char *longname;
553 	vnode_t *vp;
554 	int flags = 0;
555 	smb_fssd_t fs_sd;
556 	uint32_t secinfo;
557 	uint32_t status;
558 	int rc;
559 	ASSERT(cr);
560 	ASSERT(dnode);
561 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
562 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
563 
564 	ASSERT(ret_snode);
565 	*ret_snode = 0;
566 
567 	ASSERT(name);
568 	if (*name == 0)
569 		return (EINVAL);
570 
571 	ASSERT(sr);
572 	ASSERT(sr->tid_tree);
573 
574 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0)
575 		return (EACCES);
576 
577 	if (SMB_TREE_IS_READONLY(sr))
578 		return (EROFS);
579 	if (SMB_TREE_SUPPORTS_CATIA(sr))
580 		flags |= SMB_CATIA;
581 	if (SMB_TREE_SUPPORTS_ABE(sr))
582 		flags |= SMB_ABE;
583 
584 	if (smb_maybe_mangled_name(name)) {
585 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
586 		rc = smb_unmangle_name(dnode, name, longname,
587 		    MAXNAMELEN, flags);
588 		kmem_free(longname, MAXNAMELEN);
589 
590 		/*
591 		 * If the name passed in by the client has an unmangled
592 		 * equivalent that is found in the specified directory,
593 		 * then the mkdir cannot succeed.  Return EEXIST.
594 		 *
595 		 * Only if ENOENT is returned will a mkdir be attempted.
596 		 */
597 
598 		if (rc == 0)
599 			rc = EEXIST;
600 
601 		if (rc != ENOENT)
602 			return (rc);
603 	}
604 
605 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
606 		flags = SMB_IGNORE_CASE;
607 
608 	if (op->sd) {
609 		/*
610 		 * SD sent by client in Windows format. Needs to be
611 		 * converted to FS format. No inheritance.
612 		 */
613 		secinfo = smb_sd_get_secinfo(op->sd);
614 		smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR);
615 
616 		status = smb_sd_tofs(op->sd, &fs_sd);
617 		if (status == NT_STATUS_SUCCESS) {
618 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
619 			    name, attr, ret_snode, &fs_sd);
620 		}
621 		else
622 			rc = EINVAL;
623 		smb_fssd_term(&fs_sd);
624 	} else if (sr->tid_tree->t_acltype == ACE_T) {
625 		/*
626 		 * No incoming SD and filesystem is ZFS
627 		 * Server applies Windows inheritance rules,
628 		 * see smb_fsop_sdinherit() comments as to why.
629 		 */
630 		smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, SMB_FSSD_FLAGS_DIR);
631 		rc = smb_fsop_sdinherit(sr, dnode, &fs_sd);
632 		if (rc == 0) {
633 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
634 			    name, attr, ret_snode, &fs_sd);
635 		}
636 
637 		smb_fssd_term(&fs_sd);
638 
639 	} else {
640 		rc = smb_vop_mkdir(dnode->vp, name, attr, &vp, flags, cr,
641 		    NULL);
642 
643 		if (rc == 0) {
644 			*ret_snode = smb_node_lookup(sr, op, cr, vp, name,
645 			    dnode, NULL);
646 
647 			if (*ret_snode == NULL)
648 				rc = ENOMEM;
649 
650 			VN_RELE(vp);
651 		}
652 	}
653 
654 	return (rc);
655 }
656 
657 /*
658  * smb_fsop_remove
659  *
660  * All SMB functions should use this wrapper to ensure that
661  * the the calls are performed with the appropriate credentials.
662  * Please document any direct call to explain the reason
663  * for avoiding this wrapper.
664  *
665  * It is assumed that a reference exists on snode coming into this routine.
666  *
667  * A null smb_request might be passed to this function.
668  */
669 int
670 smb_fsop_remove(
671     smb_request_t	*sr,
672     cred_t		*cr,
673     smb_node_t		*dnode,
674     char		*name,
675     uint32_t		flags)
676 {
677 	smb_node_t	*fnode;
678 	char		*longname;
679 	char		*fname;
680 	char		*sname;
681 	int		rc;
682 
683 	ASSERT(cr);
684 	/*
685 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
686 	 * function is called during the deletion of the node (because of
687 	 * DELETE_ON_CLOSE).
688 	 */
689 	ASSERT(dnode);
690 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
691 
692 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 ||
693 	    SMB_TREE_HAS_ACCESS(sr, ACE_DELETE) == 0)
694 		return (EACCES);
695 
696 	if (SMB_TREE_IS_READONLY(sr))
697 		return (EROFS);
698 
699 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
700 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
701 
702 	if (dnode->flags & NODE_XATTR_DIR) {
703 		rc = smb_vop_stream_remove(dnode->n_dnode->vp,
704 		    name, flags, cr);
705 	} else if (smb_is_stream_name(name)) {
706 		smb_stream_parse_name(name, fname, sname);
707 
708 		/*
709 		 * Look up the unnamed stream (i.e. fname).
710 		 * Unmangle processing will be done on fname
711 		 * as well as any link target.
712 		 */
713 
714 		rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
715 		    sr->tid_tree->t_snode, dnode, fname, &fnode);
716 
717 		if (rc != 0) {
718 			kmem_free(fname, MAXNAMELEN);
719 			kmem_free(sname, MAXNAMELEN);
720 			return (rc);
721 		}
722 
723 		/*
724 		 * XXX
725 		 * Need to find out what permission is required by NTFS
726 		 * to remove a stream.
727 		 */
728 		rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr);
729 
730 		smb_node_release(fnode);
731 	} else {
732 		rc = smb_vop_remove(dnode->vp, name, flags, cr);
733 
734 		if (rc == ENOENT) {
735 			if (smb_maybe_mangled_name(name) == 0) {
736 				kmem_free(fname, MAXNAMELEN);
737 				kmem_free(sname, MAXNAMELEN);
738 				return (rc);
739 			}
740 			longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
741 
742 			if (SMB_TREE_SUPPORTS_ABE(sr))
743 				flags |= SMB_ABE;
744 
745 			rc = smb_unmangle_name(dnode, name,
746 			    longname, MAXNAMELEN, flags);
747 
748 			if (rc == 0) {
749 				/*
750 				 * longname is the real (case-sensitive)
751 				 * on-disk name.
752 				 * We make sure we do a remove on this exact
753 				 * name, as the name was mangled and denotes
754 				 * a unique file.
755 				 */
756 				flags &= ~SMB_IGNORE_CASE;
757 				rc = smb_vop_remove(dnode->vp, longname,
758 				    flags, cr);
759 			}
760 
761 			kmem_free(longname, MAXNAMELEN);
762 		}
763 	}
764 
765 	kmem_free(fname, MAXNAMELEN);
766 	kmem_free(sname, MAXNAMELEN);
767 	return (rc);
768 }
769 
770 /*
771  * smb_fsop_remove_streams
772  *
773  * This function removes a file's streams without removing the
774  * file itself.
775  *
776  * It is assumed that fnode is not a link.
777  */
778 int
779 smb_fsop_remove_streams(smb_request_t *sr, cred_t *cr, smb_node_t *fnode)
780 {
781 	int rc, flags = 0;
782 	uint16_t odid;
783 	smb_odir_t *od;
784 	smb_odirent_t *odirent;
785 	boolean_t eos;
786 
787 	ASSERT(sr);
788 	ASSERT(cr);
789 	ASSERT(fnode);
790 	ASSERT(fnode->n_magic == SMB_NODE_MAGIC);
791 	ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING);
792 
793 	if (SMB_TREE_CONTAINS_NODE(sr, fnode) == 0) {
794 		smbsr_errno(sr, EACCES);
795 		return (-1);
796 	}
797 
798 	if (SMB_TREE_IS_READONLY(sr)) {
799 		smbsr_errno(sr, EROFS);
800 		return (-1);
801 	}
802 
803 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
804 		flags = SMB_IGNORE_CASE;
805 
806 	if (SMB_TREE_SUPPORTS_CATIA(sr))
807 		flags |= SMB_CATIA;
808 
809 	if ((odid = smb_odir_openat(sr, fnode)) == 0) {
810 		smbsr_errno(sr, ENOENT);
811 		return (-1);
812 	}
813 
814 	if ((od = smb_tree_lookup_odir(sr->tid_tree, odid)) == NULL) {
815 		smbsr_errno(sr, ENOENT);
816 		return (-1);
817 	}
818 
819 	odirent = kmem_alloc(sizeof (smb_odirent_t), KM_SLEEP);
820 	for (;;) {
821 		rc = smb_odir_read(sr, od, odirent, &eos);
822 		if ((rc != 0) || (eos))
823 			break;
824 		(void) smb_vop_remove(od->d_dnode->vp, odirent->od_name,
825 		    flags, cr);
826 	}
827 	kmem_free(odirent, sizeof (smb_odirent_t));
828 
829 	smb_odir_close(od);
830 	smb_odir_release(od);
831 	return (rc);
832 }
833 
834 /*
835  * smb_fsop_rmdir
836  *
837  * All SMB functions should use this wrapper to ensure that
838  * the the calls are performed with the appropriate credentials.
839  * Please document any direct call to explain the reason
840  * for avoiding this wrapper.
841  *
842  * It is assumed that a reference exists on snode coming into this routine.
843  */
844 int
845 smb_fsop_rmdir(
846     smb_request_t	*sr,
847     cred_t		*cr,
848     smb_node_t		*dnode,
849     char		*name,
850     uint32_t		flags)
851 {
852 	int		rc;
853 	char		*longname;
854 
855 	ASSERT(cr);
856 	/*
857 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
858 	 * function is called during the deletion of the node (because of
859 	 * DELETE_ON_CLOSE).
860 	 */
861 	ASSERT(dnode);
862 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
863 
864 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 ||
865 	    SMB_TREE_HAS_ACCESS(sr, ACE_DELETE_CHILD) == 0)
866 		return (EACCES);
867 
868 	if (SMB_TREE_IS_READONLY(sr))
869 		return (EROFS);
870 
871 	rc = smb_vop_rmdir(dnode->vp, name, flags, cr);
872 
873 	if (rc == ENOENT) {
874 		if (smb_maybe_mangled_name(name) == 0)
875 			return (rc);
876 
877 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
878 
879 		if (SMB_TREE_SUPPORTS_ABE(sr))
880 			flags |= SMB_ABE;
881 		rc = smb_unmangle_name(dnode, name, longname,
882 		    MAXNAMELEN, flags);
883 
884 		if (rc == 0) {
885 			/*
886 			 * longname is the real (case-sensitive)
887 			 * on-disk name.
888 			 * We make sure we do a rmdir on this exact
889 			 * name, as the name was mangled and denotes
890 			 * a unique directory.
891 			 */
892 			flags &= ~SMB_IGNORE_CASE;
893 			rc = smb_vop_rmdir(dnode->vp, longname, flags, cr);
894 		}
895 
896 		kmem_free(longname, MAXNAMELEN);
897 	}
898 
899 	return (rc);
900 }
901 
902 /*
903  * smb_fsop_getattr
904  *
905  * All SMB functions should use this wrapper to ensure that
906  * the the calls are performed with the appropriate credentials.
907  * Please document any direct call to explain the reason
908  * for avoiding this wrapper.
909  *
910  * It is assumed that a reference exists on snode coming into this routine.
911  */
912 int
913 smb_fsop_getattr(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
914     smb_attr_t *attr)
915 {
916 	smb_node_t *unnamed_node;
917 	vnode_t *unnamed_vp = NULL;
918 	uint32_t status;
919 	uint32_t access = 0;
920 	int flags = 0;
921 	int rc;
922 
923 	ASSERT(cr);
924 	ASSERT(snode);
925 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
926 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
927 
928 	if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0 ||
929 	    SMB_TREE_HAS_ACCESS(sr, ACE_READ_ATTRIBUTES) == 0)
930 		return (EACCES);
931 
932 	/* sr could be NULL in some cases */
933 	if (sr && sr->fid_ofile) {
934 		/* if uid and/or gid is requested */
935 		if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID))
936 			access |= READ_CONTROL;
937 
938 		/* if anything else is also requested */
939 		if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID))
940 			access |= FILE_READ_ATTRIBUTES;
941 
942 		status = smb_ofile_access(sr->fid_ofile, cr, access);
943 		if (status != NT_STATUS_SUCCESS)
944 			return (EACCES);
945 
946 		if (smb_tree_has_feature(sr->tid_tree,
947 		    SMB_TREE_ACEMASKONACCESS))
948 			flags = ATTR_NOACLCHECK;
949 	}
950 
951 	unnamed_node = SMB_IS_STREAM(snode);
952 
953 	if (unnamed_node) {
954 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
955 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
956 		unnamed_vp = unnamed_node->vp;
957 	}
958 
959 	rc = smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr);
960 	return (rc);
961 }
962 
963 /*
964  * smb_fsop_link
965  *
966  * All SMB functions should use this smb_vop_link wrapper to ensure that
967  * the smb_vop_link is performed with the appropriate credentials.
968  * Please document any direct call to smb_vop_link to explain the reason
969  * for avoiding this wrapper.
970  *
971  * It is assumed that references exist on from_dnode and to_dnode coming
972  * into this routine.
973  */
974 int
975 smb_fsop_link(smb_request_t *sr, cred_t *cr, smb_node_t *to_dnode,
976     smb_node_t *from_fnode, char *to_name)
977 {
978 	char	*longname = NULL;
979 	int	flags = 0;
980 	int	rc;
981 
982 	ASSERT(sr);
983 	ASSERT(sr->tid_tree);
984 	ASSERT(cr);
985 	ASSERT(to_dnode);
986 	ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC);
987 	ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING);
988 	ASSERT(from_fnode);
989 	ASSERT(from_fnode->n_magic == SMB_NODE_MAGIC);
990 	ASSERT(from_fnode->n_state != SMB_NODE_STATE_DESTROYING);
991 
992 	if (SMB_TREE_CONTAINS_NODE(sr, from_fnode) == 0)
993 		return (EACCES);
994 
995 	if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0)
996 		return (EACCES);
997 
998 	if (SMB_TREE_IS_READONLY(sr))
999 		return (EROFS);
1000 
1001 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1002 		flags = SMB_IGNORE_CASE;
1003 	if (SMB_TREE_SUPPORTS_CATIA(sr))
1004 		flags |= SMB_CATIA;
1005 	if (SMB_TREE_SUPPORTS_ABE(sr))
1006 		flags |= SMB_ABE;
1007 
1008 	if (smb_maybe_mangled_name(to_name)) {
1009 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1010 		rc = smb_unmangle_name(to_dnode, to_name,
1011 		    longname, MAXNAMELEN, flags);
1012 		kmem_free(longname, MAXNAMELEN);
1013 
1014 		if (rc == 0)
1015 			rc = EEXIST;
1016 		if (rc != ENOENT)
1017 			return (rc);
1018 	}
1019 
1020 	rc = smb_vop_link(to_dnode->vp, from_fnode->vp, to_name, flags, cr);
1021 	return (rc);
1022 }
1023 
1024 /*
1025  * smb_fsop_rename
1026  *
1027  * All SMB functions should use this smb_vop_rename wrapper to ensure that
1028  * the smb_vop_rename is performed with the appropriate credentials.
1029  * Please document any direct call to smb_vop_rename to explain the reason
1030  * for avoiding this wrapper.
1031  *
1032  * It is assumed that references exist on from_dnode and to_dnode coming
1033  * into this routine.
1034  */
1035 int
1036 smb_fsop_rename(
1037     smb_request_t *sr,
1038     cred_t *cr,
1039     smb_node_t *from_dnode,
1040     char *from_name,
1041     smb_node_t *to_dnode,
1042     char *to_name)
1043 {
1044 	smb_node_t *from_snode;
1045 	vnode_t *from_vp;
1046 	int flags = 0, ret_flags;
1047 	int rc;
1048 	boolean_t isdir;
1049 
1050 	ASSERT(cr);
1051 	ASSERT(from_dnode);
1052 	ASSERT(from_dnode->n_magic == SMB_NODE_MAGIC);
1053 	ASSERT(from_dnode->n_state != SMB_NODE_STATE_DESTROYING);
1054 
1055 	ASSERT(to_dnode);
1056 	ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC);
1057 	ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING);
1058 
1059 	if (SMB_TREE_CONTAINS_NODE(sr, from_dnode) == 0)
1060 		return (EACCES);
1061 
1062 	if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0)
1063 		return (EACCES);
1064 
1065 	ASSERT(sr);
1066 	ASSERT(sr->tid_tree);
1067 	if (SMB_TREE_IS_READONLY(sr))
1068 		return (EROFS);
1069 
1070 	/*
1071 	 * Note: There is no need to check SMB_TREE_IS_CASEINSENSITIVE
1072 	 * here.
1073 	 *
1074 	 * A case-sensitive rename is always done in this routine
1075 	 * because we are using the on-disk name from an earlier lookup.
1076 	 * If a mangled name was passed in by the caller (denoting a
1077 	 * deterministic lookup), then the exact file must be renamed
1078 	 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or
1079 	 * else the underlying file system might return a "first-match"
1080 	 * on this on-disk name, possibly resulting in the wrong file).
1081 	 */
1082 
1083 	if (SMB_TREE_SUPPORTS_CATIA(sr))
1084 		flags |= SMB_CATIA;
1085 
1086 	/*
1087 	 * XXX: Lock required through smb_node_release() below?
1088 	 */
1089 
1090 	rc = smb_vop_lookup(from_dnode->vp, from_name, &from_vp, NULL,
1091 	    flags, &ret_flags, NULL, cr);
1092 
1093 	if (rc != 0)
1094 		return (rc);
1095 
1096 	isdir = from_vp->v_type == VDIR;
1097 
1098 	if ((isdir && SMB_TREE_HAS_ACCESS(sr,
1099 	    ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY) !=
1100 	    (ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY)) ||
1101 	    (!isdir && SMB_TREE_HAS_ACCESS(sr, ACE_DELETE | ACE_ADD_FILE) !=
1102 	    (ACE_DELETE | ACE_ADD_FILE)))
1103 		return (EACCES);
1104 
1105 	rc = smb_vop_rename(from_dnode->vp, from_name, to_dnode->vp,
1106 	    to_name, flags, cr);
1107 
1108 	if (rc == 0) {
1109 		from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name,
1110 		    from_dnode, NULL);
1111 
1112 		if (from_snode == NULL) {
1113 			rc = ENOMEM;
1114 		} else {
1115 			smb_node_rename(from_dnode, from_snode,
1116 			    to_dnode, to_name);
1117 			smb_node_release(from_snode);
1118 		}
1119 	}
1120 	VN_RELE(from_vp);
1121 
1122 	/* XXX: unlock */
1123 
1124 	return (rc);
1125 }
1126 
1127 /*
1128  * smb_fsop_setattr
1129  *
1130  * All SMB functions should use this wrapper to ensure that
1131  * the the calls are performed with the appropriate credentials.
1132  * Please document any direct call to explain the reason
1133  * for avoiding this wrapper.
1134  *
1135  * It is assumed that a reference exists on snode coming into
1136  * this function.
1137  * A null smb_request might be passed to this function.
1138  */
1139 int
1140 smb_fsop_setattr(
1141     smb_request_t	*sr,
1142     cred_t		*cr,
1143     smb_node_t		*snode,
1144     smb_attr_t		*set_attr)
1145 {
1146 	smb_node_t *unnamed_node;
1147 	vnode_t *unnamed_vp = NULL;
1148 	uint32_t status;
1149 	uint32_t access;
1150 	int rc = 0;
1151 	int flags = 0;
1152 	uint_t sa_mask;
1153 
1154 	ASSERT(cr);
1155 	ASSERT(snode);
1156 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1157 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1158 
1159 	if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0)
1160 		return (EACCES);
1161 
1162 	if (SMB_TREE_IS_READONLY(sr))
1163 		return (EROFS);
1164 
1165 	if (SMB_TREE_HAS_ACCESS(sr,
1166 	    ACE_WRITE_ATTRIBUTES | ACE_WRITE_NAMED_ATTRS) == 0)
1167 		return (EACCES);
1168 
1169 	/*
1170 	 * The file system cannot detect pending READDONLY
1171 	 * (i.e. if the file has been opened readonly but
1172 	 * not yet closed) so we need to test READONLY here.
1173 	 */
1174 	if (sr && (set_attr->sa_mask & SMB_AT_SIZE)) {
1175 		if (sr->fid_ofile) {
1176 			if (SMB_OFILE_IS_READONLY(sr->fid_ofile))
1177 				return (EACCES);
1178 		} else {
1179 			if (SMB_PATHFILE_IS_READONLY(sr, snode))
1180 				return (EACCES);
1181 		}
1182 	}
1183 
1184 	/*
1185 	 * SMB checks access on open and retains an access granted
1186 	 * mask for use while the file is open.  ACL changes should
1187 	 * not affect access to an open file.
1188 	 *
1189 	 * If the setattr is being performed on an ofile:
1190 	 * - Check the ofile's access granted mask to see if the
1191 	 *   setattr is permitted.
1192 	 *   UID, GID - require WRITE_OWNER
1193 	 *   SIZE, ALLOCSZ - require FILE_WRITE_DATA
1194 	 *   all other attributes require FILE_WRITE_ATTRIBUTES
1195 	 *
1196 	 * - If the file system does access checking, set the
1197 	 *   ATTR_NOACLCHECK flag to ensure that the file system
1198 	 *   does not check permissions on subsequent calls.
1199 	 */
1200 	if (sr && sr->fid_ofile) {
1201 		sa_mask = set_attr->sa_mask;
1202 		access = 0;
1203 
1204 		if (sa_mask & (SMB_AT_SIZE | SMB_AT_ALLOCSZ)) {
1205 			access |= FILE_WRITE_DATA;
1206 			sa_mask &= ~(SMB_AT_SIZE | SMB_AT_ALLOCSZ);
1207 		}
1208 
1209 		if (sa_mask & (SMB_AT_UID|SMB_AT_GID)) {
1210 			access |= WRITE_OWNER;
1211 			sa_mask &= ~(SMB_AT_UID|SMB_AT_GID);
1212 		}
1213 
1214 		if (sa_mask)
1215 			access |= FILE_WRITE_ATTRIBUTES;
1216 
1217 		status = smb_ofile_access(sr->fid_ofile, cr, access);
1218 		if (status != NT_STATUS_SUCCESS)
1219 			return (EACCES);
1220 
1221 		if (smb_tree_has_feature(sr->tid_tree,
1222 		    SMB_TREE_ACEMASKONACCESS))
1223 			flags = ATTR_NOACLCHECK;
1224 	}
1225 
1226 	unnamed_node = SMB_IS_STREAM(snode);
1227 
1228 	if (unnamed_node) {
1229 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1230 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1231 		unnamed_vp = unnamed_node->vp;
1232 	}
1233 
1234 	rc = smb_vop_setattr(snode->vp, unnamed_vp, set_attr, flags, cr);
1235 	return (rc);
1236 }
1237 
1238 /*
1239  * smb_fsop_read
1240  *
1241  * All SMB functions should use this wrapper to ensure that
1242  * the the calls are performed with the appropriate credentials.
1243  * Please document any direct call to explain the reason
1244  * for avoiding this wrapper.
1245  *
1246  * It is assumed that a reference exists on snode coming into this routine.
1247  */
1248 int
1249 smb_fsop_read(smb_request_t *sr, cred_t *cr, smb_node_t *snode, uio_t *uio)
1250 {
1251 	caller_context_t ct;
1252 	int svmand;
1253 	int rc;
1254 
1255 	ASSERT(cr);
1256 	ASSERT(snode);
1257 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1258 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1259 
1260 	ASSERT(sr);
1261 	ASSERT(sr->fid_ofile);
1262 
1263 	if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_DATA) == 0)
1264 		return (EACCES);
1265 
1266 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_READ_DATA);
1267 	if (rc != NT_STATUS_SUCCESS) {
1268 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_EXECUTE);
1269 		if (rc != NT_STATUS_SUCCESS)
1270 			return (EACCES);
1271 	}
1272 
1273 	/*
1274 	 * Streams permission are checked against the unnamed stream,
1275 	 * but in FS level they have their own permissions. To avoid
1276 	 * rejection by FS due to lack of permission on the actual
1277 	 * extended attr kcred is passed for streams.
1278 	 */
1279 	if (SMB_IS_STREAM(snode))
1280 		cr = kcred;
1281 
1282 	smb_node_start_crit(snode, RW_READER);
1283 	rc = nbl_svmand(snode->vp, kcred, &svmand);
1284 	if (rc) {
1285 		smb_node_end_crit(snode);
1286 		return (rc);
1287 	}
1288 
1289 	ct = smb_ct;
1290 	ct.cc_pid = sr->fid_ofile->f_uniqid;
1291 	rc = nbl_lock_conflict(snode->vp, NBL_READ, uio->uio_loffset,
1292 	    uio->uio_iov->iov_len, svmand, &ct);
1293 
1294 	if (rc) {
1295 		smb_node_end_crit(snode);
1296 		return (ERANGE);
1297 	}
1298 
1299 	rc = smb_vop_read(snode->vp, uio, cr);
1300 	smb_node_end_crit(snode);
1301 
1302 	return (rc);
1303 }
1304 
1305 /*
1306  * smb_fsop_write
1307  *
1308  * This is a wrapper function used for smb_write and smb_write_raw operations.
1309  *
1310  * It is assumed that a reference exists on snode coming into this routine.
1311  */
1312 int
1313 smb_fsop_write(
1314     smb_request_t *sr,
1315     cred_t *cr,
1316     smb_node_t *snode,
1317     uio_t *uio,
1318     uint32_t *lcount,
1319     int ioflag)
1320 {
1321 	caller_context_t ct;
1322 	int svmand;
1323 	int rc;
1324 
1325 	ASSERT(cr);
1326 	ASSERT(snode);
1327 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1328 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1329 
1330 	ASSERT(sr);
1331 	ASSERT(sr->tid_tree);
1332 	ASSERT(sr->fid_ofile);
1333 
1334 	if (SMB_TREE_IS_READONLY(sr))
1335 		return (EROFS);
1336 
1337 	if (SMB_OFILE_IS_READONLY(sr->fid_ofile) ||
1338 	    SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_DATA | ACE_APPEND_DATA) == 0)
1339 		return (EACCES);
1340 
1341 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_WRITE_DATA);
1342 	if (rc != NT_STATUS_SUCCESS) {
1343 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_APPEND_DATA);
1344 		if (rc != NT_STATUS_SUCCESS)
1345 			return (EACCES);
1346 	}
1347 
1348 	/*
1349 	 * Streams permission are checked against the unnamed stream,
1350 	 * but in FS level they have their own permissions. To avoid
1351 	 * rejection by FS due to lack of permission on the actual
1352 	 * extended attr kcred is passed for streams.
1353 	 */
1354 	if (SMB_IS_STREAM(snode))
1355 		cr = kcred;
1356 
1357 	smb_node_start_crit(snode, RW_READER);
1358 	rc = nbl_svmand(snode->vp, kcred, &svmand);
1359 	if (rc) {
1360 		smb_node_end_crit(snode);
1361 		return (rc);
1362 	}
1363 
1364 	ct = smb_ct;
1365 	ct.cc_pid = sr->fid_ofile->f_uniqid;
1366 	rc = nbl_lock_conflict(snode->vp, NBL_WRITE, uio->uio_loffset,
1367 	    uio->uio_iov->iov_len, svmand, &ct);
1368 
1369 	if (rc) {
1370 		smb_node_end_crit(snode);
1371 		return (ERANGE);
1372 	}
1373 
1374 	rc = smb_vop_write(snode->vp, uio, ioflag, lcount, cr);
1375 	smb_node_end_crit(snode);
1376 
1377 	return (rc);
1378 }
1379 
1380 /*
1381  * smb_fsop_statfs
1382  *
1383  * This is a wrapper function used for stat operations.
1384  */
1385 int
1386 smb_fsop_statfs(
1387     cred_t *cr,
1388     smb_node_t *snode,
1389     struct statvfs64 *statp)
1390 {
1391 	ASSERT(cr);
1392 	ASSERT(snode);
1393 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1394 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1395 
1396 	return (smb_vop_statfs(snode->vp, statp, cr));
1397 }
1398 
1399 /*
1400  * smb_fsop_access
1401  *
1402  * Named streams do not have separate permissions from the associated
1403  * unnamed stream.  Thus, if node is a named stream, the permissions
1404  * check will be performed on the associated unnamed stream.
1405  *
1406  * However, our named streams do have their own quarantine attribute,
1407  * separate from that on the unnamed stream. If READ or EXECUTE
1408  * access has been requested on a named stream, an additional access
1409  * check is performed on the named stream in case it has been
1410  * quarantined.  kcred is used to avoid issues with the permissions
1411  * set on the extended attribute file representing the named stream.
1412  */
1413 int
1414 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1415     uint32_t faccess)
1416 {
1417 	int access = 0;
1418 	int error;
1419 	vnode_t *dir_vp;
1420 	boolean_t acl_check = B_TRUE;
1421 	smb_node_t *unnamed_node;
1422 
1423 	ASSERT(sr);
1424 	ASSERT(cr);
1425 	ASSERT(snode);
1426 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1427 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1428 
1429 	if (faccess == 0)
1430 		return (NT_STATUS_SUCCESS);
1431 
1432 	if (SMB_TREE_IS_READONLY(sr)) {
1433 		if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA|
1434 		    FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES|
1435 		    DELETE|WRITE_DAC|WRITE_OWNER)) {
1436 			return (NT_STATUS_ACCESS_DENIED);
1437 		}
1438 	}
1439 
1440 	unnamed_node = SMB_IS_STREAM(snode);
1441 	if (unnamed_node) {
1442 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1443 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1444 
1445 		/*
1446 		 * Perform VREAD access check on the named stream in case it
1447 		 * is quarantined. kcred is passed to smb_vop_access so it
1448 		 * doesn't fail due to lack of permission.
1449 		 */
1450 		if (faccess & (FILE_READ_DATA | FILE_EXECUTE)) {
1451 			error = smb_vop_access(snode->vp, VREAD,
1452 			    0, NULL, kcred);
1453 			if (error)
1454 				return (NT_STATUS_ACCESS_DENIED);
1455 		}
1456 
1457 		/*
1458 		 * Streams authorization should be performed against the
1459 		 * unnamed stream.
1460 		 */
1461 		snode = unnamed_node;
1462 	}
1463 
1464 	if (faccess & ACCESS_SYSTEM_SECURITY) {
1465 		/*
1466 		 * This permission is required for reading/writing SACL and
1467 		 * it's not part of DACL. It's only granted via proper
1468 		 * privileges.
1469 		 */
1470 		if ((sr->uid_user->u_privileges &
1471 		    (SMB_USER_PRIV_BACKUP |
1472 		    SMB_USER_PRIV_RESTORE |
1473 		    SMB_USER_PRIV_SECURITY)) == 0)
1474 			return (NT_STATUS_PRIVILEGE_NOT_HELD);
1475 
1476 		faccess &= ~ACCESS_SYSTEM_SECURITY;
1477 	}
1478 
1479 	/* Links don't have ACL */
1480 	if ((!smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) ||
1481 	    smb_node_is_link(snode))
1482 		acl_check = B_FALSE;
1483 
1484 	/*
1485 	 * Use the most restrictive parts of both faccess and the
1486 	 * share access.  An AND of the two value masks gives us that
1487 	 * since we've already converted to a mask of what we "can"
1488 	 * do.
1489 	 */
1490 	faccess &= sr->tid_tree->t_access;
1491 
1492 	if (acl_check) {
1493 		dir_vp = (snode->n_dnode) ? snode->n_dnode->vp : NULL;
1494 		error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp,
1495 		    cr);
1496 	} else {
1497 		/*
1498 		 * FS doesn't understand 32-bit mask, need to map
1499 		 */
1500 		if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA))
1501 			access |= VWRITE;
1502 
1503 		if (faccess & FILE_READ_DATA)
1504 			access |= VREAD;
1505 
1506 		if (faccess & FILE_EXECUTE)
1507 			access |= VEXEC;
1508 
1509 		error = smb_vop_access(snode->vp, access, 0, NULL, cr);
1510 	}
1511 
1512 	return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS);
1513 }
1514 
1515 /*
1516  * smb_fsop_lookup_name()
1517  *
1518  * If name indicates that the file is a stream file, perform
1519  * stream specific lookup, otherwise call smb_fsop_lookup.
1520  *
1521  * Return an error if the looked-up file is in outside the tree.
1522  * (Required when invoked from open path.)
1523  */
1524 
1525 int
1526 smb_fsop_lookup_name(
1527     smb_request_t *sr,
1528     cred_t	*cr,
1529     int		flags,
1530     smb_node_t	*root_node,
1531     smb_node_t	*dnode,
1532     char	*name,
1533     smb_node_t	**ret_snode)
1534 {
1535 	smb_node_t	*fnode;
1536 	vnode_t		*xattrdirvp;
1537 	vnode_t		*vp;
1538 	char		*od_name;
1539 	char		*fname;
1540 	char		*sname;
1541 	int		rc;
1542 
1543 	ASSERT(cr);
1544 	ASSERT(dnode);
1545 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
1546 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
1547 
1548 	/*
1549 	 * The following check is required for streams processing, below
1550 	 */
1551 
1552 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1553 		flags |= SMB_IGNORE_CASE;
1554 
1555 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1556 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1557 
1558 	if (smb_is_stream_name(name)) {
1559 		smb_stream_parse_name(name, fname, sname);
1560 
1561 		/*
1562 		 * Look up the unnamed stream (i.e. fname).
1563 		 * Unmangle processing will be done on fname
1564 		 * as well as any link target.
1565 		 */
1566 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode,
1567 		    fname, &fnode);
1568 
1569 		if (rc != 0) {
1570 			kmem_free(fname, MAXNAMELEN);
1571 			kmem_free(sname, MAXNAMELEN);
1572 			return (rc);
1573 		}
1574 
1575 		od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1576 
1577 		/*
1578 		 * od_name is the on-disk name of the stream, except
1579 		 * without the prepended stream prefix (SMB_STREAM_PREFIX)
1580 		 */
1581 
1582 		/*
1583 		 * XXX
1584 		 * What permissions NTFS requires for stream lookup if any?
1585 		 */
1586 		rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name,
1587 		    &xattrdirvp, flags, root_node->vp, cr);
1588 
1589 		if (rc != 0) {
1590 			smb_node_release(fnode);
1591 			kmem_free(fname, MAXNAMELEN);
1592 			kmem_free(sname, MAXNAMELEN);
1593 			kmem_free(od_name, MAXNAMELEN);
1594 			return (rc);
1595 		}
1596 
1597 		*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
1598 		    vp, od_name);
1599 
1600 		kmem_free(od_name, MAXNAMELEN);
1601 		smb_node_release(fnode);
1602 		VN_RELE(xattrdirvp);
1603 		VN_RELE(vp);
1604 
1605 		if (*ret_snode == NULL) {
1606 			kmem_free(fname, MAXNAMELEN);
1607 			kmem_free(sname, MAXNAMELEN);
1608 			return (ENOMEM);
1609 		}
1610 	} else {
1611 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode, name,
1612 		    ret_snode);
1613 	}
1614 
1615 	if (rc == 0) {
1616 		ASSERT(ret_snode);
1617 		if (SMB_TREE_CONTAINS_NODE(sr, *ret_snode) == 0) {
1618 			smb_node_release(*ret_snode);
1619 			*ret_snode = NULL;
1620 			rc = EACCES;
1621 		}
1622 	}
1623 
1624 	kmem_free(fname, MAXNAMELEN);
1625 	kmem_free(sname, MAXNAMELEN);
1626 
1627 	return (rc);
1628 }
1629 
1630 /*
1631  * smb_fsop_lookup
1632  *
1633  * All SMB functions should use this smb_vop_lookup wrapper to ensure that
1634  * the smb_vop_lookup is performed with the appropriate credentials and using
1635  * case insensitive compares. Please document any direct call to smb_vop_lookup
1636  * to explain the reason for avoiding this wrapper.
1637  *
1638  * It is assumed that a reference exists on dnode coming into this routine
1639  * (and that it is safe from deallocation).
1640  *
1641  * Same with the root_node.
1642  *
1643  * *ret_snode is returned with a reference upon success.  No reference is
1644  * taken if an error is returned.
1645  *
1646  * Note: The returned ret_snode may be in a child mount.  This is ok for
1647  * readdir.
1648  *
1649  * Other smb_fsop_* routines will call SMB_TREE_CONTAINS_NODE() to prevent
1650  * operations on files not in the parent mount.
1651  */
1652 int
1653 smb_fsop_lookup(
1654     smb_request_t *sr,
1655     cred_t	*cr,
1656     int		flags,
1657     smb_node_t	*root_node,
1658     smb_node_t	*dnode,
1659     char	*name,
1660     smb_node_t	**ret_snode)
1661 {
1662 	smb_node_t *lnk_target_node;
1663 	smb_node_t *lnk_dnode;
1664 	char *longname;
1665 	char *od_name;
1666 	vnode_t *vp;
1667 	int rc;
1668 	int ret_flags;
1669 
1670 	ASSERT(cr);
1671 	ASSERT(dnode);
1672 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
1673 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
1674 
1675 	if (name == NULL)
1676 		return (EINVAL);
1677 
1678 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0)
1679 		return (EACCES);
1680 
1681 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1682 		flags |= SMB_IGNORE_CASE;
1683 	if (SMB_TREE_SUPPORTS_CATIA(sr))
1684 		flags |= SMB_CATIA;
1685 	if (SMB_TREE_SUPPORTS_ABE(sr))
1686 		flags |= SMB_ABE;
1687 
1688 	od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1689 
1690 	rc = smb_vop_lookup(dnode->vp, name, &vp, od_name, flags,
1691 	    &ret_flags, root_node ? root_node->vp : NULL, cr);
1692 
1693 	if (rc != 0) {
1694 		if (smb_maybe_mangled_name(name) == 0) {
1695 			kmem_free(od_name, MAXNAMELEN);
1696 			return (rc);
1697 		}
1698 
1699 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1700 		rc = smb_unmangle_name(dnode, name, longname,
1701 		    MAXNAMELEN, flags);
1702 		if (rc != 0) {
1703 			kmem_free(od_name, MAXNAMELEN);
1704 			kmem_free(longname, MAXNAMELEN);
1705 			return (rc);
1706 		}
1707 
1708 		/*
1709 		 * longname is the real (case-sensitive)
1710 		 * on-disk name.
1711 		 * We make sure we do a lookup on this exact
1712 		 * name, as the name was mangled and denotes
1713 		 * a unique file.
1714 		 */
1715 
1716 		if (flags & SMB_IGNORE_CASE)
1717 			flags &= ~SMB_IGNORE_CASE;
1718 
1719 		rc = smb_vop_lookup(dnode->vp, longname, &vp, od_name,
1720 		    flags, &ret_flags, root_node ? root_node->vp : NULL, cr);
1721 
1722 		kmem_free(longname, MAXNAMELEN);
1723 
1724 		if (rc != 0) {
1725 			kmem_free(od_name, MAXNAMELEN);
1726 			return (rc);
1727 		}
1728 	}
1729 
1730 	if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK)) {
1731 
1732 		rc = smb_pathname(sr, od_name, FOLLOW, root_node, dnode,
1733 		    &lnk_dnode, &lnk_target_node, cr);
1734 
1735 		if (rc != 0) {
1736 			/*
1737 			 * The link is assumed to be for the last component
1738 			 * of a path.  Hence any ENOTDIR error will be returned
1739 			 * as ENOENT.
1740 			 */
1741 			if (rc == ENOTDIR)
1742 				rc = ENOENT;
1743 
1744 			VN_RELE(vp);
1745 			kmem_free(od_name, MAXNAMELEN);
1746 			return (rc);
1747 		}
1748 
1749 		/*
1750 		 * Release the original VLNK vnode
1751 		 */
1752 
1753 		VN_RELE(vp);
1754 		vp = lnk_target_node->vp;
1755 
1756 		rc = smb_vop_traverse_check(&vp);
1757 
1758 		if (rc != 0) {
1759 			smb_node_release(lnk_dnode);
1760 			smb_node_release(lnk_target_node);
1761 			kmem_free(od_name, MAXNAMELEN);
1762 			return (rc);
1763 		}
1764 
1765 		/*
1766 		 * smb_vop_traverse_check() may have returned a different vnode
1767 		 */
1768 
1769 		if (lnk_target_node->vp == vp) {
1770 			*ret_snode = lnk_target_node;
1771 		} else {
1772 			*ret_snode = smb_node_lookup(sr, NULL, cr, vp,
1773 			    lnk_target_node->od_name, lnk_dnode, NULL);
1774 			VN_RELE(vp);
1775 
1776 			if (*ret_snode == NULL)
1777 				rc = ENOMEM;
1778 			smb_node_release(lnk_target_node);
1779 		}
1780 
1781 		smb_node_release(lnk_dnode);
1782 
1783 	} else {
1784 
1785 		rc = smb_vop_traverse_check(&vp);
1786 		if (rc) {
1787 			VN_RELE(vp);
1788 			kmem_free(od_name, MAXNAMELEN);
1789 			return (rc);
1790 		}
1791 
1792 		*ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name,
1793 		    dnode, NULL);
1794 		VN_RELE(vp);
1795 
1796 		if (*ret_snode == NULL)
1797 			rc = ENOMEM;
1798 	}
1799 
1800 	kmem_free(od_name, MAXNAMELEN);
1801 	return (rc);
1802 }
1803 
1804 int /*ARGSUSED*/
1805 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode)
1806 {
1807 	ASSERT(cr);
1808 	ASSERT(snode);
1809 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1810 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1811 
1812 	ASSERT(sr);
1813 	ASSERT(sr->tid_tree);
1814 	if (SMB_TREE_IS_READONLY(sr))
1815 		return (EROFS);
1816 
1817 	return (smb_vop_commit(snode->vp, cr));
1818 }
1819 
1820 /*
1821  * smb_fsop_aclread
1822  *
1823  * Retrieve filesystem ACL. Depends on requested ACLs in
1824  * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in
1825  * fs_sd. Note that requesting a DACL/SACL doesn't mean that
1826  * the corresponding field in fs_sd should be non-NULL upon
1827  * return, since the target ACL might not contain that type of
1828  * entries.
1829  *
1830  * Returned ACL is always in ACE_T (aka ZFS) format.
1831  * If successful the allocated memory for the ACL should be freed
1832  * using smb_fsacl_free() or smb_fssd_term()
1833  */
1834 int
1835 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1836     smb_fssd_t *fs_sd)
1837 {
1838 	int error = 0;
1839 	int flags = 0;
1840 	int access = 0;
1841 	acl_t *acl;
1842 	smb_node_t *unnamed_node;
1843 
1844 	ASSERT(cr);
1845 
1846 	if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_ACL) == 0)
1847 		return (EACCES);
1848 
1849 	if (sr->fid_ofile) {
1850 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
1851 			access = READ_CONTROL;
1852 
1853 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
1854 			access |= ACCESS_SYSTEM_SECURITY;
1855 
1856 		error = smb_ofile_access(sr->fid_ofile, cr, access);
1857 		if (error != NT_STATUS_SUCCESS) {
1858 			return (EACCES);
1859 		}
1860 	}
1861 
1862 	unnamed_node = SMB_IS_STREAM(snode);
1863 	if (unnamed_node) {
1864 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1865 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1866 		/*
1867 		 * Streams don't have ACL, any read ACL attempt on a stream
1868 		 * should be performed on the unnamed stream.
1869 		 */
1870 		snode = unnamed_node;
1871 	}
1872 
1873 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS))
1874 		flags = ATTR_NOACLCHECK;
1875 
1876 	error = smb_vop_acl_read(snode->vp, &acl, flags,
1877 	    sr->tid_tree->t_acltype, cr);
1878 	if (error != 0) {
1879 		return (error);
1880 	}
1881 
1882 	error = acl_translate(acl, _ACL_ACE_ENABLED,
1883 	    (snode->vp->v_type == VDIR), fs_sd->sd_uid, fs_sd->sd_gid);
1884 
1885 	if (error == 0) {
1886 		smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl,
1887 		    fs_sd->sd_secinfo);
1888 	}
1889 
1890 	acl_free(acl);
1891 	return (error);
1892 }
1893 
1894 /*
1895  * smb_fsop_aclwrite
1896  *
1897  * Stores the filesystem ACL provided in fs_sd->sd_acl.
1898  */
1899 int
1900 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1901     smb_fssd_t *fs_sd)
1902 {
1903 	int target_flavor;
1904 	int error = 0;
1905 	int flags = 0;
1906 	int access = 0;
1907 	acl_t *acl, *dacl, *sacl;
1908 	smb_node_t *unnamed_node;
1909 
1910 	ASSERT(cr);
1911 
1912 	ASSERT(sr);
1913 	ASSERT(sr->tid_tree);
1914 	if (SMB_TREE_IS_READONLY(sr))
1915 		return (EROFS);
1916 
1917 	if (SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_ACL) == 0)
1918 		return (EACCES);
1919 
1920 	if (sr->fid_ofile) {
1921 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
1922 			access = WRITE_DAC;
1923 
1924 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
1925 			access |= ACCESS_SYSTEM_SECURITY;
1926 
1927 		error = smb_ofile_access(sr->fid_ofile, cr, access);
1928 		if (error != NT_STATUS_SUCCESS)
1929 			return (EACCES);
1930 	}
1931 
1932 	switch (sr->tid_tree->t_acltype) {
1933 	case ACLENT_T:
1934 		target_flavor = _ACL_ACLENT_ENABLED;
1935 		break;
1936 
1937 	case ACE_T:
1938 		target_flavor = _ACL_ACE_ENABLED;
1939 		break;
1940 	default:
1941 		return (EINVAL);
1942 	}
1943 
1944 	unnamed_node = SMB_IS_STREAM(snode);
1945 	if (unnamed_node) {
1946 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1947 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1948 		/*
1949 		 * Streams don't have ACL, any write ACL attempt on a stream
1950 		 * should be performed on the unnamed stream.
1951 		 */
1952 		snode = unnamed_node;
1953 	}
1954 
1955 	dacl = fs_sd->sd_zdacl;
1956 	sacl = fs_sd->sd_zsacl;
1957 
1958 	ASSERT(dacl || sacl);
1959 	if ((dacl == NULL) && (sacl == NULL))
1960 		return (EINVAL);
1961 
1962 	if (dacl && sacl)
1963 		acl = smb_fsacl_merge(dacl, sacl);
1964 	else if (dacl)
1965 		acl = dacl;
1966 	else
1967 		acl = sacl;
1968 
1969 	error = acl_translate(acl, target_flavor, (snode->vp->v_type == VDIR),
1970 	    fs_sd->sd_uid, fs_sd->sd_gid);
1971 	if (error == 0) {
1972 		if (smb_tree_has_feature(sr->tid_tree,
1973 		    SMB_TREE_ACEMASKONACCESS))
1974 			flags = ATTR_NOACLCHECK;
1975 
1976 		error = smb_vop_acl_write(snode->vp, acl, flags, cr);
1977 	}
1978 
1979 	if (dacl && sacl)
1980 		acl_free(acl);
1981 
1982 	return (error);
1983 }
1984 
1985 acl_type_t
1986 smb_fsop_acltype(smb_node_t *snode)
1987 {
1988 	return (smb_vop_acl_type(snode->vp));
1989 }
1990 
1991 /*
1992  * smb_fsop_sdread
1993  *
1994  * Read the requested security descriptor items from filesystem.
1995  * The items are specified in fs_sd->sd_secinfo.
1996  */
1997 int
1998 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1999     smb_fssd_t *fs_sd)
2000 {
2001 	int error = 0;
2002 	int getowner = 0;
2003 	cred_t *ga_cred;
2004 	smb_attr_t attr;
2005 
2006 	ASSERT(cr);
2007 	ASSERT(fs_sd);
2008 
2009 	/*
2010 	 * File's uid/gid is fetched in two cases:
2011 	 *
2012 	 * 1. it's explicitly requested
2013 	 *
2014 	 * 2. target ACL is ACE_T (ZFS ACL). They're needed for
2015 	 *    owner@/group@ entries. In this case kcred should be used
2016 	 *    because uid/gid are fetched on behalf of smb server.
2017 	 */
2018 	if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) {
2019 		getowner = 1;
2020 		ga_cred = cr;
2021 	} else if (sr->tid_tree->t_acltype == ACE_T) {
2022 		getowner = 1;
2023 		ga_cred = kcred;
2024 	}
2025 
2026 	if (getowner) {
2027 		/*
2028 		 * Windows require READ_CONTROL to read owner/group SID since
2029 		 * they're part of Security Descriptor.
2030 		 * ZFS only requires read_attribute. Need to have a explicit
2031 		 * access check here.
2032 		 */
2033 		if (sr->fid_ofile == NULL) {
2034 			error = smb_fsop_access(sr, ga_cred, snode,
2035 			    READ_CONTROL);
2036 			if (error)
2037 				return (EACCES);
2038 		}
2039 
2040 		attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2041 		error = smb_fsop_getattr(sr, ga_cred, snode, &attr);
2042 		if (error == 0) {
2043 			fs_sd->sd_uid = attr.sa_vattr.va_uid;
2044 			fs_sd->sd_gid = attr.sa_vattr.va_gid;
2045 		} else {
2046 			return (error);
2047 		}
2048 	}
2049 
2050 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2051 		error = smb_fsop_aclread(sr, cr, snode, fs_sd);
2052 	}
2053 
2054 	return (error);
2055 }
2056 
2057 /*
2058  * smb_fsop_sdmerge
2059  *
2060  * From SMB point of view DACL and SACL are two separate list
2061  * which can be manipulated independently without one affecting
2062  * the other, but entries for both DACL and SACL will end up
2063  * in the same ACL if target filesystem supports ACE_T ACLs.
2064  *
2065  * So, if either DACL or SACL is present in the client set request
2066  * the entries corresponding to the non-present ACL shouldn't
2067  * be touched in the FS ACL.
2068  *
2069  * fs_sd parameter contains DACL and SACL specified by SMB
2070  * client to be set on a file/directory. The client could
2071  * specify both or one of these ACLs (if none is specified
2072  * we don't get this far). When both DACL and SACL are given
2073  * by client the existing ACL should be overwritten. If only
2074  * one of them is specified the entries corresponding to the other
2075  * ACL should not be touched. For example, if only DACL
2076  * is specified in input fs_sd, the function reads audit entries
2077  * of the existing ACL of the file and point fs_sd->sd_zsdacl
2078  * pointer to the fetched SACL, this way when smb_fsop_sdwrite()
2079  * function is called the passed fs_sd would point to the specified
2080  * DACL by client and fetched SACL from filesystem, so the file
2081  * will end up with correct ACL.
2082  */
2083 static int
2084 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd)
2085 {
2086 	smb_fssd_t cur_sd;
2087 	int error = 0;
2088 
2089 	if (sr->tid_tree->t_acltype != ACE_T)
2090 		/* Don't bother if target FS doesn't support ACE_T */
2091 		return (0);
2092 
2093 	if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) {
2094 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) {
2095 			/*
2096 			 * Don't overwrite existing audit entries
2097 			 */
2098 			smb_fssd_init(&cur_sd, SMB_SACL_SECINFO,
2099 			    fs_sd->sd_flags);
2100 
2101 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2102 			if (error == 0) {
2103 				ASSERT(fs_sd->sd_zsacl == NULL);
2104 				fs_sd->sd_zsacl = cur_sd.sd_zsacl;
2105 				if (fs_sd->sd_zsacl && fs_sd->sd_zdacl)
2106 					fs_sd->sd_zsacl->acl_flags =
2107 					    fs_sd->sd_zdacl->acl_flags;
2108 			}
2109 		} else {
2110 			/*
2111 			 * Don't overwrite existing access entries
2112 			 */
2113 			smb_fssd_init(&cur_sd, SMB_DACL_SECINFO,
2114 			    fs_sd->sd_flags);
2115 
2116 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2117 			if (error == 0) {
2118 				ASSERT(fs_sd->sd_zdacl == NULL);
2119 				fs_sd->sd_zdacl = cur_sd.sd_zdacl;
2120 				if (fs_sd->sd_zdacl && fs_sd->sd_zsacl)
2121 					fs_sd->sd_zdacl->acl_flags =
2122 					    fs_sd->sd_zsacl->acl_flags;
2123 			}
2124 		}
2125 
2126 		if (error)
2127 			smb_fssd_term(&cur_sd);
2128 	}
2129 
2130 	return (error);
2131 }
2132 
2133 /*
2134  * smb_fsop_sdwrite
2135  *
2136  * Stores the given uid, gid and acl in filesystem.
2137  * Provided items in fs_sd are specified by fs_sd->sd_secinfo.
2138  *
2139  * A SMB security descriptor could contain owner, primary group,
2140  * DACL and SACL. Setting an SD should be atomic but here it has to
2141  * be done via two separate FS operations: VOP_SETATTR and
2142  * VOP_SETSECATTR. Therefore, this function has to simulate the
2143  * atomicity as well as it can.
2144  *
2145  * Get the current uid, gid before setting the new uid/gid
2146  * so if smb_fsop_aclwrite fails they can be restored. root cred is
2147  * used to get currend uid/gid since this operation is performed on
2148  * behalf of the server not the user.
2149  *
2150  * If setting uid/gid fails with EPERM it means that and invalid
2151  * owner has been specified. Callers should translate this to
2152  * STATUS_INVALID_OWNER which is not the normal mapping for EPERM
2153  * in upper layers, so EPERM is mapped to EBADE.
2154  */
2155 int
2156 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2157     smb_fssd_t *fs_sd, int overwrite)
2158 {
2159 	int error = 0;
2160 	int access = 0;
2161 	smb_attr_t set_attr;
2162 	smb_attr_t orig_attr;
2163 
2164 	ASSERT(cr);
2165 	ASSERT(fs_sd);
2166 
2167 	ASSERT(sr);
2168 	ASSERT(sr->tid_tree);
2169 	if (SMB_TREE_IS_READONLY(sr))
2170 		return (EROFS);
2171 
2172 	bzero(&set_attr, sizeof (smb_attr_t));
2173 
2174 	if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
2175 		set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
2176 		set_attr.sa_mask |= SMB_AT_UID;
2177 		access |= WRITE_OWNER;
2178 	}
2179 
2180 	if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
2181 		set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
2182 		set_attr.sa_mask |= SMB_AT_GID;
2183 		access |= WRITE_OWNER;
2184 	}
2185 
2186 	if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2187 		access |= WRITE_DAC;
2188 
2189 	if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2190 		access |= ACCESS_SYSTEM_SECURITY;
2191 
2192 	if (sr->fid_ofile)
2193 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2194 	else
2195 		error = smb_fsop_access(sr, cr, snode, access);
2196 
2197 	if (error)
2198 		return (EACCES);
2199 
2200 	if (set_attr.sa_mask) {
2201 		orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2202 		error = smb_fsop_getattr(sr, kcred, snode, &orig_attr);
2203 		if (error == 0) {
2204 			error = smb_fsop_setattr(sr, cr, snode, &set_attr);
2205 			if (error == EPERM)
2206 				error = EBADE;
2207 		}
2208 
2209 		if (error)
2210 			return (error);
2211 	}
2212 
2213 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2214 		if (overwrite == 0) {
2215 			error = smb_fsop_sdmerge(sr, snode, fs_sd);
2216 			if (error)
2217 				return (error);
2218 		}
2219 
2220 		error = smb_fsop_aclwrite(sr, cr, snode, fs_sd);
2221 		if (error) {
2222 			/*
2223 			 * Revert uid/gid changes if required.
2224 			 */
2225 			if (set_attr.sa_mask) {
2226 				orig_attr.sa_mask = set_attr.sa_mask;
2227 				(void) smb_fsop_setattr(sr, kcred, snode,
2228 				    &orig_attr);
2229 			}
2230 		}
2231 	}
2232 
2233 	return (error);
2234 }
2235 
2236 /*
2237  * smb_fsop_sdinherit
2238  *
2239  * Inherit the security descriptor from the parent container.
2240  * This function is called after FS has created the file/folder
2241  * so if this doesn't do anything it means FS inheritance is
2242  * in place.
2243  *
2244  * Do inheritance for ZFS internally.
2245  *
2246  * If we want to let ZFS does the inheritance the
2247  * following setting should be true:
2248  *
2249  *  - aclinherit = passthrough
2250  *  - aclmode = passthrough
2251  *  - smbd umask = 0777
2252  *
2253  * This will result in right effective permissions but
2254  * ZFS will always add 6 ACEs for owner, owning group
2255  * and others to be POSIX compliant. This is not what
2256  * Windows clients/users expect, so we decided that CIFS
2257  * implements Windows rules and overwrite whatever ZFS
2258  * comes up with. This way we also don't have to care
2259  * about ZFS aclinherit and aclmode settings.
2260  */
2261 static int
2262 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd)
2263 {
2264 	int is_dir;
2265 	acl_t *dacl = NULL;
2266 	acl_t *sacl = NULL;
2267 	ksid_t *owner_sid;
2268 	int error;
2269 
2270 	ASSERT(fs_sd);
2271 
2272 	if (sr->tid_tree->t_acltype != ACE_T) {
2273 		/*
2274 		 * No forced inheritance for non-ZFS filesystems.
2275 		 */
2276 		fs_sd->sd_secinfo = 0;
2277 		return (0);
2278 	}
2279 
2280 
2281 	/* Fetch parent directory's ACL */
2282 	error = smb_fsop_sdread(sr, kcred, dnode, fs_sd);
2283 	if (error) {
2284 		return (error);
2285 	}
2286 
2287 	is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR);
2288 	owner_sid = crgetsid(sr->user_cr, KSID_OWNER);
2289 	ASSERT(owner_sid);
2290 	dacl = smb_fsacl_inherit(fs_sd->sd_zdacl, is_dir, SMB_DACL_SECINFO,
2291 	    owner_sid->ks_id);
2292 	sacl = smb_fsacl_inherit(fs_sd->sd_zsacl, is_dir, SMB_SACL_SECINFO,
2293 	    (uid_t)-1);
2294 
2295 	if (sacl == NULL)
2296 		fs_sd->sd_secinfo &= ~SMB_SACL_SECINFO;
2297 
2298 	smb_fsacl_free(fs_sd->sd_zdacl);
2299 	smb_fsacl_free(fs_sd->sd_zsacl);
2300 
2301 	fs_sd->sd_zdacl = dacl;
2302 	fs_sd->sd_zsacl = sacl;
2303 
2304 	return (0);
2305 }
2306 
2307 /*
2308  * smb_fsop_eaccess
2309  *
2310  * Returns the effective permission of the given credential for the
2311  * specified object.
2312  *
2313  * This is just a workaround. We need VFS/FS support for this.
2314  */
2315 void
2316 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2317     uint32_t *eaccess)
2318 {
2319 	int access = 0;
2320 	vnode_t *dir_vp;
2321 	smb_node_t *unnamed_node;
2322 
2323 	ASSERT(cr);
2324 	ASSERT(snode);
2325 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
2326 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
2327 
2328 	unnamed_node = SMB_IS_STREAM(snode);
2329 	if (unnamed_node) {
2330 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
2331 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
2332 		/*
2333 		 * Streams authorization should be performed against the
2334 		 * unnamed stream.
2335 		 */
2336 		snode = unnamed_node;
2337 	}
2338 
2339 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) {
2340 		dir_vp = (snode->n_dnode) ? snode->n_dnode->vp : NULL;
2341 		smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp,
2342 		    cr);
2343 		return;
2344 	}
2345 
2346 	/*
2347 	 * FS doesn't understand 32-bit mask
2348 	 */
2349 	smb_vop_eaccess(snode->vp, &access, 0, NULL, cr);
2350 	access &= sr->tid_tree->t_access;
2351 
2352 	*eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES;
2353 
2354 	if (access & VREAD)
2355 		*eaccess |= FILE_READ_DATA;
2356 
2357 	if (access & VEXEC)
2358 		*eaccess |= FILE_EXECUTE;
2359 
2360 	if (access & VWRITE)
2361 		*eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES |
2362 		    FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD;
2363 }
2364 
2365 /*
2366  * smb_fsop_shrlock
2367  *
2368  * For the current open request, check file sharing rules
2369  * against existing opens.
2370  *
2371  * Returns NT_STATUS_SHARING_VIOLATION if there is any
2372  * sharing conflict.  Returns NT_STATUS_SUCCESS otherwise.
2373  *
2374  * Full system-wide share reservation synchronization is available
2375  * when the nbmand (non-blocking mandatory) mount option is set
2376  * (i.e. nbl_need_crit() is true) and nbmand critical regions are used.
2377  * This provides synchronization with NFS and local processes.  The
2378  * critical regions are entered in VOP_SHRLOCK()/fs_shrlock() (called
2379  * from smb_open_subr()/smb_fsop_shrlock()/smb_vop_shrlock()) as well
2380  * as the CIFS rename and delete paths.
2381  *
2382  * The CIFS server will also enter the nbl critical region in the open,
2383  * rename, and delete paths when nbmand is not set.  There is limited
2384  * coordination with local and VFS share reservations in this case.
2385  * Note that when the nbmand mount option is not set, the VFS layer
2386  * only processes advisory reservations and the delete mode is not checked.
2387  *
2388  * Whether or not the nbmand mount option is set, intra-CIFS share
2389  * checking is done in the open, delete, and rename paths using a CIFS
2390  * critical region (node->n_share_lock).
2391  */
2392 
2393 uint32_t
2394 smb_fsop_shrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid,
2395     uint32_t desired_access, uint32_t share_access)
2396 {
2397 	int rc;
2398 
2399 	if (smb_node_is_dir(node))
2400 		return (NT_STATUS_SUCCESS);
2401 
2402 	/* Allow access if the request is just for meta data */
2403 	if ((desired_access & FILE_DATA_ALL) == 0)
2404 		return (NT_STATUS_SUCCESS);
2405 
2406 	rc = smb_node_open_check(node, cr, desired_access, share_access);
2407 	if (rc)
2408 		return (NT_STATUS_SHARING_VIOLATION);
2409 
2410 	rc = smb_vop_shrlock(node->vp, uniq_fid, desired_access, share_access,
2411 	    cr);
2412 	if (rc)
2413 		return (NT_STATUS_SHARING_VIOLATION);
2414 
2415 	return (NT_STATUS_SUCCESS);
2416 }
2417 
2418 void
2419 smb_fsop_unshrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid)
2420 {
2421 	if (smb_node_is_dir(node))
2422 		return;
2423 
2424 	(void) smb_vop_unshrlock(node->vp, uniq_fid, cr);
2425 }
2426 
2427 int
2428 smb_fsop_frlock(smb_node_t *node, smb_lock_t *lock, boolean_t unlock,
2429     cred_t *cr)
2430 {
2431 	flock64_t bf;
2432 	int flag = F_REMOTELOCK;
2433 
2434 	/*
2435 	 * VOP_FRLOCK() will not be called if:
2436 	 *
2437 	 * 1) The lock has a range of zero bytes. The semantics of Windows and
2438 	 *    POSIX are different. In the case of POSIX it asks for the locking
2439 	 *    of all the bytes from the offset provided until the end of the
2440 	 *    file. In the case of Windows a range of zero locks nothing and
2441 	 *    doesn't conflict with any other lock.
2442 	 *
2443 	 * 2) The lock rolls over (start + lenght < start). Solaris will assert
2444 	 *    if such a request is submitted. This will not create
2445 	 *    incompatibilities between POSIX and Windows. In the Windows world,
2446 	 *    if a client submits such a lock, the server will not lock any
2447 	 *    bytes. Interestingly if the same lock (same offset and length) is
2448 	 *    resubmitted Windows will consider that there is an overlap and
2449 	 *    the granting rules will then apply.
2450 	 */
2451 	if ((lock->l_length == 0) ||
2452 	    ((lock->l_start + lock->l_length - 1) < lock->l_start))
2453 		return (0);
2454 
2455 	bzero(&bf, sizeof (bf));
2456 
2457 	if (unlock) {
2458 		bf.l_type = F_UNLCK;
2459 	} else if (lock->l_type == SMB_LOCK_TYPE_READONLY) {
2460 		bf.l_type = F_RDLCK;
2461 		flag |= FREAD;
2462 	} else if (lock->l_type == SMB_LOCK_TYPE_READWRITE) {
2463 		bf.l_type = F_WRLCK;
2464 		flag |= FWRITE;
2465 	}
2466 
2467 	bf.l_start = lock->l_start;
2468 	bf.l_len = lock->l_length;
2469 	bf.l_pid = lock->l_file->f_uniqid;
2470 	bf.l_sysid = smb_ct.cc_sysid;
2471 
2472 	return (smb_vop_frlock(node->vp, cr, flag, &bf));
2473 }
2474