1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/sid.h> 27 #include <sys/nbmlock.h> 28 #include <smbsrv/smb_fsops.h> 29 #include <smbsrv/smb_kproto.h> 30 #include <smbsrv/ntstatus.h> 31 #include <smbsrv/ntaccess.h> 32 #include <smbsrv/smb_incl.h> 33 #include <acl/acl_common.h> 34 #include <sys/fcntl.h> 35 #include <sys/flock.h> 36 #include <fs/fs_subr.h> 37 38 extern caller_context_t smb_ct; 39 40 extern int smb_fem_oplock_install(smb_node_t *); 41 extern void smb_fem_oplock_uninstall(smb_node_t *); 42 43 extern int smb_vop_other_opens(vnode_t *, int); 44 45 static int smb_fsop_create_stream(smb_request_t *, cred_t *, smb_node_t *, 46 char *, char *, int, smb_attr_t *, smb_node_t **); 47 48 static int smb_fsop_create_file(smb_request_t *, cred_t *, smb_node_t *, 49 char *, int, smb_attr_t *, smb_node_t **); 50 51 static int smb_fsop_create_with_sd(smb_request_t *, cred_t *, smb_node_t *, 52 char *, smb_attr_t *, smb_node_t **, smb_fssd_t *); 53 54 static int smb_fsop_sdinherit(smb_request_t *, smb_node_t *, smb_fssd_t *); 55 56 /* 57 * The smb_fsop_* functions have knowledge of CIFS semantics. 58 * 59 * The smb_vop_* functions have minimal knowledge of CIFS semantics and 60 * serve as an interface to the VFS layer. 61 * 62 * Hence, smb_request_t and smb_node_t structures should not be passed 63 * from the smb_fsop_* layer to the smb_vop_* layer. 64 * 65 * In general, CIFS service code should only ever call smb_fsop_* 66 * functions directly, and never smb_vop_* functions directly. 67 * 68 * smb_fsop_* functions should call smb_vop_* functions where possible, instead 69 * of their smb_fsop_* counterparts. However, there are times when 70 * this cannot be avoided. 71 */ 72 73 /* 74 * Note: Stream names cannot be mangled. 75 */ 76 77 /* 78 * smb_fsop_amask_to_omode 79 * 80 * Convert the access mask to the open mode (for use 81 * with the VOP_OPEN call). 82 * 83 * Note that opening a file for attribute only access 84 * will also translate into an FREAD or FWRITE open mode 85 * (i.e., it's not just for data). 86 * 87 * This is needed so that opens are tracked appropriately 88 * for oplock processing. 89 */ 90 91 int 92 smb_fsop_amask_to_omode(uint32_t access) 93 { 94 int mode = 0; 95 96 if (access & (FILE_READ_DATA | FILE_EXECUTE | 97 FILE_READ_ATTRIBUTES | FILE_READ_EA)) 98 mode |= FREAD; 99 100 if (access & (FILE_WRITE_DATA | FILE_APPEND_DATA | 101 FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA)) 102 mode |= FWRITE; 103 104 if (access & FILE_APPEND_DATA) 105 mode |= FAPPEND; 106 107 return (mode); 108 } 109 110 int 111 smb_fsop_open(smb_node_t *node, int mode, cred_t *cred) 112 { 113 /* 114 * Assuming that the same vnode is returned as we had before. 115 * (I.e., with certain types of files or file systems, a 116 * different vnode might be returned by VOP_OPEN) 117 */ 118 return (smb_vop_open(&node->vp, mode, cred)); 119 } 120 121 void 122 smb_fsop_close(smb_node_t *node, int mode, cred_t *cred) 123 { 124 smb_vop_close(node->vp, mode, cred); 125 } 126 127 int 128 smb_fsop_oplock_install(smb_node_t *node, int mode) 129 { 130 int rc; 131 132 if (smb_vop_other_opens(node->vp, mode)) 133 return (EMFILE); 134 135 if ((rc = smb_fem_oplock_install(node))) 136 return (rc); 137 138 if (smb_vop_other_opens(node->vp, mode)) { 139 (void) smb_fem_oplock_uninstall(node); 140 return (EMFILE); 141 } 142 143 return (0); 144 } 145 146 void 147 smb_fsop_oplock_uninstall(smb_node_t *node) 148 { 149 smb_fem_oplock_uninstall(node); 150 } 151 152 static int 153 smb_fsop_create_with_sd(smb_request_t *sr, cred_t *cr, 154 smb_node_t *dnode, char *name, 155 smb_attr_t *attr, smb_node_t **ret_snode, smb_fssd_t *fs_sd) 156 { 157 vsecattr_t *vsap; 158 vsecattr_t vsecattr; 159 acl_t *acl, *dacl, *sacl; 160 smb_attr_t set_attr; 161 vnode_t *vp; 162 int aclbsize = 0; /* size of acl list in bytes */ 163 int flags = 0; 164 int rc; 165 boolean_t is_dir; 166 167 ASSERT(fs_sd); 168 169 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 170 flags = SMB_IGNORE_CASE; 171 if (SMB_TREE_SUPPORTS_CATIA(sr)) 172 flags |= SMB_CATIA; 173 174 ASSERT(cr); 175 176 is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0); 177 178 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACLONCREATE)) { 179 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 180 dacl = fs_sd->sd_zdacl; 181 sacl = fs_sd->sd_zsacl; 182 ASSERT(dacl || sacl); 183 if (dacl && sacl) { 184 acl = smb_fsacl_merge(dacl, sacl); 185 } else if (dacl) { 186 acl = dacl; 187 } else { 188 acl = sacl; 189 } 190 191 rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize); 192 193 if (dacl && sacl) 194 acl_free(acl); 195 196 if (rc != 0) 197 return (rc); 198 199 vsap = &vsecattr; 200 } else { 201 vsap = NULL; 202 } 203 204 /* The tree ACEs may prevent a create */ 205 rc = EACCES; 206 if (is_dir) { 207 if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_SUBDIRECTORY) != 0) 208 rc = smb_vop_mkdir(dnode->vp, name, attr, 209 &vp, flags, cr, vsap); 210 } else { 211 if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_FILE) != 0) 212 rc = smb_vop_create(dnode->vp, name, attr, 213 &vp, flags, cr, vsap); 214 } 215 216 if (vsap != NULL) 217 kmem_free(vsap->vsa_aclentp, aclbsize); 218 219 if (rc != 0) 220 return (rc); 221 222 set_attr.sa_mask = 0; 223 224 /* 225 * Ideally we should be able to specify the owner and owning 226 * group at create time along with the ACL. Since we cannot 227 * do that right now, kcred is passed to smb_vop_setattr so it 228 * doesn't fail due to lack of permission. 229 */ 230 if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) { 231 set_attr.sa_vattr.va_uid = fs_sd->sd_uid; 232 set_attr.sa_mask |= SMB_AT_UID; 233 } 234 235 if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) { 236 set_attr.sa_vattr.va_gid = fs_sd->sd_gid; 237 set_attr.sa_mask |= SMB_AT_GID; 238 } 239 240 if (set_attr.sa_mask) 241 rc = smb_vop_setattr(vp, NULL, &set_attr, 0, kcred); 242 243 if (rc == 0) { 244 *ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, 245 name, dnode, NULL); 246 247 if (*ret_snode == NULL) 248 rc = ENOMEM; 249 250 VN_RELE(vp); 251 } 252 } else { 253 /* 254 * For filesystems that don't support ACL-on-create, try 255 * to set the specified SD after create, which could actually 256 * fail because of conflicts between inherited security 257 * attributes upon creation and the specified SD. 258 * 259 * Passing kcred to smb_fsop_sdwrite() to overcome this issue. 260 */ 261 262 if (is_dir) { 263 rc = smb_vop_mkdir(dnode->vp, name, attr, &vp, 264 flags, cr, NULL); 265 } else { 266 rc = smb_vop_create(dnode->vp, name, attr, &vp, 267 flags, cr, NULL); 268 } 269 270 if (rc != 0) 271 return (rc); 272 273 *ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, 274 name, dnode, NULL); 275 276 if (*ret_snode != NULL) { 277 if (!smb_tree_has_feature(sr->tid_tree, 278 SMB_TREE_NFS_MOUNTED)) 279 rc = smb_fsop_sdwrite(sr, kcred, *ret_snode, 280 fs_sd, 1); 281 } else { 282 rc = ENOMEM; 283 } 284 285 VN_RELE(vp); 286 } 287 288 if (rc != 0) { 289 if (is_dir) 290 (void) smb_vop_rmdir(dnode->vp, name, flags, cr); 291 else 292 (void) smb_vop_remove(dnode->vp, name, flags, cr); 293 } 294 295 return (rc); 296 } 297 298 /* 299 * smb_fsop_create 300 * 301 * All SMB functions should use this wrapper to ensure that 302 * all the smb_vop_creates are performed with the appropriate credentials. 303 * Please document any direct calls to explain the reason for avoiding 304 * this wrapper. 305 * 306 * *ret_snode is returned with a reference upon success. No reference is 307 * taken if an error is returned. 308 */ 309 int 310 smb_fsop_create(smb_request_t *sr, cred_t *cr, smb_node_t *dnode, 311 char *name, smb_attr_t *attr, smb_node_t **ret_snode) 312 { 313 int rc = 0; 314 int flags = 0; 315 char *fname, *sname; 316 char *longname = NULL; 317 318 ASSERT(cr); 319 ASSERT(dnode); 320 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 321 ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING); 322 323 ASSERT(ret_snode); 324 *ret_snode = 0; 325 326 ASSERT(name); 327 if (*name == 0) 328 return (EINVAL); 329 330 ASSERT(sr); 331 ASSERT(sr->tid_tree); 332 333 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0) 334 return (EACCES); 335 336 if (SMB_TREE_IS_READONLY(sr)) 337 return (EROFS); 338 339 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 340 flags = SMB_IGNORE_CASE; 341 if (SMB_TREE_SUPPORTS_CATIA(sr)) 342 flags |= SMB_CATIA; 343 344 if (smb_is_stream_name(name)) { 345 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 346 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 347 smb_stream_parse_name(name, fname, sname); 348 349 rc = smb_fsop_create_stream(sr, cr, dnode, 350 fname, sname, flags, attr, ret_snode); 351 352 kmem_free(fname, MAXNAMELEN); 353 kmem_free(sname, MAXNAMELEN); 354 return (rc); 355 } 356 357 /* Not a named stream */ 358 359 if (smb_maybe_mangled_name(name)) { 360 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 361 rc = smb_unmangle_name(dnode, name, longname, MAXNAMELEN); 362 kmem_free(longname, MAXNAMELEN); 363 364 if (rc == 0) 365 rc = EEXIST; 366 if (rc != ENOENT) 367 return (rc); 368 } 369 370 rc = smb_fsop_create_file(sr, cr, dnode, name, flags, 371 attr, ret_snode); 372 return (rc); 373 374 } 375 376 377 /* 378 * smb_fsop_create_stream 379 * 380 * Create NTFS named stream file (sname) on unnamed stream 381 * file (fname), creating the unnamed stream file if it 382 * doesn't exist. 383 * If we created the unnamed stream file and then creation 384 * of the named stream file fails, we delete the unnamed stream. 385 * Since we use the real file name for the smb_vop_remove we 386 * clear the SMB_IGNORE_CASE flag to ensure a case sensitive 387 * match. 388 * 389 * The second parameter of smb_vop_setattr() is set to 390 * NULL, even though an unnamed stream exists. This is 391 * because we want to set the UID and GID on the named 392 * stream in this case for consistency with the (unnamed 393 * stream) file (see comments for smb_vop_setattr()). 394 */ 395 static int 396 smb_fsop_create_stream(smb_request_t *sr, cred_t *cr, 397 smb_node_t *dnode, char *fname, char *sname, int flags, 398 smb_attr_t *attr, smb_node_t **ret_snode) 399 { 400 smb_node_t *fnode; 401 smb_attr_t fattr; 402 vnode_t *xattrdvp; 403 vnode_t *vp; 404 int rc = 0; 405 boolean_t fcreate = B_FALSE; 406 407 /* Look up / create the unnamed stream, fname */ 408 rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS, 409 sr->tid_tree->t_snode, dnode, fname, &fnode); 410 if (rc == ENOENT) { 411 fcreate = B_TRUE; 412 rc = smb_fsop_create_file(sr, cr, dnode, fname, flags, 413 attr, &fnode); 414 } 415 if (rc != 0) 416 return (rc); 417 418 fattr.sa_mask = SMB_AT_UID | SMB_AT_GID; 419 rc = smb_vop_getattr(fnode->vp, NULL, &fattr, 0, kcred); 420 421 if (rc == 0) { 422 /* create the named stream, sname */ 423 rc = smb_vop_stream_create(fnode->vp, sname, attr, 424 &vp, &xattrdvp, flags, cr); 425 } 426 if (rc != 0) { 427 if (fcreate) { 428 flags &= ~SMB_IGNORE_CASE; 429 (void) smb_vop_remove(dnode->vp, 430 fnode->od_name, flags, cr); 431 } 432 smb_node_release(fnode); 433 return (rc); 434 } 435 436 attr->sa_vattr.va_uid = fattr.sa_vattr.va_uid; 437 attr->sa_vattr.va_gid = fattr.sa_vattr.va_gid; 438 attr->sa_mask = SMB_AT_UID | SMB_AT_GID; 439 440 rc = smb_vop_setattr(vp, NULL, attr, 0, kcred); 441 if (rc != 0) { 442 smb_node_release(fnode); 443 return (rc); 444 } 445 446 *ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdvp, 447 vp, sname); 448 449 smb_node_release(fnode); 450 VN_RELE(xattrdvp); 451 VN_RELE(vp); 452 453 if (*ret_snode == NULL) 454 rc = ENOMEM; 455 456 return (rc); 457 } 458 459 /* 460 * smb_fsop_create_file 461 */ 462 static int 463 smb_fsop_create_file(smb_request_t *sr, cred_t *cr, 464 smb_node_t *dnode, char *name, int flags, 465 smb_attr_t *attr, smb_node_t **ret_snode) 466 { 467 open_param_t *op = &sr->arg.open; 468 vnode_t *vp; 469 smb_fssd_t fs_sd; 470 uint32_t secinfo; 471 uint32_t status; 472 int rc = 0; 473 474 if (op->sd) { 475 /* 476 * SD sent by client in Windows format. Needs to be 477 * converted to FS format. No inheritance. 478 */ 479 secinfo = smb_sd_get_secinfo(op->sd); 480 smb_fssd_init(&fs_sd, secinfo, 0); 481 482 status = smb_sd_tofs(op->sd, &fs_sd); 483 if (status == NT_STATUS_SUCCESS) { 484 rc = smb_fsop_create_with_sd(sr, cr, dnode, 485 name, attr, ret_snode, &fs_sd); 486 } else { 487 rc = EINVAL; 488 } 489 smb_fssd_term(&fs_sd); 490 } else if (sr->tid_tree->t_acltype == ACE_T) { 491 /* 492 * No incoming SD and filesystem is ZFS 493 * Server applies Windows inheritance rules, 494 * see smb_fsop_sdinherit() comments as to why. 495 */ 496 smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, 0); 497 rc = smb_fsop_sdinherit(sr, dnode, &fs_sd); 498 if (rc == 0) { 499 rc = smb_fsop_create_with_sd(sr, cr, dnode, 500 name, attr, ret_snode, &fs_sd); 501 } 502 503 smb_fssd_term(&fs_sd); 504 } else { 505 /* 506 * No incoming SD and filesystem is not ZFS 507 * let the filesystem handles the inheritance. 508 */ 509 rc = smb_vop_create(dnode->vp, name, attr, &vp, 510 flags, cr, NULL); 511 512 if (rc == 0) { 513 *ret_snode = smb_node_lookup(sr, op, cr, vp, 514 name, dnode, NULL); 515 516 if (*ret_snode == NULL) 517 rc = ENOMEM; 518 519 VN_RELE(vp); 520 } 521 522 } 523 return (rc); 524 } 525 526 /* 527 * smb_fsop_mkdir 528 * 529 * All SMB functions should use this wrapper to ensure that 530 * the the calls are performed with the appropriate credentials. 531 * Please document any direct call to explain the reason 532 * for avoiding this wrapper. 533 * 534 * It is assumed that a reference exists on snode coming into this routine. 535 * 536 * *ret_snode is returned with a reference upon success. No reference is 537 * taken if an error is returned. 538 */ 539 int 540 smb_fsop_mkdir( 541 smb_request_t *sr, 542 cred_t *cr, 543 smb_node_t *dnode, 544 char *name, 545 smb_attr_t *attr, 546 smb_node_t **ret_snode) 547 { 548 struct open_param *op = &sr->arg.open; 549 char *longname; 550 vnode_t *vp; 551 int flags = 0; 552 smb_fssd_t fs_sd; 553 uint32_t secinfo; 554 uint32_t status; 555 int rc; 556 ASSERT(cr); 557 ASSERT(dnode); 558 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 559 ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING); 560 561 ASSERT(ret_snode); 562 *ret_snode = 0; 563 564 ASSERT(name); 565 if (*name == 0) 566 return (EINVAL); 567 568 ASSERT(sr); 569 ASSERT(sr->tid_tree); 570 571 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0) 572 return (EACCES); 573 574 if (SMB_TREE_IS_READONLY(sr)) 575 return (EROFS); 576 if (SMB_TREE_SUPPORTS_CATIA(sr)) 577 flags |= SMB_CATIA; 578 579 if (smb_maybe_mangled_name(name)) { 580 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 581 rc = smb_unmangle_name(dnode, name, longname, MAXNAMELEN); 582 kmem_free(longname, MAXNAMELEN); 583 584 /* 585 * If the name passed in by the client has an unmangled 586 * equivalent that is found in the specified directory, 587 * then the mkdir cannot succeed. Return EEXIST. 588 * 589 * Only if ENOENT is returned will a mkdir be attempted. 590 */ 591 592 if (rc == 0) 593 rc = EEXIST; 594 595 if (rc != ENOENT) 596 return (rc); 597 } 598 599 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 600 flags = SMB_IGNORE_CASE; 601 602 if (op->sd) { 603 /* 604 * SD sent by client in Windows format. Needs to be 605 * converted to FS format. No inheritance. 606 */ 607 secinfo = smb_sd_get_secinfo(op->sd); 608 smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR); 609 610 status = smb_sd_tofs(op->sd, &fs_sd); 611 if (status == NT_STATUS_SUCCESS) { 612 rc = smb_fsop_create_with_sd(sr, cr, dnode, 613 name, attr, ret_snode, &fs_sd); 614 } 615 else 616 rc = EINVAL; 617 smb_fssd_term(&fs_sd); 618 } else if (sr->tid_tree->t_acltype == ACE_T) { 619 /* 620 * No incoming SD and filesystem is ZFS 621 * Server applies Windows inheritance rules, 622 * see smb_fsop_sdinherit() comments as to why. 623 */ 624 smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, SMB_FSSD_FLAGS_DIR); 625 rc = smb_fsop_sdinherit(sr, dnode, &fs_sd); 626 if (rc == 0) { 627 rc = smb_fsop_create_with_sd(sr, cr, dnode, 628 name, attr, ret_snode, &fs_sd); 629 } 630 631 smb_fssd_term(&fs_sd); 632 633 } else { 634 rc = smb_vop_mkdir(dnode->vp, name, attr, &vp, flags, cr, 635 NULL); 636 637 if (rc == 0) { 638 *ret_snode = smb_node_lookup(sr, op, cr, vp, name, 639 dnode, NULL); 640 641 if (*ret_snode == NULL) 642 rc = ENOMEM; 643 644 VN_RELE(vp); 645 } 646 } 647 648 return (rc); 649 } 650 651 /* 652 * smb_fsop_remove 653 * 654 * All SMB functions should use this wrapper to ensure that 655 * the the calls are performed with the appropriate credentials. 656 * Please document any direct call to explain the reason 657 * for avoiding this wrapper. 658 * 659 * It is assumed that a reference exists on snode coming into this routine. 660 * 661 * A null smb_request might be passed to this function. 662 */ 663 int 664 smb_fsop_remove( 665 smb_request_t *sr, 666 cred_t *cr, 667 smb_node_t *dnode, 668 char *name, 669 uint32_t flags) 670 { 671 smb_node_t *fnode; 672 char *longname; 673 char *fname; 674 char *sname; 675 int rc; 676 677 ASSERT(cr); 678 /* 679 * The state of the node could be SMB_NODE_STATE_DESTROYING if this 680 * function is called during the deletion of the node (because of 681 * DELETE_ON_CLOSE). 682 */ 683 ASSERT(dnode); 684 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 685 686 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 || 687 SMB_TREE_HAS_ACCESS(sr, ACE_DELETE) == 0) 688 return (EACCES); 689 690 if (SMB_TREE_IS_READONLY(sr)) 691 return (EROFS); 692 693 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 694 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 695 696 if (dnode->flags & NODE_XATTR_DIR) { 697 rc = smb_vop_stream_remove(dnode->n_dnode->vp, 698 name, flags, cr); 699 } else if (smb_is_stream_name(name)) { 700 smb_stream_parse_name(name, fname, sname); 701 702 /* 703 * Look up the unnamed stream (i.e. fname). 704 * Unmangle processing will be done on fname 705 * as well as any link target. 706 */ 707 708 rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS, 709 sr->tid_tree->t_snode, dnode, fname, &fnode); 710 711 if (rc != 0) { 712 kmem_free(fname, MAXNAMELEN); 713 kmem_free(sname, MAXNAMELEN); 714 return (rc); 715 } 716 717 /* 718 * XXX 719 * Need to find out what permission is required by NTFS 720 * to remove a stream. 721 */ 722 rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr); 723 724 smb_node_release(fnode); 725 } else { 726 rc = smb_vop_remove(dnode->vp, name, flags, cr); 727 728 if (rc == ENOENT) { 729 if (smb_maybe_mangled_name(name) == 0) { 730 kmem_free(fname, MAXNAMELEN); 731 kmem_free(sname, MAXNAMELEN); 732 return (rc); 733 } 734 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 735 736 rc = smb_unmangle_name(dnode, name, 737 longname, MAXNAMELEN); 738 739 if (rc == 0) { 740 /* 741 * longname is the real (case-sensitive) 742 * on-disk name. 743 * We make sure we do a remove on this exact 744 * name, as the name was mangled and denotes 745 * a unique file. 746 */ 747 flags &= ~SMB_IGNORE_CASE; 748 rc = smb_vop_remove(dnode->vp, longname, 749 flags, cr); 750 } 751 752 kmem_free(longname, MAXNAMELEN); 753 } 754 } 755 756 kmem_free(fname, MAXNAMELEN); 757 kmem_free(sname, MAXNAMELEN); 758 return (rc); 759 } 760 761 /* 762 * smb_fsop_remove_streams 763 * 764 * This function removes a file's streams without removing the 765 * file itself. 766 * 767 * It is assumed that fnode is not a link. 768 */ 769 int 770 smb_fsop_remove_streams(smb_request_t *sr, cred_t *cr, smb_node_t *fnode) 771 { 772 int rc, flags = 0; 773 uint16_t odid; 774 smb_odir_t *od; 775 smb_odirent_t *odirent; 776 boolean_t eos; 777 778 ASSERT(sr); 779 ASSERT(cr); 780 ASSERT(fnode); 781 ASSERT(fnode->n_magic == SMB_NODE_MAGIC); 782 ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING); 783 784 if (SMB_TREE_CONTAINS_NODE(sr, fnode) == 0) { 785 smbsr_errno(sr, EACCES); 786 return (-1); 787 } 788 789 if (SMB_TREE_IS_READONLY(sr)) { 790 smbsr_errno(sr, EROFS); 791 return (-1); 792 } 793 794 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 795 flags = SMB_IGNORE_CASE; 796 797 if (SMB_TREE_SUPPORTS_CATIA(sr)) 798 flags |= SMB_CATIA; 799 800 if ((odid = smb_odir_openat(sr, fnode)) == 0) { 801 smbsr_errno(sr, ENOENT); 802 return (-1); 803 } 804 805 if ((od = smb_tree_lookup_odir(sr->tid_tree, odid)) == NULL) { 806 smbsr_errno(sr, ENOENT); 807 return (-1); 808 } 809 810 odirent = kmem_alloc(sizeof (smb_odirent_t), KM_SLEEP); 811 for (;;) { 812 rc = smb_odir_read(sr, od, odirent, &eos); 813 if ((rc != 0) || (eos)) 814 break; 815 (void) smb_vop_remove(od->d_dnode->vp, odirent->od_name, 816 flags, cr); 817 } 818 kmem_free(odirent, sizeof (smb_odirent_t)); 819 820 smb_odir_close(od); 821 smb_odir_release(od); 822 return (rc); 823 } 824 825 /* 826 * smb_fsop_rmdir 827 * 828 * All SMB functions should use this wrapper to ensure that 829 * the the calls are performed with the appropriate credentials. 830 * Please document any direct call to explain the reason 831 * for avoiding this wrapper. 832 * 833 * It is assumed that a reference exists on snode coming into this routine. 834 */ 835 int 836 smb_fsop_rmdir( 837 smb_request_t *sr, 838 cred_t *cr, 839 smb_node_t *dnode, 840 char *name, 841 uint32_t flags) 842 { 843 int rc; 844 char *longname; 845 846 ASSERT(cr); 847 /* 848 * The state of the node could be SMB_NODE_STATE_DESTROYING if this 849 * function is called during the deletion of the node (because of 850 * DELETE_ON_CLOSE). 851 */ 852 ASSERT(dnode); 853 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 854 855 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 || 856 SMB_TREE_HAS_ACCESS(sr, ACE_DELETE_CHILD) == 0) 857 return (EACCES); 858 859 if (SMB_TREE_IS_READONLY(sr)) 860 return (EROFS); 861 862 rc = smb_vop_rmdir(dnode->vp, name, flags, cr); 863 864 if (rc == ENOENT) { 865 if (smb_maybe_mangled_name(name) == 0) 866 return (rc); 867 868 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 869 rc = smb_unmangle_name(dnode, name, longname, MAXNAMELEN); 870 871 if (rc == 0) { 872 /* 873 * longname is the real (case-sensitive) 874 * on-disk name. 875 * We make sure we do a rmdir on this exact 876 * name, as the name was mangled and denotes 877 * a unique directory. 878 */ 879 flags &= ~SMB_IGNORE_CASE; 880 rc = smb_vop_rmdir(dnode->vp, longname, flags, cr); 881 } 882 883 kmem_free(longname, MAXNAMELEN); 884 } 885 886 return (rc); 887 } 888 889 /* 890 * smb_fsop_getattr 891 * 892 * All SMB functions should use this wrapper to ensure that 893 * the the calls are performed with the appropriate credentials. 894 * Please document any direct call to explain the reason 895 * for avoiding this wrapper. 896 * 897 * It is assumed that a reference exists on snode coming into this routine. 898 */ 899 int 900 smb_fsop_getattr(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 901 smb_attr_t *attr) 902 { 903 smb_node_t *unnamed_node; 904 vnode_t *unnamed_vp = NULL; 905 uint32_t status; 906 uint32_t access = 0; 907 int flags = 0; 908 int rc; 909 910 ASSERT(cr); 911 ASSERT(snode); 912 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 913 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 914 915 if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0 || 916 SMB_TREE_HAS_ACCESS(sr, ACE_READ_ATTRIBUTES) == 0) 917 return (EACCES); 918 919 /* sr could be NULL in some cases */ 920 if (sr && sr->fid_ofile) { 921 /* if uid and/or gid is requested */ 922 if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID)) 923 access |= READ_CONTROL; 924 925 /* if anything else is also requested */ 926 if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID)) 927 access |= FILE_READ_ATTRIBUTES; 928 929 status = smb_ofile_access(sr->fid_ofile, cr, access); 930 if (status != NT_STATUS_SUCCESS) 931 return (EACCES); 932 933 if (smb_tree_has_feature(sr->tid_tree, 934 SMB_TREE_ACEMASKONACCESS)) 935 flags = ATTR_NOACLCHECK; 936 } 937 938 unnamed_node = SMB_IS_STREAM(snode); 939 940 if (unnamed_node) { 941 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 942 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 943 unnamed_vp = unnamed_node->vp; 944 } 945 946 rc = smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr); 947 return (rc); 948 } 949 950 /* 951 * smb_fsop_link 952 * 953 * All SMB functions should use this smb_vop_link wrapper to ensure that 954 * the smb_vop_link is performed with the appropriate credentials. 955 * Please document any direct call to smb_vop_link to explain the reason 956 * for avoiding this wrapper. 957 * 958 * It is assumed that references exist on from_dnode and to_dnode coming 959 * into this routine. 960 */ 961 int 962 smb_fsop_link(smb_request_t *sr, cred_t *cr, smb_node_t *to_dnode, 963 smb_node_t *from_fnode, char *to_name) 964 { 965 char *longname = NULL; 966 int flags = 0; 967 int rc; 968 969 ASSERT(sr); 970 ASSERT(sr->tid_tree); 971 ASSERT(cr); 972 ASSERT(to_dnode); 973 ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC); 974 ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING); 975 ASSERT(from_fnode); 976 ASSERT(from_fnode->n_magic == SMB_NODE_MAGIC); 977 ASSERT(from_fnode->n_state != SMB_NODE_STATE_DESTROYING); 978 979 if (SMB_TREE_CONTAINS_NODE(sr, from_fnode) == 0) 980 return (EACCES); 981 982 if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0) 983 return (EACCES); 984 985 if (SMB_TREE_IS_READONLY(sr)) 986 return (EROFS); 987 988 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 989 flags = SMB_IGNORE_CASE; 990 if (SMB_TREE_SUPPORTS_CATIA(sr)) 991 flags |= SMB_CATIA; 992 993 if (smb_maybe_mangled_name(to_name)) { 994 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 995 rc = smb_unmangle_name(to_dnode, to_name, longname, MAXNAMELEN); 996 kmem_free(longname, MAXNAMELEN); 997 998 if (rc == 0) 999 rc = EEXIST; 1000 if (rc != ENOENT) 1001 return (rc); 1002 } 1003 1004 rc = smb_vop_link(to_dnode->vp, from_fnode->vp, to_name, flags, cr); 1005 return (rc); 1006 } 1007 1008 /* 1009 * smb_fsop_rename 1010 * 1011 * All SMB functions should use this smb_vop_rename wrapper to ensure that 1012 * the smb_vop_rename is performed with the appropriate credentials. 1013 * Please document any direct call to smb_vop_rename to explain the reason 1014 * for avoiding this wrapper. 1015 * 1016 * It is assumed that references exist on from_dnode and to_dnode coming 1017 * into this routine. 1018 */ 1019 int 1020 smb_fsop_rename( 1021 smb_request_t *sr, 1022 cred_t *cr, 1023 smb_node_t *from_dnode, 1024 char *from_name, 1025 smb_node_t *to_dnode, 1026 char *to_name) 1027 { 1028 smb_node_t *from_snode; 1029 vnode_t *from_vp; 1030 int flags = 0, ret_flags; 1031 int rc; 1032 boolean_t isdir; 1033 1034 ASSERT(cr); 1035 ASSERT(from_dnode); 1036 ASSERT(from_dnode->n_magic == SMB_NODE_MAGIC); 1037 ASSERT(from_dnode->n_state != SMB_NODE_STATE_DESTROYING); 1038 1039 ASSERT(to_dnode); 1040 ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC); 1041 ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING); 1042 1043 if (SMB_TREE_CONTAINS_NODE(sr, from_dnode) == 0) 1044 return (EACCES); 1045 1046 if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0) 1047 return (EACCES); 1048 1049 ASSERT(sr); 1050 ASSERT(sr->tid_tree); 1051 if (SMB_TREE_IS_READONLY(sr)) 1052 return (EROFS); 1053 1054 /* 1055 * Note: There is no need to check SMB_TREE_IS_CASEINSENSITIVE 1056 * here. 1057 * 1058 * A case-sensitive rename is always done in this routine 1059 * because we are using the on-disk name from an earlier lookup. 1060 * If a mangled name was passed in by the caller (denoting a 1061 * deterministic lookup), then the exact file must be renamed 1062 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or 1063 * else the underlying file system might return a "first-match" 1064 * on this on-disk name, possibly resulting in the wrong file). 1065 */ 1066 1067 if (SMB_TREE_SUPPORTS_CATIA(sr)) 1068 flags |= SMB_CATIA; 1069 1070 /* 1071 * XXX: Lock required through smb_node_release() below? 1072 */ 1073 1074 rc = smb_vop_lookup(from_dnode->vp, from_name, &from_vp, NULL, 1075 flags, &ret_flags, NULL, cr); 1076 1077 if (rc != 0) 1078 return (rc); 1079 1080 isdir = from_vp->v_type == VDIR; 1081 1082 if ((isdir && SMB_TREE_HAS_ACCESS(sr, 1083 ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY) != 1084 (ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY)) || 1085 (!isdir && SMB_TREE_HAS_ACCESS(sr, ACE_DELETE | ACE_ADD_FILE) != 1086 (ACE_DELETE | ACE_ADD_FILE))) 1087 return (EACCES); 1088 1089 rc = smb_vop_rename(from_dnode->vp, from_name, to_dnode->vp, 1090 to_name, flags, cr); 1091 1092 if (rc == 0) { 1093 from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name, 1094 from_dnode, NULL); 1095 1096 if (from_snode == NULL) { 1097 rc = ENOMEM; 1098 } else { 1099 smb_node_rename(from_dnode, from_snode, 1100 to_dnode, to_name); 1101 smb_node_release(from_snode); 1102 } 1103 } 1104 VN_RELE(from_vp); 1105 1106 /* XXX: unlock */ 1107 1108 return (rc); 1109 } 1110 1111 /* 1112 * smb_fsop_setattr 1113 * 1114 * All SMB functions should use this wrapper to ensure that 1115 * the the calls are performed with the appropriate credentials. 1116 * Please document any direct call to explain the reason 1117 * for avoiding this wrapper. 1118 * 1119 * It is assumed that a reference exists on snode coming into this routine. 1120 * A null smb_request might be passed to this function. 1121 */ 1122 int 1123 smb_fsop_setattr( 1124 smb_request_t *sr, 1125 cred_t *cr, 1126 smb_node_t *snode, 1127 smb_attr_t *set_attr) 1128 { 1129 smb_node_t *unnamed_node; 1130 vnode_t *unnamed_vp = NULL; 1131 uint32_t status; 1132 uint32_t access; 1133 int rc = 0; 1134 int flags = 0; 1135 uint_t sa_mask; 1136 1137 ASSERT(cr); 1138 ASSERT(snode); 1139 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1140 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1141 1142 if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0) 1143 return (EACCES); 1144 1145 if (SMB_TREE_IS_READONLY(sr)) 1146 return (EROFS); 1147 1148 if (SMB_TREE_HAS_ACCESS(sr, 1149 ACE_WRITE_ATTRIBUTES | ACE_WRITE_NAMED_ATTRS) == 0) 1150 return (EACCES); 1151 1152 if (sr && (set_attr->sa_mask & SMB_AT_SIZE)) { 1153 if (sr->fid_ofile) { 1154 if (SMB_OFILE_IS_READONLY(sr->fid_ofile)) 1155 return (EACCES); 1156 } else { 1157 if (SMB_PATHFILE_IS_READONLY(sr, snode)) 1158 return (EACCES); 1159 } 1160 } 1161 1162 /* sr could be NULL in some cases */ 1163 if (sr && sr->fid_ofile) { 1164 sa_mask = set_attr->sa_mask; 1165 access = 0; 1166 1167 if (sa_mask & SMB_AT_SIZE) { 1168 access |= FILE_WRITE_DATA; 1169 sa_mask &= ~SMB_AT_SIZE; 1170 } 1171 1172 if (sa_mask & (SMB_AT_UID|SMB_AT_GID)) { 1173 access |= WRITE_OWNER; 1174 sa_mask &= ~(SMB_AT_UID|SMB_AT_GID); 1175 } 1176 1177 if (sa_mask) 1178 access |= FILE_WRITE_ATTRIBUTES; 1179 1180 status = smb_ofile_access(sr->fid_ofile, cr, access); 1181 if (status != NT_STATUS_SUCCESS) 1182 return (EACCES); 1183 1184 if (smb_tree_has_feature(sr->tid_tree, 1185 SMB_TREE_ACEMASKONACCESS)) 1186 flags = ATTR_NOACLCHECK; 1187 } 1188 1189 unnamed_node = SMB_IS_STREAM(snode); 1190 1191 if (unnamed_node) { 1192 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1193 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1194 unnamed_vp = unnamed_node->vp; 1195 } 1196 1197 rc = smb_vop_setattr(snode->vp, unnamed_vp, set_attr, flags, cr); 1198 return (rc); 1199 } 1200 1201 /* 1202 * smb_fsop_read 1203 * 1204 * All SMB functions should use this wrapper to ensure that 1205 * the the calls are performed with the appropriate credentials. 1206 * Please document any direct call to explain the reason 1207 * for avoiding this wrapper. 1208 * 1209 * It is assumed that a reference exists on snode coming into this routine. 1210 */ 1211 int 1212 smb_fsop_read(smb_request_t *sr, cred_t *cr, smb_node_t *snode, uio_t *uio) 1213 { 1214 caller_context_t ct; 1215 int svmand; 1216 int rc; 1217 1218 ASSERT(cr); 1219 ASSERT(snode); 1220 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1221 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1222 1223 ASSERT(sr); 1224 ASSERT(sr->fid_ofile); 1225 1226 if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_DATA) == 0) 1227 return (EACCES); 1228 1229 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_READ_DATA); 1230 if (rc != NT_STATUS_SUCCESS) { 1231 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_EXECUTE); 1232 if (rc != NT_STATUS_SUCCESS) 1233 return (EACCES); 1234 } 1235 1236 /* 1237 * Streams permission are checked against the unnamed stream, 1238 * but in FS level they have their own permissions. To avoid 1239 * rejection by FS due to lack of permission on the actual 1240 * extended attr kcred is passed for streams. 1241 */ 1242 if (SMB_IS_STREAM(snode)) 1243 cr = kcred; 1244 1245 smb_node_start_crit(snode, RW_READER); 1246 rc = nbl_svmand(snode->vp, kcred, &svmand); 1247 if (rc) { 1248 smb_node_end_crit(snode); 1249 return (rc); 1250 } 1251 1252 ct = smb_ct; 1253 ct.cc_pid = sr->fid_ofile->f_uniqid; 1254 rc = nbl_lock_conflict(snode->vp, NBL_READ, uio->uio_loffset, 1255 uio->uio_iov->iov_len, svmand, &ct); 1256 1257 if (rc) { 1258 smb_node_end_crit(snode); 1259 return (ERANGE); 1260 } 1261 1262 rc = smb_vop_read(snode->vp, uio, cr); 1263 smb_node_end_crit(snode); 1264 1265 return (rc); 1266 } 1267 1268 /* 1269 * smb_fsop_write 1270 * 1271 * This is a wrapper function used for smb_write and smb_write_raw operations. 1272 * 1273 * It is assumed that a reference exists on snode coming into this routine. 1274 */ 1275 int 1276 smb_fsop_write( 1277 smb_request_t *sr, 1278 cred_t *cr, 1279 smb_node_t *snode, 1280 uio_t *uio, 1281 uint32_t *lcount, 1282 int ioflag) 1283 { 1284 caller_context_t ct; 1285 int svmand; 1286 int rc; 1287 1288 ASSERT(cr); 1289 ASSERT(snode); 1290 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1291 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1292 1293 ASSERT(sr); 1294 ASSERT(sr->tid_tree); 1295 ASSERT(sr->fid_ofile); 1296 1297 if (SMB_TREE_IS_READONLY(sr)) 1298 return (EROFS); 1299 1300 if (SMB_OFILE_IS_READONLY(sr->fid_ofile) || 1301 SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_DATA | ACE_APPEND_DATA) == 0) 1302 return (EACCES); 1303 1304 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_WRITE_DATA); 1305 if (rc != NT_STATUS_SUCCESS) { 1306 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_APPEND_DATA); 1307 if (rc != NT_STATUS_SUCCESS) 1308 return (EACCES); 1309 } 1310 1311 /* 1312 * Streams permission are checked against the unnamed stream, 1313 * but in FS level they have their own permissions. To avoid 1314 * rejection by FS due to lack of permission on the actual 1315 * extended attr kcred is passed for streams. 1316 */ 1317 if (SMB_IS_STREAM(snode)) 1318 cr = kcred; 1319 1320 smb_node_start_crit(snode, RW_READER); 1321 rc = nbl_svmand(snode->vp, kcred, &svmand); 1322 if (rc) { 1323 smb_node_end_crit(snode); 1324 return (rc); 1325 } 1326 1327 ct = smb_ct; 1328 ct.cc_pid = sr->fid_ofile->f_uniqid; 1329 rc = nbl_lock_conflict(snode->vp, NBL_WRITE, uio->uio_loffset, 1330 uio->uio_iov->iov_len, svmand, &ct); 1331 1332 if (rc) { 1333 smb_node_end_crit(snode); 1334 return (ERANGE); 1335 } 1336 1337 rc = smb_vop_write(snode->vp, uio, ioflag, lcount, cr); 1338 smb_node_end_crit(snode); 1339 1340 return (rc); 1341 } 1342 1343 /* 1344 * smb_fsop_statfs 1345 * 1346 * This is a wrapper function used for stat operations. 1347 */ 1348 int 1349 smb_fsop_statfs( 1350 cred_t *cr, 1351 smb_node_t *snode, 1352 struct statvfs64 *statp) 1353 { 1354 ASSERT(cr); 1355 ASSERT(snode); 1356 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1357 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1358 1359 return (smb_vop_statfs(snode->vp, statp, cr)); 1360 } 1361 1362 /* 1363 * smb_fsop_access 1364 * 1365 * Named streams do not have separate permissions from the associated 1366 * unnamed stream. Thus, if node is a named stream, the permissions 1367 * check will be performed on the associated unnamed stream. 1368 * 1369 * However, our named streams do have their own quarantine attribute, 1370 * separate from that on the unnamed stream. If READ or EXECUTE 1371 * access has been requested on a named stream, an additional access 1372 * check is performed on the named stream in case it has been 1373 * quarantined. kcred is used to avoid issues with the permissions 1374 * set on the extended attribute file representing the named stream. 1375 */ 1376 int 1377 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1378 uint32_t faccess) 1379 { 1380 int access = 0; 1381 int error; 1382 vnode_t *dir_vp; 1383 boolean_t acl_check = B_TRUE; 1384 smb_node_t *unnamed_node; 1385 1386 ASSERT(sr); 1387 ASSERT(cr); 1388 ASSERT(snode); 1389 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1390 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1391 1392 if (faccess == 0) 1393 return (NT_STATUS_SUCCESS); 1394 1395 if (SMB_TREE_IS_READONLY(sr)) { 1396 if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA| 1397 FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES| 1398 DELETE|WRITE_DAC|WRITE_OWNER)) { 1399 return (NT_STATUS_ACCESS_DENIED); 1400 } 1401 } 1402 1403 unnamed_node = SMB_IS_STREAM(snode); 1404 if (unnamed_node) { 1405 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1406 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1407 1408 /* 1409 * Perform VREAD access check on the named stream in case it 1410 * is quarantined. kcred is passed to smb_vop_access so it 1411 * doesn't fail due to lack of permission. 1412 */ 1413 if (faccess & (FILE_READ_DATA | FILE_EXECUTE)) { 1414 error = smb_vop_access(snode->vp, VREAD, 1415 0, NULL, kcred); 1416 if (error) 1417 return (NT_STATUS_ACCESS_DENIED); 1418 } 1419 1420 /* 1421 * Streams authorization should be performed against the 1422 * unnamed stream. 1423 */ 1424 snode = unnamed_node; 1425 } 1426 1427 if (faccess & ACCESS_SYSTEM_SECURITY) { 1428 /* 1429 * This permission is required for reading/writing SACL and 1430 * it's not part of DACL. It's only granted via proper 1431 * privileges. 1432 */ 1433 if ((sr->uid_user->u_privileges & 1434 (SMB_USER_PRIV_BACKUP | 1435 SMB_USER_PRIV_RESTORE | 1436 SMB_USER_PRIV_SECURITY)) == 0) 1437 return (NT_STATUS_PRIVILEGE_NOT_HELD); 1438 1439 faccess &= ~ACCESS_SYSTEM_SECURITY; 1440 } 1441 1442 /* Links don't have ACL */ 1443 if ((!smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) || 1444 smb_node_is_link(snode)) 1445 acl_check = B_FALSE; 1446 1447 /* 1448 * Use the most restrictive parts of both faccess and the 1449 * share access. An AND of the two value masks gives us that 1450 * since we've already converted to a mask of what we "can" 1451 * do. 1452 */ 1453 faccess &= sr->tid_tree->t_access; 1454 1455 if (acl_check) { 1456 dir_vp = (snode->n_dnode) ? snode->n_dnode->vp : NULL; 1457 error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp, 1458 cr); 1459 } else { 1460 /* 1461 * FS doesn't understand 32-bit mask, need to map 1462 */ 1463 if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA)) 1464 access |= VWRITE; 1465 1466 if (faccess & FILE_READ_DATA) 1467 access |= VREAD; 1468 1469 if (faccess & FILE_EXECUTE) 1470 access |= VEXEC; 1471 1472 error = smb_vop_access(snode->vp, access, 0, NULL, cr); 1473 } 1474 1475 return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS); 1476 } 1477 1478 /* 1479 * smb_fsop_lookup_name() 1480 * 1481 * If name indicates that the file is a stream file, perform 1482 * stream specific lookup, otherwise call smb_fsop_lookup. 1483 * 1484 * Return an error if the looked-up file is in outside the tree. 1485 * (Required when invoked from open path.) 1486 */ 1487 1488 int 1489 smb_fsop_lookup_name( 1490 smb_request_t *sr, 1491 cred_t *cr, 1492 int flags, 1493 smb_node_t *root_node, 1494 smb_node_t *dnode, 1495 char *name, 1496 smb_node_t **ret_snode) 1497 { 1498 smb_node_t *fnode; 1499 vnode_t *xattrdirvp; 1500 vnode_t *vp; 1501 char *od_name; 1502 char *fname; 1503 char *sname; 1504 int rc; 1505 1506 ASSERT(cr); 1507 ASSERT(dnode); 1508 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 1509 ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING); 1510 1511 /* 1512 * The following check is required for streams processing, below 1513 */ 1514 1515 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1516 flags |= SMB_IGNORE_CASE; 1517 1518 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1519 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1520 1521 if (smb_is_stream_name(name)) { 1522 smb_stream_parse_name(name, fname, sname); 1523 1524 /* 1525 * Look up the unnamed stream (i.e. fname). 1526 * Unmangle processing will be done on fname 1527 * as well as any link target. 1528 */ 1529 rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode, 1530 fname, &fnode); 1531 1532 if (rc != 0) { 1533 kmem_free(fname, MAXNAMELEN); 1534 kmem_free(sname, MAXNAMELEN); 1535 return (rc); 1536 } 1537 1538 od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1539 1540 /* 1541 * od_name is the on-disk name of the stream, except 1542 * without the prepended stream prefix (SMB_STREAM_PREFIX) 1543 */ 1544 1545 /* 1546 * XXX 1547 * What permissions NTFS requires for stream lookup if any? 1548 */ 1549 rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name, 1550 &xattrdirvp, flags, root_node->vp, cr); 1551 1552 if (rc != 0) { 1553 smb_node_release(fnode); 1554 kmem_free(fname, MAXNAMELEN); 1555 kmem_free(sname, MAXNAMELEN); 1556 kmem_free(od_name, MAXNAMELEN); 1557 return (rc); 1558 } 1559 1560 *ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp, 1561 vp, od_name); 1562 1563 kmem_free(od_name, MAXNAMELEN); 1564 smb_node_release(fnode); 1565 VN_RELE(xattrdirvp); 1566 VN_RELE(vp); 1567 1568 if (*ret_snode == NULL) { 1569 kmem_free(fname, MAXNAMELEN); 1570 kmem_free(sname, MAXNAMELEN); 1571 return (ENOMEM); 1572 } 1573 } else { 1574 rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode, name, 1575 ret_snode); 1576 } 1577 1578 if (rc == 0) { 1579 ASSERT(ret_snode); 1580 if (SMB_TREE_CONTAINS_NODE(sr, *ret_snode) == 0) { 1581 smb_node_release(*ret_snode); 1582 *ret_snode = NULL; 1583 rc = EACCES; 1584 } 1585 } 1586 1587 kmem_free(fname, MAXNAMELEN); 1588 kmem_free(sname, MAXNAMELEN); 1589 1590 return (rc); 1591 } 1592 1593 /* 1594 * smb_fsop_lookup 1595 * 1596 * All SMB functions should use this smb_vop_lookup wrapper to ensure that 1597 * the smb_vop_lookup is performed with the appropriate credentials and using 1598 * case insensitive compares. Please document any direct call to smb_vop_lookup 1599 * to explain the reason for avoiding this wrapper. 1600 * 1601 * It is assumed that a reference exists on dnode coming into this routine 1602 * (and that it is safe from deallocation). 1603 * 1604 * Same with the root_node. 1605 * 1606 * *ret_snode is returned with a reference upon success. No reference is 1607 * taken if an error is returned. 1608 * 1609 * Note: The returned ret_snode may be in a child mount. This is ok for 1610 * readdir. 1611 * 1612 * Other smb_fsop_* routines will call SMB_TREE_CONTAINS_NODE() to prevent 1613 * operations on files not in the parent mount. 1614 */ 1615 int 1616 smb_fsop_lookup( 1617 smb_request_t *sr, 1618 cred_t *cr, 1619 int flags, 1620 smb_node_t *root_node, 1621 smb_node_t *dnode, 1622 char *name, 1623 smb_node_t **ret_snode) 1624 { 1625 smb_node_t *lnk_target_node; 1626 smb_node_t *lnk_dnode; 1627 char *longname; 1628 char *od_name; 1629 vnode_t *vp; 1630 int rc; 1631 int ret_flags; 1632 1633 ASSERT(cr); 1634 ASSERT(dnode); 1635 ASSERT(dnode->n_magic == SMB_NODE_MAGIC); 1636 ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING); 1637 1638 if (name == NULL) 1639 return (EINVAL); 1640 1641 if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0) 1642 return (EACCES); 1643 1644 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1645 flags |= SMB_IGNORE_CASE; 1646 if (SMB_TREE_SUPPORTS_CATIA(sr)) 1647 flags |= SMB_CATIA; 1648 1649 od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1650 1651 rc = smb_vop_lookup(dnode->vp, name, &vp, od_name, flags, 1652 &ret_flags, root_node ? root_node->vp : NULL, cr); 1653 1654 if (rc != 0) { 1655 if (smb_maybe_mangled_name(name) == 0) { 1656 kmem_free(od_name, MAXNAMELEN); 1657 return (rc); 1658 } 1659 1660 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1661 rc = smb_unmangle_name(dnode, name, longname, MAXNAMELEN); 1662 if (rc != 0) { 1663 kmem_free(od_name, MAXNAMELEN); 1664 kmem_free(longname, MAXNAMELEN); 1665 return (rc); 1666 } 1667 1668 /* 1669 * longname is the real (case-sensitive) 1670 * on-disk name. 1671 * We make sure we do a lookup on this exact 1672 * name, as the name was mangled and denotes 1673 * a unique file. 1674 */ 1675 1676 if (flags & SMB_IGNORE_CASE) 1677 flags &= ~SMB_IGNORE_CASE; 1678 1679 rc = smb_vop_lookup(dnode->vp, longname, &vp, od_name, 1680 flags, &ret_flags, root_node ? root_node->vp : NULL, cr); 1681 1682 kmem_free(longname, MAXNAMELEN); 1683 1684 if (rc != 0) { 1685 kmem_free(od_name, MAXNAMELEN); 1686 return (rc); 1687 } 1688 } 1689 1690 if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK)) { 1691 1692 rc = smb_pathname(sr, od_name, FOLLOW, root_node, dnode, 1693 &lnk_dnode, &lnk_target_node, cr); 1694 1695 if (rc != 0) { 1696 /* 1697 * The link is assumed to be for the last component 1698 * of a path. Hence any ENOTDIR error will be returned 1699 * as ENOENT. 1700 */ 1701 if (rc == ENOTDIR) 1702 rc = ENOENT; 1703 1704 VN_RELE(vp); 1705 kmem_free(od_name, MAXNAMELEN); 1706 return (rc); 1707 } 1708 1709 /* 1710 * Release the original VLNK vnode 1711 */ 1712 1713 VN_RELE(vp); 1714 vp = lnk_target_node->vp; 1715 1716 rc = smb_vop_traverse_check(&vp); 1717 1718 if (rc != 0) { 1719 smb_node_release(lnk_dnode); 1720 smb_node_release(lnk_target_node); 1721 kmem_free(od_name, MAXNAMELEN); 1722 return (rc); 1723 } 1724 1725 /* 1726 * smb_vop_traverse_check() may have returned a different vnode 1727 */ 1728 1729 if (lnk_target_node->vp == vp) { 1730 *ret_snode = lnk_target_node; 1731 } else { 1732 *ret_snode = smb_node_lookup(sr, NULL, cr, vp, 1733 lnk_target_node->od_name, lnk_dnode, NULL); 1734 VN_RELE(vp); 1735 1736 if (*ret_snode == NULL) 1737 rc = ENOMEM; 1738 smb_node_release(lnk_target_node); 1739 } 1740 1741 smb_node_release(lnk_dnode); 1742 1743 } else { 1744 1745 rc = smb_vop_traverse_check(&vp); 1746 if (rc) { 1747 VN_RELE(vp); 1748 kmem_free(od_name, MAXNAMELEN); 1749 return (rc); 1750 } 1751 1752 *ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name, 1753 dnode, NULL); 1754 VN_RELE(vp); 1755 1756 if (*ret_snode == NULL) 1757 rc = ENOMEM; 1758 } 1759 1760 kmem_free(od_name, MAXNAMELEN); 1761 return (rc); 1762 } 1763 1764 int /*ARGSUSED*/ 1765 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode) 1766 { 1767 ASSERT(cr); 1768 ASSERT(snode); 1769 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1770 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1771 1772 ASSERT(sr); 1773 ASSERT(sr->tid_tree); 1774 if (SMB_TREE_IS_READONLY(sr)) 1775 return (EROFS); 1776 1777 return (smb_vop_commit(snode->vp, cr)); 1778 } 1779 1780 /* 1781 * smb_fsop_aclread 1782 * 1783 * Retrieve filesystem ACL. Depends on requested ACLs in 1784 * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in 1785 * fs_sd. Note that requesting a DACL/SACL doesn't mean that 1786 * the corresponding field in fs_sd should be non-NULL upon 1787 * return, since the target ACL might not contain that type of 1788 * entries. 1789 * 1790 * Returned ACL is always in ACE_T (aka ZFS) format. 1791 * If successful the allocated memory for the ACL should be freed 1792 * using smb_fsacl_free() or smb_fssd_term() 1793 */ 1794 int 1795 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1796 smb_fssd_t *fs_sd) 1797 { 1798 int error = 0; 1799 int flags = 0; 1800 int access = 0; 1801 acl_t *acl; 1802 smb_node_t *unnamed_node; 1803 1804 ASSERT(cr); 1805 1806 if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_ACL) == 0) 1807 return (EACCES); 1808 1809 if (sr->fid_ofile) { 1810 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 1811 access = READ_CONTROL; 1812 1813 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 1814 access |= ACCESS_SYSTEM_SECURITY; 1815 1816 error = smb_ofile_access(sr->fid_ofile, cr, access); 1817 if (error != NT_STATUS_SUCCESS) { 1818 return (EACCES); 1819 } 1820 } 1821 1822 unnamed_node = SMB_IS_STREAM(snode); 1823 if (unnamed_node) { 1824 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1825 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1826 /* 1827 * Streams don't have ACL, any read ACL attempt on a stream 1828 * should be performed on the unnamed stream. 1829 */ 1830 snode = unnamed_node; 1831 } 1832 1833 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) 1834 flags = ATTR_NOACLCHECK; 1835 1836 error = smb_vop_acl_read(snode->vp, &acl, flags, 1837 sr->tid_tree->t_acltype, cr); 1838 if (error != 0) { 1839 return (error); 1840 } 1841 1842 error = acl_translate(acl, _ACL_ACE_ENABLED, 1843 (snode->vp->v_type == VDIR), fs_sd->sd_uid, fs_sd->sd_gid); 1844 1845 if (error == 0) { 1846 smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl, 1847 fs_sd->sd_secinfo); 1848 } 1849 1850 acl_free(acl); 1851 return (error); 1852 } 1853 1854 /* 1855 * smb_fsop_aclwrite 1856 * 1857 * Stores the filesystem ACL provided in fs_sd->sd_acl. 1858 */ 1859 int 1860 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1861 smb_fssd_t *fs_sd) 1862 { 1863 int target_flavor; 1864 int error = 0; 1865 int flags = 0; 1866 int access = 0; 1867 acl_t *acl, *dacl, *sacl; 1868 smb_node_t *unnamed_node; 1869 1870 ASSERT(cr); 1871 1872 ASSERT(sr); 1873 ASSERT(sr->tid_tree); 1874 if (SMB_TREE_IS_READONLY(sr)) 1875 return (EROFS); 1876 1877 if (SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_ACL) == 0) 1878 return (EACCES); 1879 1880 if (sr->fid_ofile) { 1881 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 1882 access = WRITE_DAC; 1883 1884 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 1885 access |= ACCESS_SYSTEM_SECURITY; 1886 1887 error = smb_ofile_access(sr->fid_ofile, cr, access); 1888 if (error != NT_STATUS_SUCCESS) 1889 return (EACCES); 1890 } 1891 1892 switch (sr->tid_tree->t_acltype) { 1893 case ACLENT_T: 1894 target_flavor = _ACL_ACLENT_ENABLED; 1895 break; 1896 1897 case ACE_T: 1898 target_flavor = _ACL_ACE_ENABLED; 1899 break; 1900 default: 1901 return (EINVAL); 1902 } 1903 1904 unnamed_node = SMB_IS_STREAM(snode); 1905 if (unnamed_node) { 1906 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1907 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1908 /* 1909 * Streams don't have ACL, any write ACL attempt on a stream 1910 * should be performed on the unnamed stream. 1911 */ 1912 snode = unnamed_node; 1913 } 1914 1915 dacl = fs_sd->sd_zdacl; 1916 sacl = fs_sd->sd_zsacl; 1917 1918 ASSERT(dacl || sacl); 1919 if ((dacl == NULL) && (sacl == NULL)) 1920 return (EINVAL); 1921 1922 if (dacl && sacl) 1923 acl = smb_fsacl_merge(dacl, sacl); 1924 else if (dacl) 1925 acl = dacl; 1926 else 1927 acl = sacl; 1928 1929 error = acl_translate(acl, target_flavor, (snode->vp->v_type == VDIR), 1930 fs_sd->sd_uid, fs_sd->sd_gid); 1931 if (error == 0) { 1932 if (smb_tree_has_feature(sr->tid_tree, 1933 SMB_TREE_ACEMASKONACCESS)) 1934 flags = ATTR_NOACLCHECK; 1935 1936 error = smb_vop_acl_write(snode->vp, acl, flags, cr); 1937 } 1938 1939 if (dacl && sacl) 1940 acl_free(acl); 1941 1942 return (error); 1943 } 1944 1945 acl_type_t 1946 smb_fsop_acltype(smb_node_t *snode) 1947 { 1948 return (smb_vop_acl_type(snode->vp)); 1949 } 1950 1951 /* 1952 * smb_fsop_sdread 1953 * 1954 * Read the requested security descriptor items from filesystem. 1955 * The items are specified in fs_sd->sd_secinfo. 1956 */ 1957 int 1958 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1959 smb_fssd_t *fs_sd) 1960 { 1961 int error = 0; 1962 int getowner = 0; 1963 cred_t *ga_cred; 1964 smb_attr_t attr; 1965 1966 ASSERT(cr); 1967 ASSERT(fs_sd); 1968 1969 /* 1970 * File's uid/gid is fetched in two cases: 1971 * 1972 * 1. it's explicitly requested 1973 * 1974 * 2. target ACL is ACE_T (ZFS ACL). They're needed for 1975 * owner@/group@ entries. In this case kcred should be used 1976 * because uid/gid are fetched on behalf of smb server. 1977 */ 1978 if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) { 1979 getowner = 1; 1980 ga_cred = cr; 1981 } else if (sr->tid_tree->t_acltype == ACE_T) { 1982 getowner = 1; 1983 ga_cred = kcred; 1984 } 1985 1986 if (getowner) { 1987 /* 1988 * Windows require READ_CONTROL to read owner/group SID since 1989 * they're part of Security Descriptor. 1990 * ZFS only requires read_attribute. Need to have a explicit 1991 * access check here. 1992 */ 1993 if (sr->fid_ofile == NULL) { 1994 error = smb_fsop_access(sr, ga_cred, snode, 1995 READ_CONTROL); 1996 if (error) 1997 return (EACCES); 1998 } 1999 2000 attr.sa_mask = SMB_AT_UID | SMB_AT_GID; 2001 error = smb_fsop_getattr(sr, ga_cred, snode, &attr); 2002 if (error == 0) { 2003 fs_sd->sd_uid = attr.sa_vattr.va_uid; 2004 fs_sd->sd_gid = attr.sa_vattr.va_gid; 2005 } else { 2006 return (error); 2007 } 2008 } 2009 2010 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 2011 error = smb_fsop_aclread(sr, cr, snode, fs_sd); 2012 } 2013 2014 return (error); 2015 } 2016 2017 /* 2018 * smb_fsop_sdmerge 2019 * 2020 * From SMB point of view DACL and SACL are two separate list 2021 * which can be manipulated independently without one affecting 2022 * the other, but entries for both DACL and SACL will end up 2023 * in the same ACL if target filesystem supports ACE_T ACLs. 2024 * 2025 * So, if either DACL or SACL is present in the client set request 2026 * the entries corresponding to the non-present ACL shouldn't 2027 * be touched in the FS ACL. 2028 * 2029 * fs_sd parameter contains DACL and SACL specified by SMB 2030 * client to be set on a file/directory. The client could 2031 * specify both or one of these ACLs (if none is specified 2032 * we don't get this far). When both DACL and SACL are given 2033 * by client the existing ACL should be overwritten. If only 2034 * one of them is specified the entries corresponding to the other 2035 * ACL should not be touched. For example, if only DACL 2036 * is specified in input fs_sd, the function reads audit entries 2037 * of the existing ACL of the file and point fs_sd->sd_zsdacl 2038 * pointer to the fetched SACL, this way when smb_fsop_sdwrite() 2039 * function is called the passed fs_sd would point to the specified 2040 * DACL by client and fetched SACL from filesystem, so the file 2041 * will end up with correct ACL. 2042 */ 2043 static int 2044 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd) 2045 { 2046 smb_fssd_t cur_sd; 2047 int error = 0; 2048 2049 if (sr->tid_tree->t_acltype != ACE_T) 2050 /* Don't bother if target FS doesn't support ACE_T */ 2051 return (0); 2052 2053 if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) { 2054 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) { 2055 /* 2056 * Don't overwrite existing audit entries 2057 */ 2058 smb_fssd_init(&cur_sd, SMB_SACL_SECINFO, 2059 fs_sd->sd_flags); 2060 2061 error = smb_fsop_sdread(sr, kcred, snode, &cur_sd); 2062 if (error == 0) { 2063 ASSERT(fs_sd->sd_zsacl == NULL); 2064 fs_sd->sd_zsacl = cur_sd.sd_zsacl; 2065 if (fs_sd->sd_zsacl && fs_sd->sd_zdacl) 2066 fs_sd->sd_zsacl->acl_flags = 2067 fs_sd->sd_zdacl->acl_flags; 2068 } 2069 } else { 2070 /* 2071 * Don't overwrite existing access entries 2072 */ 2073 smb_fssd_init(&cur_sd, SMB_DACL_SECINFO, 2074 fs_sd->sd_flags); 2075 2076 error = smb_fsop_sdread(sr, kcred, snode, &cur_sd); 2077 if (error == 0) { 2078 ASSERT(fs_sd->sd_zdacl == NULL); 2079 fs_sd->sd_zdacl = cur_sd.sd_zdacl; 2080 if (fs_sd->sd_zdacl && fs_sd->sd_zsacl) 2081 fs_sd->sd_zdacl->acl_flags = 2082 fs_sd->sd_zsacl->acl_flags; 2083 } 2084 } 2085 2086 if (error) 2087 smb_fssd_term(&cur_sd); 2088 } 2089 2090 return (error); 2091 } 2092 2093 /* 2094 * smb_fsop_sdwrite 2095 * 2096 * Stores the given uid, gid and acl in filesystem. 2097 * Provided items in fs_sd are specified by fs_sd->sd_secinfo. 2098 * 2099 * A SMB security descriptor could contain owner, primary group, 2100 * DACL and SACL. Setting an SD should be atomic but here it has to 2101 * be done via two separate FS operations: VOP_SETATTR and 2102 * VOP_SETSECATTR. Therefore, this function has to simulate the 2103 * atomicity as well as it can. 2104 * 2105 * Get the current uid, gid before setting the new uid/gid 2106 * so if smb_fsop_aclwrite fails they can be restored. root cred is 2107 * used to get currend uid/gid since this operation is performed on 2108 * behalf of the server not the user. 2109 * 2110 * If setting uid/gid fails with EPERM it means that and invalid 2111 * owner has been specified. Callers should translate this to 2112 * STATUS_INVALID_OWNER which is not the normal mapping for EPERM 2113 * in upper layers, so EPERM is mapped to EBADE. 2114 */ 2115 int 2116 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2117 smb_fssd_t *fs_sd, int overwrite) 2118 { 2119 int error = 0; 2120 int access = 0; 2121 smb_attr_t set_attr; 2122 smb_attr_t orig_attr; 2123 2124 ASSERT(cr); 2125 ASSERT(fs_sd); 2126 2127 ASSERT(sr); 2128 ASSERT(sr->tid_tree); 2129 if (SMB_TREE_IS_READONLY(sr)) 2130 return (EROFS); 2131 2132 bzero(&set_attr, sizeof (smb_attr_t)); 2133 2134 if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) { 2135 set_attr.sa_vattr.va_uid = fs_sd->sd_uid; 2136 set_attr.sa_mask |= SMB_AT_UID; 2137 access |= WRITE_OWNER; 2138 } 2139 2140 if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) { 2141 set_attr.sa_vattr.va_gid = fs_sd->sd_gid; 2142 set_attr.sa_mask |= SMB_AT_GID; 2143 access |= WRITE_OWNER; 2144 } 2145 2146 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 2147 access |= WRITE_DAC; 2148 2149 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 2150 access |= ACCESS_SYSTEM_SECURITY; 2151 2152 if (sr->fid_ofile) 2153 error = smb_ofile_access(sr->fid_ofile, cr, access); 2154 else 2155 error = smb_fsop_access(sr, cr, snode, access); 2156 2157 if (error) 2158 return (EACCES); 2159 2160 if (set_attr.sa_mask) { 2161 orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID; 2162 error = smb_fsop_getattr(sr, kcred, snode, &orig_attr); 2163 if (error == 0) { 2164 error = smb_fsop_setattr(sr, cr, snode, &set_attr); 2165 if (error == EPERM) 2166 error = EBADE; 2167 } 2168 2169 if (error) 2170 return (error); 2171 } 2172 2173 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 2174 if (overwrite == 0) { 2175 error = smb_fsop_sdmerge(sr, snode, fs_sd); 2176 if (error) 2177 return (error); 2178 } 2179 2180 error = smb_fsop_aclwrite(sr, cr, snode, fs_sd); 2181 if (error) { 2182 /* 2183 * Revert uid/gid changes if required. 2184 */ 2185 if (set_attr.sa_mask) { 2186 orig_attr.sa_mask = set_attr.sa_mask; 2187 (void) smb_fsop_setattr(sr, kcred, snode, 2188 &orig_attr); 2189 } 2190 } 2191 } 2192 2193 return (error); 2194 } 2195 2196 /* 2197 * smb_fsop_sdinherit 2198 * 2199 * Inherit the security descriptor from the parent container. 2200 * This function is called after FS has created the file/folder 2201 * so if this doesn't do anything it means FS inheritance is 2202 * in place. 2203 * 2204 * Do inheritance for ZFS internally. 2205 * 2206 * If we want to let ZFS does the inheritance the 2207 * following setting should be true: 2208 * 2209 * - aclinherit = passthrough 2210 * - aclmode = passthrough 2211 * - smbd umask = 0777 2212 * 2213 * This will result in right effective permissions but 2214 * ZFS will always add 6 ACEs for owner, owning group 2215 * and others to be POSIX compliant. This is not what 2216 * Windows clients/users expect, so we decided that CIFS 2217 * implements Windows rules and overwrite whatever ZFS 2218 * comes up with. This way we also don't have to care 2219 * about ZFS aclinherit and aclmode settings. 2220 */ 2221 static int 2222 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd) 2223 { 2224 int is_dir; 2225 acl_t *dacl = NULL; 2226 acl_t *sacl = NULL; 2227 ksid_t *owner_sid; 2228 int error; 2229 2230 ASSERT(fs_sd); 2231 2232 if (sr->tid_tree->t_acltype != ACE_T) { 2233 /* 2234 * No forced inheritance for non-ZFS filesystems. 2235 */ 2236 fs_sd->sd_secinfo = 0; 2237 return (0); 2238 } 2239 2240 2241 /* Fetch parent directory's ACL */ 2242 error = smb_fsop_sdread(sr, kcred, dnode, fs_sd); 2243 if (error) { 2244 return (error); 2245 } 2246 2247 is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR); 2248 owner_sid = crgetsid(sr->user_cr, KSID_OWNER); 2249 ASSERT(owner_sid); 2250 dacl = smb_fsacl_inherit(fs_sd->sd_zdacl, is_dir, SMB_DACL_SECINFO, 2251 owner_sid->ks_id); 2252 sacl = smb_fsacl_inherit(fs_sd->sd_zsacl, is_dir, SMB_SACL_SECINFO, 2253 (uid_t)-1); 2254 2255 if (sacl == NULL) 2256 fs_sd->sd_secinfo &= ~SMB_SACL_SECINFO; 2257 2258 smb_fsacl_free(fs_sd->sd_zdacl); 2259 smb_fsacl_free(fs_sd->sd_zsacl); 2260 2261 fs_sd->sd_zdacl = dacl; 2262 fs_sd->sd_zsacl = sacl; 2263 2264 return (0); 2265 } 2266 2267 /* 2268 * smb_fsop_eaccess 2269 * 2270 * Returns the effective permission of the given credential for the 2271 * specified object. 2272 * 2273 * This is just a workaround. We need VFS/FS support for this. 2274 */ 2275 void 2276 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2277 uint32_t *eaccess) 2278 { 2279 int access = 0; 2280 vnode_t *dir_vp; 2281 smb_node_t *unnamed_node; 2282 2283 ASSERT(cr); 2284 ASSERT(snode); 2285 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 2286 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 2287 2288 unnamed_node = SMB_IS_STREAM(snode); 2289 if (unnamed_node) { 2290 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 2291 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 2292 /* 2293 * Streams authorization should be performed against the 2294 * unnamed stream. 2295 */ 2296 snode = unnamed_node; 2297 } 2298 2299 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) { 2300 dir_vp = (snode->n_dnode) ? snode->n_dnode->vp : NULL; 2301 smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp, 2302 cr); 2303 return; 2304 } 2305 2306 /* 2307 * FS doesn't understand 32-bit mask 2308 */ 2309 smb_vop_eaccess(snode->vp, &access, 0, NULL, cr); 2310 access &= sr->tid_tree->t_access; 2311 2312 *eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES; 2313 2314 if (access & VREAD) 2315 *eaccess |= FILE_READ_DATA; 2316 2317 if (access & VEXEC) 2318 *eaccess |= FILE_EXECUTE; 2319 2320 if (access & VWRITE) 2321 *eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | 2322 FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD; 2323 } 2324 2325 /* 2326 * smb_fsop_shrlock 2327 * 2328 * For the current open request, check file sharing rules 2329 * against existing opens. 2330 * 2331 * Returns NT_STATUS_SHARING_VIOLATION if there is any 2332 * sharing conflict. Returns NT_STATUS_SUCCESS otherwise. 2333 * 2334 * Full system-wide share reservation synchronization is available 2335 * when the nbmand (non-blocking mandatory) mount option is set 2336 * (i.e. nbl_need_crit() is true) and nbmand critical regions are used. 2337 * This provides synchronization with NFS and local processes. The 2338 * critical regions are entered in VOP_SHRLOCK()/fs_shrlock() (called 2339 * from smb_open_subr()/smb_fsop_shrlock()/smb_vop_shrlock()) as well 2340 * as the CIFS rename and delete paths. 2341 * 2342 * The CIFS server will also enter the nbl critical region in the open, 2343 * rename, and delete paths when nbmand is not set. There is limited 2344 * coordination with local and VFS share reservations in this case. 2345 * Note that when the nbmand mount option is not set, the VFS layer 2346 * only processes advisory reservations and the delete mode is not checked. 2347 * 2348 * Whether or not the nbmand mount option is set, intra-CIFS share 2349 * checking is done in the open, delete, and rename paths using a CIFS 2350 * critical region (node->n_share_lock). 2351 */ 2352 2353 uint32_t 2354 smb_fsop_shrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid, 2355 uint32_t desired_access, uint32_t share_access) 2356 { 2357 int rc; 2358 2359 if (smb_node_is_dir(node)) 2360 return (NT_STATUS_SUCCESS); 2361 2362 /* Allow access if the request is just for meta data */ 2363 if ((desired_access & FILE_DATA_ALL) == 0) 2364 return (NT_STATUS_SUCCESS); 2365 2366 rc = smb_node_open_check(node, cr, desired_access, share_access); 2367 if (rc) 2368 return (NT_STATUS_SHARING_VIOLATION); 2369 2370 rc = smb_vop_shrlock(node->vp, uniq_fid, desired_access, share_access, 2371 cr); 2372 if (rc) 2373 return (NT_STATUS_SHARING_VIOLATION); 2374 2375 return (NT_STATUS_SUCCESS); 2376 } 2377 2378 void 2379 smb_fsop_unshrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid) 2380 { 2381 if (smb_node_is_dir(node)) 2382 return; 2383 2384 (void) smb_vop_unshrlock(node->vp, uniq_fid, cr); 2385 } 2386 2387 int 2388 smb_fsop_frlock(smb_node_t *node, smb_lock_t *lock, boolean_t unlock, 2389 cred_t *cr) 2390 { 2391 flock64_t bf; 2392 int flag = F_REMOTELOCK; 2393 2394 /* 2395 * VOP_FRLOCK() will not be called if: 2396 * 2397 * 1) The lock has a range of zero bytes. The semantics of Windows and 2398 * POSIX are different. In the case of POSIX it asks for the locking 2399 * of all the bytes from the offset provided until the end of the 2400 * file. In the case of Windows a range of zero locks nothing and 2401 * doesn't conflict with any other lock. 2402 * 2403 * 2) The lock rolls over (start + lenght < start). Solaris will assert 2404 * if such a request is submitted. This will not create 2405 * incompatibilities between POSIX and Windows. In the Windows world, 2406 * if a client submits such a lock, the server will not lock any 2407 * bytes. Interestingly if the same lock (same offset and length) is 2408 * resubmitted Windows will consider that there is an overlap and 2409 * the granting rules will then apply. 2410 */ 2411 if ((lock->l_length == 0) || 2412 ((lock->l_start + lock->l_length - 1) < lock->l_start)) 2413 return (0); 2414 2415 bzero(&bf, sizeof (bf)); 2416 2417 if (unlock) { 2418 bf.l_type = F_UNLCK; 2419 } else if (lock->l_type == SMB_LOCK_TYPE_READONLY) { 2420 bf.l_type = F_RDLCK; 2421 flag |= FREAD; 2422 } else if (lock->l_type == SMB_LOCK_TYPE_READWRITE) { 2423 bf.l_type = F_WRLCK; 2424 flag |= FWRITE; 2425 } 2426 2427 bf.l_start = lock->l_start; 2428 bf.l_len = lock->l_length; 2429 bf.l_pid = lock->l_file->f_uniqid; 2430 bf.l_sysid = smb_ct.cc_sysid; 2431 2432 return (smb_vop_frlock(node->vp, cr, flag, &bf)); 2433 } 2434