xref: /titanic_44/usr/src/uts/common/fs/smbsrv/smb_fsops.c (revision c36fc3365c8ef629c99a28be2838084646c30c33)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/sid.h>
29 #include <smbsrv/smb_fsops.h>
30 #include <smbsrv/smb_kproto.h>
31 #include <smbsrv/smbvar.h>
32 #include <smbsrv/ntstatus.h>
33 #include <smbsrv/ntaccess.h>
34 #include <acl/acl_common.h>
35 
36 u_longlong_t smb_caller_id;
37 
38 static int smb_fsop_amask_to_omode(uint32_t granted_access);
39 static int smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode,
40     smb_fssd_t *fs_sd);
41 
42 /*
43  * The smb_fsop_* functions have knowledge of CIFS semantics.
44  *
45  * The smb_vop_* functions have minimal knowledge of CIFS semantics and
46  * serve as an interface to the VFS layer.
47  *
48  * Hence, smb_request_t and smb_node_t structures should not be passed
49  * from the smb_fsop_* layer to the smb_vop_* layer.
50  *
51  * In general, CIFS service code should only ever call smb_fsop_*
52  * functions directly, and never smb_vop_* functions directly.
53  *
54  * smb_fsop_* functions should call smb_vop_* functions where possible, instead
55  * of their smb_fsop_* counterparts.  However, there are times when
56  * this cannot be avoided.
57  */
58 
59 /*
60  * Note: Stream names cannot be mangled.
61  */
62 
63 int
64 smb_fsop_start()
65 {
66 	int error;
67 
68 	smb_caller_id = fs_new_caller_id();
69 	error = smb_node_root_init();
70 
71 	if (error == 0)
72 		error = smb_fem_init();
73 
74 	return (error);
75 }
76 
77 void
78 smb_fsop_stop()
79 {
80 	smb_fem_shutdown();
81 	smb_vfs_rele_all();
82 	smb_node_root_fini();
83 }
84 
85 int
86 smb_fsop_open(smb_ofile_t *of)
87 {
88 	caller_context_t ct;
89 	int mode;
90 
91 	mode = smb_fsop_amask_to_omode(of->f_granted_access);
92 
93 	smb_get_caller_context(NULL, &ct);
94 
95 	/*
96 	 * Assuming that same vnode is returned as we had before
97 	 * (i.e. no special vnodes)
98 	 */
99 
100 	return (smb_vop_open(&of->f_node->vp, mode, of->f_cr, &ct));
101 }
102 
103 int
104 smb_fsop_close(smb_ofile_t *of)
105 {
106 	caller_context_t ct;
107 	int mode;
108 
109 	mode = smb_fsop_amask_to_omode(of->f_granted_access);
110 
111 	smb_get_caller_context(NULL, &ct);
112 
113 	return (smb_vop_close(of->f_node->vp, mode, of->f_cr, &ct));
114 }
115 
116 static int
117 smb_fsop_amask_to_omode(uint32_t granted_access)
118 {
119 	int mode = 0;
120 
121 	if (granted_access & (ACE_READ_DATA | ACE_EXECUTE))
122 		mode |= FREAD;
123 
124 	if (granted_access & (ACE_WRITE_DATA | ACE_APPEND_DATA))
125 		mode |= FWRITE;
126 
127 	if (granted_access & ACE_APPEND_DATA)
128 		mode |= FAPPEND;
129 
130 	return (mode);
131 }
132 
133 static int
134 smb_fsop_create_with_sd(
135 	struct smb_request *sr,
136 	cred_t *cr,
137 	smb_node_t *snode,
138 	char *name,
139 	smb_attr_t *attr,
140 	smb_node_t **ret_snode,
141 	smb_attr_t *ret_attr,
142 	smb_fssd_t *fs_sd)
143 {
144 	caller_context_t ct;
145 	vsecattr_t *vsap;
146 	vsecattr_t vsecattr;
147 	acl_t *acl, *dacl, *sacl;
148 	smb_attr_t set_attr;
149 	vnode_t *vp;
150 	int aclbsize = 0;	/* size of acl list in bytes */
151 	int flags = 0;
152 	int is_dir;
153 	int rc;
154 	boolean_t no_xvattr = B_FALSE;
155 
156 	ASSERT(fs_sd);
157 
158 	if (SMB_TREE_CASE_INSENSITIVE(sr))
159 		flags = SMB_IGNORE_CASE;
160 
161 	ASSERT(cr);
162 	smb_get_caller_context(sr, &ct);
163 
164 	is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0);
165 
166 	if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACLONCREATE) {
167 		if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
168 			dacl = fs_sd->sd_zdacl;
169 			sacl = fs_sd->sd_zsacl;
170 			ASSERT(dacl || sacl);
171 			if (dacl && sacl) {
172 				acl = smb_fsacl_merge(dacl, sacl);
173 			} else if (dacl) {
174 				acl = dacl;
175 			} else {
176 				acl = sacl;
177 			}
178 
179 			rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize);
180 
181 			if (dacl && sacl)
182 				acl_free(acl);
183 
184 			if (rc)
185 				return (rc);
186 
187 			vsap = &vsecattr;
188 		}
189 		else
190 			vsap = NULL;
191 
192 		if (is_dir) {
193 			rc = smb_vop_mkdir(snode->vp, name, attr, &vp, flags,
194 			    cr, &ct, vsap);
195 		} else {
196 			rc = smb_vop_create(snode->vp, name, attr, &vp, flags,
197 			    cr, &ct, vsap);
198 		}
199 
200 		if (vsap != NULL)
201 			kmem_free(vsap->vsa_aclentp, aclbsize);
202 
203 		if (rc != 0)
204 			return (rc);
205 
206 		set_attr.sa_mask = 0;
207 
208 		/*
209 		 * Ideally we should be able to specify the owner and owning
210 		 * group at create time along with the ACL. Since we cannot
211 		 * do that right now, kcred is passed to smb_vop_setattr so it
212 		 * doesn't fail due to lack of permission.
213 		 */
214 		if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
215 			set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
216 			set_attr.sa_mask |= SMB_AT_UID;
217 		}
218 
219 		if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
220 			set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
221 			set_attr.sa_mask |= SMB_AT_GID;
222 		}
223 
224 		if (set_attr.sa_mask) {
225 			if (sr && sr->tid_tree)
226 				if (sr->tid_tree->t_flags & SMB_TREE_FLAG_UFS)
227 					no_xvattr = B_TRUE;
228 			rc = smb_vop_setattr(snode->vp, NULL, &set_attr,
229 			    0, kcred, no_xvattr, &ct);
230 		}
231 
232 	} else {
233 		/*
234 		 * For filesystems that don't support ACL-on-create, try
235 		 * to set the specified SD after create, which could actually
236 		 * fail because of conflicts between inherited security
237 		 * attributes upon creation and the specified SD.
238 		 *
239 		 * Passing kcred to smb_fsop_sdwrite() to overcome this issue.
240 		 */
241 
242 		if (is_dir) {
243 			rc = smb_vop_mkdir(snode->vp, name, attr, &vp, flags,
244 			    cr, &ct, NULL);
245 		} else {
246 			rc = smb_vop_create(snode->vp, name, attr, &vp, flags,
247 			    cr, &ct, NULL);
248 		}
249 
250 		if (rc != 0)
251 			return (rc);
252 
253 		if ((sr->tid_tree->t_flags & SMB_TREE_FLAG_NFS_MOUNTED) == 0)
254 			rc = smb_fsop_sdwrite(sr, kcred, snode, fs_sd, 1);
255 	}
256 
257 	if (rc == 0) {
258 		*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, name,
259 		    snode, NULL, ret_attr);
260 
261 		if (*ret_snode == NULL) {
262 			VN_RELE(vp);
263 			rc = ENOMEM;
264 		}
265 	}
266 
267 	if (rc != 0) {
268 		if (is_dir) {
269 			(void) smb_vop_rmdir(snode->vp, name, flags, cr, &ct);
270 		} else {
271 			(void) smb_vop_remove(snode->vp, name, flags, cr, &ct);
272 		}
273 	}
274 
275 	return (rc);
276 }
277 
278 
279 /*
280  * smb_fsop_create
281  *
282  * All SMB functions should use this wrapper to ensure that
283  * all the smb_vop_creates are performed with the appropriate credentials.
284  * Please document any direct calls to explain the reason
285  * for avoiding this wrapper.
286  *
287  * It is assumed that a reference exists on snode coming into this routine.
288  *
289  * *ret_snode is returned with a reference upon success.  No reference is
290  * taken if an error is returned.
291  */
292 
293 int
294 smb_fsop_create(
295     struct smb_request *sr,
296     cred_t *cr,
297     smb_node_t *dir_snode,
298     char *name,
299     smb_attr_t *attr,
300     smb_node_t **ret_snode,
301     smb_attr_t *ret_attr)
302 {
303 	struct open_param *op = &sr->arg.open;
304 	smb_node_t *fnode;
305 	smb_attr_t file_attr;
306 	caller_context_t ct;
307 	vnode_t *xattrdirvp;
308 	vnode_t *vp;
309 	char *longname = NULL;
310 	char *namep;
311 	char *fname;
312 	char *sname;
313 	int is_stream;
314 	int flags = 0;
315 	int rc = 0;
316 	smb_fssd_t fs_sd;
317 	uint32_t secinfo;
318 	uint32_t status;
319 
320 	ASSERT(cr);
321 	ASSERT(dir_snode);
322 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
323 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
324 
325 	ASSERT(ret_snode);
326 	*ret_snode = 0;
327 
328 	ASSERT(name);
329 	if (*name == 0)
330 		return (EINVAL);
331 
332 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
333 		return (EACCES);
334 
335 	ASSERT(sr);
336 	ASSERT(sr->tid_tree);
337 	if (SMB_TREE_IS_READ_ONLY(sr))
338 		return (EROFS);
339 
340 	if (SMB_TREE_CASE_INSENSITIVE(sr))
341 		flags = SMB_IGNORE_CASE;
342 
343 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
344 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
345 
346 	is_stream = smb_stream_parse_name(name, fname, sname);
347 
348 	if (is_stream)
349 		namep = fname;
350 	else
351 		namep = name;
352 
353 	if (smb_maybe_mangled_name(namep)) {
354 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
355 
356 		rc = smb_unmangle_name(sr, cr, dir_snode, namep, longname,
357 		    MAXNAMELEN, NULL, NULL, 1);
358 
359 		if ((is_stream == 0) && (rc == 0))
360 			rc = EEXIST;
361 
362 		if ((is_stream && rc) ||
363 		    ((is_stream == 0) && (rc != ENOENT))) {
364 			kmem_free(longname, MAXNAMELEN);
365 			kmem_free(fname, MAXNAMELEN);
366 			kmem_free(sname, MAXNAMELEN);
367 			return (rc);
368 		}
369 
370 		if (is_stream)
371 			namep = longname;
372 		else
373 			kmem_free(longname, MAXNAMELEN);
374 	}
375 
376 	if (is_stream) {
377 		/*
378 		 * Look up the unnamed stream.
379 		 *
380 		 * Mangle processing in smb_fsop_lookup() for the unnamed
381 		 * stream won't be needed (as it was done above), but
382 		 * it may be needed on any link target (which
383 		 * smb_fsop_lookup() will provide).
384 		 */
385 		rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
386 		    sr->tid_tree->t_snode, dir_snode, namep, &fnode, &file_attr,
387 		    0, 0);
388 
389 		if (longname) {
390 			kmem_free(longname, MAXNAMELEN);
391 			namep = NULL;
392 		}
393 
394 		if (rc != 0) {
395 			kmem_free(fname, MAXNAMELEN);
396 			kmem_free(sname, MAXNAMELEN);
397 			return (rc);
398 		}
399 
400 		smb_get_caller_context(sr, &ct);
401 
402 		rc = smb_vop_stream_create(fnode->vp, sname, attr, &vp,
403 		    &xattrdirvp, flags, cr, &ct);
404 
405 		if (rc != 0) {
406 			smb_node_release(fnode);
407 			kmem_free(fname, MAXNAMELEN);
408 			kmem_free(sname, MAXNAMELEN);
409 			return (rc);
410 		}
411 
412 		*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
413 		    vp, sname, ret_attr);
414 
415 		smb_node_release(fnode);
416 
417 		if (*ret_snode == NULL) {
418 			VN_RELE(xattrdirvp);
419 			VN_RELE(vp);
420 			kmem_free(fname, MAXNAMELEN);
421 			kmem_free(sname, MAXNAMELEN);
422 			return (ENOMEM);
423 		}
424 	} else {
425 		if (op->sd) {
426 			/*
427 			 * SD sent by client in Windows format. Needs to be
428 			 * converted to FS format. No inheritance.
429 			 */
430 			secinfo = smb_sd_get_secinfo(op->sd);
431 			smb_fssd_init(&fs_sd, secinfo, 0);
432 
433 			status = smb_sd_tofs(op->sd, &fs_sd);
434 			if (status == NT_STATUS_SUCCESS) {
435 				rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
436 				    name, attr, ret_snode, ret_attr, &fs_sd);
437 			}
438 			else
439 				rc = EINVAL;
440 			smb_fssd_term(&fs_sd);
441 		} else if (sr->tid_tree->t_acltype == ACE_T) {
442 			/*
443 			 * No incoming SD and filesystem is ZFS
444 			 * Server applies Windows inheritance rules,
445 			 * see smb_fsop_sdinherit() comments as to why.
446 			 */
447 			smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, 0);
448 			rc = smb_fsop_sdinherit(sr, dir_snode, &fs_sd);
449 			if (rc == 0) {
450 				rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
451 				    name, attr, ret_snode, ret_attr, &fs_sd);
452 			}
453 
454 			smb_fssd_term(&fs_sd);
455 		} else {
456 			/*
457 			 * No incoming SD and filesystem is not ZFS
458 			 * let the filesystem handles the inheritance.
459 			 */
460 			smb_get_caller_context(sr, &ct);
461 			rc = smb_vop_create(dir_snode->vp, name, attr, &vp,
462 			    flags, cr, &ct, NULL);
463 
464 			if (rc == 0) {
465 				*ret_snode = smb_node_lookup(sr, op, cr, vp,
466 				    name, dir_snode, NULL, ret_attr);
467 
468 				if (*ret_snode == NULL) {
469 					VN_RELE(vp);
470 					rc = ENOMEM;
471 				}
472 			}
473 
474 		}
475 	}
476 
477 	kmem_free(fname, MAXNAMELEN);
478 	kmem_free(sname, MAXNAMELEN);
479 	return (rc);
480 }
481 
482 /*
483  * smb_fsop_mkdir
484  *
485  * All SMB functions should use this wrapper to ensure that
486  * the the calls are performed with the appropriate credentials.
487  * Please document any direct call to explain the reason
488  * for avoiding this wrapper.
489  *
490  * It is assumed that a reference exists on snode coming into this routine.
491  *
492  * *ret_snode is returned with a reference upon success.  No reference is
493  * taken if an error is returned.
494  */
495 int
496 smb_fsop_mkdir(
497     struct smb_request *sr,
498     cred_t *cr,
499     smb_node_t *dir_snode,
500     char *name,
501     smb_attr_t *attr,
502     smb_node_t **ret_snode,
503     smb_attr_t *ret_attr)
504 {
505 	struct open_param *op = &sr->arg.open;
506 	caller_context_t ct;
507 	char *longname;
508 	vnode_t *vp;
509 	int flags = 0;
510 	smb_fssd_t fs_sd;
511 	uint32_t secinfo;
512 	uint32_t status;
513 	int rc;
514 
515 	ASSERT(cr);
516 	ASSERT(dir_snode);
517 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
518 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
519 
520 	ASSERT(ret_snode);
521 	*ret_snode = 0;
522 
523 	ASSERT(name);
524 	if (*name == 0)
525 		return (EINVAL);
526 
527 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
528 		return (EACCES);
529 
530 	ASSERT(sr);
531 	ASSERT(sr->tid_tree);
532 	if (SMB_TREE_IS_READ_ONLY(sr))
533 		return (EROFS);
534 
535 	if (smb_maybe_mangled_name(name)) {
536 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
537 		rc = smb_unmangle_name(sr, cr, dir_snode, name, longname,
538 		    MAXNAMELEN, NULL, NULL, 1);
539 
540 		kmem_free(longname, MAXNAMELEN);
541 
542 		/*
543 		 * If the name passed in by the client has an unmangled
544 		 * equivalent that is found in the specified directory,
545 		 * then the mkdir cannot succeed.  Return EEXIST.
546 		 *
547 		 * Only if ENOENT is returned will a mkdir be attempted.
548 		 */
549 
550 		if (rc == 0)
551 			rc = EEXIST;
552 
553 		if (rc != ENOENT)
554 			return (rc);
555 	}
556 
557 	if (SMB_TREE_CASE_INSENSITIVE(sr))
558 		flags = SMB_IGNORE_CASE;
559 
560 	smb_get_caller_context(sr, &ct);
561 
562 	if (op->sd) {
563 		/*
564 		 * SD sent by client in Windows format. Needs to be
565 		 * converted to FS format. No inheritance.
566 		 */
567 		secinfo = smb_sd_get_secinfo(op->sd);
568 		smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR);
569 
570 		status = smb_sd_tofs(op->sd, &fs_sd);
571 		if (status == NT_STATUS_SUCCESS) {
572 			rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
573 			    name, attr, ret_snode, ret_attr, &fs_sd);
574 		}
575 		else
576 			rc = EINVAL;
577 		smb_fssd_term(&fs_sd);
578 	} else if (sr->tid_tree->t_acltype == ACE_T) {
579 		/*
580 		 * No incoming SD and filesystem is ZFS
581 		 * Server applies Windows inheritance rules,
582 		 * see smb_fsop_sdinherit() comments as to why.
583 		 */
584 		smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, SMB_FSSD_FLAGS_DIR);
585 		rc = smb_fsop_sdinherit(sr, dir_snode, &fs_sd);
586 		if (rc == 0) {
587 			rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
588 			    name, attr, ret_snode, ret_attr, &fs_sd);
589 		}
590 
591 		smb_fssd_term(&fs_sd);
592 
593 	} else {
594 		rc = smb_vop_mkdir(dir_snode->vp, name, attr, &vp, flags, cr,
595 		    &ct, NULL);
596 
597 		if (rc == 0) {
598 			*ret_snode = smb_node_lookup(sr, op, cr, vp, name,
599 			    dir_snode, NULL, ret_attr);
600 
601 			if (*ret_snode == NULL) {
602 				VN_RELE(vp);
603 				rc = ENOMEM;
604 			}
605 		}
606 	}
607 
608 	return (rc);
609 }
610 
611 /*
612  * smb_fsop_remove
613  *
614  * All SMB functions should use this wrapper to ensure that
615  * the the calls are performed with the appropriate credentials.
616  * Please document any direct call to explain the reason
617  * for avoiding this wrapper.
618  *
619  * It is assumed that a reference exists on snode coming into this routine.
620  *
621  * od: This means that the name passed in is an on-disk name.
622  * A null smb_request might be passed to this function.
623  */
624 
625 int
626 smb_fsop_remove(
627     struct smb_request *sr,
628     cred_t *cr,
629     smb_node_t *dir_snode,
630     char *name,
631     int od)
632 {
633 	smb_node_t *fnode;
634 	smb_attr_t file_attr;
635 	caller_context_t ct;
636 	char *longname;
637 	char *fname;
638 	char *sname;
639 	int flags = 0;
640 	int rc;
641 
642 	ASSERT(cr);
643 	/*
644 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
645 	 * function is called during the deletion of the node (because of
646 	 * DELETE_ON_CLOSE).
647 	 */
648 	ASSERT(dir_snode);
649 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
650 
651 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
652 		return (EACCES);
653 
654 	if (SMB_TREE_IS_READ_ONLY(sr))
655 		return (EROFS);
656 
657 	smb_get_caller_context(sr, &ct);
658 
659 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
660 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
661 
662 	if (smb_stream_parse_name(name, fname, sname)) {
663 
664 		ASSERT(od == 0);
665 
666 		if (SMB_TREE_CASE_INSENSITIVE(sr))
667 			flags = SMB_IGNORE_CASE;
668 
669 		/*
670 		 * Look up the unnamed stream (i.e. fname).
671 		 * Unmangle processing will be done on fname
672 		 * as well as any link target.
673 		 */
674 
675 		rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
676 		    sr->tid_tree->t_snode, dir_snode, fname, &fnode, &file_attr,
677 		    0, 0);
678 
679 		if (rc != 0) {
680 			kmem_free(fname, MAXNAMELEN);
681 			kmem_free(sname, MAXNAMELEN);
682 			return (rc);
683 		}
684 
685 		/*
686 		 * XXX
687 		 * Need to find out what permission is required by NTFS
688 		 * to remove a stream.
689 		 */
690 		rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr, &ct);
691 
692 		smb_node_release(fnode);
693 	} else {
694 		/*
695 		 * If the passed-in name is an on-disk name,
696 		 * then we need to do a case-sensitive remove.
697 		 * This is important if the on-disk name
698 		 * corresponds to a mangled name passed in by
699 		 * the client.  We want to make sure to remove
700 		 * the exact file specified by the client,
701 		 * instead of letting the underlying file system
702 		 * do a remove on the "first match."
703 		 */
704 
705 		if ((od == 0) && SMB_TREE_CASE_INSENSITIVE(sr))
706 			flags = SMB_IGNORE_CASE;
707 
708 		rc = smb_vop_remove(dir_snode->vp, name, flags, cr, &ct);
709 
710 		if (rc == ENOENT) {
711 			if (smb_maybe_mangled_name(name) == 0) {
712 				kmem_free(fname, MAXNAMELEN);
713 				kmem_free(sname, MAXNAMELEN);
714 				return (rc);
715 			}
716 			longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
717 
718 			rc = smb_unmangle_name(sr, cr, dir_snode, name,
719 			    longname, MAXNAMELEN, NULL, NULL, 1);
720 
721 			if (rc == 0) {
722 				/*
723 				 * We passed "1" as the "od" parameter
724 				 * to smb_unmangle_name(), such that longname
725 				 * is the real (case-sensitive) on-disk name.
726 				 * We make sure we do a remove on this exact
727 				 * name, as the name was mangled and denotes
728 				 * a unique file.
729 				 */
730 				flags &= ~SMB_IGNORE_CASE;
731 				rc = smb_vop_remove(dir_snode->vp, longname,
732 				    flags, cr, &ct);
733 			}
734 
735 			kmem_free(longname, MAXNAMELEN);
736 		}
737 	}
738 
739 	kmem_free(fname, MAXNAMELEN);
740 	kmem_free(sname, MAXNAMELEN);
741 	return (rc);
742 }
743 
744 /*
745  * smb_fsop_remove_streams
746  *
747  * This function removes a file's streams without removing the
748  * file itself.
749  *
750  * It is assumed that snode is not a link.
751  */
752 int
753 smb_fsop_remove_streams(struct smb_request *sr, cred_t *cr,
754     smb_node_t *fnode)
755 {
756 	struct fs_stream_info stream_info;
757 	caller_context_t ct;
758 	uint32_t cookie = 0;
759 	int flags = 0;
760 	int rc;
761 
762 	ASSERT(cr);
763 	ASSERT(fnode);
764 	ASSERT(fnode->n_magic == SMB_NODE_MAGIC);
765 	ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING);
766 
767 	if (SMB_TREE_ROOT_FS(sr, fnode) == 0)
768 		return (EACCES);
769 
770 	if (SMB_TREE_IS_READ_ONLY(sr))
771 		return (EROFS);
772 
773 	if (SMB_TREE_CASE_INSENSITIVE(sr))
774 		flags = SMB_IGNORE_CASE;
775 
776 	smb_get_caller_context(sr, &ct);
777 
778 	for (;;) {
779 		rc = smb_vop_stream_readdir(fnode->vp, &cookie, &stream_info,
780 		    NULL, NULL, flags, cr, &ct);
781 
782 		if ((rc != 0) || (cookie == SMB_EOF))
783 			break;
784 
785 		(void) smb_vop_stream_remove(fnode->vp, stream_info.name, flags,
786 		    cr, &ct);
787 	}
788 	return (rc);
789 }
790 
791 /*
792  * smb_fsop_rmdir
793  *
794  * All SMB functions should use this wrapper to ensure that
795  * the the calls are performed with the appropriate credentials.
796  * Please document any direct call to explain the reason
797  * for avoiding this wrapper.
798  *
799  * It is assumed that a reference exists on snode coming into this routine.
800  *
801  * od: This means that the name passed in is an on-disk name.
802  */
803 
804 int
805 smb_fsop_rmdir(
806     struct smb_request *sr,
807     cred_t *cr,
808     smb_node_t *dir_snode,
809     char *name,
810     int od)
811 {
812 	caller_context_t ct;
813 	int rc;
814 	int flags = 0;
815 	char *longname;
816 
817 	ASSERT(cr);
818 	/*
819 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
820 	 * function is called during the deletion of the node (because of
821 	 * DELETE_ON_CLOSE).
822 	 */
823 	ASSERT(dir_snode);
824 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
825 
826 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
827 		return (EACCES);
828 
829 	if (SMB_TREE_IS_READ_ONLY(sr))
830 		return (EROFS);
831 
832 	/*
833 	 * If the passed-in name is an on-disk name,
834 	 * then we need to do a case-sensitive rmdir.
835 	 * This is important if the on-disk name
836 	 * corresponds to a mangled name passed in by
837 	 * the client.  We want to make sure to remove
838 	 * the exact directory specified by the client,
839 	 * instead of letting the underlying file system
840 	 * do a rmdir on the "first match."
841 	 */
842 
843 	if ((od == 0) && SMB_TREE_CASE_INSENSITIVE(sr))
844 		flags = SMB_IGNORE_CASE;
845 
846 	smb_get_caller_context(sr, &ct);
847 
848 	rc = smb_vop_rmdir(dir_snode->vp, name, flags, cr, &ct);
849 
850 	if (rc == ENOENT) {
851 		if (smb_maybe_mangled_name(name) == 0)
852 			return (rc);
853 
854 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
855 
856 		rc = smb_unmangle_name(sr, cr, dir_snode,
857 		    name, longname, MAXNAMELEN, NULL,
858 		    NULL, 1);
859 
860 		if (rc == 0) {
861 			/*
862 			 * We passed "1" as the "od" parameter
863 			 * to smb_unmangle_name(), such that longname
864 			 * is the real (case-sensitive) on-disk name.
865 			 * We make sure we do a rmdir on this exact
866 			 * name, as the name was mangled and denotes
867 			 * a unique directory.
868 			 */
869 			flags &= ~SMB_IGNORE_CASE;
870 			rc = smb_vop_rmdir(dir_snode->vp, longname, flags, cr,
871 			    &ct);
872 		}
873 
874 		kmem_free(longname, MAXNAMELEN);
875 	}
876 
877 	return (rc);
878 }
879 
880 /*
881  * smb_fsop_getattr
882  *
883  * All SMB functions should use this wrapper to ensure that
884  * the the calls are performed with the appropriate credentials.
885  * Please document any direct call to explain the reason
886  * for avoiding this wrapper.
887  *
888  * It is assumed that a reference exists on snode coming into this routine.
889  */
890 int
891 smb_fsop_getattr(struct smb_request *sr, cred_t *cr, smb_node_t *snode,
892     smb_attr_t *attr)
893 {
894 	smb_node_t *unnamed_node;
895 	vnode_t *unnamed_vp = NULL;
896 	caller_context_t ct;
897 	uint32_t status;
898 	uint32_t access = 0;
899 	int flags = 0;
900 
901 	ASSERT(cr);
902 	ASSERT(snode);
903 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
904 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
905 
906 	if (SMB_TREE_ROOT_FS(sr, snode) == 0)
907 		return (EACCES);
908 
909 	if (sr->fid_ofile) {
910 		/* if uid and/or gid is requested */
911 		if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID))
912 			access |= READ_CONTROL;
913 
914 		/* if anything else is also requested */
915 		if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID))
916 			access |= FILE_READ_ATTRIBUTES;
917 
918 		status = smb_ofile_access(sr->fid_ofile, cr, access);
919 		if (status != NT_STATUS_SUCCESS)
920 			return (EACCES);
921 
922 		if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS)
923 			flags = ATTR_NOACLCHECK;
924 	}
925 
926 	smb_get_caller_context(sr, &ct);
927 
928 	unnamed_node = SMB_IS_STREAM(snode);
929 
930 	if (unnamed_node) {
931 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
932 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
933 		unnamed_vp = unnamed_node->vp;
934 	}
935 
936 	return (smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr, &ct));
937 }
938 
939 /*
940  * smb_fsop_readdir
941  *
942  * All SMB functions should use this smb_fsop_readdir wrapper to ensure that
943  * the smb_vop_readdir is performed with the appropriate credentials.
944  * Please document any direct call to smb_vop_readdir to explain the reason
945  * for avoiding this wrapper.
946  *
947  * It is assumed that a reference exists on snode coming into this routine.
948  */
949 int
950 smb_fsop_readdir(
951     struct smb_request *sr,
952     cred_t *cr,
953     smb_node_t *dir_snode,
954     uint32_t *cookie,
955     char *name,
956     int *namelen,
957     ino64_t *fileid,
958     struct fs_stream_info *stream_info,
959     smb_node_t **ret_snode,
960     smb_attr_t *ret_attr)
961 {
962 	caller_context_t ct;
963 	smb_node_t *ret_snodep;
964 	smb_node_t *fnode;
965 	smb_attr_t tmp_attr;
966 	vnode_t *xattrdirvp;
967 	vnode_t *fvp;
968 	vnode_t *vp = NULL;
969 	char *od_name;
970 	int rc;
971 	int flags = 0;
972 
973 	ASSERT(cr);
974 	ASSERT(dir_snode);
975 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
976 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
977 
978 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
979 		return (EACCES);
980 
981 	if (*cookie == SMB_EOF) {
982 		*namelen = 0;
983 		return (0);
984 	}
985 
986 	if (SMB_TREE_CASE_INSENSITIVE(sr))
987 		flags = SMB_IGNORE_CASE;
988 
989 	smb_get_caller_context(sr, &ct);
990 
991 	od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
992 
993 	if (stream_info) {
994 		rc = smb_vop_lookup(dir_snode->vp, name, &fvp, od_name,
995 		    SMB_FOLLOW_LINKS, sr->tid_tree->t_snode->vp, cr, &ct);
996 
997 		if (rc != 0) {
998 			kmem_free(od_name, MAXNAMELEN);
999 			return (rc);
1000 		}
1001 
1002 		fnode = smb_node_lookup(sr, NULL, cr, fvp, od_name, dir_snode,
1003 		    NULL, ret_attr);
1004 
1005 		kmem_free(od_name, MAXNAMELEN);
1006 
1007 		if (fnode == NULL) {
1008 			VN_RELE(fvp);
1009 			return (ENOMEM);
1010 		}
1011 
1012 		/*
1013 		 * XXX
1014 		 * Need to find out what permission(s) NTFS requires for getting
1015 		 * a file's streams list.
1016 		 *
1017 		 * Might have to use kcred.
1018 		 */
1019 		rc = smb_vop_stream_readdir(fvp, cookie, stream_info, &vp,
1020 		    &xattrdirvp, flags, cr, &ct);
1021 
1022 		if ((rc != 0) || (*cookie == SMB_EOF)) {
1023 			smb_node_release(fnode);
1024 			return (rc);
1025 		}
1026 
1027 		ret_snodep = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
1028 		    vp, stream_info->name, &tmp_attr);
1029 
1030 		smb_node_release(fnode);
1031 
1032 		if (ret_snodep == NULL) {
1033 			VN_RELE(xattrdirvp);
1034 			VN_RELE(vp);
1035 			return (ENOMEM);
1036 		}
1037 
1038 		stream_info->size = tmp_attr.sa_vattr.va_size;
1039 
1040 		if (ret_attr)
1041 			*ret_attr = tmp_attr;
1042 
1043 		if (ret_snode)
1044 			*ret_snode = ret_snodep;
1045 		else
1046 			smb_node_release(ret_snodep);
1047 
1048 	} else {
1049 		rc = smb_vop_readdir(dir_snode->vp, cookie, name, namelen,
1050 		    fileid, &vp, od_name, flags, cr, &ct);
1051 
1052 		if (rc != 0) {
1053 			kmem_free(od_name, MAXNAMELEN);
1054 			return (rc);
1055 		}
1056 
1057 		if (*namelen) {
1058 			ASSERT(vp);
1059 			if (ret_attr || ret_snode) {
1060 				ret_snodep = smb_node_lookup(sr, NULL, cr, vp,
1061 				    od_name, dir_snode, NULL, &tmp_attr);
1062 
1063 				if (ret_snodep == NULL) {
1064 					kmem_free(od_name, MAXNAMELEN);
1065 					VN_RELE(vp);
1066 					return (ENOMEM);
1067 				}
1068 
1069 				if (ret_attr)
1070 					*ret_attr = tmp_attr;
1071 
1072 				if (ret_snode)
1073 					*ret_snode = ret_snodep;
1074 				else
1075 					smb_node_release(ret_snodep);
1076 			}
1077 		}
1078 
1079 		kmem_free(od_name, MAXNAMELEN);
1080 	}
1081 
1082 	return (rc);
1083 }
1084 
1085 /*
1086  * smb_fsop_getdents
1087  *
1088  * All SMB functions should use this smb_vop_getdents wrapper to ensure that
1089  * the smb_vop_getdents is performed with the appropriate credentials.
1090  * Please document any direct call to smb_vop_getdents to explain the reason
1091  * for avoiding this wrapper.
1092  *
1093  * It is assumed that a reference exists on snode coming into this routine.
1094  */
1095 /*ARGSUSED*/
1096 int
1097 smb_fsop_getdents(
1098     struct smb_request *sr,
1099     cred_t *cr,
1100     smb_node_t *dir_snode,
1101     uint32_t *cookie,
1102     uint64_t *verifierp,
1103     int32_t	*maxcnt,
1104     char *args,
1105     char *pattern)
1106 {
1107 	caller_context_t ct;
1108 	int flags = 0;
1109 
1110 	ASSERT(cr);
1111 	ASSERT(dir_snode);
1112 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
1113 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1114 
1115 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
1116 		return (EACCES);
1117 
1118 	if (SMB_TREE_CASE_INSENSITIVE(sr))
1119 		flags = SMB_IGNORE_CASE;
1120 
1121 	smb_get_caller_context(sr, &ct);
1122 
1123 	return (smb_vop_getdents(dir_snode, cookie, 0, maxcnt, args, pattern,
1124 	    flags, sr, cr, &ct));
1125 }
1126 
1127 /*
1128  * smb_fsop_rename
1129  *
1130  * All SMB functions should use this smb_vop_rename wrapper to ensure that
1131  * the smb_vop_rename is performed with the appropriate credentials.
1132  * Please document any direct call to smb_vop_rename to explain the reason
1133  * for avoiding this wrapper.
1134  *
1135  * It is assumed that references exist on from_dir_snode and to_dir_snode coming
1136  * into this routine.
1137  */
1138 int
1139 smb_fsop_rename(
1140     struct smb_request *sr,
1141     cred_t *cr,
1142     smb_node_t *from_dir_snode,
1143     char *from_name,
1144     smb_node_t *to_dir_snode,
1145     char *to_name)
1146 {
1147 	smb_node_t *from_snode;
1148 	caller_context_t ct;
1149 	smb_attr_t tmp_attr;
1150 	vnode_t *from_vp;
1151 	int flags = 0;
1152 	int rc;
1153 
1154 	ASSERT(cr);
1155 	ASSERT(from_dir_snode);
1156 	ASSERT(from_dir_snode->n_magic == SMB_NODE_MAGIC);
1157 	ASSERT(from_dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1158 
1159 	ASSERT(to_dir_snode);
1160 	ASSERT(to_dir_snode->n_magic == SMB_NODE_MAGIC);
1161 	ASSERT(to_dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1162 
1163 	if (SMB_TREE_ROOT_FS(sr, from_dir_snode) == 0)
1164 		return (EACCES);
1165 
1166 	if (SMB_TREE_ROOT_FS(sr, to_dir_snode) == 0)
1167 		return (EACCES);
1168 
1169 	ASSERT(sr);
1170 	ASSERT(sr->tid_tree);
1171 	if (SMB_TREE_IS_READ_ONLY(sr))
1172 		return (EROFS);
1173 
1174 	/*
1175 	 * Note: There is no need to check SMB_TREE_CASE_INSENSITIVE(sr)
1176 	 * here.
1177 	 *
1178 	 * A case-sensitive rename is always done in this routine
1179 	 * because we are using the on-disk name from an earlier lookup.
1180 	 * If a mangled name was passed in by the caller (denoting a
1181 	 * deterministic lookup), then the exact file must be renamed
1182 	 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or
1183 	 * else the underlying file system might return a "first-match"
1184 	 * on this on-disk name, possibly resulting in the wrong file).
1185 	 */
1186 
1187 	/*
1188 	 * XXX: Lock required through smb_node_release() below?
1189 	 */
1190 
1191 	smb_get_caller_context(sr, &ct);
1192 
1193 	rc = smb_vop_lookup(from_dir_snode->vp, from_name, &from_vp, NULL, 0,
1194 	    NULL, cr, &ct);
1195 
1196 	if (rc != 0)
1197 		return (rc);
1198 
1199 	rc = smb_vop_rename(from_dir_snode->vp, from_name, to_dir_snode->vp,
1200 	    to_name, flags, cr, &ct);
1201 
1202 	if (rc == 0) {
1203 		from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name,
1204 		    from_dir_snode, NULL, &tmp_attr);
1205 
1206 		if (from_snode == NULL) {
1207 			VN_RELE(from_vp);
1208 			return (ENOMEM);
1209 		}
1210 
1211 		(void) smb_node_rename(from_dir_snode, from_snode, to_dir_snode,
1212 		    to_name);
1213 
1214 		smb_node_release(from_snode);
1215 	} else {
1216 		VN_RELE(from_vp);
1217 	}
1218 
1219 	/* XXX: unlock */
1220 
1221 	return (rc);
1222 }
1223 
1224 /*
1225  * smb_fsop_setattr
1226  *
1227  * All SMB functions should use this wrapper to ensure that
1228  * the the calls are performed with the appropriate credentials.
1229  * Please document any direct call to explain the reason
1230  * for avoiding this wrapper.
1231  *
1232  * It is assumed that a reference exists on snode coming into this routine.
1233  * A null smb_request might be passed to this function.
1234  */
1235 int
1236 smb_fsop_setattr(
1237     smb_request_t *sr,
1238     cred_t *cr,
1239     smb_node_t *snode,
1240     smb_attr_t *set_attr,
1241     smb_attr_t *ret_attr)
1242 {
1243 	smb_node_t *unnamed_node;
1244 	vnode_t *unnamed_vp = NULL;
1245 	caller_context_t ct;
1246 	uint32_t status;
1247 	uint32_t access = 0;
1248 	int rc = 0;
1249 	int flags = 0;
1250 	boolean_t no_xvattr = B_FALSE;
1251 
1252 	ASSERT(cr);
1253 	ASSERT(snode);
1254 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1255 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1256 
1257 	if (SMB_TREE_ROOT_FS(sr, snode) == 0)
1258 		return (EACCES);
1259 
1260 	if (SMB_TREE_IS_READ_ONLY(sr))
1261 		return (EROFS);
1262 
1263 	/* sr could be NULL in some cases */
1264 	if (sr && sr->fid_ofile) {
1265 		/* if uid and/or gid is requested */
1266 		if (set_attr->sa_mask & (SMB_AT_UID|SMB_AT_GID))
1267 			access |= WRITE_OWNER;
1268 
1269 		/* if anything else is also requested */
1270 		if (set_attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID))
1271 			access |= FILE_WRITE_ATTRIBUTES;
1272 
1273 		status = smb_ofile_access(sr->fid_ofile, cr, access);
1274 		if (status != NT_STATUS_SUCCESS)
1275 			return (EACCES);
1276 
1277 		if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS)
1278 			flags = ATTR_NOACLCHECK;
1279 	}
1280 
1281 	smb_get_caller_context(sr, &ct);
1282 
1283 	unnamed_node = SMB_IS_STREAM(snode);
1284 
1285 	if (unnamed_node) {
1286 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1287 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1288 		unnamed_vp = unnamed_node->vp;
1289 	}
1290 	if (sr && sr->tid_tree)
1291 		if (sr->tid_tree->t_flags & SMB_TREE_FLAG_UFS)
1292 			no_xvattr = B_TRUE;
1293 
1294 	rc = smb_vop_setattr(snode->vp, unnamed_vp,
1295 	    set_attr, flags, cr, no_xvattr, &ct);
1296 
1297 	if ((rc == 0) && ret_attr) {
1298 		/*
1299 		 * This is an operation on behalf of CIFS service (to update
1300 		 * smb node's attr) not on behalf of the user so it's done
1301 		 * using kcred and the return value is intentionally ignored.
1302 		 */
1303 		ret_attr->sa_mask = SMB_AT_ALL;
1304 		(void) smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0,
1305 		    kcred, &ct);
1306 	}
1307 
1308 	return (rc);
1309 }
1310 
1311 /*
1312  * smb_fsop_read
1313  *
1314  * All SMB functions should use this wrapper to ensure that
1315  * the the calls are performed with the appropriate credentials.
1316  * Please document any direct call to explain the reason
1317  * for avoiding this wrapper.
1318  *
1319  * It is assumed that a reference exists on snode coming into this routine.
1320  */
1321 int
1322 smb_fsop_read(
1323     struct smb_request *sr,
1324     cred_t *cr,
1325     smb_node_t *snode,
1326     uio_t *uio,
1327     smb_attr_t *ret_attr)
1328 {
1329 	smb_node_t *unnamed_node;
1330 	vnode_t *unnamed_vp = NULL;
1331 	caller_context_t ct;
1332 	int rc;
1333 
1334 	ASSERT(cr);
1335 	ASSERT(snode);
1336 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1337 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1338 
1339 	ASSERT(sr);
1340 	ASSERT(sr->fid_ofile);
1341 
1342 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_READ_DATA);
1343 	if (rc != NT_STATUS_SUCCESS) {
1344 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_EXECUTE);
1345 		if (rc != NT_STATUS_SUCCESS)
1346 			return (EACCES);
1347 	}
1348 
1349 	unnamed_node = SMB_IS_STREAM(snode);
1350 	if (unnamed_node) {
1351 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1352 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1353 		unnamed_vp = unnamed_node->vp;
1354 		/*
1355 		 * Streams permission are checked against the unnamed stream,
1356 		 * but in FS level they have their own permissions. To avoid
1357 		 * rejection by FS due to lack of permission on the actual
1358 		 * extended attr kcred is passed for streams.
1359 		 */
1360 		cr = kcred;
1361 	}
1362 
1363 	smb_get_caller_context(sr, &ct);
1364 	rc = smb_vop_read(snode->vp, uio, cr, &ct);
1365 
1366 	if (rc == 0) {
1367 		/*
1368 		 * This is an operation on behalf of CIFS service (to update
1369 		 * smb node's attr) not on behalf of the user so it's done
1370 		 * using kcred and the return value is intentionally ignored.
1371 		 */
1372 		ret_attr->sa_mask = SMB_AT_ALL;
1373 		(void) smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0,
1374 		    kcred, &ct);
1375 	}
1376 
1377 	return (rc);
1378 }
1379 
1380 /*
1381  * smb_fsop_write
1382  *
1383  * This is a wrapper function used for smb_write and smb_write_raw operations.
1384  *
1385  * It is assumed that a reference exists on snode coming into this routine.
1386  */
1387 int
1388 smb_fsop_write(
1389     struct smb_request *sr,
1390     cred_t *cr,
1391     smb_node_t *snode,
1392     uio_t *uio,
1393     uint32_t *lcount,
1394     smb_attr_t *ret_attr,
1395     uint32_t *flag)
1396 {
1397 	smb_node_t *unnamed_node;
1398 	vnode_t *unnamed_vp = NULL;
1399 	caller_context_t ct;
1400 	int rc;
1401 
1402 	ASSERT(cr);
1403 	ASSERT(snode);
1404 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1405 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1406 
1407 	ASSERT(sr);
1408 	ASSERT(sr->tid_tree);
1409 	ASSERT(sr->fid_ofile);
1410 
1411 	if (SMB_TREE_IS_READ_ONLY(sr))
1412 		return (EROFS);
1413 	/*
1414 	 * XXX what if the file has been opened only with
1415 	 * FILE_APPEND_DATA?
1416 	 */
1417 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_WRITE_DATA);
1418 	if (rc != NT_STATUS_SUCCESS)
1419 		return (EACCES);
1420 
1421 	smb_get_caller_context(sr, &ct);
1422 
1423 	unnamed_node = SMB_IS_STREAM(snode);
1424 
1425 	if (unnamed_node) {
1426 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1427 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1428 		unnamed_vp = unnamed_node->vp;
1429 		/*
1430 		 * Streams permission are checked against the unnamed stream,
1431 		 * but in FS level they have their own permissions. To avoid
1432 		 * rejection by FS due to lack of permission on the actual
1433 		 * extended attr kcred is passed for streams.
1434 		 */
1435 		cr = kcred;
1436 	}
1437 
1438 	rc = smb_vop_write(snode->vp, uio, flag, lcount, cr, &ct);
1439 
1440 	if (rc == 0) {
1441 		/*
1442 		 * This is an operation on behalf of CIFS service (to update
1443 		 * smb node's attr) not on behalf of the user so it's done
1444 		 * using kcred and the return value is intentionally ignored.
1445 		 */
1446 		ret_attr->sa_mask = SMB_AT_ALL;
1447 		(void) smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0,
1448 		    kcred, &ct);
1449 	}
1450 
1451 	return (rc);
1452 }
1453 
1454 /*
1455  * smb_fsop_statfs
1456  *
1457  * This is a wrapper function used for stat operations.
1458  */
1459 int
1460 smb_fsop_statfs(
1461     cred_t *cr,
1462     smb_node_t *snode,
1463     struct statvfs64 *statp)
1464 {
1465 	ASSERT(cr);
1466 	ASSERT(snode);
1467 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1468 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1469 
1470 	return (smb_vop_statfs(snode->vp, statp, cr));
1471 }
1472 
1473 /*
1474  * smb_fsop_access
1475  */
1476 int
1477 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1478     uint32_t faccess)
1479 {
1480 	int access = 0;
1481 	int error;
1482 	vnode_t *dir_vp;
1483 	boolean_t acl_check = B_TRUE;
1484 	smb_node_t *unnamed_node;
1485 
1486 	ASSERT(cr);
1487 	ASSERT(snode);
1488 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1489 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1490 
1491 	if (faccess == 0)
1492 		return (NT_STATUS_SUCCESS);
1493 
1494 	if (SMB_TREE_IS_READ_ONLY(sr)) {
1495 		if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA|
1496 		    FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES|
1497 		    DELETE|WRITE_DAC|WRITE_OWNER)) {
1498 			return (NT_STATUS_ACCESS_DENIED);
1499 		}
1500 	}
1501 
1502 	unnamed_node = SMB_IS_STREAM(snode);
1503 	if (unnamed_node) {
1504 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1505 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1506 		/*
1507 		 * Streams authorization should be performed against the
1508 		 * unnamed stream.
1509 		 */
1510 		snode = unnamed_node;
1511 	}
1512 
1513 	if (faccess & ACCESS_SYSTEM_SECURITY) {
1514 		/*
1515 		 * This permission is required for reading/writing SACL and
1516 		 * it's not part of DACL. It's only granted via proper
1517 		 * privileges.
1518 		 */
1519 		if ((sr->uid_user->u_privileges &
1520 		    (SMB_USER_PRIV_BACKUP |
1521 		    SMB_USER_PRIV_RESTORE |
1522 		    SMB_USER_PRIV_SECURITY)) == 0)
1523 			return (NT_STATUS_PRIVILEGE_NOT_HELD);
1524 
1525 		faccess &= ~ACCESS_SYSTEM_SECURITY;
1526 	}
1527 
1528 	/* Links don't have ACL */
1529 	if (((sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS) == 0) ||
1530 	    (snode->attr.sa_vattr.va_type == VLNK))
1531 		acl_check = B_FALSE;
1532 
1533 	if (acl_check) {
1534 		dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL;
1535 		error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp,
1536 		    cr);
1537 	} else {
1538 		/*
1539 		 * FS doesn't understand 32-bit mask, need to map
1540 		 */
1541 		if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA))
1542 			access |= VWRITE;
1543 
1544 		if (faccess & FILE_READ_DATA)
1545 			access |= VREAD;
1546 
1547 		if (faccess & FILE_EXECUTE)
1548 			access |= VEXEC;
1549 
1550 		error = smb_vop_access(snode->vp, access, 0, NULL, cr);
1551 	}
1552 
1553 	return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS);
1554 }
1555 
1556 /*
1557  * smb_fsop_lookup_name()
1558  *
1559  * Sanity checks on dir_snode done in smb_fsop_lookup().
1560  *
1561  * Note: This function is called only from the open path.
1562  * It will check if the file is a stream.
1563  * It will also return an error if the looked-up file is in
1564  * a child mount.
1565  */
1566 
1567 int
1568 smb_fsop_lookup_name(
1569     struct smb_request *sr,
1570     cred_t	*cr,
1571     int		flags,
1572     smb_node_t	*root_node,
1573     smb_node_t	*dir_snode,
1574     char	*name,
1575     smb_node_t	**ret_snode,
1576     smb_attr_t	*ret_attr)
1577 {
1578 	smb_node_t *fnode;
1579 	smb_attr_t file_attr;
1580 	caller_context_t ct;
1581 	vnode_t *xattrdirvp;
1582 	vnode_t *vp;
1583 	char *od_name;
1584 	char *fname;
1585 	char *sname;
1586 	int rc;
1587 
1588 	ASSERT(cr);
1589 	ASSERT(dir_snode);
1590 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
1591 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1592 
1593 	/*
1594 	 * The following check is required for streams processing, below
1595 	 */
1596 
1597 	if (SMB_TREE_CASE_INSENSITIVE(sr))
1598 		flags |= SMB_IGNORE_CASE;
1599 
1600 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1601 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1602 
1603 	if (smb_stream_parse_name(name, fname, sname)) {
1604 		/*
1605 		 * Look up the unnamed stream (i.e. fname).
1606 		 * Unmangle processing will be done on fname
1607 		 * as well as any link target.
1608 		 */
1609 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dir_snode, fname,
1610 		    &fnode, &file_attr, NULL, NULL);
1611 
1612 		if (rc != 0) {
1613 			kmem_free(fname, MAXNAMELEN);
1614 			kmem_free(sname, MAXNAMELEN);
1615 			return (rc);
1616 		}
1617 
1618 		od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1619 
1620 		/*
1621 		 * od_name is the on-disk name of the stream, except
1622 		 * without the prepended stream prefix (SMB_STREAM_PREFIX)
1623 		 */
1624 
1625 		/*
1626 		 * XXX
1627 		 * What permissions NTFS requires for stream lookup if any?
1628 		 */
1629 		rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name,
1630 		    &xattrdirvp, flags, root_node->vp, cr, &ct);
1631 
1632 		if (rc != 0) {
1633 			smb_node_release(fnode);
1634 			kmem_free(fname, MAXNAMELEN);
1635 			kmem_free(sname, MAXNAMELEN);
1636 			kmem_free(od_name, MAXNAMELEN);
1637 			return (rc);
1638 		}
1639 
1640 		*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
1641 		    vp, od_name, ret_attr);
1642 
1643 		kmem_free(od_name, MAXNAMELEN);
1644 		smb_node_release(fnode);
1645 
1646 		if (*ret_snode == NULL) {
1647 			VN_RELE(xattrdirvp);
1648 			VN_RELE(vp);
1649 			kmem_free(fname, MAXNAMELEN);
1650 			kmem_free(sname, MAXNAMELEN);
1651 			return (ENOMEM);
1652 		}
1653 	} else {
1654 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dir_snode, name,
1655 		    ret_snode, ret_attr, NULL, NULL);
1656 	}
1657 
1658 	if (rc == 0) {
1659 		ASSERT(ret_snode);
1660 		if (SMB_TREE_ROOT_FS(sr, *ret_snode) == 0) {
1661 			smb_node_release(*ret_snode);
1662 			*ret_snode = NULL;
1663 			rc = EACCES;
1664 		}
1665 	}
1666 
1667 	kmem_free(fname, MAXNAMELEN);
1668 	kmem_free(sname, MAXNAMELEN);
1669 
1670 	return (rc);
1671 }
1672 
1673 /*
1674  * smb_fsop_lookup
1675  *
1676  * All SMB functions should use this smb_vop_lookup wrapper to ensure that
1677  * the smb_vop_lookup is performed with the appropriate credentials and using
1678  * case insensitive compares. Please document any direct call to smb_vop_lookup
1679  * to explain the reason for avoiding this wrapper.
1680  *
1681  * It is assumed that a reference exists on dir_snode coming into this routine
1682  * (and that it is safe from deallocation).
1683  *
1684  * Same with the root_node.
1685  *
1686  * *ret_snode is returned with a reference upon success.  No reference is
1687  * taken if an error is returned.
1688  *
1689  * Note: The returned ret_snode may be in a child mount.  This is ok for
1690  * readdir and getdents.
1691  *
1692  * Other smb_fsop_* routines will call SMB_TREE_ROOT_FS() to prevent
1693  * operations on files not in the parent mount.
1694  */
1695 int
1696 smb_fsop_lookup(
1697     struct smb_request *sr,
1698     cred_t	*cr,
1699     int		flags,
1700     smb_node_t	*root_node,
1701     smb_node_t	*dir_snode,
1702     char	*name,
1703     smb_node_t	**ret_snode,
1704     smb_attr_t	*ret_attr,
1705     char	*ret_shortname, /* Must be at least MANGLE_NAMELEN chars */
1706     char	*ret_name83)    /* Must be at least MANGLE_NAMELEN chars */
1707 {
1708 	smb_node_t *lnk_target_node;
1709 	smb_node_t *lnk_dnode;
1710 	caller_context_t ct;
1711 	char *longname;
1712 	char *od_name;
1713 	vnode_t *vp;
1714 	int rc;
1715 
1716 	ASSERT(cr);
1717 	ASSERT(dir_snode);
1718 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
1719 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1720 
1721 	if (name == NULL)
1722 		return (EINVAL);
1723 
1724 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
1725 		return (EACCES);
1726 
1727 	if (SMB_TREE_CASE_INSENSITIVE(sr))
1728 		flags |= SMB_IGNORE_CASE;
1729 
1730 	smb_get_caller_context(sr, &ct);
1731 
1732 	od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1733 
1734 	rc = smb_vop_lookup(dir_snode->vp, name, &vp, od_name, flags,
1735 	    root_node ? root_node->vp : NULL, cr, &ct);
1736 
1737 	if (rc != 0) {
1738 		if (smb_maybe_mangled_name(name) == 0) {
1739 			kmem_free(od_name, MAXNAMELEN);
1740 			return (rc);
1741 		}
1742 
1743 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1744 
1745 		rc = smb_unmangle_name(sr, cr, dir_snode, name, longname,
1746 		    MAXNAMELEN, ret_shortname, ret_name83, 1);
1747 
1748 		if (rc != 0) {
1749 			kmem_free(od_name, MAXNAMELEN);
1750 			kmem_free(longname, MAXNAMELEN);
1751 			return (rc);
1752 		}
1753 
1754 		/*
1755 		 * We passed "1" as the "od" parameter
1756 		 * to smb_unmangle_name(), such that longname
1757 		 * is the real (case-sensitive) on-disk name.
1758 		 * We make sure we do a lookup on this exact
1759 		 * name, as the name was mangled and denotes
1760 		 * a unique file.
1761 		 */
1762 
1763 		if (flags & SMB_IGNORE_CASE)
1764 			flags &= ~SMB_IGNORE_CASE;
1765 
1766 		rc = smb_vop_lookup(dir_snode->vp, longname, &vp, od_name,
1767 		    flags, root_node ? root_node->vp : NULL, cr, &ct);
1768 
1769 		kmem_free(longname, MAXNAMELEN);
1770 
1771 		if (rc != 0) {
1772 			kmem_free(od_name, MAXNAMELEN);
1773 			return (rc);
1774 		}
1775 	}
1776 
1777 	if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK)) {
1778 
1779 		rc = smb_pathname(sr, od_name, FOLLOW, root_node, dir_snode,
1780 		    &lnk_dnode, &lnk_target_node, cr);
1781 
1782 		if (rc != 0) {
1783 			/*
1784 			 * The link is assumed to be for the last component
1785 			 * of a path.  Hence any ENOTDIR error will be returned
1786 			 * as ENOENT.
1787 			 */
1788 			if (rc == ENOTDIR)
1789 				rc = ENOENT;
1790 
1791 			VN_RELE(vp);
1792 			kmem_free(od_name, MAXNAMELEN);
1793 			return (rc);
1794 		}
1795 
1796 		/*
1797 		 * Release the original VLNK vnode
1798 		 */
1799 
1800 		VN_RELE(vp);
1801 		vp = lnk_target_node->vp;
1802 
1803 		rc = smb_vop_traverse_check(&vp);
1804 
1805 		if (rc != 0) {
1806 			smb_node_release(lnk_dnode);
1807 			smb_node_release(lnk_target_node);
1808 			kmem_free(od_name, MAXNAMELEN);
1809 			return (rc);
1810 		}
1811 
1812 		/*
1813 		 * smb_vop_traverse_check() may have returned a different vnode
1814 		 */
1815 
1816 		if (lnk_target_node->vp == vp) {
1817 			*ret_snode = lnk_target_node;
1818 			*ret_attr = (*ret_snode)->attr;
1819 		} else {
1820 			*ret_snode = smb_node_lookup(sr, NULL, cr, vp,
1821 			    lnk_target_node->od_name, lnk_dnode, NULL,
1822 			    ret_attr);
1823 
1824 			if (*ret_snode == NULL) {
1825 				VN_RELE(vp);
1826 				rc = ENOMEM;
1827 			}
1828 			smb_node_release(lnk_target_node);
1829 		}
1830 
1831 		smb_node_release(lnk_dnode);
1832 
1833 	} else {
1834 
1835 		rc = smb_vop_traverse_check(&vp);
1836 		if (rc) {
1837 			VN_RELE(vp);
1838 			kmem_free(od_name, MAXNAMELEN);
1839 			return (rc);
1840 		}
1841 
1842 		*ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name,
1843 		    dir_snode, NULL, ret_attr);
1844 
1845 		if (*ret_snode == NULL) {
1846 			VN_RELE(vp);
1847 			rc = ENOMEM;
1848 		}
1849 	}
1850 
1851 	kmem_free(od_name, MAXNAMELEN);
1852 	return (rc);
1853 }
1854 
1855 /*
1856  * smb_fsop_stream_readdir()
1857  *
1858  * ret_snode and ret_attr are optional parameters (i.e. NULL may be passed in)
1859  *
1860  * This routine will return only NTFS streams.  If an NTFS stream is not
1861  * found at the offset specified, the directory will be read until an NTFS
1862  * stream is found or until EOF.
1863  *
1864  * Note: Sanity checks done in caller
1865  * (smb_fsop_readdir(), smb_fsop_remove_streams())
1866  */
1867 
1868 int
1869 smb_fsop_stream_readdir(struct smb_request *sr, cred_t *cr, smb_node_t *fnode,
1870     uint32_t *cookiep, struct fs_stream_info *stream_info,
1871     smb_node_t **ret_snode, smb_attr_t *ret_attr)
1872 {
1873 	smb_node_t *ret_snodep = NULL;
1874 	caller_context_t ct;
1875 	smb_attr_t tmp_attr;
1876 	vnode_t *xattrdirvp;
1877 	vnode_t *vp;
1878 	int rc = 0;
1879 	int flags = 0;
1880 
1881 	/*
1882 	 * XXX NTFS permission requirements if any?
1883 	 */
1884 	ASSERT(cr);
1885 	ASSERT(fnode);
1886 	ASSERT(fnode->n_magic == SMB_NODE_MAGIC);
1887 	ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING);
1888 
1889 	if (SMB_TREE_CASE_INSENSITIVE(sr))
1890 		flags = SMB_IGNORE_CASE;
1891 
1892 	smb_get_caller_context(sr, &ct);
1893 
1894 	rc = smb_vop_stream_readdir(fnode->vp, cookiep, stream_info, &vp,
1895 	    &xattrdirvp, flags, cr, &ct);
1896 
1897 	if ((rc != 0) || *cookiep == SMB_EOF)
1898 		return (rc);
1899 
1900 	ret_snodep = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp, vp,
1901 	    stream_info->name, &tmp_attr);
1902 
1903 	if (ret_snodep == NULL) {
1904 		VN_RELE(xattrdirvp);
1905 		VN_RELE(vp);
1906 		return (ENOMEM);
1907 	}
1908 
1909 	stream_info->size = tmp_attr.sa_vattr.va_size;
1910 
1911 	if (ret_attr)
1912 		*ret_attr = tmp_attr;
1913 
1914 	if (ret_snode)
1915 		*ret_snode = ret_snodep;
1916 	else
1917 		smb_node_release(ret_snodep);
1918 
1919 	return (rc);
1920 }
1921 
1922 int /*ARGSUSED*/
1923 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode)
1924 {
1925 	caller_context_t ct;
1926 
1927 	ASSERT(cr);
1928 	ASSERT(snode);
1929 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1930 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1931 
1932 	ASSERT(sr);
1933 	ASSERT(sr->tid_tree);
1934 	if (SMB_TREE_IS_READ_ONLY(sr))
1935 		return (EROFS);
1936 
1937 	smb_get_caller_context(sr, &ct);
1938 
1939 	return (smb_vop_commit(snode->vp, cr, &ct));
1940 }
1941 
1942 /*
1943  * smb_fsop_aclread
1944  *
1945  * Retrieve filesystem ACL. Depends on requested ACLs in
1946  * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in
1947  * fs_sd. Note that requesting a DACL/SACL doesn't mean that
1948  * the corresponding field in fs_sd should be non-NULL upon
1949  * return, since the target ACL might not contain that type of
1950  * entries.
1951  *
1952  * Returned ACL is always in ACE_T (aka ZFS) format.
1953  * If successful the allocated memory for the ACL should be freed
1954  * using smb_fsacl_free() or smb_fssd_term()
1955  */
1956 int
1957 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1958     smb_fssd_t *fs_sd)
1959 {
1960 	int error = 0;
1961 	int flags = 0;
1962 	int access = 0;
1963 	acl_t *acl;
1964 	caller_context_t ct;
1965 	smb_node_t *unnamed_node;
1966 
1967 	ASSERT(cr);
1968 
1969 	if (sr->fid_ofile) {
1970 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
1971 			access = READ_CONTROL;
1972 
1973 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
1974 			access |= ACCESS_SYSTEM_SECURITY;
1975 
1976 		error = smb_ofile_access(sr->fid_ofile, cr, access);
1977 		if (error != NT_STATUS_SUCCESS) {
1978 			return (EACCES);
1979 		}
1980 	}
1981 
1982 	unnamed_node = SMB_IS_STREAM(snode);
1983 	if (unnamed_node) {
1984 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1985 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1986 		/*
1987 		 * Streams don't have ACL, any read ACL attempt on a stream
1988 		 * should be performed on the unnamed stream.
1989 		 */
1990 		snode = unnamed_node;
1991 	}
1992 
1993 	if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS)
1994 		flags = ATTR_NOACLCHECK;
1995 
1996 	smb_get_caller_context(sr, &ct);
1997 	error = smb_vop_acl_read(snode->vp, &acl, flags,
1998 	    sr->tid_tree->t_acltype, cr, &ct);
1999 	if (error != 0) {
2000 		return (error);
2001 	}
2002 
2003 	error = acl_translate(acl, _ACL_ACE_ENABLED,
2004 	    (snode->vp->v_type == VDIR), fs_sd->sd_uid, fs_sd->sd_gid);
2005 
2006 	if (error == 0) {
2007 		smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl,
2008 		    fs_sd->sd_secinfo);
2009 	}
2010 
2011 	acl_free(acl);
2012 	return (error);
2013 }
2014 
2015 /*
2016  * smb_fsop_aclwrite
2017  *
2018  * Stores the filesystem ACL provided in fs_sd->sd_acl.
2019  */
2020 int
2021 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2022     smb_fssd_t *fs_sd)
2023 {
2024 	int target_flavor;
2025 	int error = 0;
2026 	int flags = 0;
2027 	int access = 0;
2028 	caller_context_t ct;
2029 	acl_t *acl, *dacl, *sacl;
2030 	smb_node_t *unnamed_node;
2031 
2032 	ASSERT(cr);
2033 
2034 	ASSERT(sr);
2035 	ASSERT(sr->tid_tree);
2036 	if (SMB_TREE_IS_READ_ONLY(sr))
2037 		return (EROFS);
2038 
2039 	if (sr->fid_ofile) {
2040 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2041 			access = WRITE_DAC;
2042 
2043 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2044 			access |= ACCESS_SYSTEM_SECURITY;
2045 
2046 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2047 		if (error != NT_STATUS_SUCCESS)
2048 			return (EACCES);
2049 	}
2050 
2051 	switch (sr->tid_tree->t_acltype) {
2052 	case ACLENT_T:
2053 		target_flavor = _ACL_ACLENT_ENABLED;
2054 		break;
2055 
2056 	case ACE_T:
2057 		target_flavor = _ACL_ACE_ENABLED;
2058 		break;
2059 	default:
2060 		return (EINVAL);
2061 	}
2062 
2063 	unnamed_node = SMB_IS_STREAM(snode);
2064 	if (unnamed_node) {
2065 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
2066 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
2067 		/*
2068 		 * Streams don't have ACL, any write ACL attempt on a stream
2069 		 * should be performed on the unnamed stream.
2070 		 */
2071 		snode = unnamed_node;
2072 	}
2073 
2074 	dacl = fs_sd->sd_zdacl;
2075 	sacl = fs_sd->sd_zsacl;
2076 
2077 	ASSERT(dacl || sacl);
2078 	if ((dacl == NULL) && (sacl == NULL))
2079 		return (EINVAL);
2080 
2081 	if (dacl && sacl)
2082 		acl = smb_fsacl_merge(dacl, sacl);
2083 	else if (dacl)
2084 		acl = dacl;
2085 	else
2086 		acl = sacl;
2087 
2088 	error = acl_translate(acl, target_flavor, (snode->vp->v_type == VDIR),
2089 	    fs_sd->sd_uid, fs_sd->sd_gid);
2090 	if (error == 0) {
2091 		smb_get_caller_context(sr, &ct);
2092 		if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS)
2093 			flags = ATTR_NOACLCHECK;
2094 
2095 		error = smb_vop_acl_write(snode->vp, acl, flags, cr, &ct);
2096 	}
2097 
2098 	if (dacl && sacl)
2099 		acl_free(acl);
2100 
2101 	return (error);
2102 }
2103 
2104 acl_type_t
2105 smb_fsop_acltype(smb_node_t *snode)
2106 {
2107 	return (smb_vop_acl_type(snode->vp));
2108 }
2109 
2110 /*
2111  * smb_fsop_sdread
2112  *
2113  * Read the requested security descriptor items from filesystem.
2114  * The items are specified in fs_sd->sd_secinfo.
2115  */
2116 int
2117 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2118     smb_fssd_t *fs_sd)
2119 {
2120 	int error = 0;
2121 	int getowner = 0;
2122 	cred_t *ga_cred;
2123 	smb_attr_t attr;
2124 
2125 	ASSERT(cr);
2126 	ASSERT(fs_sd);
2127 
2128 	/*
2129 	 * File's uid/gid is fetched in two cases:
2130 	 *
2131 	 * 1. it's explicitly requested
2132 	 *
2133 	 * 2. target ACL is ACE_T (ZFS ACL). They're needed for
2134 	 *    owner@/group@ entries. In this case kcred should be used
2135 	 *    because uid/gid are fetched on behalf of smb server.
2136 	 */
2137 	if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) {
2138 		getowner = 1;
2139 		ga_cred = cr;
2140 	} else if (sr->tid_tree->t_acltype == ACE_T) {
2141 		getowner = 1;
2142 		ga_cred = kcred;
2143 	}
2144 
2145 	if (getowner) {
2146 		/*
2147 		 * Windows require READ_CONTROL to read owner/group SID since
2148 		 * they're part of Security Descriptor.
2149 		 * ZFS only requires read_attribute. Need to have a explicit
2150 		 * access check here.
2151 		 */
2152 		if (sr->fid_ofile == NULL) {
2153 			error = smb_fsop_access(sr, ga_cred, snode,
2154 			    READ_CONTROL);
2155 			if (error)
2156 				return (error);
2157 		}
2158 
2159 		attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2160 		error = smb_fsop_getattr(sr, ga_cred, snode, &attr);
2161 		if (error == 0) {
2162 			fs_sd->sd_uid = attr.sa_vattr.va_uid;
2163 			fs_sd->sd_gid = attr.sa_vattr.va_gid;
2164 		} else {
2165 			return (error);
2166 		}
2167 	}
2168 
2169 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2170 		error = smb_fsop_aclread(sr, cr, snode, fs_sd);
2171 	}
2172 
2173 	return (error);
2174 }
2175 
2176 /*
2177  * smb_fsop_sdmerge
2178  *
2179  * From SMB point of view DACL and SACL are two separate list
2180  * which can be manipulated independently without one affecting
2181  * the other, but entries for both DACL and SACL will end up
2182  * in the same ACL if target filesystem supports ACE_T ACLs.
2183  *
2184  * So, if either DACL or SACL is present in the client set request
2185  * the entries corresponding to the non-present ACL shouldn't
2186  * be touched in the FS ACL.
2187  *
2188  * fs_sd parameter contains DACL and SACL specified by SMB
2189  * client to be set on a file/directory. The client could
2190  * specify both or one of these ACLs (if none is specified
2191  * we don't get this far). When both DACL and SACL are given
2192  * by client the existing ACL should be overwritten. If only
2193  * one of them is specified the entries corresponding to the other
2194  * ACL should not be touched. For example, if only DACL
2195  * is specified in input fs_sd, the function reads audit entries
2196  * of the existing ACL of the file and point fs_sd->sd_zsdacl
2197  * pointer to the fetched SACL, this way when smb_fsop_sdwrite()
2198  * function is called the passed fs_sd would point to the specified
2199  * DACL by client and fetched SACL from filesystem, so the file
2200  * will end up with correct ACL.
2201  */
2202 static int
2203 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd)
2204 {
2205 	smb_fssd_t cur_sd;
2206 	int error = 0;
2207 
2208 	if (sr->tid_tree->t_acltype != ACE_T)
2209 		/* Don't bother if target FS doesn't support ACE_T */
2210 		return (0);
2211 
2212 	if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) {
2213 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) {
2214 			/*
2215 			 * Don't overwrite existing audit entries
2216 			 */
2217 			smb_fssd_init(&cur_sd, SMB_SACL_SECINFO,
2218 			    fs_sd->sd_flags);
2219 
2220 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2221 			if (error == 0) {
2222 				ASSERT(fs_sd->sd_zsacl == NULL);
2223 				fs_sd->sd_zsacl = cur_sd.sd_zsacl;
2224 				if (fs_sd->sd_zsacl && fs_sd->sd_zdacl)
2225 					fs_sd->sd_zsacl->acl_flags =
2226 					    fs_sd->sd_zdacl->acl_flags;
2227 			}
2228 		} else {
2229 			/*
2230 			 * Don't overwrite existing access entries
2231 			 */
2232 			smb_fssd_init(&cur_sd, SMB_DACL_SECINFO,
2233 			    fs_sd->sd_flags);
2234 
2235 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2236 			if (error == 0) {
2237 				ASSERT(fs_sd->sd_zdacl == NULL);
2238 				fs_sd->sd_zdacl = cur_sd.sd_zdacl;
2239 				if (fs_sd->sd_zdacl && fs_sd->sd_zsacl)
2240 					fs_sd->sd_zdacl->acl_flags =
2241 					    fs_sd->sd_zsacl->acl_flags;
2242 			}
2243 		}
2244 
2245 		if (error)
2246 			smb_fssd_term(&cur_sd);
2247 	}
2248 
2249 	return (error);
2250 }
2251 
2252 /*
2253  * smb_fsop_sdwrite
2254  *
2255  * Stores the given uid, gid and acl in filesystem.
2256  * Provided items in fs_sd are specified by fs_sd->sd_secinfo.
2257  *
2258  * A SMB security descriptor could contain owner, primary group,
2259  * DACL and SACL. Setting an SD should be atomic but here it has to
2260  * be done via two separate FS operations: VOP_SETATTR and
2261  * VOP_SETSECATTR. Therefore, this function has to simulate the
2262  * atomicity as well as it can.
2263  */
2264 int
2265 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2266     smb_fssd_t *fs_sd, int overwrite)
2267 {
2268 	int error = 0;
2269 	int access = 0;
2270 	smb_attr_t set_attr;
2271 	smb_attr_t orig_attr;
2272 
2273 	ASSERT(cr);
2274 	ASSERT(fs_sd);
2275 
2276 	ASSERT(sr);
2277 	ASSERT(sr->tid_tree);
2278 	if (SMB_TREE_IS_READ_ONLY(sr))
2279 		return (EROFS);
2280 
2281 	bzero(&set_attr, sizeof (smb_attr_t));
2282 
2283 	if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
2284 		set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
2285 		set_attr.sa_mask |= SMB_AT_UID;
2286 	}
2287 
2288 	if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
2289 		set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
2290 		set_attr.sa_mask |= SMB_AT_GID;
2291 	}
2292 
2293 	if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2294 		access |= WRITE_DAC;
2295 
2296 	if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2297 		access |= ACCESS_SYSTEM_SECURITY;
2298 
2299 	if (sr->fid_ofile)
2300 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2301 	else
2302 		error = smb_fsop_access(sr, cr, snode, access);
2303 
2304 	if (error)
2305 		return (EACCES);
2306 
2307 	if (set_attr.sa_mask) {
2308 		/*
2309 		 * Get the current uid, gid so if smb_fsop_aclwrite fails
2310 		 * we can revert uid, gid changes.
2311 		 *
2312 		 * We use root cred here so the operation doesn't fail
2313 		 * due to lack of permission for the user to read the attrs
2314 		 */
2315 
2316 		orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2317 		error = smb_fsop_getattr(sr, kcred, snode, &orig_attr);
2318 		if (error == 0)
2319 			error = smb_fsop_setattr(sr, cr, snode, &set_attr,
2320 			    NULL);
2321 
2322 		if (error)
2323 			return (error);
2324 	}
2325 
2326 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2327 		if (overwrite == 0) {
2328 			error = smb_fsop_sdmerge(sr, snode, fs_sd);
2329 			if (error)
2330 				return (error);
2331 		}
2332 
2333 		error = smb_fsop_aclwrite(sr, cr, snode, fs_sd);
2334 		if (error) {
2335 			/*
2336 			 * Revert uid/gid changes if required.
2337 			 */
2338 			if (set_attr.sa_mask) {
2339 				orig_attr.sa_mask = set_attr.sa_mask;
2340 				(void) smb_fsop_setattr(sr, kcred, snode,
2341 				    &orig_attr, NULL);
2342 			}
2343 		}
2344 	}
2345 
2346 	return (error);
2347 }
2348 
2349 /*
2350  * smb_fsop_sdinherit
2351  *
2352  * Inherit the security descriptor from the parent container.
2353  * This function is called after FS has created the file/folder
2354  * so if this doesn't do anything it means FS inheritance is
2355  * in place.
2356  *
2357  * Do inheritance for ZFS internally.
2358  *
2359  * If we want to let ZFS does the inheritance the
2360  * following setting should be true:
2361  *
2362  *  - aclinherit = passthrough
2363  *  - aclmode = passthrough
2364  *  - smbd umask = 0777
2365  *
2366  * This will result in right effective permissions but
2367  * ZFS will always add 6 ACEs for owner, owning group
2368  * and others to be POSIX compliant. This is not what
2369  * Windows clients/users expect, so we decided that CIFS
2370  * implements Windows rules and overwrite whatever ZFS
2371  * comes up with. This way we also don't have to care
2372  * about ZFS aclinherit and aclmode settings.
2373  */
2374 static int
2375 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd)
2376 {
2377 	int is_dir;
2378 	acl_t *dacl = NULL;
2379 	acl_t *sacl = NULL;
2380 	ksid_t *owner_sid;
2381 	int error;
2382 
2383 	ASSERT(fs_sd);
2384 
2385 	if (sr->tid_tree->t_acltype != ACE_T) {
2386 		/*
2387 		 * No forced inheritance for non-ZFS filesystems.
2388 		 */
2389 		fs_sd->sd_secinfo = 0;
2390 		return (0);
2391 	}
2392 
2393 
2394 	/* Fetch parent directory's ACL */
2395 	error = smb_fsop_sdread(sr, kcred, dnode, fs_sd);
2396 	if (error) {
2397 		return (error);
2398 	}
2399 
2400 	is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR);
2401 	owner_sid = crgetsid(sr->user_cr, KSID_OWNER);
2402 	ASSERT(owner_sid);
2403 	dacl = smb_fsacl_inherit(fs_sd->sd_zdacl, is_dir, SMB_DACL_SECINFO,
2404 	    owner_sid->ks_id);
2405 	sacl = smb_fsacl_inherit(fs_sd->sd_zsacl, is_dir, SMB_SACL_SECINFO,
2406 	    (uid_t)-1);
2407 
2408 	if (sacl == NULL)
2409 		fs_sd->sd_secinfo &= ~SMB_SACL_SECINFO;
2410 
2411 	smb_fsacl_free(fs_sd->sd_zdacl);
2412 	smb_fsacl_free(fs_sd->sd_zsacl);
2413 
2414 	fs_sd->sd_zdacl = dacl;
2415 	fs_sd->sd_zsacl = sacl;
2416 
2417 	return (0);
2418 }
2419 
2420 /*
2421  * smb_fsop_eaccess
2422  *
2423  * Returns the effective permission of the given credential for the
2424  * specified object.
2425  *
2426  * This is just a workaround. We need VFS/FS support for this.
2427  */
2428 void
2429 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2430     uint32_t *eaccess)
2431 {
2432 	int access = 0;
2433 	vnode_t *dir_vp;
2434 	smb_node_t *unnamed_node;
2435 
2436 	ASSERT(cr);
2437 	ASSERT(snode);
2438 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
2439 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
2440 
2441 	unnamed_node = SMB_IS_STREAM(snode);
2442 	if (unnamed_node) {
2443 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
2444 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
2445 		/*
2446 		 * Streams authorization should be performed against the
2447 		 * unnamed stream.
2448 		 */
2449 		snode = unnamed_node;
2450 	}
2451 
2452 	if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS) {
2453 		dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL;
2454 		smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp,
2455 		    cr);
2456 		return;
2457 	}
2458 
2459 	/*
2460 	 * FS doesn't understand 32-bit mask
2461 	 */
2462 	smb_vop_eaccess(snode->vp, &access, 0, NULL, cr);
2463 
2464 	*eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES;
2465 
2466 	if (access & VREAD)
2467 		*eaccess |= FILE_READ_DATA;
2468 
2469 	if (access & VEXEC)
2470 		*eaccess |= FILE_EXECUTE;
2471 
2472 	if (access & VWRITE)
2473 		*eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES |
2474 		    FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD;
2475 }
2476 
2477 /*ARGSUSED*/
2478 void
2479 smb_get_caller_context(smb_request_t *sr, caller_context_t *ct)
2480 {
2481 	ct->cc_caller_id = smb_caller_id;
2482 	ct->cc_pid = 0;			/* TBD */
2483 	ct->cc_sysid = 0;		/* TBD */
2484 }
2485