xref: /titanic_50/usr/src/uts/common/fs/smbsrv/smb_fsops.c (revision 275c9da86e89f8abf71135cf63d9fc23671b2e60)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/sid.h>
29 #include <sys/nbmlock.h>
30 #include <smbsrv/smb_fsops.h>
31 #include <smbsrv/smb_kproto.h>
32 #include <smbsrv/ntstatus.h>
33 #include <smbsrv/ntaccess.h>
34 #include <smbsrv/smb_incl.h>
35 #include <acl/acl_common.h>
36 #include <sys/fcntl.h>
37 #include <sys/flock.h>
38 #include <fs/fs_subr.h>
39 
40 extern caller_context_t smb_ct;
41 
42 static int smb_fsop_amask_to_omode(uint32_t granted_access);
43 static int smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode,
44     smb_fssd_t *fs_sd);
45 
46 static callb_cpr_t *smb_fsop_frlock_callback(flk_cb_when_t when, void *error);
47 
48 /*
49  * The smb_fsop_* functions have knowledge of CIFS semantics.
50  *
51  * The smb_vop_* functions have minimal knowledge of CIFS semantics and
52  * serve as an interface to the VFS layer.
53  *
54  * Hence, smb_request_t and smb_node_t structures should not be passed
55  * from the smb_fsop_* layer to the smb_vop_* layer.
56  *
57  * In general, CIFS service code should only ever call smb_fsop_*
58  * functions directly, and never smb_vop_* functions directly.
59  *
60  * smb_fsop_* functions should call smb_vop_* functions where possible, instead
61  * of their smb_fsop_* counterparts.  However, there are times when
62  * this cannot be avoided.
63  */
64 
65 /*
66  * Note: Stream names cannot be mangled.
67  */
68 
69 int
70 smb_fsop_open(smb_ofile_t *of)
71 {
72 	int mode;
73 
74 	mode = smb_fsop_amask_to_omode(of->f_granted_access);
75 
76 	/*
77 	 * Assuming that same vnode is returned as we had before
78 	 * (i.e. no special vnodes)
79 	 */
80 	return (smb_vop_open(&of->f_node->vp, mode, of->f_cr));
81 }
82 
83 int
84 smb_fsop_close(smb_ofile_t *of)
85 {
86 	int mode;
87 
88 	mode = smb_fsop_amask_to_omode(of->f_granted_access);
89 
90 	return (smb_vop_close(of->f_node->vp, mode, of->f_cr));
91 }
92 
93 static int
94 smb_fsop_amask_to_omode(uint32_t granted_access)
95 {
96 	int mode = 0;
97 
98 	if (granted_access & (ACE_READ_DATA | ACE_EXECUTE))
99 		mode |= FREAD;
100 
101 	if (granted_access & (ACE_WRITE_DATA | ACE_APPEND_DATA))
102 		mode |= FWRITE;
103 
104 	if (granted_access & ACE_APPEND_DATA)
105 		mode |= FAPPEND;
106 
107 	return (mode);
108 }
109 
110 static int
111 smb_fsop_create_with_sd(
112 	smb_request_t *sr,
113 	cred_t *cr,
114 	smb_node_t *snode,
115 	char *name,
116 	smb_attr_t *attr,
117 	smb_node_t **ret_snode,
118 	smb_attr_t *ret_attr,
119 	smb_fssd_t *fs_sd)
120 {
121 	vsecattr_t *vsap;
122 	vsecattr_t vsecattr;
123 	acl_t *acl, *dacl, *sacl;
124 	smb_attr_t set_attr;
125 	vnode_t *vp;
126 	int aclbsize = 0;	/* size of acl list in bytes */
127 	int flags = 0;
128 	int is_dir;
129 	int rc;
130 	boolean_t no_xvattr = B_FALSE;
131 
132 	ASSERT(fs_sd);
133 
134 	if (SMB_TREE_CASE_INSENSITIVE(sr))
135 		flags = SMB_IGNORE_CASE;
136 
137 	ASSERT(cr);
138 
139 	is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0);
140 
141 	if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACLONCREATE) {
142 		if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
143 			dacl = fs_sd->sd_zdacl;
144 			sacl = fs_sd->sd_zsacl;
145 			ASSERT(dacl || sacl);
146 			if (dacl && sacl) {
147 				acl = smb_fsacl_merge(dacl, sacl);
148 			} else if (dacl) {
149 				acl = dacl;
150 			} else {
151 				acl = sacl;
152 			}
153 
154 			rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize);
155 
156 			if (dacl && sacl)
157 				acl_free(acl);
158 
159 			if (rc)
160 				return (rc);
161 
162 			vsap = &vsecattr;
163 		}
164 		else
165 			vsap = NULL;
166 
167 		if (is_dir) {
168 			rc = smb_vop_mkdir(snode->vp, name, attr, &vp, flags,
169 			    cr, vsap);
170 		} else {
171 			rc = smb_vop_create(snode->vp, name, attr, &vp, flags,
172 			    cr, vsap);
173 		}
174 
175 		if (vsap != NULL)
176 			kmem_free(vsap->vsa_aclentp, aclbsize);
177 
178 		if (rc != 0)
179 			return (rc);
180 
181 		set_attr.sa_mask = 0;
182 
183 		/*
184 		 * Ideally we should be able to specify the owner and owning
185 		 * group at create time along with the ACL. Since we cannot
186 		 * do that right now, kcred is passed to smb_vop_setattr so it
187 		 * doesn't fail due to lack of permission.
188 		 */
189 		if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
190 			set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
191 			set_attr.sa_mask |= SMB_AT_UID;
192 		}
193 
194 		if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
195 			set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
196 			set_attr.sa_mask |= SMB_AT_GID;
197 		}
198 
199 		if (set_attr.sa_mask) {
200 			if (sr && sr->tid_tree)
201 				if (sr->tid_tree->t_flags & SMB_TREE_FLAG_UFS)
202 					no_xvattr = B_TRUE;
203 			rc = smb_vop_setattr(snode->vp, NULL, &set_attr,
204 			    0, kcred, no_xvattr);
205 		}
206 
207 	} else {
208 		/*
209 		 * For filesystems that don't support ACL-on-create, try
210 		 * to set the specified SD after create, which could actually
211 		 * fail because of conflicts between inherited security
212 		 * attributes upon creation and the specified SD.
213 		 *
214 		 * Passing kcred to smb_fsop_sdwrite() to overcome this issue.
215 		 */
216 
217 		if (is_dir) {
218 			rc = smb_vop_mkdir(snode->vp, name, attr, &vp, flags,
219 			    cr, NULL);
220 		} else {
221 			rc = smb_vop_create(snode->vp, name, attr, &vp, flags,
222 			    cr, NULL);
223 		}
224 
225 		if (rc != 0)
226 			return (rc);
227 
228 		if ((sr->tid_tree->t_flags & SMB_TREE_FLAG_NFS_MOUNTED) == 0)
229 			rc = smb_fsop_sdwrite(sr, kcred, snode, fs_sd, 1);
230 	}
231 
232 	if (rc == 0) {
233 		*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, name,
234 		    snode, NULL, ret_attr);
235 
236 		if (*ret_snode == NULL) {
237 			VN_RELE(vp);
238 			rc = ENOMEM;
239 		}
240 	}
241 
242 	if (rc != 0) {
243 		if (is_dir) {
244 			(void) smb_vop_rmdir(snode->vp, name, flags, cr);
245 		} else {
246 			(void) smb_vop_remove(snode->vp, name, flags, cr);
247 		}
248 	}
249 
250 	return (rc);
251 }
252 
253 
254 /*
255  * smb_fsop_create
256  *
257  * All SMB functions should use this wrapper to ensure that
258  * all the smb_vop_creates are performed with the appropriate credentials.
259  * Please document any direct calls to explain the reason
260  * for avoiding this wrapper.
261  *
262  * It is assumed that a reference exists on snode coming into this routine.
263  *
264  * *ret_snode is returned with a reference upon success.  No reference is
265  * taken if an error is returned.
266  */
267 
268 int
269 smb_fsop_create(
270     smb_request_t	*sr,
271     cred_t		*cr,
272     smb_node_t		*dir_snode,
273     char		*name,
274     smb_attr_t		*attr,
275     smb_node_t		**ret_snode,
276     smb_attr_t		*ret_attr)
277 {
278 	struct open_param *op = &sr->arg.open;
279 	boolean_t	no_xvattr = B_FALSE;
280 	smb_node_t	*fnode;
281 	smb_attr_t	file_attr;
282 	vnode_t		*xattrdirvp;
283 	vnode_t		*vp;
284 	char		*longname = NULL;
285 	char		*namep;
286 	char		*fname;
287 	char		*sname;
288 	int		is_stream;
289 	int		flags = 0;
290 	int		rc = 0;
291 	smb_fssd_t	fs_sd;
292 	uint32_t	secinfo;
293 	uint32_t	status;
294 
295 	ASSERT(cr);
296 	ASSERT(dir_snode);
297 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
298 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
299 
300 	ASSERT(ret_snode);
301 	*ret_snode = 0;
302 
303 	ASSERT(name);
304 	if (*name == 0)
305 		return (EINVAL);
306 
307 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
308 		return (EACCES);
309 
310 	ASSERT(sr);
311 	ASSERT(sr->tid_tree);
312 	if (SMB_TREE_IS_READ_ONLY(sr))
313 		return (EROFS);
314 
315 	if (SMB_TREE_CASE_INSENSITIVE(sr))
316 		flags = SMB_IGNORE_CASE;
317 
318 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
319 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
320 
321 	is_stream = smb_stream_parse_name(name, fname, sname);
322 
323 	if (is_stream)
324 		namep = fname;
325 	else
326 		namep = name;
327 
328 	if (smb_maybe_mangled_name(namep)) {
329 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
330 
331 		rc = smb_unmangle_name(sr, cr, dir_snode, namep, longname,
332 		    MAXNAMELEN, NULL, NULL, 1);
333 
334 		if ((is_stream == 0) && (rc == 0))
335 			rc = EEXIST;
336 
337 		if ((is_stream && rc) ||
338 		    ((is_stream == 0) && (rc != ENOENT))) {
339 			kmem_free(longname, MAXNAMELEN);
340 			kmem_free(fname, MAXNAMELEN);
341 			kmem_free(sname, MAXNAMELEN);
342 			return (rc);
343 		}
344 
345 		if (is_stream)
346 			namep = longname;
347 		else
348 			kmem_free(longname, MAXNAMELEN);
349 	}
350 
351 	if (is_stream) {
352 		/*
353 		 * Look up the unnamed stream.
354 		 *
355 		 * Mangle processing in smb_fsop_lookup() for the unnamed
356 		 * stream won't be needed (as it was done above), but
357 		 * it may be needed on any link target (which
358 		 * smb_fsop_lookup() will provide).
359 		 */
360 		rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
361 		    sr->tid_tree->t_snode, dir_snode, namep, &fnode, &file_attr,
362 		    0, 0);
363 
364 		if (longname) {
365 			kmem_free(longname, MAXNAMELEN);
366 			namep = NULL;
367 		}
368 
369 		if (rc != 0) {
370 			kmem_free(fname, MAXNAMELEN);
371 			kmem_free(sname, MAXNAMELEN);
372 			return (rc);
373 		}
374 
375 		rc = smb_vop_stream_create(fnode->vp, sname, attr, &vp,
376 		    &xattrdirvp, flags, cr);
377 
378 		if (rc != 0) {
379 			smb_node_release(fnode);
380 			kmem_free(fname, MAXNAMELEN);
381 			kmem_free(sname, MAXNAMELEN);
382 			return (rc);
383 		}
384 
385 		if (sr && sr->tid_tree)
386 			if (sr->tid_tree->t_flags & SMB_TREE_FLAG_UFS)
387 				no_xvattr = B_TRUE;
388 
389 		attr->sa_vattr.va_uid = file_attr.sa_vattr.va_uid;
390 		attr->sa_vattr.va_gid = file_attr.sa_vattr.va_gid;
391 		attr->sa_mask = SMB_AT_UID | SMB_AT_GID;
392 
393 		/*
394 		 * The second parameter of smb_vop_setattr() is set to
395 		 * NULL, even though an unnamed stream exists.  This is
396 		 * because we want to set the UID and GID on the named
397 		 * stream in this case for consistency with the (unnamed
398 		 * stream) file (see comments for smb_vop_setattr()).
399 		 */
400 
401 		rc = smb_vop_setattr(vp, NULL, attr, 0, kcred, no_xvattr);
402 
403 		if (rc != 0) {
404 			smb_node_release(fnode);
405 			kmem_free(fname, MAXNAMELEN);
406 			kmem_free(sname, MAXNAMELEN);
407 			return (rc);
408 		}
409 
410 		*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
411 		    vp, sname, ret_attr);
412 
413 		smb_node_release(fnode);
414 
415 		if (*ret_snode == NULL) {
416 			VN_RELE(xattrdirvp);
417 			VN_RELE(vp);
418 			kmem_free(fname, MAXNAMELEN);
419 			kmem_free(sname, MAXNAMELEN);
420 			return (ENOMEM);
421 		}
422 	} else {
423 		if (op->sd) {
424 			/*
425 			 * SD sent by client in Windows format. Needs to be
426 			 * converted to FS format. No inheritance.
427 			 */
428 			secinfo = smb_sd_get_secinfo(op->sd);
429 			smb_fssd_init(&fs_sd, secinfo, 0);
430 
431 			status = smb_sd_tofs(op->sd, &fs_sd);
432 			if (status == NT_STATUS_SUCCESS) {
433 				rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
434 				    name, attr, ret_snode, ret_attr, &fs_sd);
435 			}
436 			else
437 				rc = EINVAL;
438 			smb_fssd_term(&fs_sd);
439 		} else if (sr->tid_tree->t_acltype == ACE_T) {
440 			/*
441 			 * No incoming SD and filesystem is ZFS
442 			 * Server applies Windows inheritance rules,
443 			 * see smb_fsop_sdinherit() comments as to why.
444 			 */
445 			smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, 0);
446 			rc = smb_fsop_sdinherit(sr, dir_snode, &fs_sd);
447 			if (rc == 0) {
448 				rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
449 				    name, attr, ret_snode, ret_attr, &fs_sd);
450 			}
451 
452 			smb_fssd_term(&fs_sd);
453 		} else {
454 			/*
455 			 * No incoming SD and filesystem is not ZFS
456 			 * let the filesystem handles the inheritance.
457 			 */
458 			rc = smb_vop_create(dir_snode->vp, name, attr, &vp,
459 			    flags, cr, NULL);
460 
461 			if (rc == 0) {
462 				*ret_snode = smb_node_lookup(sr, op, cr, vp,
463 				    name, dir_snode, NULL, ret_attr);
464 
465 				if (*ret_snode == NULL) {
466 					VN_RELE(vp);
467 					rc = ENOMEM;
468 				}
469 			}
470 
471 		}
472 	}
473 
474 	kmem_free(fname, MAXNAMELEN);
475 	kmem_free(sname, MAXNAMELEN);
476 	return (rc);
477 }
478 
479 /*
480  * smb_fsop_mkdir
481  *
482  * All SMB functions should use this wrapper to ensure that
483  * the the calls are performed with the appropriate credentials.
484  * Please document any direct call to explain the reason
485  * for avoiding this wrapper.
486  *
487  * It is assumed that a reference exists on snode coming into this routine.
488  *
489  * *ret_snode is returned with a reference upon success.  No reference is
490  * taken if an error is returned.
491  */
492 int
493 smb_fsop_mkdir(
494     smb_request_t *sr,
495     cred_t *cr,
496     smb_node_t *dir_snode,
497     char *name,
498     smb_attr_t *attr,
499     smb_node_t **ret_snode,
500     smb_attr_t *ret_attr)
501 {
502 	struct open_param *op = &sr->arg.open;
503 	char *longname;
504 	vnode_t *vp;
505 	int flags = 0;
506 	smb_fssd_t fs_sd;
507 	uint32_t secinfo;
508 	uint32_t status;
509 	int rc;
510 	ASSERT(cr);
511 	ASSERT(dir_snode);
512 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
513 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
514 
515 	ASSERT(ret_snode);
516 	*ret_snode = 0;
517 
518 	ASSERT(name);
519 	if (*name == 0)
520 		return (EINVAL);
521 
522 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
523 		return (EACCES);
524 
525 	ASSERT(sr);
526 	ASSERT(sr->tid_tree);
527 	if (SMB_TREE_IS_READ_ONLY(sr))
528 		return (EROFS);
529 
530 	if (smb_maybe_mangled_name(name)) {
531 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
532 		rc = smb_unmangle_name(sr, cr, dir_snode, name, longname,
533 		    MAXNAMELEN, NULL, NULL, 1);
534 
535 		kmem_free(longname, MAXNAMELEN);
536 
537 		/*
538 		 * If the name passed in by the client has an unmangled
539 		 * equivalent that is found in the specified directory,
540 		 * then the mkdir cannot succeed.  Return EEXIST.
541 		 *
542 		 * Only if ENOENT is returned will a mkdir be attempted.
543 		 */
544 
545 		if (rc == 0)
546 			rc = EEXIST;
547 
548 		if (rc != ENOENT)
549 			return (rc);
550 	}
551 
552 	if (SMB_TREE_CASE_INSENSITIVE(sr))
553 		flags = SMB_IGNORE_CASE;
554 
555 	if (op->sd) {
556 		/*
557 		 * SD sent by client in Windows format. Needs to be
558 		 * converted to FS format. No inheritance.
559 		 */
560 		secinfo = smb_sd_get_secinfo(op->sd);
561 		smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR);
562 
563 		status = smb_sd_tofs(op->sd, &fs_sd);
564 		if (status == NT_STATUS_SUCCESS) {
565 			rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
566 			    name, attr, ret_snode, ret_attr, &fs_sd);
567 		}
568 		else
569 			rc = EINVAL;
570 		smb_fssd_term(&fs_sd);
571 	} else if (sr->tid_tree->t_acltype == ACE_T) {
572 		/*
573 		 * No incoming SD and filesystem is ZFS
574 		 * Server applies Windows inheritance rules,
575 		 * see smb_fsop_sdinherit() comments as to why.
576 		 */
577 		smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, SMB_FSSD_FLAGS_DIR);
578 		rc = smb_fsop_sdinherit(sr, dir_snode, &fs_sd);
579 		if (rc == 0) {
580 			rc = smb_fsop_create_with_sd(sr, cr, dir_snode,
581 			    name, attr, ret_snode, ret_attr, &fs_sd);
582 		}
583 
584 		smb_fssd_term(&fs_sd);
585 
586 	} else {
587 		rc = smb_vop_mkdir(dir_snode->vp, name, attr, &vp, flags, cr,
588 		    NULL);
589 
590 		if (rc == 0) {
591 			*ret_snode = smb_node_lookup(sr, op, cr, vp, name,
592 			    dir_snode, NULL, ret_attr);
593 
594 			if (*ret_snode == NULL) {
595 				VN_RELE(vp);
596 				rc = ENOMEM;
597 			}
598 		}
599 	}
600 
601 	return (rc);
602 }
603 
604 /*
605  * smb_fsop_remove
606  *
607  * All SMB functions should use this wrapper to ensure that
608  * the the calls are performed with the appropriate credentials.
609  * Please document any direct call to explain the reason
610  * for avoiding this wrapper.
611  *
612  * It is assumed that a reference exists on snode coming into this routine.
613  *
614  * od: This means that the name passed in is an on-disk name.
615  * A null smb_request might be passed to this function.
616  */
617 
618 int
619 smb_fsop_remove(
620     smb_request_t	*sr,
621     cred_t		*cr,
622     smb_node_t		*dir_snode,
623     char		*name,
624     int			od)
625 {
626 	smb_node_t	*fnode;
627 	smb_attr_t	file_attr;
628 	char		*longname;
629 	char		*fname;
630 	char		*sname;
631 	int		flags = 0;
632 	int		rc;
633 
634 	ASSERT(cr);
635 	/*
636 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
637 	 * function is called during the deletion of the node (because of
638 	 * DELETE_ON_CLOSE).
639 	 */
640 	ASSERT(dir_snode);
641 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
642 
643 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
644 		return (EACCES);
645 
646 	if (SMB_TREE_IS_READ_ONLY(sr))
647 		return (EROFS);
648 
649 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
650 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
651 
652 	/*
653 	 * If the passed-in name is an on-disk name,
654 	 * then we need to do a case-sensitive remove.
655 	 * This is important if the on-disk name
656 	 * corresponds to a mangled name passed in by
657 	 * the client.  We want to make sure to remove
658 	 * the exact file specified by the client,
659 	 * instead of letting the underlying file system
660 	 * do a remove on the "first match."
661 	 */
662 
663 	if ((od == 0) && SMB_TREE_CASE_INSENSITIVE(sr))
664 		flags = SMB_IGNORE_CASE;
665 
666 	if (dir_snode->flags & NODE_XATTR_DIR) {
667 		rc = smb_vop_stream_remove(dir_snode->dir_snode->vp,
668 		    name, flags, cr);
669 	} else if (smb_stream_parse_name(name, fname, sname)) {
670 		/*
671 		 * It is assumed that "name" corresponds to the path
672 		 * passed in by the client, and no need of suppressing
673 		 * case-insensitive lookups is needed.
674 		 */
675 
676 		ASSERT(od == 0);
677 
678 		/*
679 		 * Look up the unnamed stream (i.e. fname).
680 		 * Unmangle processing will be done on fname
681 		 * as well as any link target.
682 		 */
683 
684 		rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
685 		    sr->tid_tree->t_snode, dir_snode, fname, &fnode, &file_attr,
686 		    0, 0);
687 
688 		if (rc != 0) {
689 			kmem_free(fname, MAXNAMELEN);
690 			kmem_free(sname, MAXNAMELEN);
691 			return (rc);
692 		}
693 
694 		/*
695 		 * XXX
696 		 * Need to find out what permission is required by NTFS
697 		 * to remove a stream.
698 		 */
699 		rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr);
700 
701 		smb_node_release(fnode);
702 	} else {
703 		rc = smb_vop_remove(dir_snode->vp, name, flags, cr);
704 
705 		if (rc == ENOENT) {
706 			if (smb_maybe_mangled_name(name) == 0) {
707 				kmem_free(fname, MAXNAMELEN);
708 				kmem_free(sname, MAXNAMELEN);
709 				return (rc);
710 			}
711 			longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
712 
713 			rc = smb_unmangle_name(sr, cr, dir_snode, name,
714 			    longname, MAXNAMELEN, NULL, NULL, 1);
715 
716 			if (rc == 0) {
717 				/*
718 				 * We passed "1" as the "od" parameter
719 				 * to smb_unmangle_name(), such that longname
720 				 * is the real (case-sensitive) on-disk name.
721 				 * We make sure we do a remove on this exact
722 				 * name, as the name was mangled and denotes
723 				 * a unique file.
724 				 */
725 				flags &= ~SMB_IGNORE_CASE;
726 				rc = smb_vop_remove(dir_snode->vp, longname,
727 				    flags, cr);
728 			}
729 
730 			kmem_free(longname, MAXNAMELEN);
731 		}
732 	}
733 
734 	kmem_free(fname, MAXNAMELEN);
735 	kmem_free(sname, MAXNAMELEN);
736 	return (rc);
737 }
738 
739 /*
740  * smb_fsop_remove_streams
741  *
742  * This function removes a file's streams without removing the
743  * file itself.
744  *
745  * It is assumed that snode is not a link.
746  */
747 int
748 smb_fsop_remove_streams(smb_request_t *sr, cred_t *cr, smb_node_t *fnode)
749 {
750 	struct fs_stream_info stream_info;
751 	uint32_t cookie = 0;
752 	int flags = 0;
753 	int rc;
754 
755 	ASSERT(cr);
756 	ASSERT(fnode);
757 	ASSERT(fnode->n_magic == SMB_NODE_MAGIC);
758 	ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING);
759 
760 	if (SMB_TREE_ROOT_FS(sr, fnode) == 0)
761 		return (EACCES);
762 
763 	if (SMB_TREE_IS_READ_ONLY(sr))
764 		return (EROFS);
765 
766 	if (SMB_TREE_CASE_INSENSITIVE(sr))
767 		flags = SMB_IGNORE_CASE;
768 
769 	for (;;) {
770 		rc = smb_vop_stream_readdir(fnode->vp, &cookie, &stream_info,
771 		    NULL, NULL, flags, cr);
772 
773 		if ((rc != 0) || (cookie == SMB_EOF))
774 			break;
775 
776 		(void) smb_vop_stream_remove(fnode->vp, stream_info.name, flags,
777 		    cr);
778 	}
779 	return (rc);
780 }
781 
782 /*
783  * smb_fsop_rmdir
784  *
785  * All SMB functions should use this wrapper to ensure that
786  * the the calls are performed with the appropriate credentials.
787  * Please document any direct call to explain the reason
788  * for avoiding this wrapper.
789  *
790  * It is assumed that a reference exists on snode coming into this routine.
791  *
792  * od: This means that the name passed in is an on-disk name.
793  */
794 
795 int
796 smb_fsop_rmdir(
797     smb_request_t	*sr,
798     cred_t		*cr,
799     smb_node_t		*dir_snode,
800     char		*name,
801     int			od)
802 {
803 	int		rc;
804 	int		flags = 0;
805 	char		*longname;
806 
807 	ASSERT(cr);
808 	/*
809 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
810 	 * function is called during the deletion of the node (because of
811 	 * DELETE_ON_CLOSE).
812 	 */
813 	ASSERT(dir_snode);
814 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
815 
816 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
817 		return (EACCES);
818 
819 	if (SMB_TREE_IS_READ_ONLY(sr))
820 		return (EROFS);
821 
822 	/*
823 	 * If the passed-in name is an on-disk name,
824 	 * then we need to do a case-sensitive rmdir.
825 	 * This is important if the on-disk name
826 	 * corresponds to a mangled name passed in by
827 	 * the client.  We want to make sure to remove
828 	 * the exact directory specified by the client,
829 	 * instead of letting the underlying file system
830 	 * do a rmdir on the "first match."
831 	 */
832 
833 	if ((od == 0) && SMB_TREE_CASE_INSENSITIVE(sr))
834 		flags = SMB_IGNORE_CASE;
835 
836 	rc = smb_vop_rmdir(dir_snode->vp, name, flags, cr);
837 
838 	if (rc == ENOENT) {
839 		if (smb_maybe_mangled_name(name) == 0)
840 			return (rc);
841 
842 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
843 
844 		rc = smb_unmangle_name(sr, cr, dir_snode,
845 		    name, longname, MAXNAMELEN, NULL,
846 		    NULL, 1);
847 
848 		if (rc == 0) {
849 			/*
850 			 * We passed "1" as the "od" parameter
851 			 * to smb_unmangle_name(), such that longname
852 			 * is the real (case-sensitive) on-disk name.
853 			 * We make sure we do a rmdir on this exact
854 			 * name, as the name was mangled and denotes
855 			 * a unique directory.
856 			 */
857 			flags &= ~SMB_IGNORE_CASE;
858 			rc = smb_vop_rmdir(dir_snode->vp, longname, flags, cr);
859 		}
860 
861 		kmem_free(longname, MAXNAMELEN);
862 	}
863 
864 	return (rc);
865 }
866 
867 /*
868  * smb_fsop_getattr
869  *
870  * All SMB functions should use this wrapper to ensure that
871  * the the calls are performed with the appropriate credentials.
872  * Please document any direct call to explain the reason
873  * for avoiding this wrapper.
874  *
875  * It is assumed that a reference exists on snode coming into this routine.
876  */
877 int
878 smb_fsop_getattr(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
879     smb_attr_t *attr)
880 {
881 	smb_node_t *unnamed_node;
882 	vnode_t *unnamed_vp = NULL;
883 	uint32_t status;
884 	uint32_t access = 0;
885 	int flags = 0;
886 	int rc;
887 
888 	ASSERT(cr);
889 	ASSERT(snode);
890 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
891 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
892 
893 	if (SMB_TREE_ROOT_FS(sr, snode) == 0)
894 		return (EACCES);
895 
896 	if (sr->fid_ofile) {
897 		/* if uid and/or gid is requested */
898 		if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID))
899 			access |= READ_CONTROL;
900 
901 		/* if anything else is also requested */
902 		if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID))
903 			access |= FILE_READ_ATTRIBUTES;
904 
905 		status = smb_ofile_access(sr->fid_ofile, cr, access);
906 		if (status != NT_STATUS_SUCCESS)
907 			return (EACCES);
908 
909 		if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS)
910 			flags = ATTR_NOACLCHECK;
911 	}
912 
913 	unnamed_node = SMB_IS_STREAM(snode);
914 
915 	if (unnamed_node) {
916 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
917 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
918 		unnamed_vp = unnamed_node->vp;
919 	}
920 
921 	rc = smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr);
922 	if (rc == 0)
923 		snode->attr = *attr;
924 
925 	return (rc);
926 }
927 
928 /*
929  * smb_fsop_readdir
930  *
931  * All SMB functions should use this smb_fsop_readdir wrapper to ensure that
932  * the smb_vop_readdir is performed with the appropriate credentials.
933  * Please document any direct call to smb_vop_readdir to explain the reason
934  * for avoiding this wrapper.
935  *
936  * It is assumed that a reference exists on snode coming into this routine.
937  */
938 int
939 smb_fsop_readdir(
940     smb_request_t *sr,
941     cred_t *cr,
942     smb_node_t *dir_snode,
943     uint32_t *cookie,
944     char *name,
945     int *namelen,
946     ino64_t *fileid,
947     struct fs_stream_info *stream_info,
948     smb_node_t **ret_snode,
949     smb_attr_t *ret_attr)
950 {
951 	smb_node_t	*ret_snodep;
952 	smb_node_t	*fnode;
953 	smb_attr_t	tmp_attr;
954 	vnode_t		*xattrdirvp;
955 	vnode_t		*fvp;
956 	vnode_t		*vp = NULL;
957 	char		*od_name;
958 	int		rc;
959 	int		flags = 0;
960 
961 	ASSERT(cr);
962 	ASSERT(dir_snode);
963 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
964 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
965 
966 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
967 		return (EACCES);
968 
969 	if (*cookie == SMB_EOF) {
970 		*namelen = 0;
971 		return (0);
972 	}
973 
974 	if (SMB_TREE_CASE_INSENSITIVE(sr))
975 		flags = SMB_IGNORE_CASE;
976 
977 	od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
978 
979 	if (stream_info) {
980 		rc = smb_vop_lookup(dir_snode->vp, name, &fvp, od_name,
981 		    SMB_FOLLOW_LINKS, sr->tid_tree->t_snode->vp, cr);
982 
983 		if (rc != 0) {
984 			kmem_free(od_name, MAXNAMELEN);
985 			return (rc);
986 		}
987 
988 		fnode = smb_node_lookup(sr, NULL, cr, fvp, od_name, dir_snode,
989 		    NULL, ret_attr);
990 
991 		kmem_free(od_name, MAXNAMELEN);
992 
993 		if (fnode == NULL) {
994 			VN_RELE(fvp);
995 			return (ENOMEM);
996 		}
997 
998 		/*
999 		 * XXX
1000 		 * Need to find out what permission(s) NTFS requires for getting
1001 		 * a file's streams list.
1002 		 *
1003 		 * Might have to use kcred.
1004 		 */
1005 		rc = smb_vop_stream_readdir(fvp, cookie, stream_info, &vp,
1006 		    &xattrdirvp, flags, cr);
1007 
1008 		if ((rc != 0) || (*cookie == SMB_EOF)) {
1009 			smb_node_release(fnode);
1010 			return (rc);
1011 		}
1012 
1013 		ret_snodep = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
1014 		    vp, stream_info->name, &tmp_attr);
1015 
1016 		smb_node_release(fnode);
1017 
1018 		if (ret_snodep == NULL) {
1019 			VN_RELE(xattrdirvp);
1020 			VN_RELE(vp);
1021 			return (ENOMEM);
1022 		}
1023 
1024 		stream_info->size = tmp_attr.sa_vattr.va_size;
1025 
1026 		if (ret_attr)
1027 			*ret_attr = tmp_attr;
1028 
1029 		if (ret_snode)
1030 			*ret_snode = ret_snodep;
1031 		else
1032 			smb_node_release(ret_snodep);
1033 
1034 	} else {
1035 		rc = smb_vop_readdir(dir_snode->vp, cookie, name, namelen,
1036 		    fileid, &vp, od_name, flags, cr);
1037 
1038 		if (rc != 0) {
1039 			kmem_free(od_name, MAXNAMELEN);
1040 			return (rc);
1041 		}
1042 
1043 		if (*namelen) {
1044 			ASSERT(vp);
1045 			if (ret_attr || ret_snode) {
1046 				ret_snodep = smb_node_lookup(sr, NULL, cr, vp,
1047 				    od_name, dir_snode, NULL, &tmp_attr);
1048 
1049 				if (ret_snodep == NULL) {
1050 					kmem_free(od_name, MAXNAMELEN);
1051 					VN_RELE(vp);
1052 					return (ENOMEM);
1053 				}
1054 
1055 				if (ret_attr)
1056 					*ret_attr = tmp_attr;
1057 
1058 				if (ret_snode)
1059 					*ret_snode = ret_snodep;
1060 				else
1061 					smb_node_release(ret_snodep);
1062 			}
1063 		}
1064 
1065 		kmem_free(od_name, MAXNAMELEN);
1066 	}
1067 
1068 	return (rc);
1069 }
1070 
1071 /*
1072  * smb_fsop_getdents
1073  *
1074  * All SMB functions should use this smb_vop_getdents wrapper to ensure that
1075  * the smb_vop_getdents is performed with the appropriate credentials.
1076  * Please document any direct call to smb_vop_getdents to explain the reason
1077  * for avoiding this wrapper.
1078  *
1079  * It is assumed that a reference exists on snode coming into this routine.
1080  */
1081 /*ARGSUSED*/
1082 int
1083 smb_fsop_getdents(
1084     struct smb_request *sr,
1085     cred_t *cr,
1086     smb_node_t *dir_snode,
1087     uint32_t *cookie,
1088     uint64_t *verifierp,
1089     int32_t	*maxcnt,
1090     char *args,
1091     char *pattern)
1092 {
1093 	int flags = 0;
1094 
1095 	ASSERT(cr);
1096 	ASSERT(dir_snode);
1097 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
1098 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1099 
1100 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
1101 		return (EACCES);
1102 
1103 	if (SMB_TREE_CASE_INSENSITIVE(sr))
1104 		flags = SMB_IGNORE_CASE;
1105 
1106 	return (smb_vop_getdents(dir_snode, cookie, 0, maxcnt, args, pattern,
1107 	    flags, sr, cr));
1108 }
1109 
1110 /*
1111  * smb_fsop_rename
1112  *
1113  * All SMB functions should use this smb_vop_rename wrapper to ensure that
1114  * the smb_vop_rename is performed with the appropriate credentials.
1115  * Please document any direct call to smb_vop_rename to explain the reason
1116  * for avoiding this wrapper.
1117  *
1118  * It is assumed that references exist on from_dir_snode and to_dir_snode coming
1119  * into this routine.
1120  */
1121 int
1122 smb_fsop_rename(
1123     smb_request_t *sr,
1124     cred_t *cr,
1125     smb_node_t *from_dir_snode,
1126     char *from_name,
1127     smb_node_t *to_dir_snode,
1128     char *to_name)
1129 {
1130 	smb_node_t *from_snode;
1131 	smb_attr_t tmp_attr;
1132 	vnode_t *from_vp;
1133 	int flags = 0;
1134 	int rc;
1135 
1136 	ASSERT(cr);
1137 	ASSERT(from_dir_snode);
1138 	ASSERT(from_dir_snode->n_magic == SMB_NODE_MAGIC);
1139 	ASSERT(from_dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1140 
1141 	ASSERT(to_dir_snode);
1142 	ASSERT(to_dir_snode->n_magic == SMB_NODE_MAGIC);
1143 	ASSERT(to_dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1144 
1145 	if (SMB_TREE_ROOT_FS(sr, from_dir_snode) == 0)
1146 		return (EACCES);
1147 
1148 	if (SMB_TREE_ROOT_FS(sr, to_dir_snode) == 0)
1149 		return (EACCES);
1150 
1151 	ASSERT(sr);
1152 	ASSERT(sr->tid_tree);
1153 	if (SMB_TREE_IS_READ_ONLY(sr))
1154 		return (EROFS);
1155 
1156 	/*
1157 	 * Note: There is no need to check SMB_TREE_CASE_INSENSITIVE(sr)
1158 	 * here.
1159 	 *
1160 	 * A case-sensitive rename is always done in this routine
1161 	 * because we are using the on-disk name from an earlier lookup.
1162 	 * If a mangled name was passed in by the caller (denoting a
1163 	 * deterministic lookup), then the exact file must be renamed
1164 	 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or
1165 	 * else the underlying file system might return a "first-match"
1166 	 * on this on-disk name, possibly resulting in the wrong file).
1167 	 */
1168 
1169 	/*
1170 	 * XXX: Lock required through smb_node_release() below?
1171 	 */
1172 
1173 	rc = smb_vop_lookup(from_dir_snode->vp, from_name, &from_vp, NULL, 0,
1174 	    NULL, cr);
1175 
1176 	if (rc != 0)
1177 		return (rc);
1178 
1179 	rc = smb_vop_rename(from_dir_snode->vp, from_name, to_dir_snode->vp,
1180 	    to_name, flags, cr);
1181 
1182 	if (rc == 0) {
1183 		from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name,
1184 		    from_dir_snode, NULL, &tmp_attr);
1185 
1186 		if (from_snode == NULL) {
1187 			VN_RELE(from_vp);
1188 			return (ENOMEM);
1189 		}
1190 
1191 		(void) smb_node_rename(from_dir_snode, from_snode, to_dir_snode,
1192 		    to_name);
1193 
1194 		smb_node_release(from_snode);
1195 	} else {
1196 		VN_RELE(from_vp);
1197 	}
1198 
1199 	/* XXX: unlock */
1200 
1201 	return (rc);
1202 }
1203 
1204 /*
1205  * smb_fsop_setattr
1206  *
1207  * All SMB functions should use this wrapper to ensure that
1208  * the the calls are performed with the appropriate credentials.
1209  * Please document any direct call to explain the reason
1210  * for avoiding this wrapper.
1211  *
1212  * It is assumed that a reference exists on snode coming into this routine.
1213  * A null smb_request might be passed to this function.
1214  */
1215 int
1216 smb_fsop_setattr(
1217     smb_request_t	*sr,
1218     cred_t		*cr,
1219     smb_node_t		*snode,
1220     smb_attr_t		*set_attr,
1221     smb_attr_t		*ret_attr)
1222 {
1223 	smb_node_t *unnamed_node;
1224 	vnode_t *unnamed_vp = NULL;
1225 	uint32_t status;
1226 	uint32_t access = 0;
1227 	int rc = 0;
1228 	int flags = 0;
1229 	boolean_t no_xvattr = B_FALSE;
1230 
1231 	ASSERT(cr);
1232 	ASSERT(snode);
1233 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1234 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1235 
1236 	if (SMB_TREE_ROOT_FS(sr, snode) == 0)
1237 		return (EACCES);
1238 
1239 	if (SMB_TREE_IS_READ_ONLY(sr))
1240 		return (EROFS);
1241 
1242 	/* sr could be NULL in some cases */
1243 	if (sr && sr->fid_ofile) {
1244 		/* if uid and/or gid is requested */
1245 		if (set_attr->sa_mask & (SMB_AT_UID|SMB_AT_GID))
1246 			access |= WRITE_OWNER;
1247 
1248 		/* if anything else is also requested */
1249 		if (set_attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID))
1250 			access |= FILE_WRITE_ATTRIBUTES;
1251 
1252 		status = smb_ofile_access(sr->fid_ofile, cr, access);
1253 		if (status != NT_STATUS_SUCCESS)
1254 			return (EACCES);
1255 
1256 		if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS)
1257 			flags = ATTR_NOACLCHECK;
1258 	}
1259 
1260 	unnamed_node = SMB_IS_STREAM(snode);
1261 
1262 	if (unnamed_node) {
1263 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1264 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1265 		unnamed_vp = unnamed_node->vp;
1266 	}
1267 	if (sr && sr->tid_tree)
1268 		if (sr->tid_tree->t_flags & SMB_TREE_FLAG_UFS)
1269 			no_xvattr = B_TRUE;
1270 
1271 	rc = smb_vop_setattr(snode->vp, unnamed_vp, set_attr, flags, cr,
1272 	    no_xvattr);
1273 
1274 	if ((rc == 0) && ret_attr) {
1275 		/*
1276 		 * Use kcred to update the node attr because this
1277 		 * call is not being made on behalf of the user.
1278 		 */
1279 		ret_attr->sa_mask = SMB_AT_ALL;
1280 		rc = smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0, kcred);
1281 		if (rc == 0)
1282 			snode->attr = *ret_attr;
1283 	}
1284 
1285 	return (rc);
1286 }
1287 
1288 /*
1289  * smb_fsop_read
1290  *
1291  * All SMB functions should use this wrapper to ensure that
1292  * the the calls are performed with the appropriate credentials.
1293  * Please document any direct call to explain the reason
1294  * for avoiding this wrapper.
1295  *
1296  * It is assumed that a reference exists on snode coming into this routine.
1297  */
1298 int
1299 smb_fsop_read(
1300     struct smb_request *sr,
1301     cred_t *cr,
1302     smb_node_t *snode,
1303     uio_t *uio,
1304     smb_attr_t *ret_attr)
1305 {
1306 	smb_node_t *unnamed_node;
1307 	vnode_t *unnamed_vp = NULL;
1308 	int svmand;
1309 	int rc;
1310 
1311 	ASSERT(cr);
1312 	ASSERT(snode);
1313 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1314 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1315 
1316 	ASSERT(sr);
1317 	ASSERT(sr->fid_ofile);
1318 
1319 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_READ_DATA);
1320 	if (rc != NT_STATUS_SUCCESS) {
1321 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_EXECUTE);
1322 		if (rc != NT_STATUS_SUCCESS)
1323 			return (EACCES);
1324 	}
1325 
1326 	unnamed_node = SMB_IS_STREAM(snode);
1327 	if (unnamed_node) {
1328 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1329 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1330 		unnamed_vp = unnamed_node->vp;
1331 		/*
1332 		 * Streams permission are checked against the unnamed stream,
1333 		 * but in FS level they have their own permissions. To avoid
1334 		 * rejection by FS due to lack of permission on the actual
1335 		 * extended attr kcred is passed for streams.
1336 		 */
1337 		cr = kcred;
1338 	}
1339 
1340 	smb_node_start_crit(snode, RW_READER);
1341 	rc = nbl_svmand(snode->vp, cr, &svmand);
1342 	if (rc) {
1343 		smb_node_end_crit(snode);
1344 		return (rc);
1345 	}
1346 
1347 	rc = nbl_lock_conflict(snode->vp, NBL_READ, uio->uio_loffset,
1348 	    uio->uio_iov->iov_len, svmand, &smb_ct);
1349 
1350 	if (rc) {
1351 		smb_node_end_crit(snode);
1352 		return (rc);
1353 	}
1354 	rc = smb_vop_read(snode->vp, uio, cr);
1355 
1356 	if (rc == 0 && ret_attr) {
1357 		/*
1358 		 * Use kcred to update the node attr because this
1359 		 * call is not being made on behalf of the user.
1360 		 */
1361 		ret_attr->sa_mask = SMB_AT_ALL;
1362 		if (smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0,
1363 		    kcred) == 0) {
1364 			snode->attr = *ret_attr;
1365 		}
1366 	}
1367 
1368 	smb_node_end_crit(snode);
1369 
1370 	return (rc);
1371 }
1372 
1373 /*
1374  * smb_fsop_write
1375  *
1376  * This is a wrapper function used for smb_write and smb_write_raw operations.
1377  *
1378  * It is assumed that a reference exists on snode coming into this routine.
1379  */
1380 int
1381 smb_fsop_write(
1382     smb_request_t *sr,
1383     cred_t *cr,
1384     smb_node_t *snode,
1385     uio_t *uio,
1386     uint32_t *lcount,
1387     smb_attr_t *ret_attr,
1388     uint32_t *flag)
1389 {
1390 	smb_node_t *unnamed_node;
1391 	vnode_t *unnamed_vp = NULL;
1392 	int svmand;
1393 	int rc;
1394 
1395 	ASSERT(cr);
1396 	ASSERT(snode);
1397 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1398 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1399 
1400 	ASSERT(sr);
1401 	ASSERT(sr->tid_tree);
1402 	ASSERT(sr->fid_ofile);
1403 
1404 	if (SMB_TREE_IS_READ_ONLY(sr))
1405 		return (EROFS);
1406 
1407 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_WRITE_DATA);
1408 	if (rc != NT_STATUS_SUCCESS) {
1409 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_APPEND_DATA);
1410 		if (rc != NT_STATUS_SUCCESS)
1411 			return (EACCES);
1412 	}
1413 
1414 	unnamed_node = SMB_IS_STREAM(snode);
1415 
1416 	if (unnamed_node) {
1417 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1418 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1419 		unnamed_vp = unnamed_node->vp;
1420 		/*
1421 		 * Streams permission are checked against the unnamed stream,
1422 		 * but in FS level they have their own permissions. To avoid
1423 		 * rejection by FS due to lack of permission on the actual
1424 		 * extended attr kcred is passed for streams.
1425 		 */
1426 		cr = kcred;
1427 	}
1428 
1429 	smb_node_start_crit(snode, RW_READER);
1430 	rc = nbl_svmand(snode->vp, cr, &svmand);
1431 	if (rc) {
1432 		smb_node_end_crit(snode);
1433 		return (rc);
1434 	}
1435 	rc = nbl_lock_conflict(snode->vp, NBL_WRITE, uio->uio_loffset,
1436 	    uio->uio_iov->iov_len, svmand, &smb_ct);
1437 
1438 	if (rc) {
1439 		smb_node_end_crit(snode);
1440 		return (rc);
1441 	}
1442 	rc = smb_vop_write(snode->vp, uio, flag, lcount, cr);
1443 
1444 	if (rc == 0 && ret_attr) {
1445 		/*
1446 		 * Use kcred to update the node attr because this
1447 		 * call is not being made on behalf of the user.
1448 		 */
1449 		ret_attr->sa_mask = SMB_AT_ALL;
1450 		if (smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0,
1451 		    kcred) == 0) {
1452 			snode->attr = *ret_attr;
1453 		}
1454 	}
1455 
1456 	smb_node_end_crit(snode);
1457 
1458 	return (rc);
1459 }
1460 
1461 /*
1462  * smb_fsop_statfs
1463  *
1464  * This is a wrapper function used for stat operations.
1465  */
1466 int
1467 smb_fsop_statfs(
1468     cred_t *cr,
1469     smb_node_t *snode,
1470     struct statvfs64 *statp)
1471 {
1472 	ASSERT(cr);
1473 	ASSERT(snode);
1474 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1475 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1476 
1477 	return (smb_vop_statfs(snode->vp, statp, cr));
1478 }
1479 
1480 /*
1481  * smb_fsop_access
1482  */
1483 int
1484 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1485     uint32_t faccess)
1486 {
1487 	int access = 0;
1488 	int error;
1489 	vnode_t *dir_vp;
1490 	boolean_t acl_check = B_TRUE;
1491 	smb_node_t *unnamed_node;
1492 
1493 	ASSERT(cr);
1494 	ASSERT(snode);
1495 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1496 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1497 
1498 	if (faccess == 0)
1499 		return (NT_STATUS_SUCCESS);
1500 
1501 	if (SMB_TREE_IS_READ_ONLY(sr)) {
1502 		if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA|
1503 		    FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES|
1504 		    DELETE|WRITE_DAC|WRITE_OWNER)) {
1505 			return (NT_STATUS_ACCESS_DENIED);
1506 		}
1507 	}
1508 
1509 	unnamed_node = SMB_IS_STREAM(snode);
1510 	if (unnamed_node) {
1511 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1512 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1513 		/*
1514 		 * Streams authorization should be performed against the
1515 		 * unnamed stream.
1516 		 */
1517 		snode = unnamed_node;
1518 	}
1519 
1520 	if (faccess & ACCESS_SYSTEM_SECURITY) {
1521 		/*
1522 		 * This permission is required for reading/writing SACL and
1523 		 * it's not part of DACL. It's only granted via proper
1524 		 * privileges.
1525 		 */
1526 		if ((sr->uid_user->u_privileges &
1527 		    (SMB_USER_PRIV_BACKUP |
1528 		    SMB_USER_PRIV_RESTORE |
1529 		    SMB_USER_PRIV_SECURITY)) == 0)
1530 			return (NT_STATUS_PRIVILEGE_NOT_HELD);
1531 
1532 		faccess &= ~ACCESS_SYSTEM_SECURITY;
1533 	}
1534 
1535 	/* Links don't have ACL */
1536 	if (((sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS) == 0) ||
1537 	    (snode->attr.sa_vattr.va_type == VLNK))
1538 		acl_check = B_FALSE;
1539 
1540 	if (acl_check) {
1541 		dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL;
1542 		error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp,
1543 		    cr);
1544 	} else {
1545 		/*
1546 		 * FS doesn't understand 32-bit mask, need to map
1547 		 */
1548 		if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA))
1549 			access |= VWRITE;
1550 
1551 		if (faccess & FILE_READ_DATA)
1552 			access |= VREAD;
1553 
1554 		if (faccess & FILE_EXECUTE)
1555 			access |= VEXEC;
1556 
1557 		error = smb_vop_access(snode->vp, access, 0, NULL, cr);
1558 	}
1559 
1560 	return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS);
1561 }
1562 
1563 /*
1564  * smb_fsop_lookup_name()
1565  *
1566  * Sanity checks on dir_snode done in smb_fsop_lookup().
1567  *
1568  * Note: This function is called only from the open path.
1569  * It will check if the file is a stream.
1570  * It will also return an error if the looked-up file is in
1571  * a child mount.
1572  */
1573 
1574 int
1575 smb_fsop_lookup_name(
1576     smb_request_t *sr,
1577     cred_t	*cr,
1578     int		flags,
1579     smb_node_t	*root_node,
1580     smb_node_t	*dir_snode,
1581     char	*name,
1582     smb_node_t	**ret_snode,
1583     smb_attr_t	*ret_attr)
1584 {
1585 	smb_node_t	*fnode;
1586 	smb_attr_t	file_attr;
1587 	vnode_t		*xattrdirvp;
1588 	vnode_t		*vp;
1589 	char		*od_name;
1590 	char		*fname;
1591 	char		*sname;
1592 	int		rc;
1593 
1594 	ASSERT(cr);
1595 	ASSERT(dir_snode);
1596 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
1597 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1598 
1599 	/*
1600 	 * The following check is required for streams processing, below
1601 	 */
1602 
1603 	if (SMB_TREE_CASE_INSENSITIVE(sr))
1604 		flags |= SMB_IGNORE_CASE;
1605 
1606 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1607 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1608 
1609 	if (smb_stream_parse_name(name, fname, sname)) {
1610 		/*
1611 		 * Look up the unnamed stream (i.e. fname).
1612 		 * Unmangle processing will be done on fname
1613 		 * as well as any link target.
1614 		 */
1615 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dir_snode, fname,
1616 		    &fnode, &file_attr, NULL, NULL);
1617 
1618 		if (rc != 0) {
1619 			kmem_free(fname, MAXNAMELEN);
1620 			kmem_free(sname, MAXNAMELEN);
1621 			return (rc);
1622 		}
1623 
1624 		od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1625 
1626 		/*
1627 		 * od_name is the on-disk name of the stream, except
1628 		 * without the prepended stream prefix (SMB_STREAM_PREFIX)
1629 		 */
1630 
1631 		/*
1632 		 * XXX
1633 		 * What permissions NTFS requires for stream lookup if any?
1634 		 */
1635 		rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name,
1636 		    &xattrdirvp, flags, root_node->vp, cr);
1637 
1638 		if (rc != 0) {
1639 			smb_node_release(fnode);
1640 			kmem_free(fname, MAXNAMELEN);
1641 			kmem_free(sname, MAXNAMELEN);
1642 			kmem_free(od_name, MAXNAMELEN);
1643 			return (rc);
1644 		}
1645 
1646 		*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
1647 		    vp, od_name, ret_attr);
1648 
1649 		kmem_free(od_name, MAXNAMELEN);
1650 		smb_node_release(fnode);
1651 
1652 		if (*ret_snode == NULL) {
1653 			VN_RELE(xattrdirvp);
1654 			VN_RELE(vp);
1655 			kmem_free(fname, MAXNAMELEN);
1656 			kmem_free(sname, MAXNAMELEN);
1657 			return (ENOMEM);
1658 		}
1659 	} else {
1660 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dir_snode, name,
1661 		    ret_snode, ret_attr, NULL, NULL);
1662 	}
1663 
1664 	if (rc == 0) {
1665 		ASSERT(ret_snode);
1666 		if (SMB_TREE_ROOT_FS(sr, *ret_snode) == 0) {
1667 			smb_node_release(*ret_snode);
1668 			*ret_snode = NULL;
1669 			rc = EACCES;
1670 		}
1671 	}
1672 
1673 	kmem_free(fname, MAXNAMELEN);
1674 	kmem_free(sname, MAXNAMELEN);
1675 
1676 	return (rc);
1677 }
1678 
1679 /*
1680  * smb_fsop_lookup
1681  *
1682  * All SMB functions should use this smb_vop_lookup wrapper to ensure that
1683  * the smb_vop_lookup is performed with the appropriate credentials and using
1684  * case insensitive compares. Please document any direct call to smb_vop_lookup
1685  * to explain the reason for avoiding this wrapper.
1686  *
1687  * It is assumed that a reference exists on dir_snode coming into this routine
1688  * (and that it is safe from deallocation).
1689  *
1690  * Same with the root_node.
1691  *
1692  * *ret_snode is returned with a reference upon success.  No reference is
1693  * taken if an error is returned.
1694  *
1695  * Note: The returned ret_snode may be in a child mount.  This is ok for
1696  * readdir and getdents.
1697  *
1698  * Other smb_fsop_* routines will call SMB_TREE_ROOT_FS() to prevent
1699  * operations on files not in the parent mount.
1700  */
1701 int
1702 smb_fsop_lookup(
1703     smb_request_t *sr,
1704     cred_t	*cr,
1705     int		flags,
1706     smb_node_t	*root_node,
1707     smb_node_t	*dir_snode,
1708     char	*name,
1709     smb_node_t	**ret_snode,
1710     smb_attr_t	*ret_attr,
1711     char	*ret_shortname, /* Must be at least MANGLE_NAMELEN chars */
1712     char	*ret_name83)    /* Must be at least MANGLE_NAMELEN chars */
1713 {
1714 	smb_node_t *lnk_target_node;
1715 	smb_node_t *lnk_dnode;
1716 	char *longname;
1717 	char *od_name;
1718 	vnode_t *vp;
1719 	int rc;
1720 
1721 	ASSERT(cr);
1722 	ASSERT(dir_snode);
1723 	ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC);
1724 	ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING);
1725 
1726 	if (name == NULL)
1727 		return (EINVAL);
1728 
1729 	if (SMB_TREE_ROOT_FS(sr, dir_snode) == 0)
1730 		return (EACCES);
1731 
1732 	if (SMB_TREE_CASE_INSENSITIVE(sr))
1733 		flags |= SMB_IGNORE_CASE;
1734 
1735 	od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1736 
1737 	rc = smb_vop_lookup(dir_snode->vp, name, &vp, od_name, flags,
1738 	    root_node ? root_node->vp : NULL, cr);
1739 
1740 	if (rc != 0) {
1741 		if (smb_maybe_mangled_name(name) == 0) {
1742 			kmem_free(od_name, MAXNAMELEN);
1743 			return (rc);
1744 		}
1745 
1746 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1747 
1748 		rc = smb_unmangle_name(sr, cr, dir_snode, name, longname,
1749 		    MAXNAMELEN, ret_shortname, ret_name83, 1);
1750 
1751 		if (rc != 0) {
1752 			kmem_free(od_name, MAXNAMELEN);
1753 			kmem_free(longname, MAXNAMELEN);
1754 			return (rc);
1755 		}
1756 
1757 		/*
1758 		 * We passed "1" as the "od" parameter
1759 		 * to smb_unmangle_name(), such that longname
1760 		 * is the real (case-sensitive) on-disk name.
1761 		 * We make sure we do a lookup on this exact
1762 		 * name, as the name was mangled and denotes
1763 		 * a unique file.
1764 		 */
1765 
1766 		if (flags & SMB_IGNORE_CASE)
1767 			flags &= ~SMB_IGNORE_CASE;
1768 
1769 		rc = smb_vop_lookup(dir_snode->vp, longname, &vp, od_name,
1770 		    flags, root_node ? root_node->vp : NULL, cr);
1771 
1772 		kmem_free(longname, MAXNAMELEN);
1773 
1774 		if (rc != 0) {
1775 			kmem_free(od_name, MAXNAMELEN);
1776 			return (rc);
1777 		}
1778 	}
1779 
1780 	if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK)) {
1781 
1782 		rc = smb_pathname(sr, od_name, FOLLOW, root_node, dir_snode,
1783 		    &lnk_dnode, &lnk_target_node, cr);
1784 
1785 		if (rc != 0) {
1786 			/*
1787 			 * The link is assumed to be for the last component
1788 			 * of a path.  Hence any ENOTDIR error will be returned
1789 			 * as ENOENT.
1790 			 */
1791 			if (rc == ENOTDIR)
1792 				rc = ENOENT;
1793 
1794 			VN_RELE(vp);
1795 			kmem_free(od_name, MAXNAMELEN);
1796 			return (rc);
1797 		}
1798 
1799 		/*
1800 		 * Release the original VLNK vnode
1801 		 */
1802 
1803 		VN_RELE(vp);
1804 		vp = lnk_target_node->vp;
1805 
1806 		rc = smb_vop_traverse_check(&vp);
1807 
1808 		if (rc != 0) {
1809 			smb_node_release(lnk_dnode);
1810 			smb_node_release(lnk_target_node);
1811 			kmem_free(od_name, MAXNAMELEN);
1812 			return (rc);
1813 		}
1814 
1815 		/*
1816 		 * smb_vop_traverse_check() may have returned a different vnode
1817 		 */
1818 
1819 		if (lnk_target_node->vp == vp) {
1820 			*ret_snode = lnk_target_node;
1821 			*ret_attr = (*ret_snode)->attr;
1822 		} else {
1823 			*ret_snode = smb_node_lookup(sr, NULL, cr, vp,
1824 			    lnk_target_node->od_name, lnk_dnode, NULL,
1825 			    ret_attr);
1826 
1827 			if (*ret_snode == NULL) {
1828 				VN_RELE(vp);
1829 				rc = ENOMEM;
1830 			}
1831 			smb_node_release(lnk_target_node);
1832 		}
1833 
1834 		smb_node_release(lnk_dnode);
1835 
1836 	} else {
1837 
1838 		rc = smb_vop_traverse_check(&vp);
1839 		if (rc) {
1840 			VN_RELE(vp);
1841 			kmem_free(od_name, MAXNAMELEN);
1842 			return (rc);
1843 		}
1844 
1845 		*ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name,
1846 		    dir_snode, NULL, ret_attr);
1847 
1848 		if (*ret_snode == NULL) {
1849 			VN_RELE(vp);
1850 			rc = ENOMEM;
1851 		}
1852 	}
1853 
1854 	kmem_free(od_name, MAXNAMELEN);
1855 	return (rc);
1856 }
1857 
1858 /*
1859  * smb_fsop_stream_readdir()
1860  *
1861  * ret_snode and ret_attr are optional parameters (i.e. NULL may be passed in)
1862  *
1863  * This routine will return only NTFS streams.  If an NTFS stream is not
1864  * found at the offset specified, the directory will be read until an NTFS
1865  * stream is found or until EOF.
1866  *
1867  * Note: Sanity checks done in caller
1868  * (smb_fsop_readdir(), smb_fsop_remove_streams())
1869  */
1870 
1871 int
1872 smb_fsop_stream_readdir(smb_request_t *sr, cred_t *cr, smb_node_t *fnode,
1873     uint32_t *cookiep, struct fs_stream_info *stream_info,
1874     smb_node_t **ret_snode, smb_attr_t *ret_attr)
1875 {
1876 	smb_node_t *ret_snodep = NULL;
1877 	smb_attr_t tmp_attr;
1878 	vnode_t *xattrdirvp;
1879 	vnode_t *vp;
1880 	int rc = 0;
1881 	int flags = 0;
1882 
1883 	/*
1884 	 * XXX NTFS permission requirements if any?
1885 	 */
1886 	ASSERT(cr);
1887 	ASSERT(fnode);
1888 	ASSERT(fnode->n_magic == SMB_NODE_MAGIC);
1889 	ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING);
1890 
1891 	if (SMB_TREE_CASE_INSENSITIVE(sr))
1892 		flags = SMB_IGNORE_CASE;
1893 
1894 	rc = smb_vop_stream_readdir(fnode->vp, cookiep, stream_info, &vp,
1895 	    &xattrdirvp, flags, cr);
1896 
1897 	if ((rc != 0) || *cookiep == SMB_EOF)
1898 		return (rc);
1899 
1900 	ret_snodep = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp, vp,
1901 	    stream_info->name, &tmp_attr);
1902 
1903 	if (ret_snodep == NULL) {
1904 		VN_RELE(xattrdirvp);
1905 		VN_RELE(vp);
1906 		return (ENOMEM);
1907 	}
1908 
1909 	stream_info->size = tmp_attr.sa_vattr.va_size;
1910 
1911 	if (ret_attr)
1912 		*ret_attr = tmp_attr;
1913 
1914 	if (ret_snode)
1915 		*ret_snode = ret_snodep;
1916 	else
1917 		smb_node_release(ret_snodep);
1918 
1919 	return (rc);
1920 }
1921 
1922 int /*ARGSUSED*/
1923 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode)
1924 {
1925 	ASSERT(cr);
1926 	ASSERT(snode);
1927 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1928 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1929 
1930 	ASSERT(sr);
1931 	ASSERT(sr->tid_tree);
1932 	if (SMB_TREE_IS_READ_ONLY(sr))
1933 		return (EROFS);
1934 
1935 	return (smb_vop_commit(snode->vp, cr));
1936 }
1937 
1938 /*
1939  * smb_fsop_aclread
1940  *
1941  * Retrieve filesystem ACL. Depends on requested ACLs in
1942  * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in
1943  * fs_sd. Note that requesting a DACL/SACL doesn't mean that
1944  * the corresponding field in fs_sd should be non-NULL upon
1945  * return, since the target ACL might not contain that type of
1946  * entries.
1947  *
1948  * Returned ACL is always in ACE_T (aka ZFS) format.
1949  * If successful the allocated memory for the ACL should be freed
1950  * using smb_fsacl_free() or smb_fssd_term()
1951  */
1952 int
1953 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1954     smb_fssd_t *fs_sd)
1955 {
1956 	int error = 0;
1957 	int flags = 0;
1958 	int access = 0;
1959 	acl_t *acl;
1960 	smb_node_t *unnamed_node;
1961 
1962 	ASSERT(cr);
1963 
1964 	if (sr->fid_ofile) {
1965 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
1966 			access = READ_CONTROL;
1967 
1968 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
1969 			access |= ACCESS_SYSTEM_SECURITY;
1970 
1971 		error = smb_ofile_access(sr->fid_ofile, cr, access);
1972 		if (error != NT_STATUS_SUCCESS) {
1973 			return (EACCES);
1974 		}
1975 	}
1976 
1977 	unnamed_node = SMB_IS_STREAM(snode);
1978 	if (unnamed_node) {
1979 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1980 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1981 		/*
1982 		 * Streams don't have ACL, any read ACL attempt on a stream
1983 		 * should be performed on the unnamed stream.
1984 		 */
1985 		snode = unnamed_node;
1986 	}
1987 
1988 	if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS)
1989 		flags = ATTR_NOACLCHECK;
1990 
1991 	error = smb_vop_acl_read(snode->vp, &acl, flags,
1992 	    sr->tid_tree->t_acltype, cr);
1993 	if (error != 0) {
1994 		return (error);
1995 	}
1996 
1997 	error = acl_translate(acl, _ACL_ACE_ENABLED,
1998 	    (snode->vp->v_type == VDIR), fs_sd->sd_uid, fs_sd->sd_gid);
1999 
2000 	if (error == 0) {
2001 		smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl,
2002 		    fs_sd->sd_secinfo);
2003 	}
2004 
2005 	acl_free(acl);
2006 	return (error);
2007 }
2008 
2009 /*
2010  * smb_fsop_aclwrite
2011  *
2012  * Stores the filesystem ACL provided in fs_sd->sd_acl.
2013  */
2014 int
2015 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2016     smb_fssd_t *fs_sd)
2017 {
2018 	int target_flavor;
2019 	int error = 0;
2020 	int flags = 0;
2021 	int access = 0;
2022 	acl_t *acl, *dacl, *sacl;
2023 	smb_node_t *unnamed_node;
2024 
2025 	ASSERT(cr);
2026 
2027 	ASSERT(sr);
2028 	ASSERT(sr->tid_tree);
2029 	if (SMB_TREE_IS_READ_ONLY(sr))
2030 		return (EROFS);
2031 
2032 	if (sr->fid_ofile) {
2033 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2034 			access = WRITE_DAC;
2035 
2036 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2037 			access |= ACCESS_SYSTEM_SECURITY;
2038 
2039 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2040 		if (error != NT_STATUS_SUCCESS)
2041 			return (EACCES);
2042 	}
2043 
2044 	switch (sr->tid_tree->t_acltype) {
2045 	case ACLENT_T:
2046 		target_flavor = _ACL_ACLENT_ENABLED;
2047 		break;
2048 
2049 	case ACE_T:
2050 		target_flavor = _ACL_ACE_ENABLED;
2051 		break;
2052 	default:
2053 		return (EINVAL);
2054 	}
2055 
2056 	unnamed_node = SMB_IS_STREAM(snode);
2057 	if (unnamed_node) {
2058 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
2059 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
2060 		/*
2061 		 * Streams don't have ACL, any write ACL attempt on a stream
2062 		 * should be performed on the unnamed stream.
2063 		 */
2064 		snode = unnamed_node;
2065 	}
2066 
2067 	dacl = fs_sd->sd_zdacl;
2068 	sacl = fs_sd->sd_zsacl;
2069 
2070 	ASSERT(dacl || sacl);
2071 	if ((dacl == NULL) && (sacl == NULL))
2072 		return (EINVAL);
2073 
2074 	if (dacl && sacl)
2075 		acl = smb_fsacl_merge(dacl, sacl);
2076 	else if (dacl)
2077 		acl = dacl;
2078 	else
2079 		acl = sacl;
2080 
2081 	error = acl_translate(acl, target_flavor, (snode->vp->v_type == VDIR),
2082 	    fs_sd->sd_uid, fs_sd->sd_gid);
2083 	if (error == 0) {
2084 		if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS)
2085 			flags = ATTR_NOACLCHECK;
2086 
2087 		error = smb_vop_acl_write(snode->vp, acl, flags, cr);
2088 	}
2089 
2090 	if (dacl && sacl)
2091 		acl_free(acl);
2092 
2093 	return (error);
2094 }
2095 
2096 acl_type_t
2097 smb_fsop_acltype(smb_node_t *snode)
2098 {
2099 	return (smb_vop_acl_type(snode->vp));
2100 }
2101 
2102 /*
2103  * smb_fsop_sdread
2104  *
2105  * Read the requested security descriptor items from filesystem.
2106  * The items are specified in fs_sd->sd_secinfo.
2107  */
2108 int
2109 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2110     smb_fssd_t *fs_sd)
2111 {
2112 	int error = 0;
2113 	int getowner = 0;
2114 	cred_t *ga_cred;
2115 	smb_attr_t attr;
2116 
2117 	ASSERT(cr);
2118 	ASSERT(fs_sd);
2119 
2120 	/*
2121 	 * File's uid/gid is fetched in two cases:
2122 	 *
2123 	 * 1. it's explicitly requested
2124 	 *
2125 	 * 2. target ACL is ACE_T (ZFS ACL). They're needed for
2126 	 *    owner@/group@ entries. In this case kcred should be used
2127 	 *    because uid/gid are fetched on behalf of smb server.
2128 	 */
2129 	if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) {
2130 		getowner = 1;
2131 		ga_cred = cr;
2132 	} else if (sr->tid_tree->t_acltype == ACE_T) {
2133 		getowner = 1;
2134 		ga_cred = kcred;
2135 	}
2136 
2137 	if (getowner) {
2138 		/*
2139 		 * Windows require READ_CONTROL to read owner/group SID since
2140 		 * they're part of Security Descriptor.
2141 		 * ZFS only requires read_attribute. Need to have a explicit
2142 		 * access check here.
2143 		 */
2144 		if (sr->fid_ofile == NULL) {
2145 			error = smb_fsop_access(sr, ga_cred, snode,
2146 			    READ_CONTROL);
2147 			if (error)
2148 				return (error);
2149 		}
2150 
2151 		attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2152 		error = smb_fsop_getattr(sr, ga_cred, snode, &attr);
2153 		if (error == 0) {
2154 			fs_sd->sd_uid = attr.sa_vattr.va_uid;
2155 			fs_sd->sd_gid = attr.sa_vattr.va_gid;
2156 		} else {
2157 			return (error);
2158 		}
2159 	}
2160 
2161 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2162 		error = smb_fsop_aclread(sr, cr, snode, fs_sd);
2163 	}
2164 
2165 	return (error);
2166 }
2167 
2168 /*
2169  * smb_fsop_sdmerge
2170  *
2171  * From SMB point of view DACL and SACL are two separate list
2172  * which can be manipulated independently without one affecting
2173  * the other, but entries for both DACL and SACL will end up
2174  * in the same ACL if target filesystem supports ACE_T ACLs.
2175  *
2176  * So, if either DACL or SACL is present in the client set request
2177  * the entries corresponding to the non-present ACL shouldn't
2178  * be touched in the FS ACL.
2179  *
2180  * fs_sd parameter contains DACL and SACL specified by SMB
2181  * client to be set on a file/directory. The client could
2182  * specify both or one of these ACLs (if none is specified
2183  * we don't get this far). When both DACL and SACL are given
2184  * by client the existing ACL should be overwritten. If only
2185  * one of them is specified the entries corresponding to the other
2186  * ACL should not be touched. For example, if only DACL
2187  * is specified in input fs_sd, the function reads audit entries
2188  * of the existing ACL of the file and point fs_sd->sd_zsdacl
2189  * pointer to the fetched SACL, this way when smb_fsop_sdwrite()
2190  * function is called the passed fs_sd would point to the specified
2191  * DACL by client and fetched SACL from filesystem, so the file
2192  * will end up with correct ACL.
2193  */
2194 static int
2195 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd)
2196 {
2197 	smb_fssd_t cur_sd;
2198 	int error = 0;
2199 
2200 	if (sr->tid_tree->t_acltype != ACE_T)
2201 		/* Don't bother if target FS doesn't support ACE_T */
2202 		return (0);
2203 
2204 	if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) {
2205 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) {
2206 			/*
2207 			 * Don't overwrite existing audit entries
2208 			 */
2209 			smb_fssd_init(&cur_sd, SMB_SACL_SECINFO,
2210 			    fs_sd->sd_flags);
2211 
2212 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2213 			if (error == 0) {
2214 				ASSERT(fs_sd->sd_zsacl == NULL);
2215 				fs_sd->sd_zsacl = cur_sd.sd_zsacl;
2216 				if (fs_sd->sd_zsacl && fs_sd->sd_zdacl)
2217 					fs_sd->sd_zsacl->acl_flags =
2218 					    fs_sd->sd_zdacl->acl_flags;
2219 			}
2220 		} else {
2221 			/*
2222 			 * Don't overwrite existing access entries
2223 			 */
2224 			smb_fssd_init(&cur_sd, SMB_DACL_SECINFO,
2225 			    fs_sd->sd_flags);
2226 
2227 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2228 			if (error == 0) {
2229 				ASSERT(fs_sd->sd_zdacl == NULL);
2230 				fs_sd->sd_zdacl = cur_sd.sd_zdacl;
2231 				if (fs_sd->sd_zdacl && fs_sd->sd_zsacl)
2232 					fs_sd->sd_zdacl->acl_flags =
2233 					    fs_sd->sd_zsacl->acl_flags;
2234 			}
2235 		}
2236 
2237 		if (error)
2238 			smb_fssd_term(&cur_sd);
2239 	}
2240 
2241 	return (error);
2242 }
2243 
2244 /*
2245  * smb_fsop_sdwrite
2246  *
2247  * Stores the given uid, gid and acl in filesystem.
2248  * Provided items in fs_sd are specified by fs_sd->sd_secinfo.
2249  *
2250  * A SMB security descriptor could contain owner, primary group,
2251  * DACL and SACL. Setting an SD should be atomic but here it has to
2252  * be done via two separate FS operations: VOP_SETATTR and
2253  * VOP_SETSECATTR. Therefore, this function has to simulate the
2254  * atomicity as well as it can.
2255  */
2256 int
2257 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2258     smb_fssd_t *fs_sd, int overwrite)
2259 {
2260 	int error = 0;
2261 	int access = 0;
2262 	smb_attr_t set_attr;
2263 	smb_attr_t orig_attr;
2264 
2265 	ASSERT(cr);
2266 	ASSERT(fs_sd);
2267 
2268 	ASSERT(sr);
2269 	ASSERT(sr->tid_tree);
2270 	if (SMB_TREE_IS_READ_ONLY(sr))
2271 		return (EROFS);
2272 
2273 	bzero(&set_attr, sizeof (smb_attr_t));
2274 
2275 	if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
2276 		set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
2277 		set_attr.sa_mask |= SMB_AT_UID;
2278 	}
2279 
2280 	if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
2281 		set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
2282 		set_attr.sa_mask |= SMB_AT_GID;
2283 	}
2284 
2285 	if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2286 		access |= WRITE_DAC;
2287 
2288 	if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2289 		access |= ACCESS_SYSTEM_SECURITY;
2290 
2291 	if (sr->fid_ofile)
2292 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2293 	else
2294 		error = smb_fsop_access(sr, cr, snode, access);
2295 
2296 	if (error)
2297 		return (EACCES);
2298 
2299 	if (set_attr.sa_mask) {
2300 		/*
2301 		 * Get the current uid, gid so if smb_fsop_aclwrite fails
2302 		 * we can revert uid, gid changes.
2303 		 *
2304 		 * We use root cred here so the operation doesn't fail
2305 		 * due to lack of permission for the user to read the attrs
2306 		 */
2307 
2308 		orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2309 		error = smb_fsop_getattr(sr, kcred, snode, &orig_attr);
2310 		if (error == 0)
2311 			error = smb_fsop_setattr(sr, cr, snode, &set_attr,
2312 			    NULL);
2313 
2314 		if (error)
2315 			return (error);
2316 	}
2317 
2318 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2319 		if (overwrite == 0) {
2320 			error = smb_fsop_sdmerge(sr, snode, fs_sd);
2321 			if (error)
2322 				return (error);
2323 		}
2324 
2325 		error = smb_fsop_aclwrite(sr, cr, snode, fs_sd);
2326 		if (error) {
2327 			/*
2328 			 * Revert uid/gid changes if required.
2329 			 */
2330 			if (set_attr.sa_mask) {
2331 				orig_attr.sa_mask = set_attr.sa_mask;
2332 				(void) smb_fsop_setattr(sr, kcred, snode,
2333 				    &orig_attr, NULL);
2334 			}
2335 		}
2336 	}
2337 
2338 	return (error);
2339 }
2340 
2341 /*
2342  * smb_fsop_sdinherit
2343  *
2344  * Inherit the security descriptor from the parent container.
2345  * This function is called after FS has created the file/folder
2346  * so if this doesn't do anything it means FS inheritance is
2347  * in place.
2348  *
2349  * Do inheritance for ZFS internally.
2350  *
2351  * If we want to let ZFS does the inheritance the
2352  * following setting should be true:
2353  *
2354  *  - aclinherit = passthrough
2355  *  - aclmode = passthrough
2356  *  - smbd umask = 0777
2357  *
2358  * This will result in right effective permissions but
2359  * ZFS will always add 6 ACEs for owner, owning group
2360  * and others to be POSIX compliant. This is not what
2361  * Windows clients/users expect, so we decided that CIFS
2362  * implements Windows rules and overwrite whatever ZFS
2363  * comes up with. This way we also don't have to care
2364  * about ZFS aclinherit and aclmode settings.
2365  */
2366 static int
2367 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd)
2368 {
2369 	int is_dir;
2370 	acl_t *dacl = NULL;
2371 	acl_t *sacl = NULL;
2372 	ksid_t *owner_sid;
2373 	int error;
2374 
2375 	ASSERT(fs_sd);
2376 
2377 	if (sr->tid_tree->t_acltype != ACE_T) {
2378 		/*
2379 		 * No forced inheritance for non-ZFS filesystems.
2380 		 */
2381 		fs_sd->sd_secinfo = 0;
2382 		return (0);
2383 	}
2384 
2385 
2386 	/* Fetch parent directory's ACL */
2387 	error = smb_fsop_sdread(sr, kcred, dnode, fs_sd);
2388 	if (error) {
2389 		return (error);
2390 	}
2391 
2392 	is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR);
2393 	owner_sid = crgetsid(sr->user_cr, KSID_OWNER);
2394 	ASSERT(owner_sid);
2395 	dacl = smb_fsacl_inherit(fs_sd->sd_zdacl, is_dir, SMB_DACL_SECINFO,
2396 	    owner_sid->ks_id);
2397 	sacl = smb_fsacl_inherit(fs_sd->sd_zsacl, is_dir, SMB_SACL_SECINFO,
2398 	    (uid_t)-1);
2399 
2400 	if (sacl == NULL)
2401 		fs_sd->sd_secinfo &= ~SMB_SACL_SECINFO;
2402 
2403 	smb_fsacl_free(fs_sd->sd_zdacl);
2404 	smb_fsacl_free(fs_sd->sd_zsacl);
2405 
2406 	fs_sd->sd_zdacl = dacl;
2407 	fs_sd->sd_zsacl = sacl;
2408 
2409 	return (0);
2410 }
2411 
2412 /*
2413  * smb_fsop_eaccess
2414  *
2415  * Returns the effective permission of the given credential for the
2416  * specified object.
2417  *
2418  * This is just a workaround. We need VFS/FS support for this.
2419  */
2420 void
2421 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2422     uint32_t *eaccess)
2423 {
2424 	int access = 0;
2425 	vnode_t *dir_vp;
2426 	smb_node_t *unnamed_node;
2427 
2428 	ASSERT(cr);
2429 	ASSERT(snode);
2430 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
2431 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
2432 
2433 	unnamed_node = SMB_IS_STREAM(snode);
2434 	if (unnamed_node) {
2435 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
2436 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
2437 		/*
2438 		 * Streams authorization should be performed against the
2439 		 * unnamed stream.
2440 		 */
2441 		snode = unnamed_node;
2442 	}
2443 
2444 	if (sr->tid_tree->t_flags & SMB_TREE_FLAG_ACEMASKONACCESS) {
2445 		dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL;
2446 		smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp,
2447 		    cr);
2448 		return;
2449 	}
2450 
2451 	/*
2452 	 * FS doesn't understand 32-bit mask
2453 	 */
2454 	smb_vop_eaccess(snode->vp, &access, 0, NULL, cr);
2455 
2456 	*eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES;
2457 
2458 	if (access & VREAD)
2459 		*eaccess |= FILE_READ_DATA;
2460 
2461 	if (access & VEXEC)
2462 		*eaccess |= FILE_EXECUTE;
2463 
2464 	if (access & VWRITE)
2465 		*eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES |
2466 		    FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD;
2467 }
2468 
2469 /*
2470  * smb_fsop_shrlock
2471  *
2472  * For the current open request, check file sharing rules
2473  * against existing opens.
2474  *
2475  * Returns NT_STATUS_SHARING_VIOLATION if there is any
2476  * sharing conflict.  Returns NT_STATUS_SUCCESS otherwise.
2477  *
2478  * Full system-wide share reservation synchronization is available
2479  * when the nbmand (non-blocking mandatory) mount option is set
2480  * (i.e. nbl_need_crit() is true) and nbmand critical regions are used.
2481  * This provides synchronization with NFS and local processes.  The
2482  * critical regions are entered in VOP_SHRLOCK()/fs_shrlock() (called
2483  * from smb_open_subr()/smb_fsop_shrlock()/smb_vop_shrlock()) as well
2484  * as the CIFS rename and delete paths.
2485  *
2486  * The CIFS server will also enter the nbl critical region in the open,
2487  * rename, and delete paths when nbmand is not set.  There is limited
2488  * coordination with local and VFS share reservations in this case.
2489  * Note that when the nbmand mount option is not set, the VFS layer
2490  * only processes advisory reservations and the delete mode is not checked.
2491  *
2492  * Whether or not the nbmand mount option is set, intra-CIFS share
2493  * checking is done in the open, delete, and rename paths using a CIFS
2494  * critical region (node->n_share_lock).
2495  */
2496 
2497 uint32_t
2498 smb_fsop_shrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid,
2499     uint32_t desired_access, uint32_t share_access)
2500 {
2501 	int rc;
2502 
2503 	if (node->attr.sa_vattr.va_type == VDIR)
2504 		return (NT_STATUS_SUCCESS);
2505 
2506 	/* Allow access if the request is just for meta data */
2507 	if ((desired_access & FILE_DATA_ALL) == 0)
2508 		return (NT_STATUS_SUCCESS);
2509 
2510 	rc = smb_node_open_check(node, cr, desired_access, share_access);
2511 	if (rc)
2512 		return (NT_STATUS_SHARING_VIOLATION);
2513 
2514 	rc = smb_vop_shrlock(node->vp, uniq_fid, desired_access, share_access,
2515 	    cr);
2516 	if (rc)
2517 		return (NT_STATUS_SHARING_VIOLATION);
2518 
2519 	return (NT_STATUS_SUCCESS);
2520 }
2521 
2522 void
2523 smb_fsop_unshrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid)
2524 {
2525 	if (node->attr.sa_vattr.va_type == VDIR)
2526 		return;
2527 
2528 	(void) smb_vop_unshrlock(node->vp, uniq_fid, cr);
2529 }
2530 
2531 /*
2532  * smb_fsop_frlock_callback
2533  *
2534  * smb wrapper function for fs_frlock
2535  * this should never happen, as we are not attempting
2536  * to set Mandatory Locks, cmd = F_SETLK_NBMAND
2537  *
2538  */
2539 
2540 static callb_cpr_t *
2541 /* ARGSUSED */
2542 smb_fsop_frlock_callback(flk_cb_when_t when, void *error)
2543 {
2544 	return (0);
2545 }
2546 
2547 /*
2548  * smb_fs_frlock
2549  *
2550  * smb wrapper function for fs_frlock
2551  */
2552 
2553 int
2554 smb_fsop_frlock(smb_request_t *sr, smb_node_t *node, smb_lock_t *lock,
2555     boolean_t unlock)
2556 {
2557 	vnode_t		*vp;
2558 	flock64_t	bf;
2559 	cred_t		*cr;
2560 	int		cmd;
2561 	flk_callback_t	flk_cb;
2562 	offset_t	offset = 0;
2563 	int		flag;
2564 	int		error;
2565 	int		i;
2566 
2567 	flk_init_callback(&flk_cb, smb_fsop_frlock_callback, &error);
2568 	cr = sr->user_cr;
2569 	vp = node->vp;
2570 	cmd = F_SETLK;
2571 
2572 	if (unlock == B_TRUE) {
2573 		bf.l_type = F_UNLCK;
2574 		flag = 0;
2575 	} else if (lock->l_type == SMB_LOCK_TYPE_READONLY) {
2576 		bf.l_type = F_RDLCK;
2577 		flag = FREAD;
2578 	} else if (lock->l_type == SMB_LOCK_TYPE_READWRITE) {
2579 		bf.l_type = F_WRLCK;
2580 		flag = FWRITE;
2581 	}
2582 
2583 	bf.l_start = lock->l_start;
2584 	bf.l_len = lock->l_length;
2585 	bf.l_whence = 0;  /* SEEK_SET */
2586 	bf.l_pid = lock->l_pid;
2587 	bf.l_sysid = 0;
2588 
2589 	for (i = 0; i < 4; i++)
2590 		bf.l_pad[i] = 0;
2591 
2592 	error = fs_frlock(vp, cmd, &bf, flag, offset, &flk_cb, cr, &smb_ct);
2593 	return (error);
2594 }
2595