xref: /titanic_50/usr/src/uts/common/fs/smbsrv/smb_fsops.c (revision 5e1c72e1529d41fe7e1babf69acebeed897f9610)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/sid.h>
27 #include <sys/nbmlock.h>
28 #include <smbsrv/smb_fsops.h>
29 #include <smbsrv/smb_kproto.h>
30 #include <smbsrv/ntstatus.h>
31 #include <smbsrv/ntaccess.h>
32 #include <smbsrv/smb_incl.h>
33 #include <acl/acl_common.h>
34 #include <sys/fcntl.h>
35 #include <sys/flock.h>
36 #include <fs/fs_subr.h>
37 
38 extern caller_context_t smb_ct;
39 
40 extern int smb_fem_oplock_install(smb_node_t *);
41 extern void smb_fem_oplock_uninstall(smb_node_t *);
42 
43 extern int smb_vop_other_opens(vnode_t *, int);
44 
45 static int smb_fsop_create_stream(smb_request_t *, cred_t *, smb_node_t *,
46     char *, char *, int, smb_attr_t *, smb_node_t **, smb_attr_t *);
47 
48 static int smb_fsop_create_file(smb_request_t *, cred_t *, smb_node_t *,
49     char *, int, smb_attr_t *, smb_node_t **, smb_attr_t *);
50 
51 static int smb_fsop_create_with_sd(smb_request_t *, cred_t *, smb_node_t *,
52     char *, smb_attr_t *, smb_node_t **, smb_attr_t *, smb_fssd_t *);
53 
54 static int smb_fsop_sdinherit(smb_request_t *, smb_node_t *, smb_fssd_t *);
55 
56 /*
57  * The smb_fsop_* functions have knowledge of CIFS semantics.
58  *
59  * The smb_vop_* functions have minimal knowledge of CIFS semantics and
60  * serve as an interface to the VFS layer.
61  *
62  * Hence, smb_request_t and smb_node_t structures should not be passed
63  * from the smb_fsop_* layer to the smb_vop_* layer.
64  *
65  * In general, CIFS service code should only ever call smb_fsop_*
66  * functions directly, and never smb_vop_* functions directly.
67  *
68  * smb_fsop_* functions should call smb_vop_* functions where possible, instead
69  * of their smb_fsop_* counterparts.  However, there are times when
70  * this cannot be avoided.
71  */
72 
73 /*
74  * Note: Stream names cannot be mangled.
75  */
76 
77 /*
78  * smb_fsop_amask_to_omode
79  *
80  * Convert the access mask to the open mode (for use
81  * with the VOP_OPEN call).
82  *
83  * Note that opening a file for attribute only access
84  * will also translate into an FREAD or FWRITE open mode
85  * (i.e., it's not just for data).
86  *
87  * This is needed so that opens are tracked appropriately
88  * for oplock processing.
89  */
90 
91 int
92 smb_fsop_amask_to_omode(uint32_t access)
93 {
94 	int mode = 0;
95 
96 	if (access & (FILE_READ_DATA | FILE_EXECUTE |
97 	    FILE_READ_ATTRIBUTES | FILE_READ_EA))
98 		mode |= FREAD;
99 
100 	if (access & (FILE_WRITE_DATA | FILE_APPEND_DATA |
101 	    FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA))
102 		mode |= FWRITE;
103 
104 	if (access & FILE_APPEND_DATA)
105 		mode |= FAPPEND;
106 
107 	return (mode);
108 }
109 
110 int
111 smb_fsop_open(smb_node_t *node, int mode, cred_t *cred)
112 {
113 	/*
114 	 * Assuming that the same vnode is returned as we had before.
115 	 * (I.e., with certain types of files or file systems, a
116 	 * different vnode might be returned by VOP_OPEN)
117 	 */
118 	return (smb_vop_open(&node->vp, mode, cred));
119 }
120 
121 void
122 smb_fsop_close(smb_node_t *node, int mode, cred_t *cred)
123 {
124 	smb_vop_close(node->vp, mode, cred);
125 }
126 
127 int
128 smb_fsop_oplock_install(smb_node_t *node, int mode)
129 {
130 	int rc;
131 
132 	if (smb_vop_other_opens(node->vp, mode))
133 		return (EMFILE);
134 
135 	if ((rc = smb_fem_oplock_install(node)))
136 		return (rc);
137 
138 	if (smb_vop_other_opens(node->vp, mode)) {
139 		(void) smb_fem_oplock_uninstall(node);
140 		return (EMFILE);
141 	}
142 
143 	return (0);
144 }
145 
146 void
147 smb_fsop_oplock_uninstall(smb_node_t *node)
148 {
149 	smb_fem_oplock_uninstall(node);
150 }
151 
152 static int
153 smb_fsop_create_with_sd(smb_request_t *sr, cred_t *cr,
154     smb_node_t *dnode, char *name,
155     smb_attr_t *attr, smb_node_t **ret_snode, smb_attr_t *ret_attr,
156     smb_fssd_t *fs_sd)
157 {
158 	vsecattr_t *vsap;
159 	vsecattr_t vsecattr;
160 	acl_t *acl, *dacl, *sacl;
161 	smb_attr_t set_attr;
162 	vnode_t *vp;
163 	int aclbsize = 0;	/* size of acl list in bytes */
164 	int flags = 0;
165 	int rc;
166 	boolean_t is_dir;
167 
168 	ASSERT(fs_sd);
169 
170 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
171 		flags = SMB_IGNORE_CASE;
172 	if (SMB_TREE_SUPPORTS_CATIA(sr))
173 		flags |= SMB_CATIA;
174 
175 	ASSERT(cr);
176 
177 	is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0);
178 
179 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACLONCREATE)) {
180 		if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
181 			dacl = fs_sd->sd_zdacl;
182 			sacl = fs_sd->sd_zsacl;
183 			ASSERT(dacl || sacl);
184 			if (dacl && sacl) {
185 				acl = smb_fsacl_merge(dacl, sacl);
186 			} else if (dacl) {
187 				acl = dacl;
188 			} else {
189 				acl = sacl;
190 			}
191 
192 			rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize);
193 
194 			if (dacl && sacl)
195 				acl_free(acl);
196 
197 			if (rc != 0)
198 				return (rc);
199 
200 			vsap = &vsecattr;
201 		} else {
202 			vsap = NULL;
203 		}
204 
205 		/* The tree ACEs may prevent a create */
206 		rc = EACCES;
207 		if (is_dir) {
208 			if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_SUBDIRECTORY) != 0)
209 				rc = smb_vop_mkdir(dnode->vp, name, attr,
210 				    &vp, flags, cr, vsap);
211 		} else {
212 			if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_FILE) != 0)
213 				rc = smb_vop_create(dnode->vp, name, attr,
214 				    &vp, flags, cr, vsap);
215 		}
216 
217 		if (vsap != NULL)
218 			kmem_free(vsap->vsa_aclentp, aclbsize);
219 
220 		if (rc != 0)
221 			return (rc);
222 
223 		set_attr.sa_mask = 0;
224 
225 		/*
226 		 * Ideally we should be able to specify the owner and owning
227 		 * group at create time along with the ACL. Since we cannot
228 		 * do that right now, kcred is passed to smb_vop_setattr so it
229 		 * doesn't fail due to lack of permission.
230 		 */
231 		if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
232 			set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
233 			set_attr.sa_mask |= SMB_AT_UID;
234 		}
235 
236 		if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
237 			set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
238 			set_attr.sa_mask |= SMB_AT_GID;
239 		}
240 
241 		if (set_attr.sa_mask)
242 			rc = smb_vop_setattr(vp, NULL, &set_attr, 0, kcred);
243 
244 		if (rc == 0) {
245 			*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp,
246 			    name, dnode, NULL, ret_attr);
247 
248 			if (*ret_snode == NULL)
249 				rc = ENOMEM;
250 
251 			VN_RELE(vp);
252 		}
253 	} else {
254 		/*
255 		 * For filesystems that don't support ACL-on-create, try
256 		 * to set the specified SD after create, which could actually
257 		 * fail because of conflicts between inherited security
258 		 * attributes upon creation and the specified SD.
259 		 *
260 		 * Passing kcred to smb_fsop_sdwrite() to overcome this issue.
261 		 */
262 
263 		if (is_dir) {
264 			rc = smb_vop_mkdir(dnode->vp, name, attr, &vp,
265 			    flags, cr, NULL);
266 		} else {
267 			rc = smb_vop_create(dnode->vp, name, attr, &vp,
268 			    flags, cr, NULL);
269 		}
270 
271 		if (rc != 0)
272 			return (rc);
273 
274 		*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp,
275 		    name, dnode, NULL, ret_attr);
276 
277 		if (*ret_snode != NULL) {
278 			if (!smb_tree_has_feature(sr->tid_tree,
279 			    SMB_TREE_NFS_MOUNTED))
280 				rc = smb_fsop_sdwrite(sr, kcred, *ret_snode,
281 				    fs_sd, 1);
282 		} else {
283 			rc = ENOMEM;
284 		}
285 
286 		VN_RELE(vp);
287 	}
288 
289 	if (rc != 0) {
290 		if (is_dir)
291 			(void) smb_vop_rmdir(dnode->vp, name, flags, cr);
292 		else
293 			(void) smb_vop_remove(dnode->vp, name, flags, cr);
294 	}
295 
296 	return (rc);
297 }
298 
299 /*
300  * smb_fsop_create
301  *
302  * All SMB functions should use this wrapper to ensure that
303  * all the smb_vop_creates are performed with the appropriate credentials.
304  * Please document any direct calls to explain the reason for avoiding
305  * this wrapper.
306  *
307  * *ret_snode is returned with a reference upon success.  No reference is
308  * taken if an error is returned.
309  */
310 int
311 smb_fsop_create(smb_request_t *sr, cred_t *cr,
312     smb_node_t *dnode, char *name,
313     smb_attr_t *attr, smb_node_t **ret_snode, smb_attr_t *ret_attr)
314 {
315 	int	rc = 0;
316 	int	flags = 0;
317 	char	*fname, *sname;
318 	char	*longname = NULL;
319 
320 	ASSERT(cr);
321 	ASSERT(dnode);
322 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
323 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
324 
325 	ASSERT(ret_snode);
326 	*ret_snode = 0;
327 
328 	ASSERT(name);
329 	if (*name == 0)
330 		return (EINVAL);
331 
332 	ASSERT(sr);
333 	ASSERT(sr->tid_tree);
334 
335 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0)
336 		return (EACCES);
337 
338 	if (SMB_TREE_IS_READONLY(sr))
339 		return (EROFS);
340 
341 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
342 		flags = SMB_IGNORE_CASE;
343 	if (SMB_TREE_SUPPORTS_CATIA(sr))
344 		flags |= SMB_CATIA;
345 
346 	if (smb_is_stream_name(name)) {
347 		fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
348 		sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
349 		smb_stream_parse_name(name, fname, sname);
350 
351 		rc = smb_fsop_create_stream(sr, cr, dnode,
352 		    fname, sname, flags, attr, ret_snode, ret_attr);
353 
354 		kmem_free(fname, MAXNAMELEN);
355 		kmem_free(sname, MAXNAMELEN);
356 		return (rc);
357 	}
358 
359 	/* Not a named stream */
360 
361 	if (smb_maybe_mangled_name(name)) {
362 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
363 		rc = smb_unmangle_name(dnode, name, longname, MAXNAMELEN);
364 		kmem_free(longname, MAXNAMELEN);
365 
366 		if (rc == 0)
367 			rc = EEXIST;
368 		if (rc != ENOENT)
369 			return (rc);
370 	}
371 
372 	rc = smb_fsop_create_file(sr, cr, dnode, name, flags,
373 	    attr, ret_snode, ret_attr);
374 	return (rc);
375 
376 }
377 
378 
379 /*
380  * smb_fsop_create_stream
381  *
382  * Create NTFS named stream file (sname) on unnamed stream
383  * file (fname), creating the unnamed stream file if it
384  * doesn't exist.
385  * If we created the unnamed stream file and then creation
386  * of the named stream file fails, we delete the unnamed stream.
387  * Since we use the real file name for the smb_vop_remove we
388  * clear the SMB_IGNORE_CASE flag to ensure a case sensitive
389  * match.
390  *
391  * The second parameter of smb_vop_setattr() is set to
392  * NULL, even though an unnamed stream exists.  This is
393  * because we want to set the UID and GID on the named
394  * stream in this case for consistency with the (unnamed
395  * stream) file (see comments for smb_vop_setattr()).
396  */
397 static int
398 smb_fsop_create_stream(smb_request_t *sr, cred_t *cr,
399     smb_node_t *dnode, char *fname, char *sname, int flags,
400     smb_attr_t *attr, smb_node_t **ret_snode, smb_attr_t *ret_attr)
401 {
402 	smb_node_t	*fnode;
403 	smb_attr_t	fattr;
404 	vnode_t		*xattrdvp;
405 	vnode_t		*vp;
406 	int		rc = 0;
407 	boolean_t	fcreate = B_FALSE;
408 
409 	/* Look up / create the unnamed stream, fname */
410 	rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
411 	    sr->tid_tree->t_snode, dnode, fname,
412 	    &fnode, &fattr);
413 	if (rc == ENOENT) {
414 		fcreate = B_TRUE;
415 		rc = smb_fsop_create_file(sr, cr, dnode, fname, flags,
416 		    attr, &fnode, &fattr);
417 	}
418 	if (rc != 0)
419 		return (rc);
420 
421 	/* create the named stream, sname */
422 	rc = smb_vop_stream_create(fnode->vp, sname, attr, &vp,
423 	    &xattrdvp, flags, cr);
424 	if (rc != 0) {
425 		if (fcreate) {
426 			flags &= ~SMB_IGNORE_CASE;
427 			(void) smb_vop_remove(dnode->vp,
428 			    fnode->od_name, flags, cr);
429 		}
430 		smb_node_release(fnode);
431 		return (rc);
432 	}
433 
434 	attr->sa_vattr.va_uid = fattr.sa_vattr.va_uid;
435 	attr->sa_vattr.va_gid = fattr.sa_vattr.va_gid;
436 	attr->sa_mask = SMB_AT_UID | SMB_AT_GID;
437 
438 	rc = smb_vop_setattr(vp, NULL, attr, 0, kcred);
439 	if (rc != 0) {
440 		smb_node_release(fnode);
441 		return (rc);
442 	}
443 
444 	*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdvp,
445 	    vp, sname, ret_attr);
446 
447 	smb_node_release(fnode);
448 	VN_RELE(xattrdvp);
449 	VN_RELE(vp);
450 
451 	if (*ret_snode == NULL)
452 		rc = ENOMEM;
453 
454 	return (rc);
455 }
456 
457 /*
458  * smb_fsop_create_file
459  */
460 static int
461 smb_fsop_create_file(smb_request_t *sr, cred_t *cr,
462     smb_node_t *dnode, char *name, int flags,
463     smb_attr_t *attr, smb_node_t **ret_snode, smb_attr_t *ret_attr)
464 {
465 	open_param_t	*op = &sr->arg.open;
466 	vnode_t		*vp;
467 	smb_fssd_t	fs_sd;
468 	uint32_t	secinfo;
469 	uint32_t	status;
470 	int		rc = 0;
471 
472 	if (op->sd) {
473 		/*
474 		 * SD sent by client in Windows format. Needs to be
475 		 * converted to FS format. No inheritance.
476 		 */
477 		secinfo = smb_sd_get_secinfo(op->sd);
478 		smb_fssd_init(&fs_sd, secinfo, 0);
479 
480 		status = smb_sd_tofs(op->sd, &fs_sd);
481 		if (status == NT_STATUS_SUCCESS) {
482 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
483 			    name, attr, ret_snode, ret_attr, &fs_sd);
484 		} else {
485 			rc = EINVAL;
486 		}
487 		smb_fssd_term(&fs_sd);
488 	} else if (sr->tid_tree->t_acltype == ACE_T) {
489 		/*
490 		 * No incoming SD and filesystem is ZFS
491 		 * Server applies Windows inheritance rules,
492 		 * see smb_fsop_sdinherit() comments as to why.
493 		 */
494 		smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, 0);
495 		rc = smb_fsop_sdinherit(sr, dnode, &fs_sd);
496 		if (rc == 0) {
497 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
498 			    name, attr, ret_snode, ret_attr, &fs_sd);
499 		}
500 
501 		smb_fssd_term(&fs_sd);
502 	} else {
503 		/*
504 		 * No incoming SD and filesystem is not ZFS
505 		 * let the filesystem handles the inheritance.
506 		 */
507 		rc = smb_vop_create(dnode->vp, name, attr, &vp,
508 		    flags, cr, NULL);
509 
510 		if (rc == 0) {
511 			*ret_snode = smb_node_lookup(sr, op, cr, vp,
512 			    name, dnode, NULL, ret_attr);
513 
514 			if (*ret_snode == NULL)
515 				rc = ENOMEM;
516 
517 			VN_RELE(vp);
518 		}
519 
520 	}
521 	return (rc);
522 }
523 
524 /*
525  * smb_fsop_mkdir
526  *
527  * All SMB functions should use this wrapper to ensure that
528  * the the calls are performed with the appropriate credentials.
529  * Please document any direct call to explain the reason
530  * for avoiding this wrapper.
531  *
532  * It is assumed that a reference exists on snode coming into this routine.
533  *
534  * *ret_snode is returned with a reference upon success.  No reference is
535  * taken if an error is returned.
536  */
537 int
538 smb_fsop_mkdir(
539     smb_request_t *sr,
540     cred_t *cr,
541     smb_node_t *dnode,
542     char *name,
543     smb_attr_t *attr,
544     smb_node_t **ret_snode,
545     smb_attr_t *ret_attr)
546 {
547 	struct open_param *op = &sr->arg.open;
548 	char *longname;
549 	vnode_t *vp;
550 	int flags = 0;
551 	smb_fssd_t fs_sd;
552 	uint32_t secinfo;
553 	uint32_t status;
554 	int rc;
555 	ASSERT(cr);
556 	ASSERT(dnode);
557 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
558 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
559 
560 	ASSERT(ret_snode);
561 	*ret_snode = 0;
562 
563 	ASSERT(name);
564 	if (*name == 0)
565 		return (EINVAL);
566 
567 	ASSERT(sr);
568 	ASSERT(sr->tid_tree);
569 
570 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0)
571 		return (EACCES);
572 
573 	if (SMB_TREE_IS_READONLY(sr))
574 		return (EROFS);
575 	if (SMB_TREE_SUPPORTS_CATIA(sr))
576 		flags |= SMB_CATIA;
577 
578 	if (smb_maybe_mangled_name(name)) {
579 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
580 		rc = smb_unmangle_name(dnode, name, longname, MAXNAMELEN);
581 		kmem_free(longname, MAXNAMELEN);
582 
583 		/*
584 		 * If the name passed in by the client has an unmangled
585 		 * equivalent that is found in the specified directory,
586 		 * then the mkdir cannot succeed.  Return EEXIST.
587 		 *
588 		 * Only if ENOENT is returned will a mkdir be attempted.
589 		 */
590 
591 		if (rc == 0)
592 			rc = EEXIST;
593 
594 		if (rc != ENOENT)
595 			return (rc);
596 	}
597 
598 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
599 		flags = SMB_IGNORE_CASE;
600 
601 	if (op->sd) {
602 		/*
603 		 * SD sent by client in Windows format. Needs to be
604 		 * converted to FS format. No inheritance.
605 		 */
606 		secinfo = smb_sd_get_secinfo(op->sd);
607 		smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR);
608 
609 		status = smb_sd_tofs(op->sd, &fs_sd);
610 		if (status == NT_STATUS_SUCCESS) {
611 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
612 			    name, attr, ret_snode, ret_attr, &fs_sd);
613 		}
614 		else
615 			rc = EINVAL;
616 		smb_fssd_term(&fs_sd);
617 	} else if (sr->tid_tree->t_acltype == ACE_T) {
618 		/*
619 		 * No incoming SD and filesystem is ZFS
620 		 * Server applies Windows inheritance rules,
621 		 * see smb_fsop_sdinherit() comments as to why.
622 		 */
623 		smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, SMB_FSSD_FLAGS_DIR);
624 		rc = smb_fsop_sdinherit(sr, dnode, &fs_sd);
625 		if (rc == 0) {
626 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
627 			    name, attr, ret_snode, ret_attr, &fs_sd);
628 		}
629 
630 		smb_fssd_term(&fs_sd);
631 
632 	} else {
633 		rc = smb_vop_mkdir(dnode->vp, name, attr, &vp, flags, cr,
634 		    NULL);
635 
636 		if (rc == 0) {
637 			*ret_snode = smb_node_lookup(sr, op, cr, vp, name,
638 			    dnode, NULL, ret_attr);
639 
640 			if (*ret_snode == NULL)
641 				rc = ENOMEM;
642 
643 			VN_RELE(vp);
644 		}
645 	}
646 
647 	return (rc);
648 }
649 
650 /*
651  * smb_fsop_remove
652  *
653  * All SMB functions should use this wrapper to ensure that
654  * the the calls are performed with the appropriate credentials.
655  * Please document any direct call to explain the reason
656  * for avoiding this wrapper.
657  *
658  * It is assumed that a reference exists on snode coming into this routine.
659  *
660  * A null smb_request might be passed to this function.
661  */
662 int
663 smb_fsop_remove(
664     smb_request_t	*sr,
665     cred_t		*cr,
666     smb_node_t		*dnode,
667     char		*name,
668     uint32_t		flags)
669 {
670 	smb_node_t	*fnode;
671 	smb_attr_t	file_attr;
672 	char		*longname;
673 	char		*fname;
674 	char		*sname;
675 	int		rc;
676 
677 	ASSERT(cr);
678 	/*
679 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
680 	 * function is called during the deletion of the node (because of
681 	 * DELETE_ON_CLOSE).
682 	 */
683 	ASSERT(dnode);
684 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
685 
686 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 ||
687 	    SMB_TREE_HAS_ACCESS(sr, ACE_DELETE) == 0)
688 		return (EACCES);
689 
690 	if (SMB_TREE_IS_READONLY(sr))
691 		return (EROFS);
692 
693 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
694 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
695 
696 	if (dnode->flags & NODE_XATTR_DIR) {
697 		rc = smb_vop_stream_remove(dnode->dir_snode->vp,
698 		    name, flags, cr);
699 	} else if (smb_is_stream_name(name)) {
700 		smb_stream_parse_name(name, fname, sname);
701 
702 		/*
703 		 * Look up the unnamed stream (i.e. fname).
704 		 * Unmangle processing will be done on fname
705 		 * as well as any link target.
706 		 */
707 
708 		rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
709 		    sr->tid_tree->t_snode, dnode, fname,
710 		    &fnode, &file_attr);
711 
712 		if (rc != 0) {
713 			kmem_free(fname, MAXNAMELEN);
714 			kmem_free(sname, MAXNAMELEN);
715 			return (rc);
716 		}
717 
718 		/*
719 		 * XXX
720 		 * Need to find out what permission is required by NTFS
721 		 * to remove a stream.
722 		 */
723 		rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr);
724 
725 		smb_node_release(fnode);
726 	} else {
727 		rc = smb_vop_remove(dnode->vp, name, flags, cr);
728 
729 		if (rc == ENOENT) {
730 			if (smb_maybe_mangled_name(name) == 0) {
731 				kmem_free(fname, MAXNAMELEN);
732 				kmem_free(sname, MAXNAMELEN);
733 				return (rc);
734 			}
735 			longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
736 
737 			rc = smb_unmangle_name(dnode, name,
738 			    longname, MAXNAMELEN);
739 
740 			if (rc == 0) {
741 				/*
742 				 * longname is the real (case-sensitive)
743 				 * on-disk name.
744 				 * We make sure we do a remove on this exact
745 				 * name, as the name was mangled and denotes
746 				 * a unique file.
747 				 */
748 				flags &= ~SMB_IGNORE_CASE;
749 				rc = smb_vop_remove(dnode->vp, longname,
750 				    flags, cr);
751 			}
752 
753 			kmem_free(longname, MAXNAMELEN);
754 		}
755 	}
756 
757 	kmem_free(fname, MAXNAMELEN);
758 	kmem_free(sname, MAXNAMELEN);
759 	return (rc);
760 }
761 
762 /*
763  * smb_fsop_remove_streams
764  *
765  * This function removes a file's streams without removing the
766  * file itself.
767  *
768  * It is assumed that fnode is not a link.
769  */
770 int
771 smb_fsop_remove_streams(smb_request_t *sr, cred_t *cr, smb_node_t *fnode)
772 {
773 	int rc, flags = 0;
774 	uint16_t odid;
775 	smb_odir_t *od;
776 	smb_odirent_t *odirent;
777 	boolean_t eos;
778 
779 	ASSERT(sr);
780 	ASSERT(cr);
781 	ASSERT(fnode);
782 	ASSERT(fnode->n_magic == SMB_NODE_MAGIC);
783 	ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING);
784 
785 	if (SMB_TREE_CONTAINS_NODE(sr, fnode) == 0) {
786 		smbsr_errno(sr, EACCES);
787 		return (-1);
788 	}
789 
790 	if (SMB_TREE_IS_READONLY(sr)) {
791 		smbsr_errno(sr, EROFS);
792 		return (-1);
793 	}
794 
795 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
796 		flags = SMB_IGNORE_CASE;
797 
798 	if (SMB_TREE_SUPPORTS_CATIA(sr))
799 		flags |= SMB_CATIA;
800 
801 	if ((odid = smb_odir_openat(sr, fnode)) == 0) {
802 		smbsr_errno(sr, ENOENT);
803 		return (-1);
804 	}
805 
806 	if ((od = smb_tree_lookup_odir(sr->tid_tree, odid)) == NULL) {
807 		smbsr_errno(sr, ENOENT);
808 		return (-1);
809 	}
810 
811 	odirent = kmem_alloc(sizeof (smb_odirent_t), KM_SLEEP);
812 	for (;;) {
813 		rc = smb_odir_read(sr, od, odirent, &eos);
814 		if ((rc != 0) || (eos))
815 			break;
816 		(void) smb_vop_remove(od->d_dnode->vp, odirent->od_name,
817 		    flags, cr);
818 	}
819 	kmem_free(odirent, sizeof (smb_odirent_t));
820 
821 	smb_odir_close(od);
822 	smb_odir_release(od);
823 	return (rc);
824 }
825 
826 /*
827  * smb_fsop_rmdir
828  *
829  * All SMB functions should use this wrapper to ensure that
830  * the the calls are performed with the appropriate credentials.
831  * Please document any direct call to explain the reason
832  * for avoiding this wrapper.
833  *
834  * It is assumed that a reference exists on snode coming into this routine.
835  */
836 int
837 smb_fsop_rmdir(
838     smb_request_t	*sr,
839     cred_t		*cr,
840     smb_node_t		*dnode,
841     char		*name,
842     uint32_t		flags)
843 {
844 	int		rc;
845 	char		*longname;
846 
847 	ASSERT(cr);
848 	/*
849 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
850 	 * function is called during the deletion of the node (because of
851 	 * DELETE_ON_CLOSE).
852 	 */
853 	ASSERT(dnode);
854 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
855 
856 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 ||
857 	    SMB_TREE_HAS_ACCESS(sr, ACE_DELETE_CHILD) == 0)
858 		return (EACCES);
859 
860 	if (SMB_TREE_IS_READONLY(sr))
861 		return (EROFS);
862 
863 	rc = smb_vop_rmdir(dnode->vp, name, flags, cr);
864 
865 	if (rc == ENOENT) {
866 		if (smb_maybe_mangled_name(name) == 0)
867 			return (rc);
868 
869 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
870 		rc = smb_unmangle_name(dnode, name, longname, MAXNAMELEN);
871 
872 		if (rc == 0) {
873 			/*
874 			 * longname is the real (case-sensitive)
875 			 * on-disk name.
876 			 * We make sure we do a rmdir on this exact
877 			 * name, as the name was mangled and denotes
878 			 * a unique directory.
879 			 */
880 			flags &= ~SMB_IGNORE_CASE;
881 			rc = smb_vop_rmdir(dnode->vp, longname, flags, cr);
882 		}
883 
884 		kmem_free(longname, MAXNAMELEN);
885 	}
886 
887 	return (rc);
888 }
889 
890 /*
891  * smb_fsop_getattr
892  *
893  * All SMB functions should use this wrapper to ensure that
894  * the the calls are performed with the appropriate credentials.
895  * Please document any direct call to explain the reason
896  * for avoiding this wrapper.
897  *
898  * It is assumed that a reference exists on snode coming into this routine.
899  */
900 int
901 smb_fsop_getattr(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
902     smb_attr_t *attr)
903 {
904 	smb_node_t *unnamed_node;
905 	vnode_t *unnamed_vp = NULL;
906 	uint32_t status;
907 	uint32_t access = 0;
908 	int flags = 0;
909 	int rc;
910 
911 	ASSERT(cr);
912 	ASSERT(snode);
913 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
914 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
915 
916 	if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0 ||
917 	    SMB_TREE_HAS_ACCESS(sr, ACE_READ_ATTRIBUTES) == 0)
918 		return (EACCES);
919 
920 	if (sr->fid_ofile) {
921 		/* if uid and/or gid is requested */
922 		if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID))
923 			access |= READ_CONTROL;
924 
925 		/* if anything else is also requested */
926 		if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID))
927 			access |= FILE_READ_ATTRIBUTES;
928 
929 		status = smb_ofile_access(sr->fid_ofile, cr, access);
930 		if (status != NT_STATUS_SUCCESS)
931 			return (EACCES);
932 
933 		if (smb_tree_has_feature(sr->tid_tree,
934 		    SMB_TREE_ACEMASKONACCESS))
935 			flags = ATTR_NOACLCHECK;
936 	}
937 
938 	unnamed_node = SMB_IS_STREAM(snode);
939 
940 	if (unnamed_node) {
941 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
942 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
943 		unnamed_vp = unnamed_node->vp;
944 	}
945 
946 	rc = smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr);
947 	if (rc == 0)
948 		snode->attr = *attr;
949 
950 	return (rc);
951 }
952 
953 /*
954  * smb_fsop_rename
955  *
956  * All SMB functions should use this smb_vop_rename wrapper to ensure that
957  * the smb_vop_rename is performed with the appropriate credentials.
958  * Please document any direct call to smb_vop_rename to explain the reason
959  * for avoiding this wrapper.
960  *
961  * It is assumed that references exist on from_dnode and to_dnode coming
962  * into this routine.
963  */
964 int
965 smb_fsop_rename(
966     smb_request_t *sr,
967     cred_t *cr,
968     smb_node_t *from_dnode,
969     char *from_name,
970     smb_node_t *to_dnode,
971     char *to_name)
972 {
973 	smb_node_t *from_snode;
974 	smb_attr_t tmp_attr;
975 	vnode_t *from_vp;
976 	int flags = 0, ret_flags;
977 	int rc;
978 	boolean_t isdir;
979 
980 	ASSERT(cr);
981 	ASSERT(from_dnode);
982 	ASSERT(from_dnode->n_magic == SMB_NODE_MAGIC);
983 	ASSERT(from_dnode->n_state != SMB_NODE_STATE_DESTROYING);
984 
985 	ASSERT(to_dnode);
986 	ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC);
987 	ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING);
988 
989 	if (SMB_TREE_CONTAINS_NODE(sr, from_dnode) == 0)
990 		return (EACCES);
991 
992 	if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0)
993 		return (EACCES);
994 
995 	ASSERT(sr);
996 	ASSERT(sr->tid_tree);
997 	if (SMB_TREE_IS_READONLY(sr))
998 		return (EROFS);
999 
1000 	/*
1001 	 * Note: There is no need to check SMB_TREE_IS_CASEINSENSITIVE
1002 	 * here.
1003 	 *
1004 	 * A case-sensitive rename is always done in this routine
1005 	 * because we are using the on-disk name from an earlier lookup.
1006 	 * If a mangled name was passed in by the caller (denoting a
1007 	 * deterministic lookup), then the exact file must be renamed
1008 	 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or
1009 	 * else the underlying file system might return a "first-match"
1010 	 * on this on-disk name, possibly resulting in the wrong file).
1011 	 */
1012 
1013 	if (SMB_TREE_SUPPORTS_CATIA(sr))
1014 		flags |= SMB_CATIA;
1015 
1016 	/*
1017 	 * XXX: Lock required through smb_node_release() below?
1018 	 */
1019 
1020 	rc = smb_vop_lookup(from_dnode->vp, from_name, &from_vp, NULL,
1021 	    flags, &ret_flags, NULL, cr);
1022 
1023 	if (rc != 0)
1024 		return (rc);
1025 
1026 	isdir = from_vp->v_type == VDIR;
1027 
1028 	if ((isdir && SMB_TREE_HAS_ACCESS(sr,
1029 	    ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY) !=
1030 	    (ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY)) ||
1031 	    (!isdir && SMB_TREE_HAS_ACCESS(sr, ACE_DELETE | ACE_ADD_FILE) !=
1032 	    (ACE_DELETE | ACE_ADD_FILE)))
1033 		return (EACCES);
1034 
1035 	rc = smb_vop_rename(from_dnode->vp, from_name, to_dnode->vp,
1036 	    to_name, flags, cr);
1037 
1038 	if (rc == 0) {
1039 		from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name,
1040 		    from_dnode, NULL, &tmp_attr);
1041 
1042 		if (from_snode == NULL) {
1043 			rc = ENOMEM;
1044 		} else {
1045 			smb_node_rename(from_dnode, from_snode,
1046 			    to_dnode, to_name);
1047 			smb_node_release(from_snode);
1048 		}
1049 	}
1050 	VN_RELE(from_vp);
1051 
1052 	/* XXX: unlock */
1053 
1054 	return (rc);
1055 }
1056 
1057 /*
1058  * smb_fsop_setattr
1059  *
1060  * All SMB functions should use this wrapper to ensure that
1061  * the the calls are performed with the appropriate credentials.
1062  * Please document any direct call to explain the reason
1063  * for avoiding this wrapper.
1064  *
1065  * It is assumed that a reference exists on snode coming into this routine.
1066  * A null smb_request might be passed to this function.
1067  */
1068 int
1069 smb_fsop_setattr(
1070     smb_request_t	*sr,
1071     cred_t		*cr,
1072     smb_node_t		*snode,
1073     smb_attr_t		*set_attr,
1074     smb_attr_t		*ret_attr)
1075 {
1076 	smb_node_t *unnamed_node;
1077 	vnode_t *unnamed_vp = NULL;
1078 	uint32_t status;
1079 	uint32_t access;
1080 	int rc = 0;
1081 	int flags = 0;
1082 	uint_t sa_mask;
1083 
1084 	ASSERT(cr);
1085 	ASSERT(snode);
1086 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1087 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1088 
1089 	if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0)
1090 		return (EACCES);
1091 
1092 	if (SMB_TREE_IS_READONLY(sr))
1093 		return (EROFS);
1094 
1095 	if (SMB_TREE_HAS_ACCESS(sr,
1096 	    ACE_WRITE_ATTRIBUTES | ACE_WRITE_NAMED_ATTRS) == 0)
1097 		return (EACCES);
1098 
1099 	if (sr && (set_attr->sa_mask & SMB_AT_SIZE)) {
1100 		if (sr->fid_ofile) {
1101 			if (SMB_OFILE_IS_READONLY(sr->fid_ofile))
1102 				return (EACCES);
1103 		} else {
1104 			if (SMB_PATHFILE_IS_READONLY(sr, snode))
1105 				return (EACCES);
1106 		}
1107 	}
1108 
1109 	/* sr could be NULL in some cases */
1110 	if (sr && sr->fid_ofile) {
1111 		sa_mask = set_attr->sa_mask;
1112 		access = 0;
1113 
1114 		if (sa_mask & SMB_AT_SIZE) {
1115 			access |= FILE_WRITE_DATA;
1116 			sa_mask &= ~SMB_AT_SIZE;
1117 		}
1118 
1119 		if (sa_mask & (SMB_AT_UID|SMB_AT_GID)) {
1120 			access |= WRITE_OWNER;
1121 			sa_mask &= ~(SMB_AT_UID|SMB_AT_GID);
1122 		}
1123 
1124 		if (sa_mask)
1125 			access |= FILE_WRITE_ATTRIBUTES;
1126 
1127 		status = smb_ofile_access(sr->fid_ofile, cr, access);
1128 		if (status != NT_STATUS_SUCCESS)
1129 			return (EACCES);
1130 
1131 		if (smb_tree_has_feature(sr->tid_tree,
1132 		    SMB_TREE_ACEMASKONACCESS))
1133 			flags = ATTR_NOACLCHECK;
1134 	}
1135 
1136 	unnamed_node = SMB_IS_STREAM(snode);
1137 
1138 	if (unnamed_node) {
1139 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1140 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1141 		unnamed_vp = unnamed_node->vp;
1142 	}
1143 
1144 	rc = smb_vop_setattr(snode->vp, unnamed_vp, set_attr, flags, cr);
1145 
1146 	if ((rc == 0) && ret_attr) {
1147 		/*
1148 		 * Use kcred to update the node attr because this
1149 		 * call is not being made on behalf of the user.
1150 		 */
1151 		ret_attr->sa_mask = SMB_AT_ALL;
1152 		rc = smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, flags,
1153 		    kcred);
1154 		if (rc == 0)
1155 			snode->attr = *ret_attr;
1156 	}
1157 
1158 	return (rc);
1159 }
1160 
1161 /*
1162  * smb_fsop_read
1163  *
1164  * All SMB functions should use this wrapper to ensure that
1165  * the the calls are performed with the appropriate credentials.
1166  * Please document any direct call to explain the reason
1167  * for avoiding this wrapper.
1168  *
1169  * It is assumed that a reference exists on snode coming into this routine.
1170  */
1171 int
1172 smb_fsop_read(
1173     struct smb_request *sr,
1174     cred_t *cr,
1175     smb_node_t *snode,
1176     uio_t *uio,
1177     smb_attr_t *ret_attr)
1178 {
1179 	smb_node_t *unnamed_node;
1180 	vnode_t *unnamed_vp = NULL;
1181 	caller_context_t ct;
1182 	int svmand;
1183 	int rc;
1184 
1185 	ASSERT(cr);
1186 	ASSERT(snode);
1187 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1188 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1189 
1190 	ASSERT(sr);
1191 	ASSERT(sr->fid_ofile);
1192 
1193 	if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_DATA) == 0)
1194 		return (EACCES);
1195 
1196 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_READ_DATA);
1197 	if (rc != NT_STATUS_SUCCESS) {
1198 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_EXECUTE);
1199 		if (rc != NT_STATUS_SUCCESS)
1200 			return (EACCES);
1201 	}
1202 
1203 	unnamed_node = SMB_IS_STREAM(snode);
1204 	if (unnamed_node) {
1205 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1206 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1207 		unnamed_vp = unnamed_node->vp;
1208 		/*
1209 		 * Streams permission are checked against the unnamed stream,
1210 		 * but in FS level they have their own permissions. To avoid
1211 		 * rejection by FS due to lack of permission on the actual
1212 		 * extended attr kcred is passed for streams.
1213 		 */
1214 		cr = kcred;
1215 	}
1216 
1217 	smb_node_start_crit(snode, RW_READER);
1218 	rc = nbl_svmand(snode->vp, kcred, &svmand);
1219 	if (rc) {
1220 		smb_node_end_crit(snode);
1221 		return (rc);
1222 	}
1223 
1224 	ct = smb_ct;
1225 	ct.cc_pid = sr->fid_ofile->f_uniqid;
1226 	rc = nbl_lock_conflict(snode->vp, NBL_READ, uio->uio_loffset,
1227 	    uio->uio_iov->iov_len, svmand, &ct);
1228 
1229 	if (rc) {
1230 		smb_node_end_crit(snode);
1231 		return (ERANGE);
1232 	}
1233 	rc = smb_vop_read(snode->vp, uio, cr);
1234 
1235 	if (rc == 0 && ret_attr) {
1236 		/*
1237 		 * Use kcred to update the node attr because this
1238 		 * call is not being made on behalf of the user.
1239 		 */
1240 		ret_attr->sa_mask = SMB_AT_ALL;
1241 		if (smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0,
1242 		    kcred) == 0) {
1243 			snode->attr = *ret_attr;
1244 		}
1245 	}
1246 
1247 	smb_node_end_crit(snode);
1248 
1249 	return (rc);
1250 }
1251 
1252 /*
1253  * smb_fsop_write
1254  *
1255  * This is a wrapper function used for smb_write and smb_write_raw operations.
1256  *
1257  * It is assumed that a reference exists on snode coming into this routine.
1258  */
1259 int
1260 smb_fsop_write(
1261     smb_request_t *sr,
1262     cred_t *cr,
1263     smb_node_t *snode,
1264     uio_t *uio,
1265     uint32_t *lcount,
1266     smb_attr_t *ret_attr,
1267     int ioflag)
1268 {
1269 	smb_node_t *unnamed_node;
1270 	vnode_t *unnamed_vp = NULL;
1271 	caller_context_t ct;
1272 	int svmand;
1273 	int rc;
1274 
1275 	ASSERT(cr);
1276 	ASSERT(snode);
1277 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1278 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1279 
1280 	ASSERT(sr);
1281 	ASSERT(sr->tid_tree);
1282 	ASSERT(sr->fid_ofile);
1283 
1284 	if (SMB_TREE_IS_READONLY(sr))
1285 		return (EROFS);
1286 
1287 	if (SMB_OFILE_IS_READONLY(sr->fid_ofile) ||
1288 	    SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_DATA | ACE_APPEND_DATA) == 0)
1289 		return (EACCES);
1290 
1291 	rc = smb_ofile_access(sr->fid_ofile, cr, FILE_WRITE_DATA);
1292 	if (rc != NT_STATUS_SUCCESS) {
1293 		rc = smb_ofile_access(sr->fid_ofile, cr, FILE_APPEND_DATA);
1294 		if (rc != NT_STATUS_SUCCESS)
1295 			return (EACCES);
1296 	}
1297 
1298 	unnamed_node = SMB_IS_STREAM(snode);
1299 
1300 	if (unnamed_node) {
1301 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1302 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1303 		unnamed_vp = unnamed_node->vp;
1304 		/*
1305 		 * Streams permission are checked against the unnamed stream,
1306 		 * but in FS level they have their own permissions. To avoid
1307 		 * rejection by FS due to lack of permission on the actual
1308 		 * extended attr kcred is passed for streams.
1309 		 */
1310 		cr = kcred;
1311 	}
1312 
1313 	smb_node_start_crit(snode, RW_READER);
1314 	rc = nbl_svmand(snode->vp, kcred, &svmand);
1315 	if (rc) {
1316 		smb_node_end_crit(snode);
1317 		return (rc);
1318 	}
1319 
1320 	ct = smb_ct;
1321 	ct.cc_pid = sr->fid_ofile->f_uniqid;
1322 	rc = nbl_lock_conflict(snode->vp, NBL_WRITE, uio->uio_loffset,
1323 	    uio->uio_iov->iov_len, svmand, &ct);
1324 
1325 	if (rc) {
1326 		smb_node_end_crit(snode);
1327 		return (ERANGE);
1328 	}
1329 	rc = smb_vop_write(snode->vp, uio, ioflag, lcount, cr);
1330 
1331 	if (rc == 0 && ret_attr) {
1332 		/*
1333 		 * Use kcred to update the node attr because this
1334 		 * call is not being made on behalf of the user.
1335 		 */
1336 		ret_attr->sa_mask = SMB_AT_ALL;
1337 		if (smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0,
1338 		    kcred) == 0) {
1339 			snode->attr = *ret_attr;
1340 		}
1341 	}
1342 
1343 	smb_node_end_crit(snode);
1344 
1345 	return (rc);
1346 }
1347 
1348 /*
1349  * smb_fsop_statfs
1350  *
1351  * This is a wrapper function used for stat operations.
1352  */
1353 int
1354 smb_fsop_statfs(
1355     cred_t *cr,
1356     smb_node_t *snode,
1357     struct statvfs64 *statp)
1358 {
1359 	ASSERT(cr);
1360 	ASSERT(snode);
1361 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1362 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1363 
1364 	return (smb_vop_statfs(snode->vp, statp, cr));
1365 }
1366 
1367 /*
1368  * smb_fsop_access
1369  *
1370  * Named streams do not have separate permissions from the associated
1371  * unnamed stream.  Thus, if node is a named stream, the permissions
1372  * check will be performed on the associated unnamed stream.
1373  *
1374  * However, our named streams do have their own quarantine attribute,
1375  * separate from that on the unnamed stream. If READ or EXECUTE
1376  * access has been requested on a named stream, an additional access
1377  * check is performed on the named stream in case it has been
1378  * quarantined.  kcred is used to avoid issues with the permissions
1379  * set on the extended attribute file representing the named stream.
1380  */
1381 int
1382 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1383     uint32_t faccess)
1384 {
1385 	int access = 0;
1386 	int error;
1387 	vnode_t *dir_vp;
1388 	boolean_t acl_check = B_TRUE;
1389 	smb_node_t *unnamed_node;
1390 
1391 	ASSERT(sr);
1392 	ASSERT(cr);
1393 	ASSERT(snode);
1394 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1395 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1396 
1397 	if (faccess == 0)
1398 		return (NT_STATUS_SUCCESS);
1399 
1400 	if (SMB_TREE_IS_READONLY(sr)) {
1401 		if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA|
1402 		    FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES|
1403 		    DELETE|WRITE_DAC|WRITE_OWNER)) {
1404 			return (NT_STATUS_ACCESS_DENIED);
1405 		}
1406 	}
1407 
1408 	unnamed_node = SMB_IS_STREAM(snode);
1409 	if (unnamed_node) {
1410 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1411 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1412 
1413 		/*
1414 		 * Perform VREAD access check on the named stream in case it
1415 		 * is quarantined. kcred is passed to smb_vop_access so it
1416 		 * doesn't fail due to lack of permission.
1417 		 */
1418 		if (faccess & (FILE_READ_DATA | FILE_EXECUTE)) {
1419 			error = smb_vop_access(snode->vp, VREAD,
1420 			    0, NULL, kcred);
1421 			if (error)
1422 				return (NT_STATUS_ACCESS_DENIED);
1423 		}
1424 
1425 		/*
1426 		 * Streams authorization should be performed against the
1427 		 * unnamed stream.
1428 		 */
1429 		snode = unnamed_node;
1430 	}
1431 
1432 	if (faccess & ACCESS_SYSTEM_SECURITY) {
1433 		/*
1434 		 * This permission is required for reading/writing SACL and
1435 		 * it's not part of DACL. It's only granted via proper
1436 		 * privileges.
1437 		 */
1438 		if ((sr->uid_user->u_privileges &
1439 		    (SMB_USER_PRIV_BACKUP |
1440 		    SMB_USER_PRIV_RESTORE |
1441 		    SMB_USER_PRIV_SECURITY)) == 0)
1442 			return (NT_STATUS_PRIVILEGE_NOT_HELD);
1443 
1444 		faccess &= ~ACCESS_SYSTEM_SECURITY;
1445 	}
1446 
1447 	/* Links don't have ACL */
1448 	if ((!smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) ||
1449 	    (snode->attr.sa_vattr.va_type == VLNK))
1450 		acl_check = B_FALSE;
1451 
1452 	/*
1453 	 * Use the most restrictive parts of both faccess and the
1454 	 * share access.  An AND of the two value masks gives us that
1455 	 * since we've already converted to a mask of what we "can"
1456 	 * do.
1457 	 */
1458 	faccess &= sr->tid_tree->t_access;
1459 
1460 	if (acl_check) {
1461 		dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL;
1462 		error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp,
1463 		    cr);
1464 	} else {
1465 		/*
1466 		 * FS doesn't understand 32-bit mask, need to map
1467 		 */
1468 		if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA))
1469 			access |= VWRITE;
1470 
1471 		if (faccess & FILE_READ_DATA)
1472 			access |= VREAD;
1473 
1474 		if (faccess & FILE_EXECUTE)
1475 			access |= VEXEC;
1476 
1477 		error = smb_vop_access(snode->vp, access, 0, NULL, cr);
1478 	}
1479 
1480 	return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS);
1481 }
1482 
1483 /*
1484  * smb_fsop_lookup_name()
1485  *
1486  * If name indicates that the file is a stream file, perform
1487  * stream specific lookup, otherwise call smb_fsop_lookup.
1488  *
1489  * Return an error if the looked-up file is in outside the tree.
1490  * (Required when invoked from open path.)
1491  */
1492 
1493 int
1494 smb_fsop_lookup_name(
1495     smb_request_t *sr,
1496     cred_t	*cr,
1497     int		flags,
1498     smb_node_t	*root_node,
1499     smb_node_t	*dnode,
1500     char	*name,
1501     smb_node_t	**ret_snode,
1502     smb_attr_t	*ret_attr)
1503 {
1504 	smb_node_t	*fnode;
1505 	smb_attr_t	file_attr;
1506 	vnode_t		*xattrdirvp;
1507 	vnode_t		*vp;
1508 	char		*od_name;
1509 	char		*fname;
1510 	char		*sname;
1511 	int		rc;
1512 
1513 	ASSERT(cr);
1514 	ASSERT(dnode);
1515 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
1516 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
1517 
1518 	/*
1519 	 * The following check is required for streams processing, below
1520 	 */
1521 
1522 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1523 		flags |= SMB_IGNORE_CASE;
1524 
1525 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1526 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1527 
1528 	if (smb_is_stream_name(name)) {
1529 		smb_stream_parse_name(name, fname, sname);
1530 
1531 		/*
1532 		 * Look up the unnamed stream (i.e. fname).
1533 		 * Unmangle processing will be done on fname
1534 		 * as well as any link target.
1535 		 */
1536 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode, fname,
1537 		    &fnode, &file_attr);
1538 
1539 		if (rc != 0) {
1540 			kmem_free(fname, MAXNAMELEN);
1541 			kmem_free(sname, MAXNAMELEN);
1542 			return (rc);
1543 		}
1544 
1545 		od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1546 
1547 		/*
1548 		 * od_name is the on-disk name of the stream, except
1549 		 * without the prepended stream prefix (SMB_STREAM_PREFIX)
1550 		 */
1551 
1552 		/*
1553 		 * XXX
1554 		 * What permissions NTFS requires for stream lookup if any?
1555 		 */
1556 		rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name,
1557 		    &xattrdirvp, flags, root_node->vp, cr);
1558 
1559 		if (rc != 0) {
1560 			smb_node_release(fnode);
1561 			kmem_free(fname, MAXNAMELEN);
1562 			kmem_free(sname, MAXNAMELEN);
1563 			kmem_free(od_name, MAXNAMELEN);
1564 			return (rc);
1565 		}
1566 
1567 		*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
1568 		    vp, od_name, ret_attr);
1569 
1570 		kmem_free(od_name, MAXNAMELEN);
1571 		smb_node_release(fnode);
1572 		VN_RELE(xattrdirvp);
1573 		VN_RELE(vp);
1574 
1575 		if (*ret_snode == NULL) {
1576 			kmem_free(fname, MAXNAMELEN);
1577 			kmem_free(sname, MAXNAMELEN);
1578 			return (ENOMEM);
1579 		}
1580 	} else {
1581 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode, name,
1582 		    ret_snode, ret_attr);
1583 	}
1584 
1585 	if (rc == 0) {
1586 		ASSERT(ret_snode);
1587 		if (SMB_TREE_CONTAINS_NODE(sr, *ret_snode) == 0) {
1588 			smb_node_release(*ret_snode);
1589 			*ret_snode = NULL;
1590 			rc = EACCES;
1591 		}
1592 	}
1593 
1594 	kmem_free(fname, MAXNAMELEN);
1595 	kmem_free(sname, MAXNAMELEN);
1596 
1597 	return (rc);
1598 }
1599 
1600 /*
1601  * smb_fsop_lookup
1602  *
1603  * All SMB functions should use this smb_vop_lookup wrapper to ensure that
1604  * the smb_vop_lookup is performed with the appropriate credentials and using
1605  * case insensitive compares. Please document any direct call to smb_vop_lookup
1606  * to explain the reason for avoiding this wrapper.
1607  *
1608  * It is assumed that a reference exists on dnode coming into this routine
1609  * (and that it is safe from deallocation).
1610  *
1611  * Same with the root_node.
1612  *
1613  * *ret_snode is returned with a reference upon success.  No reference is
1614  * taken if an error is returned.
1615  *
1616  * Note: The returned ret_snode may be in a child mount.  This is ok for
1617  * readdir.
1618  *
1619  * Other smb_fsop_* routines will call SMB_TREE_CONTAINS_NODE() to prevent
1620  * operations on files not in the parent mount.
1621  */
1622 int
1623 smb_fsop_lookup(
1624     smb_request_t *sr,
1625     cred_t	*cr,
1626     int		flags,
1627     smb_node_t	*root_node,
1628     smb_node_t	*dnode,
1629     char	*name,
1630     smb_node_t	**ret_snode,
1631     smb_attr_t	*ret_attr)
1632 {
1633 	smb_node_t *lnk_target_node;
1634 	smb_node_t *lnk_dnode;
1635 	char *longname;
1636 	char *od_name;
1637 	vnode_t *vp;
1638 	int rc;
1639 	int ret_flags;
1640 
1641 	ASSERT(cr);
1642 	ASSERT(dnode);
1643 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
1644 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
1645 
1646 	if (name == NULL)
1647 		return (EINVAL);
1648 
1649 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0)
1650 		return (EACCES);
1651 
1652 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1653 		flags |= SMB_IGNORE_CASE;
1654 	if (SMB_TREE_SUPPORTS_CATIA(sr))
1655 		flags |= SMB_CATIA;
1656 
1657 	od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1658 
1659 	rc = smb_vop_lookup(dnode->vp, name, &vp, od_name, flags,
1660 	    &ret_flags, root_node ? root_node->vp : NULL, cr);
1661 
1662 	if (rc != 0) {
1663 		if (smb_maybe_mangled_name(name) == 0) {
1664 			kmem_free(od_name, MAXNAMELEN);
1665 			return (rc);
1666 		}
1667 
1668 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1669 		rc = smb_unmangle_name(dnode, name, longname, MAXNAMELEN);
1670 		if (rc != 0) {
1671 			kmem_free(od_name, MAXNAMELEN);
1672 			kmem_free(longname, MAXNAMELEN);
1673 			return (rc);
1674 		}
1675 
1676 		/*
1677 		 * longname is the real (case-sensitive)
1678 		 * on-disk name.
1679 		 * We make sure we do a lookup on this exact
1680 		 * name, as the name was mangled and denotes
1681 		 * a unique file.
1682 		 */
1683 
1684 		if (flags & SMB_IGNORE_CASE)
1685 			flags &= ~SMB_IGNORE_CASE;
1686 
1687 		rc = smb_vop_lookup(dnode->vp, longname, &vp, od_name,
1688 		    flags, &ret_flags, root_node ? root_node->vp : NULL, cr);
1689 
1690 		kmem_free(longname, MAXNAMELEN);
1691 
1692 		if (rc != 0) {
1693 			kmem_free(od_name, MAXNAMELEN);
1694 			return (rc);
1695 		}
1696 	}
1697 
1698 	if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK)) {
1699 
1700 		rc = smb_pathname(sr, od_name, FOLLOW, root_node, dnode,
1701 		    &lnk_dnode, &lnk_target_node, cr);
1702 
1703 		if (rc != 0) {
1704 			/*
1705 			 * The link is assumed to be for the last component
1706 			 * of a path.  Hence any ENOTDIR error will be returned
1707 			 * as ENOENT.
1708 			 */
1709 			if (rc == ENOTDIR)
1710 				rc = ENOENT;
1711 
1712 			VN_RELE(vp);
1713 			kmem_free(od_name, MAXNAMELEN);
1714 			return (rc);
1715 		}
1716 
1717 		/*
1718 		 * Release the original VLNK vnode
1719 		 */
1720 
1721 		VN_RELE(vp);
1722 		vp = lnk_target_node->vp;
1723 
1724 		rc = smb_vop_traverse_check(&vp);
1725 
1726 		if (rc != 0) {
1727 			smb_node_release(lnk_dnode);
1728 			smb_node_release(lnk_target_node);
1729 			kmem_free(od_name, MAXNAMELEN);
1730 			return (rc);
1731 		}
1732 
1733 		/*
1734 		 * smb_vop_traverse_check() may have returned a different vnode
1735 		 */
1736 
1737 		if (lnk_target_node->vp == vp) {
1738 			*ret_snode = lnk_target_node;
1739 			*ret_attr = (*ret_snode)->attr;
1740 		} else {
1741 			*ret_snode = smb_node_lookup(sr, NULL, cr, vp,
1742 			    lnk_target_node->od_name, lnk_dnode, NULL,
1743 			    ret_attr);
1744 			VN_RELE(vp);
1745 
1746 			if (*ret_snode == NULL)
1747 				rc = ENOMEM;
1748 			smb_node_release(lnk_target_node);
1749 		}
1750 
1751 		smb_node_release(lnk_dnode);
1752 
1753 	} else {
1754 
1755 		rc = smb_vop_traverse_check(&vp);
1756 		if (rc) {
1757 			VN_RELE(vp);
1758 			kmem_free(od_name, MAXNAMELEN);
1759 			return (rc);
1760 		}
1761 
1762 		*ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name,
1763 		    dnode, NULL, ret_attr);
1764 		VN_RELE(vp);
1765 
1766 		if (*ret_snode == NULL)
1767 			rc = ENOMEM;
1768 	}
1769 
1770 	kmem_free(od_name, MAXNAMELEN);
1771 	return (rc);
1772 }
1773 
1774 int /*ARGSUSED*/
1775 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode)
1776 {
1777 	ASSERT(cr);
1778 	ASSERT(snode);
1779 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1780 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1781 
1782 	ASSERT(sr);
1783 	ASSERT(sr->tid_tree);
1784 	if (SMB_TREE_IS_READONLY(sr))
1785 		return (EROFS);
1786 
1787 	return (smb_vop_commit(snode->vp, cr));
1788 }
1789 
1790 /*
1791  * smb_fsop_aclread
1792  *
1793  * Retrieve filesystem ACL. Depends on requested ACLs in
1794  * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in
1795  * fs_sd. Note that requesting a DACL/SACL doesn't mean that
1796  * the corresponding field in fs_sd should be non-NULL upon
1797  * return, since the target ACL might not contain that type of
1798  * entries.
1799  *
1800  * Returned ACL is always in ACE_T (aka ZFS) format.
1801  * If successful the allocated memory for the ACL should be freed
1802  * using smb_fsacl_free() or smb_fssd_term()
1803  */
1804 int
1805 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1806     smb_fssd_t *fs_sd)
1807 {
1808 	int error = 0;
1809 	int flags = 0;
1810 	int access = 0;
1811 	acl_t *acl;
1812 	smb_node_t *unnamed_node;
1813 
1814 	ASSERT(cr);
1815 
1816 	if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_ACL) == 0)
1817 		return (EACCES);
1818 
1819 	if (sr->fid_ofile) {
1820 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
1821 			access = READ_CONTROL;
1822 
1823 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
1824 			access |= ACCESS_SYSTEM_SECURITY;
1825 
1826 		error = smb_ofile_access(sr->fid_ofile, cr, access);
1827 		if (error != NT_STATUS_SUCCESS) {
1828 			return (EACCES);
1829 		}
1830 	}
1831 
1832 	unnamed_node = SMB_IS_STREAM(snode);
1833 	if (unnamed_node) {
1834 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1835 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1836 		/*
1837 		 * Streams don't have ACL, any read ACL attempt on a stream
1838 		 * should be performed on the unnamed stream.
1839 		 */
1840 		snode = unnamed_node;
1841 	}
1842 
1843 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS))
1844 		flags = ATTR_NOACLCHECK;
1845 
1846 	error = smb_vop_acl_read(snode->vp, &acl, flags,
1847 	    sr->tid_tree->t_acltype, cr);
1848 	if (error != 0) {
1849 		return (error);
1850 	}
1851 
1852 	error = acl_translate(acl, _ACL_ACE_ENABLED,
1853 	    (snode->vp->v_type == VDIR), fs_sd->sd_uid, fs_sd->sd_gid);
1854 
1855 	if (error == 0) {
1856 		smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl,
1857 		    fs_sd->sd_secinfo);
1858 	}
1859 
1860 	acl_free(acl);
1861 	return (error);
1862 }
1863 
1864 /*
1865  * smb_fsop_aclwrite
1866  *
1867  * Stores the filesystem ACL provided in fs_sd->sd_acl.
1868  */
1869 int
1870 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1871     smb_fssd_t *fs_sd)
1872 {
1873 	int target_flavor;
1874 	int error = 0;
1875 	int flags = 0;
1876 	int access = 0;
1877 	acl_t *acl, *dacl, *sacl;
1878 	smb_node_t *unnamed_node;
1879 
1880 	ASSERT(cr);
1881 
1882 	ASSERT(sr);
1883 	ASSERT(sr->tid_tree);
1884 	if (SMB_TREE_IS_READONLY(sr))
1885 		return (EROFS);
1886 
1887 	if (SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_ACL) == 0)
1888 		return (EACCES);
1889 
1890 	if (sr->fid_ofile) {
1891 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
1892 			access = WRITE_DAC;
1893 
1894 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
1895 			access |= ACCESS_SYSTEM_SECURITY;
1896 
1897 		error = smb_ofile_access(sr->fid_ofile, cr, access);
1898 		if (error != NT_STATUS_SUCCESS)
1899 			return (EACCES);
1900 	}
1901 
1902 	switch (sr->tid_tree->t_acltype) {
1903 	case ACLENT_T:
1904 		target_flavor = _ACL_ACLENT_ENABLED;
1905 		break;
1906 
1907 	case ACE_T:
1908 		target_flavor = _ACL_ACE_ENABLED;
1909 		break;
1910 	default:
1911 		return (EINVAL);
1912 	}
1913 
1914 	unnamed_node = SMB_IS_STREAM(snode);
1915 	if (unnamed_node) {
1916 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1917 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1918 		/*
1919 		 * Streams don't have ACL, any write ACL attempt on a stream
1920 		 * should be performed on the unnamed stream.
1921 		 */
1922 		snode = unnamed_node;
1923 	}
1924 
1925 	dacl = fs_sd->sd_zdacl;
1926 	sacl = fs_sd->sd_zsacl;
1927 
1928 	ASSERT(dacl || sacl);
1929 	if ((dacl == NULL) && (sacl == NULL))
1930 		return (EINVAL);
1931 
1932 	if (dacl && sacl)
1933 		acl = smb_fsacl_merge(dacl, sacl);
1934 	else if (dacl)
1935 		acl = dacl;
1936 	else
1937 		acl = sacl;
1938 
1939 	error = acl_translate(acl, target_flavor, (snode->vp->v_type == VDIR),
1940 	    fs_sd->sd_uid, fs_sd->sd_gid);
1941 	if (error == 0) {
1942 		if (smb_tree_has_feature(sr->tid_tree,
1943 		    SMB_TREE_ACEMASKONACCESS))
1944 			flags = ATTR_NOACLCHECK;
1945 
1946 		error = smb_vop_acl_write(snode->vp, acl, flags, cr);
1947 	}
1948 
1949 	if (dacl && sacl)
1950 		acl_free(acl);
1951 
1952 	return (error);
1953 }
1954 
1955 acl_type_t
1956 smb_fsop_acltype(smb_node_t *snode)
1957 {
1958 	return (smb_vop_acl_type(snode->vp));
1959 }
1960 
1961 /*
1962  * smb_fsop_sdread
1963  *
1964  * Read the requested security descriptor items from filesystem.
1965  * The items are specified in fs_sd->sd_secinfo.
1966  */
1967 int
1968 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1969     smb_fssd_t *fs_sd)
1970 {
1971 	int error = 0;
1972 	int getowner = 0;
1973 	cred_t *ga_cred;
1974 	smb_attr_t attr;
1975 
1976 	ASSERT(cr);
1977 	ASSERT(fs_sd);
1978 
1979 	/*
1980 	 * File's uid/gid is fetched in two cases:
1981 	 *
1982 	 * 1. it's explicitly requested
1983 	 *
1984 	 * 2. target ACL is ACE_T (ZFS ACL). They're needed for
1985 	 *    owner@/group@ entries. In this case kcred should be used
1986 	 *    because uid/gid are fetched on behalf of smb server.
1987 	 */
1988 	if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) {
1989 		getowner = 1;
1990 		ga_cred = cr;
1991 	} else if (sr->tid_tree->t_acltype == ACE_T) {
1992 		getowner = 1;
1993 		ga_cred = kcred;
1994 	}
1995 
1996 	if (getowner) {
1997 		/*
1998 		 * Windows require READ_CONTROL to read owner/group SID since
1999 		 * they're part of Security Descriptor.
2000 		 * ZFS only requires read_attribute. Need to have a explicit
2001 		 * access check here.
2002 		 */
2003 		if (sr->fid_ofile == NULL) {
2004 			error = smb_fsop_access(sr, ga_cred, snode,
2005 			    READ_CONTROL);
2006 			if (error)
2007 				return (error);
2008 		}
2009 
2010 		attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2011 		error = smb_fsop_getattr(sr, ga_cred, snode, &attr);
2012 		if (error == 0) {
2013 			fs_sd->sd_uid = attr.sa_vattr.va_uid;
2014 			fs_sd->sd_gid = attr.sa_vattr.va_gid;
2015 		} else {
2016 			return (error);
2017 		}
2018 	}
2019 
2020 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2021 		error = smb_fsop_aclread(sr, cr, snode, fs_sd);
2022 	}
2023 
2024 	return (error);
2025 }
2026 
2027 /*
2028  * smb_fsop_sdmerge
2029  *
2030  * From SMB point of view DACL and SACL are two separate list
2031  * which can be manipulated independently without one affecting
2032  * the other, but entries for both DACL and SACL will end up
2033  * in the same ACL if target filesystem supports ACE_T ACLs.
2034  *
2035  * So, if either DACL or SACL is present in the client set request
2036  * the entries corresponding to the non-present ACL shouldn't
2037  * be touched in the FS ACL.
2038  *
2039  * fs_sd parameter contains DACL and SACL specified by SMB
2040  * client to be set on a file/directory. The client could
2041  * specify both or one of these ACLs (if none is specified
2042  * we don't get this far). When both DACL and SACL are given
2043  * by client the existing ACL should be overwritten. If only
2044  * one of them is specified the entries corresponding to the other
2045  * ACL should not be touched. For example, if only DACL
2046  * is specified in input fs_sd, the function reads audit entries
2047  * of the existing ACL of the file and point fs_sd->sd_zsdacl
2048  * pointer to the fetched SACL, this way when smb_fsop_sdwrite()
2049  * function is called the passed fs_sd would point to the specified
2050  * DACL by client and fetched SACL from filesystem, so the file
2051  * will end up with correct ACL.
2052  */
2053 static int
2054 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd)
2055 {
2056 	smb_fssd_t cur_sd;
2057 	int error = 0;
2058 
2059 	if (sr->tid_tree->t_acltype != ACE_T)
2060 		/* Don't bother if target FS doesn't support ACE_T */
2061 		return (0);
2062 
2063 	if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) {
2064 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) {
2065 			/*
2066 			 * Don't overwrite existing audit entries
2067 			 */
2068 			smb_fssd_init(&cur_sd, SMB_SACL_SECINFO,
2069 			    fs_sd->sd_flags);
2070 
2071 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2072 			if (error == 0) {
2073 				ASSERT(fs_sd->sd_zsacl == NULL);
2074 				fs_sd->sd_zsacl = cur_sd.sd_zsacl;
2075 				if (fs_sd->sd_zsacl && fs_sd->sd_zdacl)
2076 					fs_sd->sd_zsacl->acl_flags =
2077 					    fs_sd->sd_zdacl->acl_flags;
2078 			}
2079 		} else {
2080 			/*
2081 			 * Don't overwrite existing access entries
2082 			 */
2083 			smb_fssd_init(&cur_sd, SMB_DACL_SECINFO,
2084 			    fs_sd->sd_flags);
2085 
2086 			error = smb_fsop_sdread(sr, kcred, snode, &cur_sd);
2087 			if (error == 0) {
2088 				ASSERT(fs_sd->sd_zdacl == NULL);
2089 				fs_sd->sd_zdacl = cur_sd.sd_zdacl;
2090 				if (fs_sd->sd_zdacl && fs_sd->sd_zsacl)
2091 					fs_sd->sd_zdacl->acl_flags =
2092 					    fs_sd->sd_zsacl->acl_flags;
2093 			}
2094 		}
2095 
2096 		if (error)
2097 			smb_fssd_term(&cur_sd);
2098 	}
2099 
2100 	return (error);
2101 }
2102 
2103 /*
2104  * smb_fsop_sdwrite
2105  *
2106  * Stores the given uid, gid and acl in filesystem.
2107  * Provided items in fs_sd are specified by fs_sd->sd_secinfo.
2108  *
2109  * A SMB security descriptor could contain owner, primary group,
2110  * DACL and SACL. Setting an SD should be atomic but here it has to
2111  * be done via two separate FS operations: VOP_SETATTR and
2112  * VOP_SETSECATTR. Therefore, this function has to simulate the
2113  * atomicity as well as it can.
2114  *
2115  * Get the current uid, gid before setting the new uid/gid
2116  * so if smb_fsop_aclwrite fails they can be restored. root cred is
2117  * used to get currend uid/gid since this operation is performed on
2118  * behalf of the server not the user.
2119  *
2120  * If setting uid/gid fails with EPERM it means that and invalid
2121  * owner has been specified. Callers should translate this to
2122  * STATUS_INVALID_OWNER which is not the normal mapping for EPERM
2123  * in upper layers, so EPERM is mapped to EBADE.
2124  */
2125 int
2126 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2127     smb_fssd_t *fs_sd, int overwrite)
2128 {
2129 	int error = 0;
2130 	int access = 0;
2131 	smb_attr_t set_attr;
2132 	smb_attr_t orig_attr;
2133 
2134 	ASSERT(cr);
2135 	ASSERT(fs_sd);
2136 
2137 	ASSERT(sr);
2138 	ASSERT(sr->tid_tree);
2139 	if (SMB_TREE_IS_READONLY(sr))
2140 		return (EROFS);
2141 
2142 	bzero(&set_attr, sizeof (smb_attr_t));
2143 
2144 	if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
2145 		set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
2146 		set_attr.sa_mask |= SMB_AT_UID;
2147 		access |= WRITE_OWNER;
2148 	}
2149 
2150 	if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
2151 		set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
2152 		set_attr.sa_mask |= SMB_AT_GID;
2153 		access |= WRITE_OWNER;
2154 	}
2155 
2156 	if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2157 		access |= WRITE_DAC;
2158 
2159 	if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2160 		access |= ACCESS_SYSTEM_SECURITY;
2161 
2162 	if (sr->fid_ofile)
2163 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2164 	else
2165 		error = smb_fsop_access(sr, cr, snode, access);
2166 
2167 	if (error)
2168 		return (EACCES);
2169 
2170 	if (set_attr.sa_mask) {
2171 		orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2172 		error = smb_fsop_getattr(sr, kcred, snode, &orig_attr);
2173 		if (error == 0) {
2174 			error = smb_fsop_setattr(sr, cr, snode, &set_attr,
2175 			    NULL);
2176 			if (error == EPERM)
2177 				error = EBADE;
2178 		}
2179 
2180 		if (error)
2181 			return (error);
2182 	}
2183 
2184 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2185 		if (overwrite == 0) {
2186 			error = smb_fsop_sdmerge(sr, snode, fs_sd);
2187 			if (error)
2188 				return (error);
2189 		}
2190 
2191 		error = smb_fsop_aclwrite(sr, cr, snode, fs_sd);
2192 		if (error) {
2193 			/*
2194 			 * Revert uid/gid changes if required.
2195 			 */
2196 			if (set_attr.sa_mask) {
2197 				orig_attr.sa_mask = set_attr.sa_mask;
2198 				(void) smb_fsop_setattr(sr, kcred, snode,
2199 				    &orig_attr, NULL);
2200 			}
2201 		}
2202 	}
2203 
2204 	return (error);
2205 }
2206 
2207 /*
2208  * smb_fsop_sdinherit
2209  *
2210  * Inherit the security descriptor from the parent container.
2211  * This function is called after FS has created the file/folder
2212  * so if this doesn't do anything it means FS inheritance is
2213  * in place.
2214  *
2215  * Do inheritance for ZFS internally.
2216  *
2217  * If we want to let ZFS does the inheritance the
2218  * following setting should be true:
2219  *
2220  *  - aclinherit = passthrough
2221  *  - aclmode = passthrough
2222  *  - smbd umask = 0777
2223  *
2224  * This will result in right effective permissions but
2225  * ZFS will always add 6 ACEs for owner, owning group
2226  * and others to be POSIX compliant. This is not what
2227  * Windows clients/users expect, so we decided that CIFS
2228  * implements Windows rules and overwrite whatever ZFS
2229  * comes up with. This way we also don't have to care
2230  * about ZFS aclinherit and aclmode settings.
2231  */
2232 static int
2233 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd)
2234 {
2235 	int is_dir;
2236 	acl_t *dacl = NULL;
2237 	acl_t *sacl = NULL;
2238 	ksid_t *owner_sid;
2239 	int error;
2240 
2241 	ASSERT(fs_sd);
2242 
2243 	if (sr->tid_tree->t_acltype != ACE_T) {
2244 		/*
2245 		 * No forced inheritance for non-ZFS filesystems.
2246 		 */
2247 		fs_sd->sd_secinfo = 0;
2248 		return (0);
2249 	}
2250 
2251 
2252 	/* Fetch parent directory's ACL */
2253 	error = smb_fsop_sdread(sr, kcred, dnode, fs_sd);
2254 	if (error) {
2255 		return (error);
2256 	}
2257 
2258 	is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR);
2259 	owner_sid = crgetsid(sr->user_cr, KSID_OWNER);
2260 	ASSERT(owner_sid);
2261 	dacl = smb_fsacl_inherit(fs_sd->sd_zdacl, is_dir, SMB_DACL_SECINFO,
2262 	    owner_sid->ks_id);
2263 	sacl = smb_fsacl_inherit(fs_sd->sd_zsacl, is_dir, SMB_SACL_SECINFO,
2264 	    (uid_t)-1);
2265 
2266 	if (sacl == NULL)
2267 		fs_sd->sd_secinfo &= ~SMB_SACL_SECINFO;
2268 
2269 	smb_fsacl_free(fs_sd->sd_zdacl);
2270 	smb_fsacl_free(fs_sd->sd_zsacl);
2271 
2272 	fs_sd->sd_zdacl = dacl;
2273 	fs_sd->sd_zsacl = sacl;
2274 
2275 	return (0);
2276 }
2277 
2278 /*
2279  * smb_fsop_eaccess
2280  *
2281  * Returns the effective permission of the given credential for the
2282  * specified object.
2283  *
2284  * This is just a workaround. We need VFS/FS support for this.
2285  */
2286 void
2287 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2288     uint32_t *eaccess)
2289 {
2290 	int access = 0;
2291 	vnode_t *dir_vp;
2292 	smb_node_t *unnamed_node;
2293 
2294 	ASSERT(cr);
2295 	ASSERT(snode);
2296 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
2297 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
2298 
2299 	unnamed_node = SMB_IS_STREAM(snode);
2300 	if (unnamed_node) {
2301 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
2302 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
2303 		/*
2304 		 * Streams authorization should be performed against the
2305 		 * unnamed stream.
2306 		 */
2307 		snode = unnamed_node;
2308 	}
2309 
2310 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) {
2311 		dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL;
2312 		smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp,
2313 		    cr);
2314 		return;
2315 	}
2316 
2317 	/*
2318 	 * FS doesn't understand 32-bit mask
2319 	 */
2320 	smb_vop_eaccess(snode->vp, &access, 0, NULL, cr);
2321 	access &= sr->tid_tree->t_access;
2322 
2323 	*eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES;
2324 
2325 	if (access & VREAD)
2326 		*eaccess |= FILE_READ_DATA;
2327 
2328 	if (access & VEXEC)
2329 		*eaccess |= FILE_EXECUTE;
2330 
2331 	if (access & VWRITE)
2332 		*eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES |
2333 		    FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD;
2334 }
2335 
2336 /*
2337  * smb_fsop_shrlock
2338  *
2339  * For the current open request, check file sharing rules
2340  * against existing opens.
2341  *
2342  * Returns NT_STATUS_SHARING_VIOLATION if there is any
2343  * sharing conflict.  Returns NT_STATUS_SUCCESS otherwise.
2344  *
2345  * Full system-wide share reservation synchronization is available
2346  * when the nbmand (non-blocking mandatory) mount option is set
2347  * (i.e. nbl_need_crit() is true) and nbmand critical regions are used.
2348  * This provides synchronization with NFS and local processes.  The
2349  * critical regions are entered in VOP_SHRLOCK()/fs_shrlock() (called
2350  * from smb_open_subr()/smb_fsop_shrlock()/smb_vop_shrlock()) as well
2351  * as the CIFS rename and delete paths.
2352  *
2353  * The CIFS server will also enter the nbl critical region in the open,
2354  * rename, and delete paths when nbmand is not set.  There is limited
2355  * coordination with local and VFS share reservations in this case.
2356  * Note that when the nbmand mount option is not set, the VFS layer
2357  * only processes advisory reservations and the delete mode is not checked.
2358  *
2359  * Whether or not the nbmand mount option is set, intra-CIFS share
2360  * checking is done in the open, delete, and rename paths using a CIFS
2361  * critical region (node->n_share_lock).
2362  */
2363 
2364 uint32_t
2365 smb_fsop_shrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid,
2366     uint32_t desired_access, uint32_t share_access)
2367 {
2368 	int rc;
2369 
2370 	if (node->attr.sa_vattr.va_type == VDIR)
2371 		return (NT_STATUS_SUCCESS);
2372 
2373 	/* Allow access if the request is just for meta data */
2374 	if ((desired_access & FILE_DATA_ALL) == 0)
2375 		return (NT_STATUS_SUCCESS);
2376 
2377 	rc = smb_node_open_check(node, cr, desired_access, share_access);
2378 	if (rc)
2379 		return (NT_STATUS_SHARING_VIOLATION);
2380 
2381 	rc = smb_vop_shrlock(node->vp, uniq_fid, desired_access, share_access,
2382 	    cr);
2383 	if (rc)
2384 		return (NT_STATUS_SHARING_VIOLATION);
2385 
2386 	return (NT_STATUS_SUCCESS);
2387 }
2388 
2389 void
2390 smb_fsop_unshrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid)
2391 {
2392 	if (node->attr.sa_vattr.va_type == VDIR)
2393 		return;
2394 
2395 	(void) smb_vop_unshrlock(node->vp, uniq_fid, cr);
2396 }
2397 
2398 int
2399 smb_fsop_frlock(smb_node_t *node, smb_lock_t *lock, boolean_t unlock,
2400     cred_t *cr)
2401 {
2402 	flock64_t bf;
2403 	int flag = F_REMOTELOCK;
2404 
2405 	/*
2406 	 * VOP_FRLOCK() will not be called if:
2407 	 *
2408 	 * 1) The lock has a range of zero bytes. The semantics of Windows and
2409 	 *    POSIX are different. In the case of POSIX it asks for the locking
2410 	 *    of all the bytes from the offset provided until the end of the
2411 	 *    file. In the case of Windows a range of zero locks nothing and
2412 	 *    doesn't conflict with any other lock.
2413 	 *
2414 	 * 2) The lock rolls over (start + lenght < start). Solaris will assert
2415 	 *    if such a request is submitted. This will not create
2416 	 *    incompatibilities between POSIX and Windows. In the Windows world,
2417 	 *    if a client submits such a lock, the server will not lock any
2418 	 *    bytes. Interestingly if the same lock (same offset and length) is
2419 	 *    resubmitted Windows will consider that there is an overlap and
2420 	 *    the granting rules will then apply.
2421 	 */
2422 	if ((lock->l_length == 0) ||
2423 	    ((lock->l_start + lock->l_length - 1) < lock->l_start))
2424 		return (0);
2425 
2426 	bzero(&bf, sizeof (bf));
2427 
2428 	if (unlock) {
2429 		bf.l_type = F_UNLCK;
2430 	} else if (lock->l_type == SMB_LOCK_TYPE_READONLY) {
2431 		bf.l_type = F_RDLCK;
2432 		flag |= FREAD;
2433 	} else if (lock->l_type == SMB_LOCK_TYPE_READWRITE) {
2434 		bf.l_type = F_WRLCK;
2435 		flag |= FWRITE;
2436 	}
2437 
2438 	bf.l_start = lock->l_start;
2439 	bf.l_len = lock->l_length;
2440 	bf.l_pid = lock->l_file->f_uniqid;
2441 	bf.l_sysid = smb_ct.cc_sysid;
2442 
2443 	return (smb_vop_frlock(node->vp, cr, flag, &bf));
2444 }
2445