xref: /titanic_50/usr/src/uts/common/smbsrv/ntifs.h (revision e0e638160d72f8685f1481f6308bc368cd233c3f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef _SMBSRV_NTIFS_H
27 #define	_SMBSRV_NTIFS_H
28 
29 /*
30  * This file provides definitions compatible with the NT Installable
31  * File System (IFS) interface. This header file also defines the Security
32  * Descriptor module from Windows.
33  */
34 
35 #ifdef __cplusplus
36 extern "C" {
37 #endif
38 
39 #include <sys/acl.h>
40 #include <sys/list.h>
41 #include <smbsrv/smb_sid.h>
42 
43 /*
44  * The Volume and Directory bits are for SMB rather than NT.
45  * NT has an explicit Normal bit; this bit is implied in SMB
46  * when the Hidden, System and Directory bits are not set.
47  *
48  * File attributes and creation flags share the same 32-bit
49  * space.
50  */
51 #define	FILE_ATTRIBUTE_READONLY			0x00000001
52 #define	FILE_ATTRIBUTE_HIDDEN			0x00000002
53 #define	FILE_ATTRIBUTE_SYSTEM			0x00000004
54 #define	FILE_ATTRIBUTE_VOLUME			0x00000008
55 #define	FILE_ATTRIBUTE_DIRECTORY		0x00000010
56 #define	FILE_ATTRIBUTE_ARCHIVE			0x00000020
57 #define	FILE_ATTRIBUTE_DEVICE			0x00000040
58 #define	FILE_ATTRIBUTE_NORMAL			0x00000080
59 #define	FILE_ATTRIBUTE_TEMPORARY		0x00000100
60 #define	FILE_ATTRIBUTE_SPARSE_FILE		0x00000200
61 #define	FILE_ATTRIBUTE_REPARSE_POINT		0x00000400
62 #define	FILE_ATTRIBUTE_COMPRESSED		0x00000800
63 #define	FILE_ATTRIBUTE_OFFLINE			0x00001000
64 #define	FILE_ATTRIBUTE_NOT_CONTENT_INDEXED	0x00002000
65 #define	FILE_ATTRIBUTE_ENCRYPTED		0x00004000
66 #define	FILE_ATTRIBUTE_VIRTUAL			0x00010000
67 #define	FILE_FLAG_OPEN_NO_RECALL		0x00100000
68 #define	FILE_FLAG_OPEN_REPARSE_POINT		0x00200000
69 #define	FILE_FLAG_POSIX_SEMANTICS		0x01000000
70 #define	FILE_FLAG_BACKUP_SEMANTICS		0x02000000
71 #define	FILE_FLAG_DELETE_ON_CLOSE		0x04000000
72 #define	FILE_FLAG_SEQUENTIAL_SCAN		0x08000000
73 #define	FILE_FLAG_RANDOM_ACCESS			0x10000000
74 #define	FILE_FLAG_NO_BUFFERING			0x20000000
75 #define	FILE_FLAG_OVERLAPPED			0x40000000
76 #define	FILE_FLAG_WRITE_THROUGH			0x80000000
77 
78 #define	FILE_ATTRIBUTE_VALID_FLAGS		0x00001fb7
79 #define	FILE_ATTRIBUTE_VALID_SET_FLAGS		0x00001fa7
80 #define	FILE_ATTRIBUTE_MASK			0x00003FFF
81 
82 /*
83  * The create/open option flags: used in NtCreateAndx and NtTransactCreate
84  * SMB requests.
85  *
86  * The CreateOptions specify the options to be applied when creating or
87  * opening the file, as a compatible combination of the following flags:
88  *
89  * FILE_DIRECTORY_FILE
90  *	The file being created or opened is a directory file. With this
91  *	flag, the Disposition parameter must be set to one of FILE_CREATE,
92  *	FILE_OPEN, or FILE_OPEN_IF. With this flag, other compatible
93  *	CreateOptions flags include only the following:
94  *			FILE_SYNCHRONOUS_IO_ALERT
95  *			FILE_SYNCHRONOUS_IO_NONALERT
96  *			FILE_WRITE_THROUGH
97  *			FILE_OPEN_FOR_BACKUP_INTENT
98  *			FILE_OPEN_BY_FILE_ID
99  *
100  * FILE_NON_DIRECTORY_FILE
101  *	The file being opened must not be a directory file or this call
102  *	will fail. The file object being opened can represent a data file,
103  *	a logical, virtual, or physical device, or a volume.
104  *
105  * FILE_WRITE_THROUGH
106  *	System services, FSDs, and drivers that write data to the file must
107  *	actually transfer the data into the file before any requested write
108  *	operation is considered complete. This flag is automatically set if
109  *	the CreateOptions flag FILE_NO_INTERMEDIATE _BUFFERING is set.
110  *
111  * FILE_SEQUENTIAL_ONLY
112  *	All accesses to the file will be sequential.
113  *
114  * FILE_RANDOM_ACCESS
115  *	Accesses to the file can be random, so no sequential read-ahead
116  *	operations should be performed on the file by FSDs or the system.
117  *	FILE_NO_INTERMEDIATE _BUFFERING	The file cannot be cached or
118  *	buffered in a driver's internal buffers. This flag is incompatible
119  *	with the DesiredAccess FILE_APPEND_DATA flag.
120  *
121  * FILE_SYNCHRONOUS_IO_ALERT
122  *	All operations on the file are performed synchronously. Any wait
123  *	on behalf of the caller is subject to premature termination from
124  *	alerts. This flag also causes the I/O system to maintain the file
125  *	position context. If this flag is set, the DesiredAccess
126  *	SYNCHRONIZE flag also must be set.
127  *
128  * FILE_SYNCHRONOUS_IO _NONALERT
129  *	All operations on the file are performed synchronously. Waits in
130  *	the system to synchronize I/O queuing and completion are not subject
131  *	to alerts. This flag also causes the I/O system to maintain the file
132  *	position context. If this flag is set, the DesiredAccess SYNCHRONIZE
133  *	flag also must be set.
134  *
135  * FILE_CREATE_TREE _CONNECTION
136  *	Create a tree connection for this file in order to open it over the
137  *	network. This flag is irrelevant to device and intermediate drivers.
138  *
139  * FILE_COMPLETE_IF_OPLOCKED
140  *	Complete this operation immediately with an alternate success code
141  *	if the target file is oplocked, rather than blocking the caller's
142  *	thread. If the file is oplocked, another caller already has access
143  *	to the file over the network. This flag is irrelevant to device and
144  *	intermediate drivers.
145  *
146  * FILE_NO_EA_KNOWLEDGE
147  *	If the extended attributes on an existing file being opened indicate
148  *	that the caller must understand EAs to properly interpret the file,
149  *	fail this request because the caller does not understand how to deal
150  *	with EAs. Device and intermediate drivers can ignore this flag.
151  *
152  * FILE_DELETE_ON_CLOSE
153  *	Delete the file when the last reference to it is passed to close.
154  *
155  * FILE_OPEN_BY_FILE_ID
156  *	The file name contains the name of a device and a 64-bit ID to
157  *	be used to open the file. This flag is irrelevant to device and
158  *	intermediate drivers.
159  *
160  * FILE_OPEN_FOR_BACKUP _INTENT
161  *	The file is being opened for backup intent, hence, the system should
162  *	check for certain access rights and grant the caller the appropriate
163  *	accesses to the file before checking the input DesiredAccess against
164  *	the file's security descriptor. This flag is irrelevant to device
165  *	and intermediate drivers.
166  */
167 #define	FILE_DIRECTORY_FILE			0x00000001
168 #define	FILE_WRITE_THROUGH			0x00000002
169 #define	FILE_SEQUENTIAL_ONLY			0x00000004
170 #define	FILE_NO_INTERMEDIATE_BUFFERING		0x00000008
171 
172 #define	FILE_SYNCHRONOUS_IO_ALERT		0x00000010
173 #define	FILE_SYNCHRONOUS_IO_NONALERT		0x00000020
174 #define	FILE_NON_DIRECTORY_FILE			0x00000040
175 #define	FILE_CREATE_TREE_CONNECTION		0x00000080
176 
177 #define	FILE_COMPLETE_IF_OPLOCKED		0x00000100
178 #define	FILE_NO_EA_KNOWLEDGE			0x00000200
179 /* UNUSED					0x00000400 */
180 #define	FILE_RANDOM_ACCESS			0x00000800
181 
182 #define	FILE_DELETE_ON_CLOSE			0x00001000
183 #define	FILE_OPEN_BY_FILE_ID			0x00002000
184 #define	FILE_OPEN_FOR_BACKUP_INTENT		0x00004000
185 #define	FILE_NO_COMPRESSION			0x00008000
186 
187 #define	FILE_RESERVE_OPFILTER			0x00100000
188 #define	FILE_RESERVED0				0x00200000
189 #define	FILE_RESERVED1				0x00400000
190 #define	FILE_RESERVED2				0x00800000
191 
192 #define	FILE_VALID_OPTION_FLAGS			0x007fffff
193 #define	FILE_VALID_PIPE_OPTION_FLAGS		0x00000032
194 #define	FILE_VALID_MAILSLOT_OPTION_FLAGS	0x00000032
195 #define	FILE_VALID_SET_FLAGS			0x00000036
196 
197 /*
198  * Define the file information class values used by the NT DDK and HAL.
199  */
200 typedef enum _FILE_INFORMATION_CLASS {
201 	FileDirectoryInformation	= 1,
202 	FileFullDirectoryInformation,	/* 2 */
203 	FileBothDirectoryInformation,	/* 3 */
204 	FileBasicInformation,		/* 4 */
205 	FileStandardInformation,	/* 5 */
206 	FileInternalInformation,	/* 6 */
207 	FileEaInformation,		/* 7 */
208 	FileAccessInformation,		/* 8 */
209 	FileNameInformation,		/* 9 */
210 	FileRenameInformation,		/* 10 */
211 	FileLinkInformation,		/* 11 */
212 	FileNamesInformation,		/* 12 */
213 	FileDispositionInformation,	/* 13 */
214 	FilePositionInformation,	/* 14 */
215 	FileFullEaInformation,		/* 15 */
216 	FileModeInformation,		/* 16 */
217 	FileAlignmentInformation,	/* 17 */
218 	FileAllInformation,		/* 18 */
219 	FileAllocationInformation,	/* 19 */
220 	FileEndOfFileInformation,	/* 20 */
221 	FileAlternateNameInformation,	/* 21 */
222 	FileStreamInformation,		/* 22 */
223 	FilePipeInformation,		/* 23 */
224 	FilePipeLocalInformation,	/* 24 */
225 	FilePipeRemoteInformation,	/* 25 */
226 	FileMailslotQueryInformation,	/* 26 */
227 	FileMailslotSetInformation,	/* 27 */
228 	FileCompressionInformation,	/* 28 */
229 	FileObjectIdInformation,	/* 29 */
230 	FileCompletionInformation,	/* 30 */
231 	FileMoveClusterInformation,	/* 31 */
232 	FileInformationReserved32,	/* 32 */
233 	FileInformationReserved33,	/* 33 */
234 	FileNetworkOpenInformation,	/* 34 */
235 	FileAttributeTagInformation,	/* 35 */
236 	FileMaximumInformation
237 } FILE_INFORMATION_CLASS;
238 
239 /*
240  * Discretionary Access Control List (DACL)
241  *
242  * A Discretionary Access Control List (DACL), often abbreviated to
243  * ACL, is a list of access controls which either allow or deny access
244  * for users or groups to a resource. There is a list header followed
245  * by a list of access control entries (ACE). Each ACE specifies the
246  * access allowed or denied to a single user or group (identified by
247  * a SID).
248  *
249  * There is another access control list object called a System Access
250  * Control List (SACL), which is used to control auditing, but no
251  * support is provideed for SACLs at this time.
252  *
253  * ACL header format:
254  *
255  *    3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
256  *    1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
257  *   +-------------------------------+---------------+---------------+
258  *   |            AclSize            |      Sbz1     |  AclRevision  |
259  *   +-------------------------------+---------------+---------------+
260  *   |              Sbz2             |           AceCount            |
261  *   +-------------------------------+-------------------------------+
262  *
263  * AclRevision specifies the revision level of the ACL. This value should
264  * be ACL_REVISION, unless the ACL contains an object-specific ACE, in which
265  * case this value must be ACL_REVISION_DS. All ACEs in an ACL must be at the
266  * same revision level.
267  *
268  * ACE header format:
269  *
270  *    3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
271  *    1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
272  *   +---------------+-------+-------+---------------+---------------+
273  *   |            AceSize            |    AceFlags   |     AceType   |
274  *   +---------------+-------+-------+---------------+---------------+
275  *
276  * Access mask format:
277  *
278  *    3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
279  *    1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
280  *   +---------------+---------------+-------------------------------+
281  *   |G|G|G|G|Res'd|A| StandardRights|         SpecificRights        |
282  *   |R|W|E|A|     |S|               |                               |
283  *   +-+-------------+---------------+-------------------------------+
284  *
285  *   typedef struct ACCESS_MASK {
286  *       WORD SpecificRights;
287  *       BYTE StandardRights;
288  *       BYTE AccessSystemAcl : 1;
289  *       BYTE Reserved : 3;
290  *       BYTE GenericAll : 1;
291  *       BYTE GenericExecute : 1;
292  *       BYTE GenericWrite : 1;
293  *       BYTE GenericRead : 1;
294  *   } ACCESS_MASK;
295  *
296  */
297 
298 #define	ACL_REVISION1			1
299 #define	ACL_REVISION2			2
300 #define	MIN_ACL_REVISION2		ACL_REVISION2
301 #define	ACL_REVISION3			3
302 #define	ACL_REVISION4			4
303 #define	MAX_ACL_REVISION		ACL_REVISION4
304 
305 /*
306  * Current ACE and ACL revision Levels
307  */
308 #define	ACE_REVISION			1
309 #define	ACL_REVISION			ACL_REVISION2
310 #define	ACL_REVISION_DS			ACL_REVISION4
311 
312 
313 #define	ACCESS_ALLOWED_ACE_TYPE		0
314 #define	ACCESS_DENIED_ACE_TYPE		1
315 #define	SYSTEM_AUDIT_ACE_TYPE		2
316 #define	SYSTEM_ALARM_ACE_TYPE		3
317 
318 /*
319  *  se_flags
320  * ----------
321  * Specifies a set of ACE type-specific control flags. This member can be a
322  * combination of the following values.
323  *
324  * CONTAINER_INHERIT_ACE: Child objects that are containers, such as
325  *		directories, inherit the ACE as an effective ACE. The inherited
326  *		ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag
327  *		is also set.
328  *
329  * INHERIT_ONLY_ACE: Indicates an inherit-only ACE which does not control
330  *		access to the object to which it is attached.
331  *		If this flag is not set,
332  *		the ACE is an effective ACE which controls access to the object
333  *		to which it is attached.
334  * 		Both effective and inherit-only ACEs can be inherited
335  *		depending on the state of the other inheritance flags.
336  *
337  * INHERITED_ACE: Windows 2000/XP: Indicates that the ACE was inherited.
338  *		The system sets this bit when it propagates an
339  *		inherited ACE to a child object.
340  *
341  * NO_PROPAGATE_INHERIT_ACE: If the ACE is inherited by a child object, the
342  *		system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE
343  *		flags in the inherited ACE.
344  *		This prevents the ACE from being inherited by
345  *		subsequent generations of objects.
346  *
347  * OBJECT_INHERIT_ACE: Noncontainer child objects inherit the ACE as an
348  *		effective ACE.  For child objects that are containers,
349  *		the ACE is inherited as an inherit-only ACE unless the
350  *		NO_PROPAGATE_INHERIT_ACE bit flag is also set.
351  */
352 #define	OBJECT_INHERIT_ACE		0x01
353 #define	CONTAINER_INHERIT_ACE		0x02
354 #define	NO_PROPOGATE_INHERIT_ACE	0x04
355 #define	INHERIT_ONLY_ACE		0x08
356 #define	INHERITED_ACE			0x10
357 #define	INHERIT_MASK_ACE		0x1F
358 
359 
360 /*
361  * These flags are only used in system audit or alarm ACEs to
362  * indicate when an audit message should be generated, i.e.
363  * on successful access or on unsuccessful access.
364  */
365 #define	SUCCESSFUL_ACCESS_ACE_FLAG	0x40
366 #define	FAILED_ACCESS_ACE_FLAG		0x80
367 
368 /*
369  * se_bsize is the size, in bytes, of ACE as it appears on the wire.
370  * se_sln is used to sort the ACL when it's required.
371  */
372 typedef struct smb_acehdr {
373 	uint8_t		se_type;
374 	uint8_t		se_flags;
375 	uint16_t	se_bsize;
376 } smb_acehdr_t;
377 
378 typedef struct smb_ace {
379 	smb_acehdr_t	se_hdr;
380 	uint32_t	se_mask;
381 	list_node_t	se_sln;
382 	smb_sid_t	*se_sid;
383 } smb_ace_t;
384 
385 /*
386  * sl_bsize is the size of ACL in bytes as it appears on the wire.
387  */
388 typedef struct smb_acl {
389 	uint8_t		sl_revision;
390 	uint16_t	sl_bsize;
391 	uint16_t	sl_acecnt;
392 	smb_ace_t	*sl_aces;
393 	list_t		sl_sorted;
394 } smb_acl_t;
395 
396 /*
397  * ACE/ACL header size, in byte, as it appears on the wire
398  */
399 #define	SMB_ACE_HDRSIZE		4
400 #define	SMB_ACL_HDRSIZE		8
401 
402 /*
403  * Security Descriptor (SD)
404  *
405  * Security descriptors provide protection for objects, for example
406  * files and directories. It identifies the owner and primary group
407  * (SIDs) and contains an access control list. When a user tries to
408  * access an object his SID is compared to the permissions in the
409  * DACL to determine if access should be allowed or denied. Note that
410  * this is a simplification because there are other factors, such as
411  * default behavior and privileges to be taken into account (see also
412  * access tokens).
413  *
414  * The boolean flags have the following meanings when set:
415  *
416  * SE_OWNER_DEFAULTED indicates that the SID pointed to by the Owner
417  * field was provided by a defaulting mechanism rather than explicitly
418  * provided by the original provider of the security descriptor. This
419  * may affect the treatment of the SID with respect to inheritance of
420  * an owner.
421  *
422  * SE_GROUP_DEFAULTED indicates that the SID in the Group field was
423  * provided by a defaulting mechanism rather than explicitly provided
424  * by the original provider of the security descriptor.  This may
425  * affect the treatment of the SID with respect to inheritance of a
426  * primary group.
427  *
428  * SE_DACL_PRESENT indicates that the security descriptor contains a
429  * discretionary ACL. If this flag is set and the Dacl field of the
430  * SECURITY_DESCRIPTOR is null, then a null ACL is explicitly being
431  * specified.
432  *
433  * SE_DACL_DEFAULTED indicates that the ACL pointed to by the Dacl
434  * field was provided by a defaulting mechanism rather than explicitly
435  * provided by the original provider of the security descriptor. This
436  * may affect the treatment of the ACL with respect to inheritance of
437  * an ACL. This flag is ignored if the DaclPresent flag is not set.
438  *
439  * SE_SACL_PRESENT indicates that the security descriptor contains a
440  * system ACL pointed to by the Sacl field. If this flag is set and
441  * the Sacl field of the SECURITY_DESCRIPTOR is null, then an empty
442  * (but present) ACL is being specified.
443  *
444  * SE_SACL_DEFAULTED indicates that the ACL pointed to by the Sacl
445  * field was provided by a defaulting mechanism rather than explicitly
446  * provided by the original provider of the security descriptor. This
447  * may affect the treatment of the ACL with respect to inheritance of
448  * an ACL. This flag is ignored if the SaclPresent flag is not set.
449  *
450  * SE_DACL_PROTECTED Prevents ACEs set on the DACL of the parent container
451  * (and any objects above the parent container in the directory hierarchy)
452  * from being applied to the object's DACL.
453  *
454  * SE_SACL_PROTECTED Prevents ACEs set on the SACL of the parent container
455  * (and any objects above the parent container in the directory hierarchy)
456  * from being applied to the object's SACL.
457  *
458  * Note that the SE_DACL_PRESENT flag needs to be present to set
459  * SE_DACL_PROTECTED and SE_SACL_PRESENT needs to be present to set
460  * SE_SACL_PROTECTED.
461  *
462  * SE_SELF_RELATIVE indicates that the security descriptor is in self-
463  * relative form. In this form, all fields of the security descriptor
464  * are contiguous in memory and all pointer fields are expressed as
465  * offsets from the beginning of the security descriptor.
466  *
467  *    3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
468  *    1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
469  *   +---------------------------------------------------------------+
470  *   |            Control            |Reserved1 (SBZ)|   Revision    |
471  *   +---------------------------------------------------------------+
472  *   |                            Owner                              |
473  *   +---------------------------------------------------------------+
474  *   |                            Group                              |
475  *   +---------------------------------------------------------------+
476  *   |                            Sacl                               |
477  *   +---------------------------------------------------------------+
478  *   |                            Dacl                               |
479  *   +---------------------------------------------------------------+
480  *
481  */
482 
483 #define	SMB_OWNER_SECINFO	0x0001
484 #define	SMB_GROUP_SECINFO	0x0002
485 #define	SMB_DACL_SECINFO	0x0004
486 #define	SMB_SACL_SECINFO	0x0008
487 #define	SMB_ALL_SECINFO		0x000F
488 #define	SMB_ACL_SECINFO		(SMB_DACL_SECINFO | SMB_SACL_SECINFO)
489 
490 #define	SECURITY_DESCRIPTOR_REVISION	1
491 
492 
493 #define	SE_OWNER_DEFAULTED		0x0001
494 #define	SE_GROUP_DEFAULTED		0x0002
495 #define	SE_DACL_PRESENT			0x0004
496 #define	SE_DACL_DEFAULTED		0x0008
497 #define	SE_SACL_PRESENT			0x0010
498 #define	SE_SACL_DEFAULTED		0x0020
499 #define	SE_DACL_AUTO_INHERIT_REQ	0x0100
500 #define	SE_SACL_AUTO_INHERIT_REQ	0x0200
501 #define	SE_DACL_AUTO_INHERITED		0x0400
502 #define	SE_SACL_AUTO_INHERITED		0x0800
503 #define	SE_DACL_PROTECTED		0x1000
504 #define	SE_SACL_PROTECTED		0x2000
505 #define	SE_SELF_RELATIVE		0x8000
506 
507 #define	SE_DACL_INHERITANCE_MASK	0x1500
508 #define	SE_SACL_INHERITANCE_MASK	0x2A00
509 
510 /*
511  * Security descriptor structures:
512  *
513  * smb_sd_t     SD in SMB pointer form
514  * smb_fssd_t   SD in filesystem form
515  *
516  * Filesystems (e.g. ZFS/UFS) don't have something equivalent
517  * to SD. The items comprising a SMB SD are kept separately in
518  * filesystem. smb_fssd_t is introduced as a helper to provide
519  * the required abstraction for CIFS code.
520  */
521 
522 typedef struct smb_sd {
523 	uint8_t		sd_revision;
524 	uint16_t	sd_control;
525 	smb_sid_t 	*sd_owner;	/* SID file owner */
526 	smb_sid_t 	*sd_group;	/* SID group (for POSIX) */
527 	smb_acl_t 	*sd_sacl;	/* ACL System (audits) */
528 	smb_acl_t 	*sd_dacl;	/* ACL Discretionary (perm) */
529 } smb_sd_t;
530 
531 /*
532  * SD header size as it appears on the wire
533  */
534 #define	SMB_SD_HDRSIZE	20
535 
536 /*
537  * values for smb_fssd.sd_flags
538  */
539 #define	SMB_FSSD_FLAGS_DIR	0x01
540 
541 typedef struct smb_fssd {
542 	uint32_t	sd_secinfo;
543 	uint32_t	sd_flags;
544 	uid_t		sd_uid;
545 	gid_t		sd_gid;
546 	acl_t		*sd_zdacl;
547 	acl_t		*sd_zsacl;
548 } smb_fssd_t;
549 
550 void smb_sd_init(smb_sd_t *, uint8_t);
551 void smb_sd_term(smb_sd_t *);
552 uint32_t smb_sd_get_secinfo(smb_sd_t *);
553 uint32_t smb_sd_len(smb_sd_t *, uint32_t);
554 uint32_t smb_sd_tofs(smb_sd_t *, smb_fssd_t *);
555 
556 void smb_fssd_init(smb_fssd_t *, uint32_t, uint32_t);
557 void smb_fssd_term(smb_fssd_t *);
558 
559 void smb_acl_sort(smb_acl_t *);
560 void smb_acl_free(smb_acl_t *);
561 smb_acl_t *smb_acl_alloc(uint8_t, uint16_t, uint16_t);
562 smb_acl_t *smb_acl_from_zfs(acl_t *, uid_t, gid_t);
563 uint32_t smb_acl_to_zfs(smb_acl_t *, uint32_t, int, acl_t **);
564 uint16_t smb_acl_len(smb_acl_t *);
565 boolean_t smb_acl_isvalid(smb_acl_t *, int);
566 
567 void smb_fsacl_free(acl_t *);
568 acl_t *smb_fsacl_alloc(int, int);
569 
570 #ifdef __cplusplus
571 }
572 #endif
573 
574 #endif /* _SMBSRV_NTIFS_H */
575