1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/sid.h> 27 #include <sys/nbmlock.h> 28 #include <smbsrv/smb_fsops.h> 29 #include <smbsrv/smb_kproto.h> 30 #include <smbsrv/ntstatus.h> 31 #include <smbsrv/ntaccess.h> 32 #include <smbsrv/smb_incl.h> 33 #include <acl/acl_common.h> 34 #include <sys/fcntl.h> 35 #include <sys/flock.h> 36 #include <fs/fs_subr.h> 37 38 extern caller_context_t smb_ct; 39 40 extern int smb_fem_oplock_install(smb_node_t *); 41 extern void smb_fem_oplock_uninstall(smb_node_t *); 42 43 extern int smb_vop_other_opens(vnode_t *, int); 44 45 static int smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, 46 smb_fssd_t *fs_sd); 47 48 /* 49 * The smb_fsop_* functions have knowledge of CIFS semantics. 50 * 51 * The smb_vop_* functions have minimal knowledge of CIFS semantics and 52 * serve as an interface to the VFS layer. 53 * 54 * Hence, smb_request_t and smb_node_t structures should not be passed 55 * from the smb_fsop_* layer to the smb_vop_* layer. 56 * 57 * In general, CIFS service code should only ever call smb_fsop_* 58 * functions directly, and never smb_vop_* functions directly. 59 * 60 * smb_fsop_* functions should call smb_vop_* functions where possible, instead 61 * of their smb_fsop_* counterparts. However, there are times when 62 * this cannot be avoided. 63 */ 64 65 /* 66 * Note: Stream names cannot be mangled. 67 */ 68 69 /* 70 * smb_fsop_amask_to_omode 71 * 72 * Convert the access mask to the open mode (for use 73 * with the VOP_OPEN call). 74 * 75 * Note that opening a file for attribute only access 76 * will also translate into an FREAD or FWRITE open mode 77 * (i.e., it's not just for data). 78 * 79 * This is needed so that opens are tracked appropriately 80 * for oplock processing. 81 */ 82 83 int 84 smb_fsop_amask_to_omode(uint32_t access) 85 { 86 int mode = 0; 87 88 if (access & (FILE_READ_DATA | FILE_EXECUTE | 89 FILE_READ_ATTRIBUTES | FILE_READ_EA)) 90 mode |= FREAD; 91 92 if (access & (FILE_WRITE_DATA | FILE_APPEND_DATA | 93 FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA)) 94 mode |= FWRITE; 95 96 if (access & FILE_APPEND_DATA) 97 mode |= FAPPEND; 98 99 return (mode); 100 } 101 102 int 103 smb_fsop_open(smb_node_t *node, int mode, cred_t *cred) 104 { 105 /* 106 * Assuming that the same vnode is returned as we had before. 107 * (I.e., with certain types of files or file systems, a 108 * different vnode might be returned by VOP_OPEN) 109 */ 110 return (smb_vop_open(&node->vp, mode, cred)); 111 } 112 113 void 114 smb_fsop_close(smb_node_t *node, int mode, cred_t *cred) 115 { 116 smb_vop_close(node->vp, mode, cred); 117 } 118 119 int 120 smb_fsop_oplock_install(smb_node_t *node, int mode) 121 { 122 int rc; 123 124 if (smb_vop_other_opens(node->vp, mode)) 125 return (EMFILE); 126 127 if ((rc = smb_fem_oplock_install(node))) 128 return (rc); 129 130 if (smb_vop_other_opens(node->vp, mode)) { 131 (void) smb_fem_oplock_uninstall(node); 132 return (EMFILE); 133 } 134 135 return (0); 136 } 137 138 void 139 smb_fsop_oplock_uninstall(smb_node_t *node) 140 { 141 smb_fem_oplock_uninstall(node); 142 } 143 144 static int 145 smb_fsop_create_with_sd( 146 smb_request_t *sr, 147 cred_t *cr, 148 smb_node_t *dir_snode, 149 char *name, 150 smb_attr_t *attr, 151 smb_node_t **ret_snode, 152 smb_attr_t *ret_attr, 153 smb_fssd_t *fs_sd) 154 { 155 vsecattr_t *vsap; 156 vsecattr_t vsecattr; 157 acl_t *acl, *dacl, *sacl; 158 smb_attr_t set_attr; 159 vnode_t *vp; 160 int aclbsize = 0; /* size of acl list in bytes */ 161 int flags = 0; 162 int rc; 163 boolean_t is_dir; 164 165 ASSERT(fs_sd); 166 167 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 168 flags = SMB_IGNORE_CASE; 169 if (SMB_TREE_SUPPORTS_CATIA(sr)) 170 flags |= SMB_CATIA; 171 172 ASSERT(cr); 173 174 is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0); 175 176 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACLONCREATE)) { 177 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 178 dacl = fs_sd->sd_zdacl; 179 sacl = fs_sd->sd_zsacl; 180 ASSERT(dacl || sacl); 181 if (dacl && sacl) { 182 acl = smb_fsacl_merge(dacl, sacl); 183 } else if (dacl) { 184 acl = dacl; 185 } else { 186 acl = sacl; 187 } 188 189 rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize); 190 191 if (dacl && sacl) 192 acl_free(acl); 193 194 if (rc != 0) 195 return (rc); 196 197 vsap = &vsecattr; 198 } else { 199 vsap = NULL; 200 } 201 202 /* The tree ACEs may prevent a create */ 203 rc = EACCES; 204 if (is_dir) { 205 if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_SUBDIRECTORY) != 0) 206 rc = smb_vop_mkdir(dir_snode->vp, name, attr, 207 &vp, flags, cr, vsap); 208 } else { 209 if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_FILE) != 0) 210 rc = smb_vop_create(dir_snode->vp, name, attr, 211 &vp, flags, cr, vsap); 212 } 213 214 if (vsap != NULL) 215 kmem_free(vsap->vsa_aclentp, aclbsize); 216 217 if (rc != 0) 218 return (rc); 219 220 set_attr.sa_mask = 0; 221 222 /* 223 * Ideally we should be able to specify the owner and owning 224 * group at create time along with the ACL. Since we cannot 225 * do that right now, kcred is passed to smb_vop_setattr so it 226 * doesn't fail due to lack of permission. 227 */ 228 if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) { 229 set_attr.sa_vattr.va_uid = fs_sd->sd_uid; 230 set_attr.sa_mask |= SMB_AT_UID; 231 } 232 233 if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) { 234 set_attr.sa_vattr.va_gid = fs_sd->sd_gid; 235 set_attr.sa_mask |= SMB_AT_GID; 236 } 237 238 if (set_attr.sa_mask) 239 rc = smb_vop_setattr(vp, NULL, &set_attr, 0, kcred); 240 241 if (rc == 0) { 242 *ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, 243 name, dir_snode, NULL, ret_attr); 244 245 if (*ret_snode == NULL) 246 rc = ENOMEM; 247 248 VN_RELE(vp); 249 } 250 } else { 251 /* 252 * For filesystems that don't support ACL-on-create, try 253 * to set the specified SD after create, which could actually 254 * fail because of conflicts between inherited security 255 * attributes upon creation and the specified SD. 256 * 257 * Passing kcred to smb_fsop_sdwrite() to overcome this issue. 258 */ 259 260 if (is_dir) { 261 rc = smb_vop_mkdir(dir_snode->vp, name, attr, &vp, 262 flags, cr, NULL); 263 } else { 264 rc = smb_vop_create(dir_snode->vp, name, attr, &vp, 265 flags, cr, NULL); 266 } 267 268 if (rc != 0) 269 return (rc); 270 271 *ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp, 272 name, dir_snode, NULL, ret_attr); 273 274 if (*ret_snode != NULL) { 275 if (!smb_tree_has_feature(sr->tid_tree, 276 SMB_TREE_NFS_MOUNTED)) 277 rc = smb_fsop_sdwrite(sr, kcred, *ret_snode, 278 fs_sd, 1); 279 } else { 280 rc = ENOMEM; 281 } 282 283 VN_RELE(vp); 284 } 285 286 if (rc != 0) { 287 if (is_dir) 288 (void) smb_vop_rmdir(dir_snode->vp, name, flags, cr); 289 else 290 (void) smb_vop_remove(dir_snode->vp, name, flags, cr); 291 } 292 293 return (rc); 294 } 295 296 /* 297 * smb_fsop_create 298 * 299 * All SMB functions should use this wrapper to ensure that 300 * all the smb_vop_creates are performed with the appropriate credentials. 301 * Please document any direct calls to explain the reason 302 * for avoiding this wrapper. 303 * 304 * It is assumed that a reference exists on snode coming into this routine. 305 * 306 * *ret_snode is returned with a reference upon success. No reference is 307 * taken if an error is returned. 308 */ 309 int 310 smb_fsop_create( 311 smb_request_t *sr, 312 cred_t *cr, 313 smb_node_t *dir_snode, 314 char *name, 315 smb_attr_t *attr, 316 smb_node_t **ret_snode, 317 smb_attr_t *ret_attr) 318 { 319 struct open_param *op = &sr->arg.open; 320 smb_node_t *fnode; 321 smb_attr_t file_attr; 322 vnode_t *xattrdirvp; 323 vnode_t *vp; 324 char *longname = NULL; 325 char *fname; 326 char *sname; 327 int flags = 0; 328 int rc = 0; 329 smb_fssd_t fs_sd; 330 uint32_t secinfo; 331 uint32_t status; 332 333 ASSERT(cr); 334 ASSERT(dir_snode); 335 ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC); 336 ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING); 337 338 ASSERT(ret_snode); 339 *ret_snode = 0; 340 341 ASSERT(name); 342 if (*name == 0) 343 return (EINVAL); 344 345 ASSERT(sr); 346 ASSERT(sr->tid_tree); 347 348 if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0) 349 return (EACCES); 350 351 if (SMB_TREE_IS_READONLY(sr)) 352 return (EROFS); 353 354 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 355 flags = SMB_IGNORE_CASE; 356 if (SMB_TREE_SUPPORTS_CATIA(sr)) 357 flags |= SMB_CATIA; 358 359 if (smb_is_stream_name(name)) { 360 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 361 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 362 363 if (smb_stream_parse_name(name, fname, sname) == -1) { 364 kmem_free(fname, MAXNAMELEN); 365 kmem_free(sname, MAXNAMELEN); 366 return (EINVAL); 367 } 368 369 /* Look up the unnamed stream. */ 370 rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS, 371 sr->tid_tree->t_snode, dir_snode, fname, 372 &fnode, &file_attr); 373 374 if (rc != 0) { 375 kmem_free(fname, MAXNAMELEN); 376 kmem_free(sname, MAXNAMELEN); 377 return (rc); 378 } 379 380 rc = smb_vop_stream_create(fnode->vp, sname, attr, &vp, 381 &xattrdirvp, flags, cr); 382 383 if (rc != 0) { 384 smb_node_release(fnode); 385 kmem_free(fname, MAXNAMELEN); 386 kmem_free(sname, MAXNAMELEN); 387 return (rc); 388 } 389 390 attr->sa_vattr.va_uid = file_attr.sa_vattr.va_uid; 391 attr->sa_vattr.va_gid = file_attr.sa_vattr.va_gid; 392 attr->sa_mask = SMB_AT_UID | SMB_AT_GID; 393 394 /* 395 * The second parameter of smb_vop_setattr() is set to 396 * NULL, even though an unnamed stream exists. This is 397 * because we want to set the UID and GID on the named 398 * stream in this case for consistency with the (unnamed 399 * stream) file (see comments for smb_vop_setattr()). 400 */ 401 402 rc = smb_vop_setattr(vp, NULL, attr, 0, kcred); 403 404 if (rc != 0) { 405 smb_node_release(fnode); 406 kmem_free(fname, MAXNAMELEN); 407 kmem_free(sname, MAXNAMELEN); 408 return (rc); 409 } 410 411 *ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp, 412 vp, sname, ret_attr); 413 414 smb_node_release(fnode); 415 VN_RELE(xattrdirvp); 416 VN_RELE(vp); 417 418 if (*ret_snode == NULL) 419 rc = ENOMEM; 420 421 kmem_free(fname, MAXNAMELEN); 422 kmem_free(sname, MAXNAMELEN); 423 return (rc); 424 } 425 426 /* Not a named stream */ 427 if (smb_maybe_mangled_name(name)) { 428 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 429 rc = smb_unmangle_name(dir_snode, name, longname, MAXNAMELEN); 430 kmem_free(longname, MAXNAMELEN); 431 432 if (rc == 0) 433 rc = EEXIST; 434 if (rc != ENOENT) 435 return (rc); 436 } 437 438 if (op->sd) { 439 /* 440 * SD sent by client in Windows format. Needs to be 441 * converted to FS format. No inheritance. 442 */ 443 secinfo = smb_sd_get_secinfo(op->sd); 444 smb_fssd_init(&fs_sd, secinfo, 0); 445 446 status = smb_sd_tofs(op->sd, &fs_sd); 447 if (status == NT_STATUS_SUCCESS) { 448 rc = smb_fsop_create_with_sd(sr, cr, dir_snode, 449 name, attr, ret_snode, ret_attr, &fs_sd); 450 } else { 451 rc = EINVAL; 452 } 453 smb_fssd_term(&fs_sd); 454 } else if (sr->tid_tree->t_acltype == ACE_T) { 455 /* 456 * No incoming SD and filesystem is ZFS 457 * Server applies Windows inheritance rules, 458 * see smb_fsop_sdinherit() comments as to why. 459 */ 460 smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, 0); 461 rc = smb_fsop_sdinherit(sr, dir_snode, &fs_sd); 462 if (rc == 0) { 463 rc = smb_fsop_create_with_sd(sr, cr, dir_snode, 464 name, attr, ret_snode, ret_attr, &fs_sd); 465 } 466 467 smb_fssd_term(&fs_sd); 468 } else { 469 /* 470 * No incoming SD and filesystem is not ZFS 471 * let the filesystem handles the inheritance. 472 */ 473 rc = smb_vop_create(dir_snode->vp, name, attr, &vp, 474 flags, cr, NULL); 475 476 if (rc == 0) { 477 *ret_snode = smb_node_lookup(sr, op, cr, vp, 478 name, dir_snode, NULL, ret_attr); 479 480 if (*ret_snode == NULL) 481 rc = ENOMEM; 482 483 VN_RELE(vp); 484 } 485 486 } 487 488 return (rc); 489 } 490 491 /* 492 * smb_fsop_mkdir 493 * 494 * All SMB functions should use this wrapper to ensure that 495 * the the calls are performed with the appropriate credentials. 496 * Please document any direct call to explain the reason 497 * for avoiding this wrapper. 498 * 499 * It is assumed that a reference exists on snode coming into this routine. 500 * 501 * *ret_snode is returned with a reference upon success. No reference is 502 * taken if an error is returned. 503 */ 504 int 505 smb_fsop_mkdir( 506 smb_request_t *sr, 507 cred_t *cr, 508 smb_node_t *dir_snode, 509 char *name, 510 smb_attr_t *attr, 511 smb_node_t **ret_snode, 512 smb_attr_t *ret_attr) 513 { 514 struct open_param *op = &sr->arg.open; 515 char *longname; 516 vnode_t *vp; 517 int flags = 0; 518 smb_fssd_t fs_sd; 519 uint32_t secinfo; 520 uint32_t status; 521 int rc; 522 ASSERT(cr); 523 ASSERT(dir_snode); 524 ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC); 525 ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING); 526 527 ASSERT(ret_snode); 528 *ret_snode = 0; 529 530 ASSERT(name); 531 if (*name == 0) 532 return (EINVAL); 533 534 ASSERT(sr); 535 ASSERT(sr->tid_tree); 536 537 if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0) 538 return (EACCES); 539 540 if (SMB_TREE_IS_READONLY(sr)) 541 return (EROFS); 542 if (SMB_TREE_SUPPORTS_CATIA(sr)) 543 flags |= SMB_CATIA; 544 545 if (smb_maybe_mangled_name(name)) { 546 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 547 rc = smb_unmangle_name(dir_snode, name, longname, MAXNAMELEN); 548 kmem_free(longname, MAXNAMELEN); 549 550 /* 551 * If the name passed in by the client has an unmangled 552 * equivalent that is found in the specified directory, 553 * then the mkdir cannot succeed. Return EEXIST. 554 * 555 * Only if ENOENT is returned will a mkdir be attempted. 556 */ 557 558 if (rc == 0) 559 rc = EEXIST; 560 561 if (rc != ENOENT) 562 return (rc); 563 } 564 565 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 566 flags = SMB_IGNORE_CASE; 567 568 if (op->sd) { 569 /* 570 * SD sent by client in Windows format. Needs to be 571 * converted to FS format. No inheritance. 572 */ 573 secinfo = smb_sd_get_secinfo(op->sd); 574 smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR); 575 576 status = smb_sd_tofs(op->sd, &fs_sd); 577 if (status == NT_STATUS_SUCCESS) { 578 rc = smb_fsop_create_with_sd(sr, cr, dir_snode, 579 name, attr, ret_snode, ret_attr, &fs_sd); 580 } 581 else 582 rc = EINVAL; 583 smb_fssd_term(&fs_sd); 584 } else if (sr->tid_tree->t_acltype == ACE_T) { 585 /* 586 * No incoming SD and filesystem is ZFS 587 * Server applies Windows inheritance rules, 588 * see smb_fsop_sdinherit() comments as to why. 589 */ 590 smb_fssd_init(&fs_sd, SMB_ACL_SECINFO, SMB_FSSD_FLAGS_DIR); 591 rc = smb_fsop_sdinherit(sr, dir_snode, &fs_sd); 592 if (rc == 0) { 593 rc = smb_fsop_create_with_sd(sr, cr, dir_snode, 594 name, attr, ret_snode, ret_attr, &fs_sd); 595 } 596 597 smb_fssd_term(&fs_sd); 598 599 } else { 600 rc = smb_vop_mkdir(dir_snode->vp, name, attr, &vp, flags, cr, 601 NULL); 602 603 if (rc == 0) { 604 *ret_snode = smb_node_lookup(sr, op, cr, vp, name, 605 dir_snode, NULL, ret_attr); 606 607 if (*ret_snode == NULL) 608 rc = ENOMEM; 609 610 VN_RELE(vp); 611 } 612 } 613 614 return (rc); 615 } 616 617 /* 618 * smb_fsop_remove 619 * 620 * All SMB functions should use this wrapper to ensure that 621 * the the calls are performed with the appropriate credentials. 622 * Please document any direct call to explain the reason 623 * for avoiding this wrapper. 624 * 625 * It is assumed that a reference exists on snode coming into this routine. 626 * 627 * A null smb_request might be passed to this function. 628 */ 629 int 630 smb_fsop_remove( 631 smb_request_t *sr, 632 cred_t *cr, 633 smb_node_t *dir_snode, 634 char *name, 635 uint32_t flags) 636 { 637 smb_node_t *fnode; 638 smb_attr_t file_attr; 639 char *longname; 640 char *fname; 641 char *sname; 642 int rc; 643 644 ASSERT(cr); 645 /* 646 * The state of the node could be SMB_NODE_STATE_DESTROYING if this 647 * function is called during the deletion of the node (because of 648 * DELETE_ON_CLOSE). 649 */ 650 ASSERT(dir_snode); 651 ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC); 652 653 if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0 || 654 SMB_TREE_HAS_ACCESS(sr, ACE_DELETE) == 0) 655 return (EACCES); 656 657 if (SMB_TREE_IS_READONLY(sr)) 658 return (EROFS); 659 660 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 661 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 662 663 if (dir_snode->flags & NODE_XATTR_DIR) { 664 rc = smb_vop_stream_remove(dir_snode->dir_snode->vp, 665 name, flags, cr); 666 } else if ((rc = smb_stream_parse_name(name, fname, sname)) != 0) { 667 if (rc == -1) { 668 kmem_free(fname, MAXNAMELEN); 669 kmem_free(sname, MAXNAMELEN); 670 return (EINVAL); 671 } 672 673 /* 674 * Look up the unnamed stream (i.e. fname). 675 * Unmangle processing will be done on fname 676 * as well as any link target. 677 */ 678 679 rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS, 680 sr->tid_tree->t_snode, dir_snode, fname, 681 &fnode, &file_attr); 682 683 if (rc != 0) { 684 kmem_free(fname, MAXNAMELEN); 685 kmem_free(sname, MAXNAMELEN); 686 return (rc); 687 } 688 689 /* 690 * XXX 691 * Need to find out what permission is required by NTFS 692 * to remove a stream. 693 */ 694 rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr); 695 696 smb_node_release(fnode); 697 } else { 698 rc = smb_vop_remove(dir_snode->vp, name, flags, cr); 699 700 if (rc == ENOENT) { 701 if (smb_maybe_mangled_name(name) == 0) { 702 kmem_free(fname, MAXNAMELEN); 703 kmem_free(sname, MAXNAMELEN); 704 return (rc); 705 } 706 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 707 708 rc = smb_unmangle_name(dir_snode, name, 709 longname, MAXNAMELEN); 710 711 if (rc == 0) { 712 /* 713 * longname is the real (case-sensitive) 714 * on-disk name. 715 * We make sure we do a remove on this exact 716 * name, as the name was mangled and denotes 717 * a unique file. 718 */ 719 flags &= ~SMB_IGNORE_CASE; 720 rc = smb_vop_remove(dir_snode->vp, longname, 721 flags, cr); 722 } 723 724 kmem_free(longname, MAXNAMELEN); 725 } 726 } 727 728 kmem_free(fname, MAXNAMELEN); 729 kmem_free(sname, MAXNAMELEN); 730 return (rc); 731 } 732 733 /* 734 * smb_fsop_remove_streams 735 * 736 * This function removes a file's streams without removing the 737 * file itself. 738 * 739 * It is assumed that fnode is not a link. 740 */ 741 int 742 smb_fsop_remove_streams(smb_request_t *sr, cred_t *cr, smb_node_t *fnode) 743 { 744 int rc, flags = 0; 745 uint16_t odid; 746 smb_odir_t *od; 747 smb_odirent_t *odirent; 748 boolean_t eos; 749 750 ASSERT(sr); 751 ASSERT(cr); 752 ASSERT(fnode); 753 ASSERT(fnode->n_magic == SMB_NODE_MAGIC); 754 ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING); 755 756 if (SMB_TREE_CONTAINS_NODE(sr, fnode) == 0) 757 return (EACCES); 758 759 if (SMB_TREE_IS_READONLY(sr)) 760 return (EROFS); 761 762 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 763 flags = SMB_IGNORE_CASE; 764 if (SMB_TREE_SUPPORTS_CATIA(sr)) 765 flags |= SMB_CATIA; 766 767 if ((odid = smb_odir_openat(sr, fnode)) == 0) 768 return (ENOENT); 769 if ((od = smb_tree_lookup_odir(sr->tid_tree, odid)) == NULL) 770 return (ENOENT); 771 772 odirent = kmem_alloc(sizeof (smb_odirent_t), KM_SLEEP); 773 for (;;) { 774 rc = smb_odir_read(sr, od, odirent, &eos); 775 if ((rc != 0) || (eos)) 776 break; 777 (void) smb_vop_remove(od->d_dnode->vp, odirent->od_name, 778 flags, cr); 779 } 780 kmem_free(odirent, sizeof (smb_odirent_t)); 781 782 smb_odir_release(od); 783 smb_odir_close(od); 784 return (rc); 785 } 786 787 /* 788 * smb_fsop_rmdir 789 * 790 * All SMB functions should use this wrapper to ensure that 791 * the the calls are performed with the appropriate credentials. 792 * Please document any direct call to explain the reason 793 * for avoiding this wrapper. 794 * 795 * It is assumed that a reference exists on snode coming into this routine. 796 */ 797 int 798 smb_fsop_rmdir( 799 smb_request_t *sr, 800 cred_t *cr, 801 smb_node_t *dir_snode, 802 char *name, 803 uint32_t flags) 804 { 805 int rc; 806 char *longname; 807 808 ASSERT(cr); 809 /* 810 * The state of the node could be SMB_NODE_STATE_DESTROYING if this 811 * function is called during the deletion of the node (because of 812 * DELETE_ON_CLOSE). 813 */ 814 ASSERT(dir_snode); 815 ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC); 816 817 if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0 || 818 SMB_TREE_HAS_ACCESS(sr, ACE_DELETE_CHILD) == 0) 819 return (EACCES); 820 821 if (SMB_TREE_IS_READONLY(sr)) 822 return (EROFS); 823 824 rc = smb_vop_rmdir(dir_snode->vp, name, flags, cr); 825 826 if (rc == ENOENT) { 827 if (smb_maybe_mangled_name(name) == 0) 828 return (rc); 829 830 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 831 rc = smb_unmangle_name(dir_snode, name, longname, MAXNAMELEN); 832 833 if (rc == 0) { 834 /* 835 * longname is the real (case-sensitive) 836 * on-disk name. 837 * We make sure we do a rmdir on this exact 838 * name, as the name was mangled and denotes 839 * a unique directory. 840 */ 841 flags &= ~SMB_IGNORE_CASE; 842 rc = smb_vop_rmdir(dir_snode->vp, longname, flags, cr); 843 } 844 845 kmem_free(longname, MAXNAMELEN); 846 } 847 848 return (rc); 849 } 850 851 /* 852 * smb_fsop_getattr 853 * 854 * All SMB functions should use this wrapper to ensure that 855 * the the calls are performed with the appropriate credentials. 856 * Please document any direct call to explain the reason 857 * for avoiding this wrapper. 858 * 859 * It is assumed that a reference exists on snode coming into this routine. 860 */ 861 int 862 smb_fsop_getattr(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 863 smb_attr_t *attr) 864 { 865 smb_node_t *unnamed_node; 866 vnode_t *unnamed_vp = NULL; 867 uint32_t status; 868 uint32_t access = 0; 869 int flags = 0; 870 int rc; 871 872 ASSERT(cr); 873 ASSERT(snode); 874 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 875 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 876 877 if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0 || 878 SMB_TREE_HAS_ACCESS(sr, ACE_READ_ATTRIBUTES) == 0) 879 return (EACCES); 880 881 if (sr->fid_ofile) { 882 /* if uid and/or gid is requested */ 883 if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID)) 884 access |= READ_CONTROL; 885 886 /* if anything else is also requested */ 887 if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID)) 888 access |= FILE_READ_ATTRIBUTES; 889 890 status = smb_ofile_access(sr->fid_ofile, cr, access); 891 if (status != NT_STATUS_SUCCESS) 892 return (EACCES); 893 894 if (smb_tree_has_feature(sr->tid_tree, 895 SMB_TREE_ACEMASKONACCESS)) 896 flags = ATTR_NOACLCHECK; 897 } 898 899 unnamed_node = SMB_IS_STREAM(snode); 900 901 if (unnamed_node) { 902 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 903 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 904 unnamed_vp = unnamed_node->vp; 905 } 906 907 rc = smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr); 908 if (rc == 0) 909 snode->attr = *attr; 910 911 return (rc); 912 } 913 914 /* 915 * smb_fsop_rename 916 * 917 * All SMB functions should use this smb_vop_rename wrapper to ensure that 918 * the smb_vop_rename is performed with the appropriate credentials. 919 * Please document any direct call to smb_vop_rename to explain the reason 920 * for avoiding this wrapper. 921 * 922 * It is assumed that references exist on from_dir_snode and to_dir_snode coming 923 * into this routine. 924 */ 925 int 926 smb_fsop_rename( 927 smb_request_t *sr, 928 cred_t *cr, 929 smb_node_t *from_dir_snode, 930 char *from_name, 931 smb_node_t *to_dir_snode, 932 char *to_name) 933 { 934 smb_node_t *from_snode; 935 smb_attr_t tmp_attr; 936 vnode_t *from_vp; 937 int flags = 0, ret_flags; 938 int rc; 939 boolean_t isdir; 940 941 ASSERT(cr); 942 ASSERT(from_dir_snode); 943 ASSERT(from_dir_snode->n_magic == SMB_NODE_MAGIC); 944 ASSERT(from_dir_snode->n_state != SMB_NODE_STATE_DESTROYING); 945 946 ASSERT(to_dir_snode); 947 ASSERT(to_dir_snode->n_magic == SMB_NODE_MAGIC); 948 ASSERT(to_dir_snode->n_state != SMB_NODE_STATE_DESTROYING); 949 950 if (SMB_TREE_CONTAINS_NODE(sr, from_dir_snode) == 0) 951 return (EACCES); 952 953 if (SMB_TREE_CONTAINS_NODE(sr, to_dir_snode) == 0) 954 return (EACCES); 955 956 ASSERT(sr); 957 ASSERT(sr->tid_tree); 958 if (SMB_TREE_IS_READONLY(sr)) 959 return (EROFS); 960 961 /* 962 * Note: There is no need to check SMB_TREE_IS_CASEINSENSITIVE 963 * here. 964 * 965 * A case-sensitive rename is always done in this routine 966 * because we are using the on-disk name from an earlier lookup. 967 * If a mangled name was passed in by the caller (denoting a 968 * deterministic lookup), then the exact file must be renamed 969 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or 970 * else the underlying file system might return a "first-match" 971 * on this on-disk name, possibly resulting in the wrong file). 972 */ 973 974 if (SMB_TREE_SUPPORTS_CATIA(sr)) 975 flags |= SMB_CATIA; 976 977 /* 978 * XXX: Lock required through smb_node_release() below? 979 */ 980 981 rc = smb_vop_lookup(from_dir_snode->vp, from_name, &from_vp, NULL, 982 flags, &ret_flags, NULL, cr); 983 984 if (rc != 0) 985 return (rc); 986 987 isdir = from_vp->v_type == VDIR; 988 989 if ((isdir && SMB_TREE_HAS_ACCESS(sr, 990 ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY) != 991 (ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY)) || 992 (!isdir && SMB_TREE_HAS_ACCESS(sr, ACE_DELETE | ACE_ADD_FILE) != 993 (ACE_DELETE | ACE_ADD_FILE))) 994 return (EACCES); 995 996 rc = smb_vop_rename(from_dir_snode->vp, from_name, to_dir_snode->vp, 997 to_name, flags, cr); 998 999 if (rc == 0) { 1000 from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name, 1001 from_dir_snode, NULL, &tmp_attr); 1002 1003 if (from_snode == NULL) { 1004 rc = ENOMEM; 1005 } else { 1006 smb_node_rename(from_dir_snode, from_snode, 1007 to_dir_snode, to_name); 1008 smb_node_release(from_snode); 1009 } 1010 } 1011 VN_RELE(from_vp); 1012 1013 /* XXX: unlock */ 1014 1015 return (rc); 1016 } 1017 1018 /* 1019 * smb_fsop_setattr 1020 * 1021 * All SMB functions should use this wrapper to ensure that 1022 * the the calls are performed with the appropriate credentials. 1023 * Please document any direct call to explain the reason 1024 * for avoiding this wrapper. 1025 * 1026 * It is assumed that a reference exists on snode coming into this routine. 1027 * A null smb_request might be passed to this function. 1028 */ 1029 int 1030 smb_fsop_setattr( 1031 smb_request_t *sr, 1032 cred_t *cr, 1033 smb_node_t *snode, 1034 smb_attr_t *set_attr, 1035 smb_attr_t *ret_attr) 1036 { 1037 smb_node_t *unnamed_node; 1038 vnode_t *unnamed_vp = NULL; 1039 uint32_t status; 1040 uint32_t access; 1041 int rc = 0; 1042 int flags = 0; 1043 uint_t sa_mask; 1044 1045 ASSERT(cr); 1046 ASSERT(snode); 1047 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1048 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1049 1050 if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0) 1051 return (EACCES); 1052 1053 if (SMB_TREE_IS_READONLY(sr)) 1054 return (EROFS); 1055 1056 if (SMB_TREE_HAS_ACCESS(sr, 1057 ACE_WRITE_ATTRIBUTES | ACE_WRITE_NAMED_ATTRS) == 0) 1058 return (EACCES); 1059 1060 if (sr && (set_attr->sa_mask & SMB_AT_SIZE)) { 1061 if (sr->fid_ofile) { 1062 if (SMB_OFILE_IS_READONLY(sr->fid_ofile)) 1063 return (EACCES); 1064 } else { 1065 if (SMB_PATHFILE_IS_READONLY(sr, snode)) 1066 return (EACCES); 1067 } 1068 } 1069 1070 /* sr could be NULL in some cases */ 1071 if (sr && sr->fid_ofile) { 1072 sa_mask = set_attr->sa_mask; 1073 access = 0; 1074 1075 if (sa_mask & SMB_AT_SIZE) { 1076 access |= FILE_WRITE_DATA; 1077 sa_mask &= ~SMB_AT_SIZE; 1078 } 1079 1080 if (sa_mask & (SMB_AT_UID|SMB_AT_GID)) { 1081 access |= WRITE_OWNER; 1082 sa_mask &= ~(SMB_AT_UID|SMB_AT_GID); 1083 } 1084 1085 if (sa_mask) 1086 access |= FILE_WRITE_ATTRIBUTES; 1087 1088 status = smb_ofile_access(sr->fid_ofile, cr, access); 1089 if (status != NT_STATUS_SUCCESS) 1090 return (EACCES); 1091 1092 if (smb_tree_has_feature(sr->tid_tree, 1093 SMB_TREE_ACEMASKONACCESS)) 1094 flags = ATTR_NOACLCHECK; 1095 } 1096 1097 unnamed_node = SMB_IS_STREAM(snode); 1098 1099 if (unnamed_node) { 1100 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1101 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1102 unnamed_vp = unnamed_node->vp; 1103 } 1104 1105 rc = smb_vop_setattr(snode->vp, unnamed_vp, set_attr, flags, cr); 1106 1107 if ((rc == 0) && ret_attr) { 1108 /* 1109 * Use kcred to update the node attr because this 1110 * call is not being made on behalf of the user. 1111 */ 1112 ret_attr->sa_mask = SMB_AT_ALL; 1113 rc = smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, flags, 1114 kcred); 1115 if (rc == 0) 1116 snode->attr = *ret_attr; 1117 } 1118 1119 return (rc); 1120 } 1121 1122 /* 1123 * smb_fsop_read 1124 * 1125 * All SMB functions should use this wrapper to ensure that 1126 * the the calls are performed with the appropriate credentials. 1127 * Please document any direct call to explain the reason 1128 * for avoiding this wrapper. 1129 * 1130 * It is assumed that a reference exists on snode coming into this routine. 1131 */ 1132 int 1133 smb_fsop_read( 1134 struct smb_request *sr, 1135 cred_t *cr, 1136 smb_node_t *snode, 1137 uio_t *uio, 1138 smb_attr_t *ret_attr) 1139 { 1140 smb_node_t *unnamed_node; 1141 vnode_t *unnamed_vp = NULL; 1142 caller_context_t ct; 1143 int svmand; 1144 int rc; 1145 1146 ASSERT(cr); 1147 ASSERT(snode); 1148 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1149 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1150 1151 ASSERT(sr); 1152 ASSERT(sr->fid_ofile); 1153 1154 if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_DATA) == 0) 1155 return (EACCES); 1156 1157 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_READ_DATA); 1158 if (rc != NT_STATUS_SUCCESS) { 1159 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_EXECUTE); 1160 if (rc != NT_STATUS_SUCCESS) 1161 return (EACCES); 1162 } 1163 1164 unnamed_node = SMB_IS_STREAM(snode); 1165 if (unnamed_node) { 1166 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1167 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1168 unnamed_vp = unnamed_node->vp; 1169 /* 1170 * Streams permission are checked against the unnamed stream, 1171 * but in FS level they have their own permissions. To avoid 1172 * rejection by FS due to lack of permission on the actual 1173 * extended attr kcred is passed for streams. 1174 */ 1175 cr = kcred; 1176 } 1177 1178 smb_node_start_crit(snode, RW_READER); 1179 rc = nbl_svmand(snode->vp, kcred, &svmand); 1180 if (rc) { 1181 smb_node_end_crit(snode); 1182 return (rc); 1183 } 1184 1185 ct = smb_ct; 1186 ct.cc_pid = sr->fid_ofile->f_uniqid; 1187 rc = nbl_lock_conflict(snode->vp, NBL_READ, uio->uio_loffset, 1188 uio->uio_iov->iov_len, svmand, &ct); 1189 1190 if (rc) { 1191 smb_node_end_crit(snode); 1192 return (ERANGE); 1193 } 1194 rc = smb_vop_read(snode->vp, uio, cr); 1195 1196 if (rc == 0 && ret_attr) { 1197 /* 1198 * Use kcred to update the node attr because this 1199 * call is not being made on behalf of the user. 1200 */ 1201 ret_attr->sa_mask = SMB_AT_ALL; 1202 if (smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0, 1203 kcred) == 0) { 1204 snode->attr = *ret_attr; 1205 } 1206 } 1207 1208 smb_node_end_crit(snode); 1209 1210 return (rc); 1211 } 1212 1213 /* 1214 * smb_fsop_write 1215 * 1216 * This is a wrapper function used for smb_write and smb_write_raw operations. 1217 * 1218 * It is assumed that a reference exists on snode coming into this routine. 1219 */ 1220 int 1221 smb_fsop_write( 1222 smb_request_t *sr, 1223 cred_t *cr, 1224 smb_node_t *snode, 1225 uio_t *uio, 1226 uint32_t *lcount, 1227 smb_attr_t *ret_attr, 1228 int ioflag) 1229 { 1230 smb_node_t *unnamed_node; 1231 vnode_t *unnamed_vp = NULL; 1232 caller_context_t ct; 1233 int svmand; 1234 int rc; 1235 1236 ASSERT(cr); 1237 ASSERT(snode); 1238 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1239 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1240 1241 ASSERT(sr); 1242 ASSERT(sr->tid_tree); 1243 ASSERT(sr->fid_ofile); 1244 1245 if (SMB_TREE_IS_READONLY(sr)) 1246 return (EROFS); 1247 1248 if (SMB_OFILE_IS_READONLY(sr->fid_ofile) || 1249 SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_DATA | ACE_APPEND_DATA) == 0) 1250 return (EACCES); 1251 1252 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_WRITE_DATA); 1253 if (rc != NT_STATUS_SUCCESS) { 1254 rc = smb_ofile_access(sr->fid_ofile, cr, FILE_APPEND_DATA); 1255 if (rc != NT_STATUS_SUCCESS) 1256 return (EACCES); 1257 } 1258 1259 unnamed_node = SMB_IS_STREAM(snode); 1260 1261 if (unnamed_node) { 1262 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1263 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1264 unnamed_vp = unnamed_node->vp; 1265 /* 1266 * Streams permission are checked against the unnamed stream, 1267 * but in FS level they have their own permissions. To avoid 1268 * rejection by FS due to lack of permission on the actual 1269 * extended attr kcred is passed for streams. 1270 */ 1271 cr = kcred; 1272 } 1273 1274 smb_node_start_crit(snode, RW_READER); 1275 rc = nbl_svmand(snode->vp, kcred, &svmand); 1276 if (rc) { 1277 smb_node_end_crit(snode); 1278 return (rc); 1279 } 1280 1281 ct = smb_ct; 1282 ct.cc_pid = sr->fid_ofile->f_uniqid; 1283 rc = nbl_lock_conflict(snode->vp, NBL_WRITE, uio->uio_loffset, 1284 uio->uio_iov->iov_len, svmand, &ct); 1285 1286 if (rc) { 1287 smb_node_end_crit(snode); 1288 return (ERANGE); 1289 } 1290 rc = smb_vop_write(snode->vp, uio, ioflag, lcount, cr); 1291 1292 if (rc == 0 && ret_attr) { 1293 /* 1294 * Use kcred to update the node attr because this 1295 * call is not being made on behalf of the user. 1296 */ 1297 ret_attr->sa_mask = SMB_AT_ALL; 1298 if (smb_vop_getattr(snode->vp, unnamed_vp, ret_attr, 0, 1299 kcred) == 0) { 1300 snode->attr = *ret_attr; 1301 } 1302 } 1303 1304 smb_node_end_crit(snode); 1305 1306 return (rc); 1307 } 1308 1309 /* 1310 * smb_fsop_statfs 1311 * 1312 * This is a wrapper function used for stat operations. 1313 */ 1314 int 1315 smb_fsop_statfs( 1316 cred_t *cr, 1317 smb_node_t *snode, 1318 struct statvfs64 *statp) 1319 { 1320 ASSERT(cr); 1321 ASSERT(snode); 1322 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1323 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1324 1325 return (smb_vop_statfs(snode->vp, statp, cr)); 1326 } 1327 1328 /* 1329 * smb_fsop_access 1330 * 1331 * Named streams do not have separate permissions from the associated 1332 * unnamed stream. Thus, if node is a named stream, the permissions 1333 * check will be performed on the associated unnamed stream. 1334 * 1335 * However, our named streams do have their own quarantine attribute, 1336 * separate from that on the unnamed stream. If READ or EXECUTE 1337 * access has been requested on a named stream, an additional access 1338 * check is performed on the named stream in case it has been 1339 * quarantined. kcred is used to avoid issues with the permissions 1340 * set on the extended attribute file representing the named stream. 1341 */ 1342 int 1343 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1344 uint32_t faccess) 1345 { 1346 int access = 0; 1347 int error; 1348 vnode_t *dir_vp; 1349 boolean_t acl_check = B_TRUE; 1350 smb_node_t *unnamed_node; 1351 1352 ASSERT(sr); 1353 ASSERT(cr); 1354 ASSERT(snode); 1355 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1356 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1357 1358 if (faccess == 0) 1359 return (NT_STATUS_SUCCESS); 1360 1361 if (SMB_TREE_IS_READONLY(sr)) { 1362 if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA| 1363 FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES| 1364 DELETE|WRITE_DAC|WRITE_OWNER)) { 1365 return (NT_STATUS_ACCESS_DENIED); 1366 } 1367 } 1368 1369 unnamed_node = SMB_IS_STREAM(snode); 1370 if (unnamed_node) { 1371 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1372 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1373 1374 /* 1375 * Perform VREAD access check on the named stream in case it 1376 * is quarantined. kcred is passed to smb_vop_access so it 1377 * doesn't fail due to lack of permission. 1378 */ 1379 if (faccess & (FILE_READ_DATA | FILE_EXECUTE)) { 1380 error = smb_vop_access(snode->vp, VREAD, 1381 0, NULL, kcred); 1382 if (error) 1383 return (NT_STATUS_ACCESS_DENIED); 1384 } 1385 1386 /* 1387 * Streams authorization should be performed against the 1388 * unnamed stream. 1389 */ 1390 snode = unnamed_node; 1391 } 1392 1393 if (faccess & ACCESS_SYSTEM_SECURITY) { 1394 /* 1395 * This permission is required for reading/writing SACL and 1396 * it's not part of DACL. It's only granted via proper 1397 * privileges. 1398 */ 1399 if ((sr->uid_user->u_privileges & 1400 (SMB_USER_PRIV_BACKUP | 1401 SMB_USER_PRIV_RESTORE | 1402 SMB_USER_PRIV_SECURITY)) == 0) 1403 return (NT_STATUS_PRIVILEGE_NOT_HELD); 1404 1405 faccess &= ~ACCESS_SYSTEM_SECURITY; 1406 } 1407 1408 /* Links don't have ACL */ 1409 if ((!smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) || 1410 (snode->attr.sa_vattr.va_type == VLNK)) 1411 acl_check = B_FALSE; 1412 1413 /* 1414 * Use the most restrictive parts of both faccess and the 1415 * share access. An AND of the two value masks gives us that 1416 * since we've already converted to a mask of what we "can" 1417 * do. 1418 */ 1419 faccess &= sr->tid_tree->t_access; 1420 1421 if (acl_check) { 1422 dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL; 1423 error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp, 1424 cr); 1425 } else { 1426 /* 1427 * FS doesn't understand 32-bit mask, need to map 1428 */ 1429 if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA)) 1430 access |= VWRITE; 1431 1432 if (faccess & FILE_READ_DATA) 1433 access |= VREAD; 1434 1435 if (faccess & FILE_EXECUTE) 1436 access |= VEXEC; 1437 1438 error = smb_vop_access(snode->vp, access, 0, NULL, cr); 1439 } 1440 1441 return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS); 1442 } 1443 1444 /* 1445 * smb_fsop_lookup_name() 1446 * 1447 * If name indicates that the file is a stream file, perform 1448 * stream specific lookup, otherwise call smb_fsop_lookup. 1449 * 1450 * Return an error if the looked-up file is in outside the tree. 1451 * (Required when invoked from open path.) 1452 */ 1453 1454 int 1455 smb_fsop_lookup_name( 1456 smb_request_t *sr, 1457 cred_t *cr, 1458 int flags, 1459 smb_node_t *root_node, 1460 smb_node_t *dir_snode, 1461 char *name, 1462 smb_node_t **ret_snode, 1463 smb_attr_t *ret_attr) 1464 { 1465 smb_node_t *fnode; 1466 smb_attr_t file_attr; 1467 vnode_t *xattrdirvp; 1468 vnode_t *vp; 1469 char *od_name; 1470 char *fname; 1471 char *sname; 1472 int rc; 1473 1474 ASSERT(cr); 1475 ASSERT(dir_snode); 1476 ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC); 1477 ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING); 1478 1479 /* 1480 * The following check is required for streams processing, below 1481 */ 1482 1483 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1484 flags |= SMB_IGNORE_CASE; 1485 1486 fname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1487 sname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1488 1489 if ((rc = smb_stream_parse_name(name, fname, sname)) != 0) { 1490 if (rc == -1) { 1491 kmem_free(fname, MAXNAMELEN); 1492 kmem_free(sname, MAXNAMELEN); 1493 return (EINVAL); 1494 } 1495 1496 /* 1497 * Look up the unnamed stream (i.e. fname). 1498 * Unmangle processing will be done on fname 1499 * as well as any link target. 1500 */ 1501 rc = smb_fsop_lookup(sr, cr, flags, root_node, dir_snode, fname, 1502 &fnode, &file_attr); 1503 1504 if (rc != 0) { 1505 kmem_free(fname, MAXNAMELEN); 1506 kmem_free(sname, MAXNAMELEN); 1507 return (rc); 1508 } 1509 1510 od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1511 1512 /* 1513 * od_name is the on-disk name of the stream, except 1514 * without the prepended stream prefix (SMB_STREAM_PREFIX) 1515 */ 1516 1517 /* 1518 * XXX 1519 * What permissions NTFS requires for stream lookup if any? 1520 */ 1521 rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name, 1522 &xattrdirvp, flags, root_node->vp, cr); 1523 1524 if (rc != 0) { 1525 smb_node_release(fnode); 1526 kmem_free(fname, MAXNAMELEN); 1527 kmem_free(sname, MAXNAMELEN); 1528 kmem_free(od_name, MAXNAMELEN); 1529 return (rc); 1530 } 1531 1532 *ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp, 1533 vp, od_name, ret_attr); 1534 1535 kmem_free(od_name, MAXNAMELEN); 1536 smb_node_release(fnode); 1537 VN_RELE(xattrdirvp); 1538 VN_RELE(vp); 1539 1540 if (*ret_snode == NULL) { 1541 kmem_free(fname, MAXNAMELEN); 1542 kmem_free(sname, MAXNAMELEN); 1543 return (ENOMEM); 1544 } 1545 } else { 1546 rc = smb_fsop_lookup(sr, cr, flags, root_node, dir_snode, name, 1547 ret_snode, ret_attr); 1548 } 1549 1550 if (rc == 0) { 1551 ASSERT(ret_snode); 1552 if (SMB_TREE_CONTAINS_NODE(sr, *ret_snode) == 0) { 1553 smb_node_release(*ret_snode); 1554 *ret_snode = NULL; 1555 rc = EACCES; 1556 } 1557 } 1558 1559 kmem_free(fname, MAXNAMELEN); 1560 kmem_free(sname, MAXNAMELEN); 1561 1562 return (rc); 1563 } 1564 1565 /* 1566 * smb_fsop_lookup 1567 * 1568 * All SMB functions should use this smb_vop_lookup wrapper to ensure that 1569 * the smb_vop_lookup is performed with the appropriate credentials and using 1570 * case insensitive compares. Please document any direct call to smb_vop_lookup 1571 * to explain the reason for avoiding this wrapper. 1572 * 1573 * It is assumed that a reference exists on dir_snode coming into this routine 1574 * (and that it is safe from deallocation). 1575 * 1576 * Same with the root_node. 1577 * 1578 * *ret_snode is returned with a reference upon success. No reference is 1579 * taken if an error is returned. 1580 * 1581 * Note: The returned ret_snode may be in a child mount. This is ok for 1582 * readdir. 1583 * 1584 * Other smb_fsop_* routines will call SMB_TREE_CONTAINS_NODE() to prevent 1585 * operations on files not in the parent mount. 1586 */ 1587 int 1588 smb_fsop_lookup( 1589 smb_request_t *sr, 1590 cred_t *cr, 1591 int flags, 1592 smb_node_t *root_node, 1593 smb_node_t *dir_snode, 1594 char *name, 1595 smb_node_t **ret_snode, 1596 smb_attr_t *ret_attr) 1597 { 1598 smb_node_t *lnk_target_node; 1599 smb_node_t *lnk_dnode; 1600 char *longname; 1601 char *od_name; 1602 vnode_t *vp; 1603 int rc; 1604 int ret_flags; 1605 1606 ASSERT(cr); 1607 ASSERT(dir_snode); 1608 ASSERT(dir_snode->n_magic == SMB_NODE_MAGIC); 1609 ASSERT(dir_snode->n_state != SMB_NODE_STATE_DESTROYING); 1610 1611 if (name == NULL) 1612 return (EINVAL); 1613 1614 if (SMB_TREE_CONTAINS_NODE(sr, dir_snode) == 0) 1615 return (EACCES); 1616 1617 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1618 flags |= SMB_IGNORE_CASE; 1619 if (SMB_TREE_SUPPORTS_CATIA(sr)) 1620 flags |= SMB_CATIA; 1621 1622 od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1623 1624 rc = smb_vop_lookup(dir_snode->vp, name, &vp, od_name, flags, 1625 &ret_flags, root_node ? root_node->vp : NULL, cr); 1626 1627 if (rc != 0) { 1628 if (smb_maybe_mangled_name(name) == 0) { 1629 kmem_free(od_name, MAXNAMELEN); 1630 return (rc); 1631 } 1632 1633 longname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1634 rc = smb_unmangle_name(dir_snode, name, longname, MAXNAMELEN); 1635 if (rc != 0) { 1636 kmem_free(od_name, MAXNAMELEN); 1637 kmem_free(longname, MAXNAMELEN); 1638 return (rc); 1639 } 1640 1641 /* 1642 * longname is the real (case-sensitive) 1643 * on-disk name. 1644 * We make sure we do a lookup on this exact 1645 * name, as the name was mangled and denotes 1646 * a unique file. 1647 */ 1648 1649 if (flags & SMB_IGNORE_CASE) 1650 flags &= ~SMB_IGNORE_CASE; 1651 1652 rc = smb_vop_lookup(dir_snode->vp, longname, &vp, od_name, 1653 flags, &ret_flags, root_node ? root_node->vp : NULL, cr); 1654 1655 kmem_free(longname, MAXNAMELEN); 1656 1657 if (rc != 0) { 1658 kmem_free(od_name, MAXNAMELEN); 1659 return (rc); 1660 } 1661 } 1662 1663 if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK)) { 1664 1665 rc = smb_pathname(sr, od_name, FOLLOW, root_node, dir_snode, 1666 &lnk_dnode, &lnk_target_node, cr); 1667 1668 if (rc != 0) { 1669 /* 1670 * The link is assumed to be for the last component 1671 * of a path. Hence any ENOTDIR error will be returned 1672 * as ENOENT. 1673 */ 1674 if (rc == ENOTDIR) 1675 rc = ENOENT; 1676 1677 VN_RELE(vp); 1678 kmem_free(od_name, MAXNAMELEN); 1679 return (rc); 1680 } 1681 1682 /* 1683 * Release the original VLNK vnode 1684 */ 1685 1686 VN_RELE(vp); 1687 vp = lnk_target_node->vp; 1688 1689 rc = smb_vop_traverse_check(&vp); 1690 1691 if (rc != 0) { 1692 smb_node_release(lnk_dnode); 1693 smb_node_release(lnk_target_node); 1694 kmem_free(od_name, MAXNAMELEN); 1695 return (rc); 1696 } 1697 1698 /* 1699 * smb_vop_traverse_check() may have returned a different vnode 1700 */ 1701 1702 if (lnk_target_node->vp == vp) { 1703 *ret_snode = lnk_target_node; 1704 *ret_attr = (*ret_snode)->attr; 1705 } else { 1706 *ret_snode = smb_node_lookup(sr, NULL, cr, vp, 1707 lnk_target_node->od_name, lnk_dnode, NULL, 1708 ret_attr); 1709 VN_RELE(vp); 1710 1711 if (*ret_snode == NULL) 1712 rc = ENOMEM; 1713 smb_node_release(lnk_target_node); 1714 } 1715 1716 smb_node_release(lnk_dnode); 1717 1718 } else { 1719 1720 rc = smb_vop_traverse_check(&vp); 1721 if (rc) { 1722 VN_RELE(vp); 1723 kmem_free(od_name, MAXNAMELEN); 1724 return (rc); 1725 } 1726 1727 *ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name, 1728 dir_snode, NULL, ret_attr); 1729 VN_RELE(vp); 1730 1731 if (*ret_snode == NULL) 1732 rc = ENOMEM; 1733 } 1734 1735 kmem_free(od_name, MAXNAMELEN); 1736 return (rc); 1737 } 1738 1739 int /*ARGSUSED*/ 1740 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode) 1741 { 1742 ASSERT(cr); 1743 ASSERT(snode); 1744 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 1745 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 1746 1747 ASSERT(sr); 1748 ASSERT(sr->tid_tree); 1749 if (SMB_TREE_IS_READONLY(sr)) 1750 return (EROFS); 1751 1752 return (smb_vop_commit(snode->vp, cr)); 1753 } 1754 1755 /* 1756 * smb_fsop_aclread 1757 * 1758 * Retrieve filesystem ACL. Depends on requested ACLs in 1759 * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in 1760 * fs_sd. Note that requesting a DACL/SACL doesn't mean that 1761 * the corresponding field in fs_sd should be non-NULL upon 1762 * return, since the target ACL might not contain that type of 1763 * entries. 1764 * 1765 * Returned ACL is always in ACE_T (aka ZFS) format. 1766 * If successful the allocated memory for the ACL should be freed 1767 * using smb_fsacl_free() or smb_fssd_term() 1768 */ 1769 int 1770 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1771 smb_fssd_t *fs_sd) 1772 { 1773 int error = 0; 1774 int flags = 0; 1775 int access = 0; 1776 acl_t *acl; 1777 smb_node_t *unnamed_node; 1778 1779 ASSERT(cr); 1780 1781 if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_ACL) == 0) 1782 return (EACCES); 1783 1784 if (sr->fid_ofile) { 1785 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 1786 access = READ_CONTROL; 1787 1788 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 1789 access |= ACCESS_SYSTEM_SECURITY; 1790 1791 error = smb_ofile_access(sr->fid_ofile, cr, access); 1792 if (error != NT_STATUS_SUCCESS) { 1793 return (EACCES); 1794 } 1795 } 1796 1797 unnamed_node = SMB_IS_STREAM(snode); 1798 if (unnamed_node) { 1799 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1800 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1801 /* 1802 * Streams don't have ACL, any read ACL attempt on a stream 1803 * should be performed on the unnamed stream. 1804 */ 1805 snode = unnamed_node; 1806 } 1807 1808 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) 1809 flags = ATTR_NOACLCHECK; 1810 1811 error = smb_vop_acl_read(snode->vp, &acl, flags, 1812 sr->tid_tree->t_acltype, cr); 1813 if (error != 0) { 1814 return (error); 1815 } 1816 1817 error = acl_translate(acl, _ACL_ACE_ENABLED, 1818 (snode->vp->v_type == VDIR), fs_sd->sd_uid, fs_sd->sd_gid); 1819 1820 if (error == 0) { 1821 smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl, 1822 fs_sd->sd_secinfo); 1823 } 1824 1825 acl_free(acl); 1826 return (error); 1827 } 1828 1829 /* 1830 * smb_fsop_aclwrite 1831 * 1832 * Stores the filesystem ACL provided in fs_sd->sd_acl. 1833 */ 1834 int 1835 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1836 smb_fssd_t *fs_sd) 1837 { 1838 int target_flavor; 1839 int error = 0; 1840 int flags = 0; 1841 int access = 0; 1842 acl_t *acl, *dacl, *sacl; 1843 smb_node_t *unnamed_node; 1844 1845 ASSERT(cr); 1846 1847 ASSERT(sr); 1848 ASSERT(sr->tid_tree); 1849 if (SMB_TREE_IS_READONLY(sr)) 1850 return (EROFS); 1851 1852 if (SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_ACL) == 0) 1853 return (EACCES); 1854 1855 if (sr->fid_ofile) { 1856 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 1857 access = WRITE_DAC; 1858 1859 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 1860 access |= ACCESS_SYSTEM_SECURITY; 1861 1862 error = smb_ofile_access(sr->fid_ofile, cr, access); 1863 if (error != NT_STATUS_SUCCESS) 1864 return (EACCES); 1865 } 1866 1867 switch (sr->tid_tree->t_acltype) { 1868 case ACLENT_T: 1869 target_flavor = _ACL_ACLENT_ENABLED; 1870 break; 1871 1872 case ACE_T: 1873 target_flavor = _ACL_ACE_ENABLED; 1874 break; 1875 default: 1876 return (EINVAL); 1877 } 1878 1879 unnamed_node = SMB_IS_STREAM(snode); 1880 if (unnamed_node) { 1881 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 1882 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 1883 /* 1884 * Streams don't have ACL, any write ACL attempt on a stream 1885 * should be performed on the unnamed stream. 1886 */ 1887 snode = unnamed_node; 1888 } 1889 1890 dacl = fs_sd->sd_zdacl; 1891 sacl = fs_sd->sd_zsacl; 1892 1893 ASSERT(dacl || sacl); 1894 if ((dacl == NULL) && (sacl == NULL)) 1895 return (EINVAL); 1896 1897 if (dacl && sacl) 1898 acl = smb_fsacl_merge(dacl, sacl); 1899 else if (dacl) 1900 acl = dacl; 1901 else 1902 acl = sacl; 1903 1904 error = acl_translate(acl, target_flavor, (snode->vp->v_type == VDIR), 1905 fs_sd->sd_uid, fs_sd->sd_gid); 1906 if (error == 0) { 1907 if (smb_tree_has_feature(sr->tid_tree, 1908 SMB_TREE_ACEMASKONACCESS)) 1909 flags = ATTR_NOACLCHECK; 1910 1911 error = smb_vop_acl_write(snode->vp, acl, flags, cr); 1912 } 1913 1914 if (dacl && sacl) 1915 acl_free(acl); 1916 1917 return (error); 1918 } 1919 1920 acl_type_t 1921 smb_fsop_acltype(smb_node_t *snode) 1922 { 1923 return (smb_vop_acl_type(snode->vp)); 1924 } 1925 1926 /* 1927 * smb_fsop_sdread 1928 * 1929 * Read the requested security descriptor items from filesystem. 1930 * The items are specified in fs_sd->sd_secinfo. 1931 */ 1932 int 1933 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 1934 smb_fssd_t *fs_sd) 1935 { 1936 int error = 0; 1937 int getowner = 0; 1938 cred_t *ga_cred; 1939 smb_attr_t attr; 1940 1941 ASSERT(cr); 1942 ASSERT(fs_sd); 1943 1944 /* 1945 * File's uid/gid is fetched in two cases: 1946 * 1947 * 1. it's explicitly requested 1948 * 1949 * 2. target ACL is ACE_T (ZFS ACL). They're needed for 1950 * owner@/group@ entries. In this case kcred should be used 1951 * because uid/gid are fetched on behalf of smb server. 1952 */ 1953 if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) { 1954 getowner = 1; 1955 ga_cred = cr; 1956 } else if (sr->tid_tree->t_acltype == ACE_T) { 1957 getowner = 1; 1958 ga_cred = kcred; 1959 } 1960 1961 if (getowner) { 1962 /* 1963 * Windows require READ_CONTROL to read owner/group SID since 1964 * they're part of Security Descriptor. 1965 * ZFS only requires read_attribute. Need to have a explicit 1966 * access check here. 1967 */ 1968 if (sr->fid_ofile == NULL) { 1969 error = smb_fsop_access(sr, ga_cred, snode, 1970 READ_CONTROL); 1971 if (error) 1972 return (error); 1973 } 1974 1975 attr.sa_mask = SMB_AT_UID | SMB_AT_GID; 1976 error = smb_fsop_getattr(sr, ga_cred, snode, &attr); 1977 if (error == 0) { 1978 fs_sd->sd_uid = attr.sa_vattr.va_uid; 1979 fs_sd->sd_gid = attr.sa_vattr.va_gid; 1980 } else { 1981 return (error); 1982 } 1983 } 1984 1985 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 1986 error = smb_fsop_aclread(sr, cr, snode, fs_sd); 1987 } 1988 1989 return (error); 1990 } 1991 1992 /* 1993 * smb_fsop_sdmerge 1994 * 1995 * From SMB point of view DACL and SACL are two separate list 1996 * which can be manipulated independently without one affecting 1997 * the other, but entries for both DACL and SACL will end up 1998 * in the same ACL if target filesystem supports ACE_T ACLs. 1999 * 2000 * So, if either DACL or SACL is present in the client set request 2001 * the entries corresponding to the non-present ACL shouldn't 2002 * be touched in the FS ACL. 2003 * 2004 * fs_sd parameter contains DACL and SACL specified by SMB 2005 * client to be set on a file/directory. The client could 2006 * specify both or one of these ACLs (if none is specified 2007 * we don't get this far). When both DACL and SACL are given 2008 * by client the existing ACL should be overwritten. If only 2009 * one of them is specified the entries corresponding to the other 2010 * ACL should not be touched. For example, if only DACL 2011 * is specified in input fs_sd, the function reads audit entries 2012 * of the existing ACL of the file and point fs_sd->sd_zsdacl 2013 * pointer to the fetched SACL, this way when smb_fsop_sdwrite() 2014 * function is called the passed fs_sd would point to the specified 2015 * DACL by client and fetched SACL from filesystem, so the file 2016 * will end up with correct ACL. 2017 */ 2018 static int 2019 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd) 2020 { 2021 smb_fssd_t cur_sd; 2022 int error = 0; 2023 2024 if (sr->tid_tree->t_acltype != ACE_T) 2025 /* Don't bother if target FS doesn't support ACE_T */ 2026 return (0); 2027 2028 if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) { 2029 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) { 2030 /* 2031 * Don't overwrite existing audit entries 2032 */ 2033 smb_fssd_init(&cur_sd, SMB_SACL_SECINFO, 2034 fs_sd->sd_flags); 2035 2036 error = smb_fsop_sdread(sr, kcred, snode, &cur_sd); 2037 if (error == 0) { 2038 ASSERT(fs_sd->sd_zsacl == NULL); 2039 fs_sd->sd_zsacl = cur_sd.sd_zsacl; 2040 if (fs_sd->sd_zsacl && fs_sd->sd_zdacl) 2041 fs_sd->sd_zsacl->acl_flags = 2042 fs_sd->sd_zdacl->acl_flags; 2043 } 2044 } else { 2045 /* 2046 * Don't overwrite existing access entries 2047 */ 2048 smb_fssd_init(&cur_sd, SMB_DACL_SECINFO, 2049 fs_sd->sd_flags); 2050 2051 error = smb_fsop_sdread(sr, kcred, snode, &cur_sd); 2052 if (error == 0) { 2053 ASSERT(fs_sd->sd_zdacl == NULL); 2054 fs_sd->sd_zdacl = cur_sd.sd_zdacl; 2055 if (fs_sd->sd_zdacl && fs_sd->sd_zsacl) 2056 fs_sd->sd_zdacl->acl_flags = 2057 fs_sd->sd_zsacl->acl_flags; 2058 } 2059 } 2060 2061 if (error) 2062 smb_fssd_term(&cur_sd); 2063 } 2064 2065 return (error); 2066 } 2067 2068 /* 2069 * smb_fsop_sdwrite 2070 * 2071 * Stores the given uid, gid and acl in filesystem. 2072 * Provided items in fs_sd are specified by fs_sd->sd_secinfo. 2073 * 2074 * A SMB security descriptor could contain owner, primary group, 2075 * DACL and SACL. Setting an SD should be atomic but here it has to 2076 * be done via two separate FS operations: VOP_SETATTR and 2077 * VOP_SETSECATTR. Therefore, this function has to simulate the 2078 * atomicity as well as it can. 2079 * 2080 * Get the current uid, gid before setting the new uid/gid 2081 * so if smb_fsop_aclwrite fails they can be restored. root cred is 2082 * used to get currend uid/gid since this operation is performed on 2083 * behalf of the server not the user. 2084 * 2085 * If setting uid/gid fails with EPERM it means that and invalid 2086 * owner has been specified. Callers should translate this to 2087 * STATUS_INVALID_OWNER which is not the normal mapping for EPERM 2088 * in upper layers, so EPERM is mapped to EBADE. 2089 */ 2090 int 2091 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2092 smb_fssd_t *fs_sd, int overwrite) 2093 { 2094 int error = 0; 2095 int access = 0; 2096 smb_attr_t set_attr; 2097 smb_attr_t orig_attr; 2098 2099 ASSERT(cr); 2100 ASSERT(fs_sd); 2101 2102 ASSERT(sr); 2103 ASSERT(sr->tid_tree); 2104 if (SMB_TREE_IS_READONLY(sr)) 2105 return (EROFS); 2106 2107 bzero(&set_attr, sizeof (smb_attr_t)); 2108 2109 if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) { 2110 set_attr.sa_vattr.va_uid = fs_sd->sd_uid; 2111 set_attr.sa_mask |= SMB_AT_UID; 2112 access |= WRITE_OWNER; 2113 } 2114 2115 if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) { 2116 set_attr.sa_vattr.va_gid = fs_sd->sd_gid; 2117 set_attr.sa_mask |= SMB_AT_GID; 2118 access |= WRITE_OWNER; 2119 } 2120 2121 if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) 2122 access |= WRITE_DAC; 2123 2124 if (fs_sd->sd_secinfo & SMB_SACL_SECINFO) 2125 access |= ACCESS_SYSTEM_SECURITY; 2126 2127 if (sr->fid_ofile) 2128 error = smb_ofile_access(sr->fid_ofile, cr, access); 2129 else 2130 error = smb_fsop_access(sr, cr, snode, access); 2131 2132 if (error) 2133 return (EACCES); 2134 2135 if (set_attr.sa_mask) { 2136 orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID; 2137 error = smb_fsop_getattr(sr, kcred, snode, &orig_attr); 2138 if (error == 0) { 2139 error = smb_fsop_setattr(sr, cr, snode, &set_attr, 2140 NULL); 2141 if (error == EPERM) 2142 error = EBADE; 2143 } 2144 2145 if (error) 2146 return (error); 2147 } 2148 2149 if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) { 2150 if (overwrite == 0) { 2151 error = smb_fsop_sdmerge(sr, snode, fs_sd); 2152 if (error) 2153 return (error); 2154 } 2155 2156 error = smb_fsop_aclwrite(sr, cr, snode, fs_sd); 2157 if (error) { 2158 /* 2159 * Revert uid/gid changes if required. 2160 */ 2161 if (set_attr.sa_mask) { 2162 orig_attr.sa_mask = set_attr.sa_mask; 2163 (void) smb_fsop_setattr(sr, kcred, snode, 2164 &orig_attr, NULL); 2165 } 2166 } 2167 } 2168 2169 return (error); 2170 } 2171 2172 /* 2173 * smb_fsop_sdinherit 2174 * 2175 * Inherit the security descriptor from the parent container. 2176 * This function is called after FS has created the file/folder 2177 * so if this doesn't do anything it means FS inheritance is 2178 * in place. 2179 * 2180 * Do inheritance for ZFS internally. 2181 * 2182 * If we want to let ZFS does the inheritance the 2183 * following setting should be true: 2184 * 2185 * - aclinherit = passthrough 2186 * - aclmode = passthrough 2187 * - smbd umask = 0777 2188 * 2189 * This will result in right effective permissions but 2190 * ZFS will always add 6 ACEs for owner, owning group 2191 * and others to be POSIX compliant. This is not what 2192 * Windows clients/users expect, so we decided that CIFS 2193 * implements Windows rules and overwrite whatever ZFS 2194 * comes up with. This way we also don't have to care 2195 * about ZFS aclinherit and aclmode settings. 2196 */ 2197 static int 2198 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd) 2199 { 2200 int is_dir; 2201 acl_t *dacl = NULL; 2202 acl_t *sacl = NULL; 2203 ksid_t *owner_sid; 2204 int error; 2205 2206 ASSERT(fs_sd); 2207 2208 if (sr->tid_tree->t_acltype != ACE_T) { 2209 /* 2210 * No forced inheritance for non-ZFS filesystems. 2211 */ 2212 fs_sd->sd_secinfo = 0; 2213 return (0); 2214 } 2215 2216 2217 /* Fetch parent directory's ACL */ 2218 error = smb_fsop_sdread(sr, kcred, dnode, fs_sd); 2219 if (error) { 2220 return (error); 2221 } 2222 2223 is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR); 2224 owner_sid = crgetsid(sr->user_cr, KSID_OWNER); 2225 ASSERT(owner_sid); 2226 dacl = smb_fsacl_inherit(fs_sd->sd_zdacl, is_dir, SMB_DACL_SECINFO, 2227 owner_sid->ks_id); 2228 sacl = smb_fsacl_inherit(fs_sd->sd_zsacl, is_dir, SMB_SACL_SECINFO, 2229 (uid_t)-1); 2230 2231 if (sacl == NULL) 2232 fs_sd->sd_secinfo &= ~SMB_SACL_SECINFO; 2233 2234 smb_fsacl_free(fs_sd->sd_zdacl); 2235 smb_fsacl_free(fs_sd->sd_zsacl); 2236 2237 fs_sd->sd_zdacl = dacl; 2238 fs_sd->sd_zsacl = sacl; 2239 2240 return (0); 2241 } 2242 2243 /* 2244 * smb_fsop_eaccess 2245 * 2246 * Returns the effective permission of the given credential for the 2247 * specified object. 2248 * 2249 * This is just a workaround. We need VFS/FS support for this. 2250 */ 2251 void 2252 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode, 2253 uint32_t *eaccess) 2254 { 2255 int access = 0; 2256 vnode_t *dir_vp; 2257 smb_node_t *unnamed_node; 2258 2259 ASSERT(cr); 2260 ASSERT(snode); 2261 ASSERT(snode->n_magic == SMB_NODE_MAGIC); 2262 ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING); 2263 2264 unnamed_node = SMB_IS_STREAM(snode); 2265 if (unnamed_node) { 2266 ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC); 2267 ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING); 2268 /* 2269 * Streams authorization should be performed against the 2270 * unnamed stream. 2271 */ 2272 snode = unnamed_node; 2273 } 2274 2275 if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) { 2276 dir_vp = (snode->dir_snode) ? snode->dir_snode->vp : NULL; 2277 smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp, 2278 cr); 2279 return; 2280 } 2281 2282 /* 2283 * FS doesn't understand 32-bit mask 2284 */ 2285 smb_vop_eaccess(snode->vp, &access, 0, NULL, cr); 2286 access &= sr->tid_tree->t_access; 2287 2288 *eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES; 2289 2290 if (access & VREAD) 2291 *eaccess |= FILE_READ_DATA; 2292 2293 if (access & VEXEC) 2294 *eaccess |= FILE_EXECUTE; 2295 2296 if (access & VWRITE) 2297 *eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | 2298 FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD; 2299 } 2300 2301 /* 2302 * smb_fsop_shrlock 2303 * 2304 * For the current open request, check file sharing rules 2305 * against existing opens. 2306 * 2307 * Returns NT_STATUS_SHARING_VIOLATION if there is any 2308 * sharing conflict. Returns NT_STATUS_SUCCESS otherwise. 2309 * 2310 * Full system-wide share reservation synchronization is available 2311 * when the nbmand (non-blocking mandatory) mount option is set 2312 * (i.e. nbl_need_crit() is true) and nbmand critical regions are used. 2313 * This provides synchronization with NFS and local processes. The 2314 * critical regions are entered in VOP_SHRLOCK()/fs_shrlock() (called 2315 * from smb_open_subr()/smb_fsop_shrlock()/smb_vop_shrlock()) as well 2316 * as the CIFS rename and delete paths. 2317 * 2318 * The CIFS server will also enter the nbl critical region in the open, 2319 * rename, and delete paths when nbmand is not set. There is limited 2320 * coordination with local and VFS share reservations in this case. 2321 * Note that when the nbmand mount option is not set, the VFS layer 2322 * only processes advisory reservations and the delete mode is not checked. 2323 * 2324 * Whether or not the nbmand mount option is set, intra-CIFS share 2325 * checking is done in the open, delete, and rename paths using a CIFS 2326 * critical region (node->n_share_lock). 2327 */ 2328 2329 uint32_t 2330 smb_fsop_shrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid, 2331 uint32_t desired_access, uint32_t share_access) 2332 { 2333 int rc; 2334 2335 if (node->attr.sa_vattr.va_type == VDIR) 2336 return (NT_STATUS_SUCCESS); 2337 2338 /* Allow access if the request is just for meta data */ 2339 if ((desired_access & FILE_DATA_ALL) == 0) 2340 return (NT_STATUS_SUCCESS); 2341 2342 rc = smb_node_open_check(node, cr, desired_access, share_access); 2343 if (rc) 2344 return (NT_STATUS_SHARING_VIOLATION); 2345 2346 rc = smb_vop_shrlock(node->vp, uniq_fid, desired_access, share_access, 2347 cr); 2348 if (rc) 2349 return (NT_STATUS_SHARING_VIOLATION); 2350 2351 return (NT_STATUS_SUCCESS); 2352 } 2353 2354 void 2355 smb_fsop_unshrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid) 2356 { 2357 if (node->attr.sa_vattr.va_type == VDIR) 2358 return; 2359 2360 (void) smb_vop_unshrlock(node->vp, uniq_fid, cr); 2361 } 2362 2363 int 2364 smb_fsop_frlock(smb_node_t *node, smb_lock_t *lock, boolean_t unlock, 2365 cred_t *cr) 2366 { 2367 flock64_t bf; 2368 int flag = F_REMOTELOCK; 2369 2370 /* 2371 * VOP_FRLOCK() will not be called if: 2372 * 2373 * 1) The lock has a range of zero bytes. The semantics of Windows and 2374 * POSIX are different. In the case of POSIX it asks for the locking 2375 * of all the bytes from the offset provided until the end of the 2376 * file. In the case of Windows a range of zero locks nothing and 2377 * doesn't conflict with any other lock. 2378 * 2379 * 2) The lock rolls over (start + lenght < start). Solaris will assert 2380 * if such a request is submitted. This will not create 2381 * incompatibilities between POSIX and Windows. In the Windows world, 2382 * if a client submits such a lock, the server will not lock any 2383 * bytes. Interestingly if the same lock (same offset and length) is 2384 * resubmitted Windows will consider that there is an overlap and 2385 * the granting rules will then apply. 2386 */ 2387 if ((lock->l_length == 0) || 2388 ((lock->l_start + lock->l_length - 1) < lock->l_start)) 2389 return (0); 2390 2391 bzero(&bf, sizeof (bf)); 2392 2393 if (unlock) { 2394 bf.l_type = F_UNLCK; 2395 } else if (lock->l_type == SMB_LOCK_TYPE_READONLY) { 2396 bf.l_type = F_RDLCK; 2397 flag |= FREAD; 2398 } else if (lock->l_type == SMB_LOCK_TYPE_READWRITE) { 2399 bf.l_type = F_WRLCK; 2400 flag |= FWRITE; 2401 } 2402 2403 bf.l_start = lock->l_start; 2404 bf.l_len = lock->l_length; 2405 bf.l_pid = lock->l_file->f_uniqid; 2406 bf.l_sysid = smb_ct.cc_sysid; 2407 2408 return (smb_vop_frlock(node->vp, cr, flag, &bf)); 2409 } 2410