xref: /titanic_52/usr/src/uts/common/fs/smbsrv/smb_acl.c (revision 98c507c4288789fc67365c4cb51f80eb641e7182)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/acl.h>
27 #include <acl/acl_common.h>
28 #include <smbsrv/smb_sid.h>
29 #include <smbsrv/smb_fsops.h>
30 #include <smbsrv/smb_idmap.h>
31 #include <smbsrv/smb_kproto.h>
32 
33 #define	ACE_FD_INHERIT_ACE (ACE_FILE_INHERIT_ACE | ACE_DIRECTORY_INHERIT_ACE)
34 
35 #define	ZACE_IS_OWNER(zace) ((zace->a_flags & ACE_TYPE_FLAGS) == ACE_OWNER)
36 #define	ZACE_IS_OWNGRP(zace) \
37 	((zace->a_flags & ACE_TYPE_FLAGS) == (ACE_IDENTIFIER_GROUP|ACE_GROUP))
38 
39 #define	ZACE_IS_USER(zace) \
40 	(((zace->a_flags & ACE_TYPE_FLAGS) == 0) || (ZACE_IS_OWNER(zace)))
41 #define	ZACE_IS_GROUP(zace) (zace->a_flags & ACE_IDENTIFIER_GROUP)
42 #define	ZACE_IS_EVERYONE(zace) (zace->a_flags & ACE_EVERYONE)
43 
44 #define	ZACE_IS_PROPAGATE(zace) \
45 	((zace->a_flags & ACE_NO_PROPAGATE_INHERIT_ACE) == 0)
46 
47 #define	ZACE_IS_CREATOR_OWNER(zace) \
48 	(ZACE_IS_USER(zace) && (zace->a_who == IDMAP_WK_CREATOR_OWNER_UID))
49 
50 #define	ZACE_IS_CREATOR_GROUP(zace) \
51 	(ZACE_IS_GROUP(zace) && (zace->a_who == IDMAP_WK_CREATOR_GROUP_GID))
52 
53 #define	ZACE_IS_CREATOR(zace) \
54 	(ZACE_IS_CREATOR_OWNER(zace) || ZACE_IS_CREATOR_GROUP(zace))
55 
56 /*
57  * ACE groups within a DACL
58  *
59  * This is from lower to higher ACE order priority
60  */
61 #define	SMB_AG_START		0
62 #define	SMB_AG_ALW_INHRT	0
63 #define	SMB_AG_DNY_INHRT	1
64 #define	SMB_AG_ALW_DRCT		2
65 #define	SMB_AG_DNY_DRCT		3
66 #define	SMB_AG_NUM		4
67 
68 /*
69  * SID for Everyone group: S-1-1-0.
70  */
71 smb_sid_t everyone_sid = {
72 	NT_SID_REVISION,
73 	1,
74 	NT_SECURITY_WORLD_AUTH,
75 	{ 0 }
76 };
77 
78 #define	DEFAULT_DACL_ACENUM	2
79 /*
80  * Default ACL:
81  *    owner: full access
82  *    SYSTEM: full access
83  */
84 static ace_t default_dacl[DEFAULT_DACL_ACENUM] = {
85 	{ (uid_t)-1, ACE_ALL_PERMS, 0, ACE_ACCESS_ALLOWED_ACE_TYPE },
86 	{ IDMAP_WK_LOCAL_SYSTEM_GID, ACE_ALL_PERMS, ACE_IDENTIFIER_GROUP,
87 	    ACE_ACCESS_ALLOWED_ACE_TYPE }
88 };
89 
90 /*
91  * Note:
92  *
93  * smb_acl_xxx functions work with smb_acl_t which represents the CIFS format
94  * smb_fsacl_xxx functions work with acl_t which represents the Solaris native
95  * format
96  */
97 
98 static idmap_stat smb_fsacl_getsids(smb_idmap_batch_t *, acl_t *, uid_t, gid_t);
99 static acl_t *smb_fsacl_null_empty(boolean_t);
100 static int smb_fsacl_inheritable(acl_t *, int);
101 
102 static void smb_ace_inherit(ace_t *, ace_t *, int);
103 static boolean_t smb_ace_isvalid(smb_ace_t *, int);
104 static uint16_t smb_ace_len(smb_ace_t *);
105 static uint32_t smb_ace_mask_g2s(uint32_t);
106 static uint16_t smb_ace_flags_tozfs(uint8_t);
107 static uint8_t smb_ace_flags_fromzfs(uint16_t);
108 
109 smb_acl_t *
110 smb_acl_alloc(uint8_t revision, uint16_t bsize, uint16_t acecnt)
111 {
112 	smb_acl_t *acl;
113 	int size;
114 
115 	size = sizeof (smb_acl_t) + (acecnt * sizeof (smb_ace_t));
116 	acl = kmem_zalloc(size, KM_SLEEP);
117 	acl->sl_revision = revision;
118 	acl->sl_bsize = bsize;
119 	acl->sl_acecnt = acecnt;
120 	acl->sl_aces = (smb_ace_t *)(acl + 1);
121 
122 	list_create(&acl->sl_sorted, sizeof (smb_ace_t),
123 	    offsetof(smb_ace_t, se_sln));
124 	return (acl);
125 }
126 
127 void
128 smb_acl_free(smb_acl_t *acl)
129 {
130 	int i, size;
131 	void *ace;
132 
133 	if (acl == NULL)
134 		return;
135 
136 	for (i = 0; i < acl->sl_acecnt; i++)
137 		smb_sid_free(acl->sl_aces[i].se_sid);
138 
139 	while ((ace = list_head(&acl->sl_sorted)) != NULL)
140 		list_remove(&acl->sl_sorted, ace);
141 	list_destroy(&acl->sl_sorted);
142 
143 	size = sizeof (smb_acl_t) + (acl->sl_acecnt * sizeof (smb_ace_t));
144 	kmem_free(acl, size);
145 }
146 
147 /*
148  * smb_acl_len
149  *
150  * Returns the size of given ACL in bytes. Note that this
151  * is not an in-memory size, it's the ACL's size as it would
152  * appear on the wire
153  */
154 uint16_t
155 smb_acl_len(smb_acl_t *acl)
156 {
157 	return ((acl) ? acl->sl_bsize : 0);
158 }
159 
160 boolean_t
161 smb_acl_isvalid(smb_acl_t *acl, int which_acl)
162 {
163 	int i;
164 
165 	if (acl->sl_bsize < SMB_ACL_HDRSIZE)
166 		return (B_FALSE);
167 
168 	if (acl->sl_revision != ACL_REVISION) {
169 		/*
170 		 * we are rejecting ACLs with object-specific ACEs for now
171 		 */
172 		return (B_FALSE);
173 	}
174 
175 	for (i = 0; i < acl->sl_acecnt; i++) {
176 		if (!smb_ace_isvalid(&acl->sl_aces[i], which_acl))
177 			return (B_FALSE);
178 	}
179 
180 	return (B_TRUE);
181 }
182 
183 /*
184  * smb_acl_sort
185  *
186  * Sorts the given ACL in place if it needs to be sorted.
187  *
188  * The following is an excerpt from MSDN website.
189  *
190  * Order of ACEs in a DACL
191  *
192  * For Windows NT versions 4.0 and earlier, the preferred order of ACEs
193  * is simple: In a DACL, all access-denied ACEs should precede any
194  * access-allowed ACEs.
195  *
196  * For Windows 2000 or later, the proper order of ACEs is more complicated
197  * because of the introduction of object-specific ACEs and automatic
198  * inheritance.
199  *
200  * The following describes the preferred order:
201  *
202  * To ensure that noninherited ACEs have precedence over inherited ACEs,
203  * place all noninherited ACEs in a group before any inherited ACEs. This
204  * ordering ensures, for example, that a noninherited access-denied ACE
205  * is enforced regardless of any inherited ACE that allows access.
206  * Within the groups of noninherited ACEs and inherited ACEs, order ACEs
207  * according to ACE type, as the following shows:
208  * 	. Access-denied ACEs that apply to the object itself
209  * 	. Access-denied ACEs that apply to a subobject of the
210  *	  object, such as a property set or property
211  * 	. Access-allowed ACEs that apply to the object itself
212  * 	. Access-allowed ACEs that apply to a subobject of the object
213  *
214  * So, here is the desired ACE order
215  *
216  * deny-direct, allow-direct, deny-inherited, allow-inherited
217  *
218  * Of course, not all ACE types are required in an ACL.
219  */
220 void
221 smb_acl_sort(smb_acl_t *acl)
222 {
223 	list_t ace_grps[SMB_AG_NUM];
224 	list_t *alist;
225 	smb_ace_t *ace;
226 	uint8_t ace_flags;
227 	int ag, i;
228 
229 	ASSERT(acl);
230 
231 	if (acl->sl_acecnt == 0) {
232 		/*
233 		 * ACL with no entry is a valid ACL and it means
234 		 * no access for anybody.
235 		 */
236 		return;
237 	}
238 
239 	for (i = SMB_AG_START; i < SMB_AG_NUM; i++) {
240 		list_create(&ace_grps[i], sizeof (smb_ace_t),
241 		    offsetof(smb_ace_t, se_sln));
242 	}
243 
244 	for (i = 0, ace = acl->sl_aces; i < acl->sl_acecnt; ++i, ace++) {
245 		ace_flags = ace->se_hdr.se_flags;
246 
247 		switch (ace->se_hdr.se_type) {
248 		case ACCESS_DENIED_ACE_TYPE:
249 			ag = (ace_flags & INHERITED_ACE) ?
250 			    SMB_AG_DNY_INHRT : SMB_AG_DNY_DRCT;
251 			break;
252 
253 		case ACCESS_ALLOWED_ACE_TYPE:
254 			ag = (ace_flags & INHERITED_ACE) ?
255 			    SMB_AG_ALW_INHRT : SMB_AG_ALW_DRCT;
256 			break;
257 
258 		default:
259 			/*
260 			 * This is the lowest priority group so we put
261 			 * evertything unknown here.
262 			 */
263 			ag = SMB_AG_ALW_INHRT;
264 			break;
265 		}
266 
267 		/* Add the ACE to the selected group */
268 		list_insert_tail(&ace_grps[ag], ace);
269 	}
270 
271 	/*
272 	 * start with highest priority ACE group and append
273 	 * the ACEs to the ACL.
274 	 */
275 	for (i = SMB_AG_NUM - 1; i >= SMB_AG_START; i--) {
276 		alist = &ace_grps[i];
277 		while ((ace = list_head(alist)) != NULL) {
278 			list_remove(alist, ace);
279 			list_insert_tail(&acl->sl_sorted, ace);
280 		}
281 		list_destroy(alist);
282 	}
283 }
284 
285 /*
286  * smb_acl_from_zfs
287  *
288  * Converts given ZFS ACL to a Windows ACL.
289  *
290  * A pointer to allocated memory for the Win ACL will be
291  * returned upon successful conversion.
292  */
293 smb_acl_t *
294 smb_acl_from_zfs(acl_t *zacl, uid_t uid, gid_t gid)
295 {
296 	ace_t *zace;
297 	int numaces;
298 	smb_acl_t *acl;
299 	smb_ace_t *ace;
300 	smb_idmap_batch_t sib;
301 	smb_idmap_t *sim;
302 	idmap_stat idm_stat;
303 
304 	idm_stat = smb_idmap_batch_create(&sib, zacl->acl_cnt,
305 	    SMB_IDMAP_ID2SID);
306 	if (idm_stat != IDMAP_SUCCESS)
307 		return (NULL);
308 
309 	if (smb_fsacl_getsids(&sib, zacl, uid, gid) != IDMAP_SUCCESS) {
310 		smb_idmap_batch_destroy(&sib);
311 		return (NULL);
312 	}
313 
314 	acl = smb_acl_alloc(ACL_REVISION, SMB_ACL_HDRSIZE, zacl->acl_cnt);
315 
316 	sim = sib.sib_maps;
317 	for (numaces = 0, zace = zacl->acl_aclp;
318 	    numaces < zacl->acl_cnt;
319 	    zace++, numaces++, sim++) {
320 		ASSERT(sim->sim_sid);
321 		if (sim->sim_sid == NULL) {
322 			smb_acl_free(acl);
323 			acl = NULL;
324 			break;
325 		}
326 
327 		ace = &acl->sl_aces[numaces];
328 		ace->se_hdr.se_type = zace->a_type;
329 		ace->se_hdr.se_flags = smb_ace_flags_fromzfs(zace->a_flags);
330 		ace->se_mask = zace->a_access_mask;
331 		ace->se_sid = smb_sid_dup(sim->sim_sid);
332 		ace->se_hdr.se_bsize = smb_ace_len(ace);
333 
334 		acl->sl_bsize += ace->se_hdr.se_bsize;
335 	}
336 
337 	smb_idmap_batch_destroy(&sib);
338 	return (acl);
339 }
340 
341 /*
342  * smb_acl_to_zfs
343  *
344  * Converts given Windows ACL to a ZFS ACL.
345  *
346  * fs_acl will contain a pointer to the created ZFS ACL.
347  * The allocated memory should be freed by calling
348  * smb_fsacl_free().
349  *
350  * Since the output parameter, fs_acl, is allocated in this
351  * function, the caller has to make sure *fs_acl is NULL which
352  * means it's not pointing to any memory.
353  */
354 uint32_t
355 smb_acl_to_zfs(smb_acl_t *acl, uint32_t flags, int which_acl, acl_t **fs_acl)
356 {
357 	smb_ace_t *ace;
358 	acl_t *zacl;
359 	ace_t *zace;
360 	smb_idmap_batch_t sib;
361 	smb_idmap_t *sim;
362 	idmap_stat idm_stat;
363 	int i;
364 
365 	ASSERT(fs_acl);
366 	ASSERT(*fs_acl == NULL);
367 
368 	if (acl && !smb_acl_isvalid(acl, which_acl))
369 		return (NT_STATUS_INVALID_ACL);
370 
371 	if ((acl == NULL) || (acl->sl_acecnt == 0)) {
372 		if (which_acl == SMB_DACL_SECINFO) {
373 			*fs_acl = smb_fsacl_null_empty(acl == NULL);
374 		}
375 
376 		return (NT_STATUS_SUCCESS);
377 	}
378 
379 	idm_stat = smb_idmap_batch_create(&sib, acl->sl_acecnt,
380 	    SMB_IDMAP_SID2ID);
381 	if (idm_stat != IDMAP_SUCCESS)
382 		return (NT_STATUS_INTERNAL_ERROR);
383 
384 	zacl = smb_fsacl_alloc(acl->sl_acecnt, flags);
385 
386 	zace = zacl->acl_aclp;
387 	ace = acl->sl_aces;
388 	sim = sib.sib_maps;
389 
390 	for (i = 0; i < acl->sl_acecnt; i++, zace++, ace++, sim++) {
391 		zace->a_type = ace->se_hdr.se_type & ACE_ALL_TYPES;
392 		zace->a_access_mask = smb_ace_mask_g2s(ace->se_mask);
393 		zace->a_flags = smb_ace_flags_tozfs(ace->se_hdr.se_flags);
394 
395 		if (smb_sid_cmp(ace->se_sid, &everyone_sid))
396 			zace->a_flags |= ACE_EVERYONE;
397 		else {
398 			sim->sim_id = &zace->a_who;
399 			idm_stat = smb_idmap_batch_getid(sib.sib_idmaph, sim,
400 			    ace->se_sid, -1);
401 
402 			if (idm_stat != IDMAP_SUCCESS) {
403 				smb_fsacl_free(zacl);
404 				smb_idmap_batch_destroy(&sib);
405 				return (NT_STATUS_INTERNAL_ERROR);
406 			}
407 		}
408 	}
409 
410 	idm_stat = smb_idmap_batch_getmappings(&sib);
411 	if (idm_stat != IDMAP_SUCCESS) {
412 		smb_fsacl_free(zacl);
413 		smb_idmap_batch_destroy(&sib);
414 		return (NT_STATUS_NONE_MAPPED);
415 	}
416 
417 	/*
418 	 * Set the ACEs group flag based on the type of ID returned.
419 	 */
420 	zace = zacl->acl_aclp;
421 	ace = acl->sl_aces;
422 	sim = sib.sib_maps;
423 	for (i = 0; i < acl->sl_acecnt; i++, zace++, ace++, sim++) {
424 		if (zace->a_flags & ACE_EVERYONE)
425 			continue;
426 
427 		if (sim->sim_idtype == SMB_IDMAP_GROUP)
428 			zace->a_flags |= ACE_IDENTIFIER_GROUP;
429 	}
430 
431 	smb_idmap_batch_destroy(&sib);
432 
433 	*fs_acl = zacl;
434 	return (NT_STATUS_SUCCESS);
435 }
436 
437 /*
438  * smb_fsacl_getsids
439  *
440  * Batch all the uid/gid in given ZFS ACL to get their corresponding SIDs.
441  */
442 static idmap_stat
443 smb_fsacl_getsids(smb_idmap_batch_t *sib, acl_t *zacl, uid_t uid, gid_t gid)
444 {
445 	ace_t *zace;
446 	idmap_stat idm_stat;
447 	smb_idmap_t *sim;
448 	uid_t id;
449 	int i, idtype;
450 
451 	sim = sib->sib_maps;
452 
453 	for (i = 0, zace = zacl->acl_aclp; i < zacl->acl_cnt;
454 	    zace++, i++, sim++) {
455 		switch (zace->a_flags & ACE_TYPE_FLAGS) {
456 		case ACE_OWNER:
457 			id = uid;
458 			idtype = SMB_IDMAP_USER;
459 			break;
460 
461 		case (ACE_GROUP | ACE_IDENTIFIER_GROUP):
462 			/* owning group */
463 			id = gid;
464 			idtype = SMB_IDMAP_GROUP;
465 			break;
466 
467 		case ACE_IDENTIFIER_GROUP:
468 			/* regular group */
469 			id = zace->a_who;
470 			idtype = SMB_IDMAP_GROUP;
471 			break;
472 
473 		case ACE_EVERYONE:
474 			idtype = SMB_IDMAP_EVERYONE;
475 			break;
476 
477 		default:
478 			/* user entry */
479 			id = zace->a_who;
480 			idtype = SMB_IDMAP_USER;
481 		}
482 
483 		idm_stat = smb_idmap_batch_getsid(sib->sib_idmaph, sim,
484 		    id, idtype);
485 
486 		if (idm_stat != IDMAP_SUCCESS) {
487 			return (idm_stat);
488 		}
489 	}
490 
491 	idm_stat = smb_idmap_batch_getmappings(sib);
492 	return (idm_stat);
493 }
494 
495 /*
496  * smb_fsacl_null_empty
497  *
498  * NULL DACL means everyone full-access
499  * Empty DACL means everyone full-deny
500  *
501  * ZFS ACL must have at least one entry so smb server has
502  * to simulate the aforementioned expected behavior by adding
503  * an entry in case the requested DACL is null or empty. Adding
504  * a everyone full-deny entry has proved to be problematic in
505  * tests since a deny entry takes precedence over allow entries.
506  * So, instead of adding a everyone full-deny, an owner ACE with
507  * owner implicit permissions will be set.
508  */
509 static acl_t *
510 smb_fsacl_null_empty(boolean_t null)
511 {
512 	acl_t *zacl;
513 	ace_t *zace;
514 
515 	zacl = smb_fsacl_alloc(1, ACL_AUTO_INHERIT);
516 	zace = zacl->acl_aclp;
517 
518 	zace->a_type = ACE_ACCESS_ALLOWED_ACE_TYPE;
519 	if (null) {
520 		zace->a_access_mask = ACE_ALL_PERMS;
521 		zace->a_flags = ACE_EVERYONE;
522 	} else {
523 		zace->a_access_mask = ACE_READ_ACL | ACE_WRITE_ACL |
524 		    ACE_READ_ATTRIBUTES;
525 		zace->a_flags = ACE_OWNER;
526 	}
527 
528 	return (zacl);
529 }
530 
531 /*
532  * FS ACL (acl_t) Functions
533  */
534 acl_t *
535 smb_fsacl_alloc(int acenum, int flags)
536 {
537 	acl_t *acl;
538 
539 	acl = acl_alloc(ACE_T);
540 	acl->acl_cnt = acenum;
541 	acl->acl_aclp = kmem_zalloc(acl->acl_entry_size * acenum, KM_SLEEP);
542 	acl->acl_flags = flags;
543 	return (acl);
544 }
545 
546 void
547 smb_fsacl_free(acl_t *acl)
548 {
549 	if (acl)
550 		acl_free(acl);
551 }
552 
553 /*
554  * smb_fsop_aclmerge
555  *
556  * smb_fsop_aclread/write routines which interact with filesystem
557  * work with single ACL. This routine merges given DACL and SACL
558  * which might have been created during CIFS to FS conversion into
559  * one single ACL.
560  */
561 acl_t *
562 smb_fsacl_merge(acl_t *dacl, acl_t *sacl)
563 {
564 	acl_t *acl;
565 	int dacl_size;
566 
567 	ASSERT(dacl);
568 	ASSERT(sacl);
569 
570 	acl = smb_fsacl_alloc(dacl->acl_cnt + sacl->acl_cnt, dacl->acl_flags);
571 	dacl_size = dacl->acl_cnt * dacl->acl_entry_size;
572 	bcopy(dacl->acl_aclp, acl->acl_aclp, dacl_size);
573 	bcopy(sacl->acl_aclp, (char *)acl->acl_aclp + dacl_size,
574 	    sacl->acl_cnt * sacl->acl_entry_size);
575 
576 	return (acl);
577 }
578 
579 /*
580  * smb_fsacl_split
581  *
582  * splits the given ACE_T ACL (zacl) to one or two ACLs (DACL/SACL) based on
583  * the 'which_acl' parameter. Note that output dacl/sacl parameters could be
584  * NULL even if they're specified in 'which_acl', which means the target
585  * doesn't have any access and/or audit ACEs.
586  */
587 void
588 smb_fsacl_split(acl_t *zacl, acl_t **dacl, acl_t **sacl, int which_acl)
589 {
590 	ace_t *zace;
591 	ace_t *access_ace;
592 	ace_t *audit_ace;
593 	int naccess, naudit;
594 	int get_dacl, get_sacl;
595 	int i;
596 
597 	*dacl = *sacl = NULL;
598 	naccess = naudit = 0;
599 	get_dacl = (which_acl & SMB_DACL_SECINFO);
600 	get_sacl = (which_acl & SMB_SACL_SECINFO);
601 
602 	for (i = 0, zace = zacl->acl_aclp; i < zacl->acl_cnt; zace++, i++) {
603 		if (get_dacl && smb_ace_is_access(zace->a_type))
604 			naccess++;
605 		else if (get_sacl && smb_ace_is_audit(zace->a_type))
606 			naudit++;
607 	}
608 
609 	if (naccess) {
610 		*dacl = smb_fsacl_alloc(naccess, zacl->acl_flags);
611 		access_ace = (*dacl)->acl_aclp;
612 	}
613 
614 	if (naudit) {
615 		*sacl = smb_fsacl_alloc(naudit, zacl->acl_flags);
616 		audit_ace = (*sacl)->acl_aclp;
617 	}
618 
619 	for (i = 0, zace = zacl->acl_aclp; i < zacl->acl_cnt; zace++, i++) {
620 		if (get_dacl && smb_ace_is_access(zace->a_type)) {
621 			*access_ace = *zace;
622 			access_ace++;
623 		} else if (get_sacl && smb_ace_is_audit(zace->a_type)) {
624 			*audit_ace = *zace;
625 			audit_ace++;
626 		}
627 	}
628 }
629 
630 /*
631  * ACE Inheritance Rules
632  *
633  * The system propagates inheritable ACEs to child objects according to a
634  * set of inheritance rules. The system places inherited ACEs in the child's
635  * DACL according to the preferred order of ACEs in a DACL. For Windows
636  * 2000 or later, the system sets the INHERITED_ACE flag in all inherited ACEs.
637  *
638  * The following table shows the ACEs inherited by container and noncontainer
639  * child objects for different combinations of inheritance flags. These
640  * inheritance rules work the same for both DACLs and SACLs.
641  *
642  * Parent ACE type 			Effect on Child ACL
643  * -----------------------		-------------------
644  * OBJECT_INHERIT_ACE only 		Noncontainer child objects:
645  *					Inherited as an effective ACE.
646  *					Container child objects:
647  *					Containers inherit an inherit-only ACE
648  *					unless the NO_PROPAGATE_INHERIT_ACE bit
649  *					flag is also set.
650  *
651  * CONTAINER_INHERIT_ACE only 		Noncontainer child objects:
652  *					No effect on the child object.
653  *					Container child objects:
654  *				The child object inherits an effective ACE.
655  *				The inherited ACE is inheritable unless the
656  *				NO_PROPAGATE_INHERIT_ACE bit flag is also set.
657  *
658  * CONTAINER_INHERIT_ACE and
659  * OBJECT_INHERIT_ACE 			Noncontainer child objects:
660  *					Inherited as an effective ACE.
661  *					Container child objects:
662  *				The child object inherits an effective ACE.
663  *				The inherited ACE is inheritable unless the
664  *				NO_PROPAGATE_INHERIT_ACE bit flag is also set
665  *
666  * No inheritance flags set 	No effect on child container or noncontainer
667  *				objects.
668  *
669  * If an inherited ACE is an effective ACE for the child object, the system
670  * maps any generic rights to the specific rights for the child object.
671  * Similarly, the system maps generic SIDs, such as CREATOR_OWNER, to the
672  * appropriate SID. If an inherited ACE is an inherit-only ACE, any generic
673  * rights or generic SIDs are left unchanged so that they can be mapped
674  * appropriately when the ACE is inherited by the next generation of child
675  * objects.
676  *
677  * For a case in which a container object inherits an ACE that is both
678  * effective on the container and inheritable by its descendants, the
679  * container may inherit two ACEs. This occurs if the inheritable ACE
680  * contains generic information. The container inherits an inherit-only
681  * ACE containing the generic information and an effective-only ACE in
682  * which the generic information has been mapped.
683  */
684 
685 /*
686  * smb_fsacl_inherit
687  *
688  * Manufacture the inherited ACL from the given ACL considering
689  * the new object type (file/dir) specified by 'is_dir'. The
690  * returned ACL is used in smb_fsop_create/smb_fsop_mkdir functions.
691  * This function implements Windows inheritance rules explained above.
692  *
693  * Note that the in/out ACLs are ZFS ACLs not Windows ACLs
694  */
695 acl_t *
696 smb_fsacl_inherit(acl_t *dir_zacl, int is_dir, int which_acl, uid_t owner_uid)
697 {
698 	boolean_t use_default = B_FALSE;
699 	int num_inheritable = 0;
700 	int numaces;
701 	ace_t *dir_zace;
702 	acl_t *new_zacl;
703 	ace_t *new_zace;
704 
705 	num_inheritable = smb_fsacl_inheritable(dir_zacl, is_dir);
706 
707 	if (num_inheritable == 0) {
708 		if (which_acl == SMB_DACL_SECINFO) {
709 			/* No inheritable access ACEs -> default DACL */
710 			num_inheritable = DEFAULT_DACL_ACENUM;
711 			use_default = B_TRUE;
712 		} else {
713 			return (NULL);
714 		}
715 	}
716 
717 	new_zacl = smb_fsacl_alloc(num_inheritable, ACL_AUTO_INHERIT);
718 	new_zace = new_zacl->acl_aclp;
719 
720 	if (use_default) {
721 		bcopy(default_dacl, new_zacl->acl_aclp, sizeof (default_dacl));
722 		new_zace->a_who = owner_uid;
723 		return (new_zacl);
724 	}
725 
726 	for (numaces = 0, dir_zace = dir_zacl->acl_aclp;
727 	    numaces < dir_zacl->acl_cnt;
728 	    dir_zace++, numaces++) {
729 		switch (dir_zace->a_flags & ACE_FD_INHERIT_ACE) {
730 		case (ACE_FILE_INHERIT_ACE | ACE_DIRECTORY_INHERIT_ACE):
731 			/*
732 			 * Files inherit an effective ACE.
733 			 *
734 			 * Dirs inherit an effective ACE.
735 			 * The inherited ACE is inheritable unless the
736 			 * ACE_NO_PROPAGATE_INHERIT_ACE bit flag is also set
737 			 */
738 			smb_ace_inherit(dir_zace, new_zace, is_dir);
739 			new_zace++;
740 
741 			if (is_dir && ZACE_IS_CREATOR(dir_zace) &&
742 			    (ZACE_IS_PROPAGATE(dir_zace))) {
743 				*new_zace = *dir_zace;
744 				new_zace->a_flags |= (ACE_INHERIT_ONLY_ACE |
745 				    ACE_INHERITED_ACE);
746 				new_zace++;
747 			}
748 			break;
749 
750 		case ACE_FILE_INHERIT_ACE:
751 			/*
752 			 * Files inherit as an effective ACE.
753 			 *
754 			 * Dirs inherit an inherit-only ACE
755 			 * unless the ACE_NO_PROPAGATE_INHERIT_ACE bit
756 			 * flag is also set.
757 			 */
758 			if (is_dir == 0) {
759 				smb_ace_inherit(dir_zace, new_zace, is_dir);
760 				new_zace++;
761 			} else if (ZACE_IS_PROPAGATE(dir_zace)) {
762 				*new_zace = *dir_zace;
763 				new_zace->a_flags |= (ACE_INHERIT_ONLY_ACE |
764 				    ACE_INHERITED_ACE);
765 				new_zace++;
766 			}
767 			break;
768 
769 		case ACE_DIRECTORY_INHERIT_ACE:
770 			/*
771 			 * No effect on files
772 			 *
773 			 * Dirs inherit an effective ACE.
774 			 * The inherited ACE is inheritable unless the
775 			 * ACE_NO_PROPAGATE_INHERIT_ACE bit flag is also set.
776 			 */
777 			if (is_dir == 0)
778 				break;
779 
780 			smb_ace_inherit(dir_zace, new_zace, is_dir);
781 			new_zace++;
782 
783 			if (ZACE_IS_CREATOR(dir_zace) &&
784 			    (ZACE_IS_PROPAGATE(dir_zace))) {
785 				*new_zace = *dir_zace;
786 				new_zace->a_flags |= (ACE_INHERIT_ONLY_ACE |
787 				    ACE_INHERITED_ACE);
788 				new_zace++;
789 			}
790 
791 			break;
792 
793 		default:
794 			break;
795 		}
796 	}
797 
798 	return (new_zacl);
799 }
800 
801 /*
802  * smb_fsacl_from_vsa
803  *
804  * Converts given vsecattr_t structure to a acl_t structure.
805  *
806  * The allocated memory for retuned acl_t should be freed by
807  * calling acl_free().
808  */
809 acl_t *
810 smb_fsacl_from_vsa(vsecattr_t *vsecattr, acl_type_t acl_type)
811 {
812 	int		aclbsize = 0;	/* size of acl list in bytes */
813 	int		dfaclbsize = 0;	/* size of default acl list in bytes */
814 	int		numacls;
815 	acl_t		*acl_info;
816 
817 	ASSERT(vsecattr);
818 
819 	acl_info = acl_alloc(acl_type);
820 	if (acl_info == NULL)
821 		return (NULL);
822 
823 	acl_info->acl_flags = 0;
824 
825 	switch (acl_type) {
826 
827 	case ACLENT_T:
828 		numacls = vsecattr->vsa_aclcnt + vsecattr->vsa_dfaclcnt;
829 		aclbsize = vsecattr->vsa_aclcnt * sizeof (aclent_t);
830 		dfaclbsize = vsecattr->vsa_dfaclcnt * sizeof (aclent_t);
831 
832 		acl_info->acl_cnt = numacls;
833 		acl_info->acl_aclp = kmem_alloc(aclbsize + dfaclbsize,
834 		    KM_SLEEP);
835 		(void) memcpy(acl_info->acl_aclp, vsecattr->vsa_aclentp,
836 		    aclbsize);
837 		(void) memcpy((char *)acl_info->acl_aclp + aclbsize,
838 		    vsecattr->vsa_dfaclentp, dfaclbsize);
839 
840 		if (acl_info->acl_cnt <= MIN_ACL_ENTRIES)
841 			acl_info->acl_flags |= ACL_IS_TRIVIAL;
842 
843 		break;
844 
845 	case ACE_T:
846 		aclbsize = vsecattr->vsa_aclcnt * sizeof (ace_t);
847 		acl_info->acl_cnt = vsecattr->vsa_aclcnt;
848 		acl_info->acl_flags = vsecattr->vsa_aclflags;
849 		acl_info->acl_aclp = kmem_alloc(aclbsize, KM_SLEEP);
850 		(void) memcpy(acl_info->acl_aclp, vsecattr->vsa_aclentp,
851 		    aclbsize);
852 		if (ace_trivial(acl_info->acl_aclp, acl_info->acl_cnt) == 0)
853 			acl_info->acl_flags |= ACL_IS_TRIVIAL;
854 
855 		break;
856 
857 	default:
858 		acl_free(acl_info);
859 		return (NULL);
860 	}
861 
862 	if (aclbsize && vsecattr->vsa_aclentp)
863 		kmem_free(vsecattr->vsa_aclentp, aclbsize);
864 	if (dfaclbsize && vsecattr->vsa_dfaclentp)
865 		kmem_free(vsecattr->vsa_dfaclentp, dfaclbsize);
866 
867 	return (acl_info);
868 }
869 
870 /*
871  * smb_fsacl_to_vsa
872  *
873  * Converts given acl_t structure to a vsecattr_t structure.
874  *
875  * IMPORTANT:
876  * Upon successful return the memory allocated for vsa_aclentp
877  * should be freed by calling kmem_free(). The size is returned
878  * in aclbsize.
879  */
880 int
881 smb_fsacl_to_vsa(acl_t *acl_info, vsecattr_t *vsecattr, int *aclbsize)
882 {
883 	int		error = 0;
884 	int		numacls;
885 	aclent_t	*aclp;
886 
887 	ASSERT(acl_info);
888 	ASSERT(vsecattr);
889 	ASSERT(aclbsize);
890 
891 	bzero(vsecattr, sizeof (vsecattr_t));
892 	*aclbsize = 0;
893 
894 	switch (acl_info->acl_type) {
895 	case ACLENT_T:
896 		numacls = acl_info->acl_cnt;
897 		/*
898 		 * Minimum ACL size is three entries so might as well
899 		 * bail out here.  Also limit request size to prevent user
900 		 * from allocating too much kernel memory.  Maximum size
901 		 * is MAX_ACL_ENTRIES for the ACL part and MAX_ACL_ENTRIES
902 		 * for the default ACL part.
903 		 */
904 		if (numacls < 3 || numacls > (MAX_ACL_ENTRIES * 2)) {
905 			error = EINVAL;
906 			break;
907 		}
908 
909 		vsecattr->vsa_mask = VSA_ACL;
910 
911 		vsecattr->vsa_aclcnt = numacls;
912 		*aclbsize = numacls * sizeof (aclent_t);
913 		vsecattr->vsa_aclentp = kmem_alloc(*aclbsize, KM_SLEEP);
914 		(void) memcpy(vsecattr->vsa_aclentp, acl_info->acl_aclp,
915 		    *aclbsize);
916 
917 		/* Sort the acl list */
918 		ksort((caddr_t)vsecattr->vsa_aclentp,
919 		    vsecattr->vsa_aclcnt, sizeof (aclent_t), cmp2acls);
920 
921 		/* Break into acl and default acl lists */
922 		for (numacls = 0, aclp = vsecattr->vsa_aclentp;
923 		    numacls < vsecattr->vsa_aclcnt;
924 		    aclp++, numacls++) {
925 			if (aclp->a_type & ACL_DEFAULT)
926 				break;
927 		}
928 
929 		/* Find where defaults start (if any) */
930 		if (numacls < vsecattr->vsa_aclcnt) {
931 			vsecattr->vsa_mask |= VSA_DFACL;
932 			vsecattr->vsa_dfaclcnt = vsecattr->vsa_aclcnt - numacls;
933 			vsecattr->vsa_dfaclentp = aclp;
934 			vsecattr->vsa_aclcnt = numacls;
935 		}
936 
937 		/* Adjust if they're all defaults */
938 		if (vsecattr->vsa_aclcnt == 0) {
939 			vsecattr->vsa_mask &= ~VSA_ACL;
940 			vsecattr->vsa_aclentp = NULL;
941 		}
942 
943 		/* Only directories can have defaults */
944 		if (vsecattr->vsa_dfaclcnt &&
945 		    (acl_info->acl_flags & ACL_IS_DIR)) {
946 			error = ENOTDIR;
947 		}
948 
949 		break;
950 
951 	case ACE_T:
952 		if (acl_info->acl_cnt < 1 ||
953 		    acl_info->acl_cnt > MAX_ACL_ENTRIES) {
954 			error = EINVAL;
955 			break;
956 		}
957 
958 		vsecattr->vsa_mask = VSA_ACE | VSA_ACE_ACLFLAGS;
959 		vsecattr->vsa_aclcnt = acl_info->acl_cnt;
960 		vsecattr->vsa_aclflags = acl_info->acl_flags & ACL_FLAGS_ALL;
961 		*aclbsize = vsecattr->vsa_aclcnt * sizeof (ace_t);
962 		vsecattr->vsa_aclentsz = *aclbsize;
963 		vsecattr->vsa_aclentp = kmem_alloc(*aclbsize, KM_SLEEP);
964 		(void) memcpy(vsecattr->vsa_aclentp, acl_info->acl_aclp,
965 		    *aclbsize);
966 
967 		break;
968 
969 	default:
970 		error = EINVAL;
971 	}
972 
973 	return (error);
974 }
975 
976 /*
977  * smb_fsacl_inheritable
978  *
979  * Checks to see if there are any inheritable ACEs in the
980  * given ZFS ACL. Returns the number of inheritable ACEs.
981  *
982  * The inherited ACL could be different based on the type of
983  * new object (file/dir) specified by 'is_dir'.
984  *
985  * Note that the input ACL is a ZFS ACL not Windows ACL.
986  */
987 static int
988 smb_fsacl_inheritable(acl_t *zacl, int is_dir)
989 {
990 	int numaces;
991 	int num_inheritable = 0;
992 	ace_t *zace;
993 
994 	if (zacl == NULL)
995 		return (0);
996 
997 	for (numaces = 0, zace = zacl->acl_aclp;
998 	    numaces < zacl->acl_cnt;
999 	    zace++, numaces++) {
1000 		switch (zace->a_flags & ACE_FD_INHERIT_ACE) {
1001 		case (ACE_FILE_INHERIT_ACE | ACE_DIRECTORY_INHERIT_ACE):
1002 			/*
1003 			 * Files inherit an effective ACE.
1004 			 *
1005 			 * Dirs inherit an effective ACE.
1006 			 * The inherited ACE is inheritable unless the
1007 			 * ACE_NO_PROPAGATE_INHERIT_ACE bit flag is also set
1008 			 */
1009 			num_inheritable++;
1010 
1011 			if (is_dir && ZACE_IS_CREATOR(zace) &&
1012 			    (ZACE_IS_PROPAGATE(zace))) {
1013 				num_inheritable++;
1014 			}
1015 			break;
1016 
1017 		case ACE_FILE_INHERIT_ACE:
1018 			/*
1019 			 * Files inherit as an effective ACE.
1020 			 *
1021 			 * Dirs inherit an inherit-only ACE
1022 			 * unless the ACE_NO_PROPAGATE_INHERIT_ACE bit
1023 			 * flag is also set.
1024 			 */
1025 			if (is_dir == 0)
1026 				num_inheritable++;
1027 			else if (ZACE_IS_PROPAGATE(zace))
1028 				num_inheritable++;
1029 			break;
1030 
1031 		case ACE_DIRECTORY_INHERIT_ACE:
1032 			/*
1033 			 * No effect on files
1034 			 *
1035 			 * Dirs inherit an effective ACE.
1036 			 * The inherited ACE is inheritable unless the
1037 			 * ACE_NO_PROPAGATE_INHERIT_ACE bit flag is also set.
1038 			 */
1039 			if (is_dir == 0)
1040 				break;
1041 
1042 			num_inheritable++;
1043 
1044 			if (ZACE_IS_CREATOR(zace) &&
1045 			    (ZACE_IS_PROPAGATE(zace)))
1046 				num_inheritable++;
1047 			break;
1048 
1049 		default:
1050 			break;
1051 		}
1052 	}
1053 
1054 	return (num_inheritable);
1055 }
1056 
1057 
1058 /*
1059  * ACE Functions
1060  */
1061 
1062 /*
1063  * This is generic (ACL version 2) vs. object-specific
1064  * (ACL version 4) ACE types.
1065  */
1066 boolean_t
1067 smb_ace_is_generic(int type)
1068 {
1069 	switch (type) {
1070 	case ACE_ACCESS_ALLOWED_ACE_TYPE:
1071 	case ACE_ACCESS_DENIED_ACE_TYPE:
1072 	case ACE_SYSTEM_AUDIT_ACE_TYPE:
1073 	case ACE_SYSTEM_ALARM_ACE_TYPE:
1074 	case ACE_ACCESS_ALLOWED_CALLBACK_ACE_TYPE:
1075 	case ACE_ACCESS_DENIED_CALLBACK_ACE_TYPE:
1076 	case ACE_SYSTEM_AUDIT_CALLBACK_ACE_TYPE:
1077 	case ACE_SYSTEM_ALARM_CALLBACK_ACE_TYPE:
1078 		return (B_TRUE);
1079 
1080 	default:
1081 		break;
1082 	}
1083 
1084 	return (B_FALSE);
1085 }
1086 
1087 boolean_t
1088 smb_ace_is_access(int type)
1089 {
1090 	switch (type) {
1091 	case ACE_ACCESS_ALLOWED_ACE_TYPE:
1092 	case ACE_ACCESS_DENIED_ACE_TYPE:
1093 	case ACE_ACCESS_ALLOWED_COMPOUND_ACE_TYPE:
1094 	case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
1095 	case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
1096 	case ACE_ACCESS_ALLOWED_CALLBACK_ACE_TYPE:
1097 	case ACE_ACCESS_DENIED_CALLBACK_ACE_TYPE:
1098 	case ACE_ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE:
1099 	case ACE_ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE:
1100 		return (B_TRUE);
1101 
1102 	default:
1103 		break;
1104 	}
1105 
1106 	return (B_FALSE);
1107 }
1108 
1109 boolean_t
1110 smb_ace_is_audit(int type)
1111 {
1112 	switch (type) {
1113 	case ACE_SYSTEM_AUDIT_ACE_TYPE:
1114 	case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
1115 	case ACE_SYSTEM_AUDIT_CALLBACK_ACE_TYPE:
1116 	case ACE_SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE:
1117 		return (B_TRUE);
1118 
1119 	default:
1120 		break;
1121 	}
1122 
1123 	return (B_FALSE);
1124 }
1125 
1126 /*
1127  * smb_ace_len
1128  *
1129  * Returns the length of the given ACE as it appears in an
1130  * ACL on the wire (i.e. a flat buffer which contains the SID)
1131  */
1132 static uint16_t
1133 smb_ace_len(smb_ace_t *ace)
1134 {
1135 	ASSERT(ace);
1136 	ASSERT(ace->se_sid);
1137 
1138 	if (ace == NULL)
1139 		return (0);
1140 
1141 	return (SMB_ACE_HDRSIZE + sizeof (ace->se_mask) +
1142 	    smb_sid_len(ace->se_sid));
1143 }
1144 
1145 static void
1146 smb_ace_inherit(ace_t *dir_zace, ace_t *zace, int is_dir)
1147 {
1148 	*zace = *dir_zace;
1149 
1150 	/* This is an effective ACE so remove the inherit_only flag */
1151 	zace->a_flags &= ~ACE_INHERIT_ONLY_ACE;
1152 	/* Mark this ACE as inherited */
1153 	zace->a_flags |= ACE_INHERITED_ACE;
1154 
1155 	/*
1156 	 * If this is a file or NO_PROPAGATE is set then this inherited
1157 	 * ACE is not inheritable so clear the inheritance flags
1158 	 */
1159 	if (!(is_dir && ZACE_IS_PROPAGATE(dir_zace)))
1160 		zace->a_flags &= ~ACE_INHERIT_FLAGS;
1161 
1162 	/*
1163 	 * Replace creator owner/group ACEs with actual owner/group ACEs.
1164 	 * This would be an effictive ACE which is not inheritable.
1165 	 */
1166 	if (ZACE_IS_CREATOR_OWNER(dir_zace)) {
1167 		zace->a_who = (uid_t)-1;
1168 		zace->a_flags |= ACE_OWNER;
1169 		zace->a_flags &= ~ACE_INHERIT_FLAGS;
1170 	} else if (ZACE_IS_CREATOR_GROUP(dir_zace)) {
1171 		zace->a_who = (uid_t)-1;
1172 		zace->a_flags |= ACE_GROUP;
1173 		zace->a_flags &= ~ACE_INHERIT_FLAGS;
1174 	}
1175 }
1176 
1177 /*
1178  * smb_ace_mask_g2s
1179  *
1180  * Converts generic access bits in the given mask (if any)
1181  * to file specific bits. Generic access masks shouldn't be
1182  * stored in filesystem ACEs.
1183  */
1184 static uint32_t
1185 smb_ace_mask_g2s(uint32_t mask)
1186 {
1187 	if (mask & GENERIC_ALL) {
1188 		mask &= ~(GENERIC_ALL | GENERIC_READ | GENERIC_WRITE
1189 		    | GENERIC_EXECUTE);
1190 
1191 		mask |= FILE_ALL_ACCESS;
1192 		return (mask);
1193 	}
1194 
1195 	if (mask & GENERIC_READ) {
1196 		mask &= ~GENERIC_READ;
1197 		mask |= FILE_GENERIC_READ;
1198 	}
1199 
1200 	if (mask & GENERIC_WRITE) {
1201 		mask &= ~GENERIC_WRITE;
1202 		mask |= FILE_GENERIC_WRITE;
1203 	}
1204 
1205 	if (mask & GENERIC_EXECUTE) {
1206 		mask &= ~GENERIC_EXECUTE;
1207 		mask |= FILE_GENERIC_EXECUTE;
1208 	}
1209 
1210 	return (mask);
1211 }
1212 
1213 /*
1214  * smb_ace_flags_tozfs
1215  *
1216  * This function maps the flags which have different values
1217  * in Windows and Solaris. The ones with the same value are
1218  * transferred untouched.
1219  */
1220 static uint16_t
1221 smb_ace_flags_tozfs(uint8_t c_flags)
1222 {
1223 	uint16_t z_flags = 0;
1224 
1225 	if (c_flags & SUCCESSFUL_ACCESS_ACE_FLAG)
1226 		z_flags |= ACE_SUCCESSFUL_ACCESS_ACE_FLAG;
1227 
1228 	if (c_flags & FAILED_ACCESS_ACE_FLAG)
1229 		z_flags |= ACE_FAILED_ACCESS_ACE_FLAG;
1230 
1231 	if (c_flags & INHERITED_ACE)
1232 		z_flags |= ACE_INHERITED_ACE;
1233 
1234 	z_flags |= (c_flags & ACE_INHERIT_FLAGS);
1235 
1236 	return (z_flags);
1237 }
1238 
1239 static uint8_t
1240 smb_ace_flags_fromzfs(uint16_t z_flags)
1241 {
1242 	uint8_t c_flags;
1243 
1244 	c_flags = z_flags & ACE_INHERIT_FLAGS;
1245 
1246 	if (z_flags & ACE_SUCCESSFUL_ACCESS_ACE_FLAG)
1247 		c_flags |= SUCCESSFUL_ACCESS_ACE_FLAG;
1248 
1249 	if (z_flags & ACE_FAILED_ACCESS_ACE_FLAG)
1250 		c_flags |= FAILED_ACCESS_ACE_FLAG;
1251 
1252 	if (z_flags & ACE_INHERITED_ACE)
1253 		c_flags |= INHERITED_ACE;
1254 
1255 	return (c_flags);
1256 }
1257 
1258 static boolean_t
1259 smb_ace_isvalid(smb_ace_t *ace, int which_acl)
1260 {
1261 	uint16_t min_len;
1262 
1263 	min_len = sizeof (smb_acehdr_t);
1264 
1265 	if (ace->se_hdr.se_bsize < min_len)
1266 		return (B_FALSE);
1267 
1268 	if (smb_ace_is_access(ace->se_hdr.se_type) &&
1269 	    (which_acl != SMB_DACL_SECINFO))
1270 		return (B_FALSE);
1271 
1272 	if (smb_ace_is_audit(ace->se_hdr.se_type) &&
1273 	    (which_acl != SMB_SACL_SECINFO))
1274 		return (B_FALSE);
1275 
1276 	if (smb_ace_is_generic(ace->se_hdr.se_type)) {
1277 		if (!smb_sid_isvalid(ace->se_sid))
1278 			return (B_FALSE);
1279 
1280 		min_len += sizeof (ace->se_mask);
1281 		min_len += smb_sid_len(ace->se_sid);
1282 
1283 		if (ace->se_hdr.se_bsize < min_len)
1284 			return (B_FALSE);
1285 	}
1286 
1287 	/*
1288 	 * object-specific ACE validation will be added later.
1289 	 */
1290 	return (B_TRUE);
1291 }
1292