NEX-5665 SMB2 oplock leases
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
NEX-5665 SMB2 oplock leases
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
NEX-4538 SMB1 create file should support extended_response format (2)
NEX-6116 Failures in smbtorture raw.open
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Include this commit if upstreaming/backporting any of:
NEX-4540 SMB server declines EA support incorrectly
NEX-4239 smbtorture create failures re. allocation size
(illumos) 6398 SMB should support path names longer than 1024
NEX-5598 SMB needs a few more ioctls for Hyper-V
Reviewed by: Gordon Ross <gwr@nexenta.com>
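--- a/usr/src/uts/common/smbsrv/ntifs.h
+++ b/usr/src/uts/common/smbsrv/ntifs.h
@@ -1,609 +1,631 @@
 /*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
 /*
 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
+ * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
 * Copyright (c) 2016 by Delphix. All rights reserved.
 */
 
 #ifndef _SMBSRV_NTIFS_H
 #define _SMBSRV_NTIFS_H
 
 /*
 * This file provides definitions compatible with the NT Installable
 * File System (IFS) interface. This header file also defines the Security
 * Descriptor module from Windows.
 */
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 #include <sys/acl.h>
 #include <sys/list.h>
 #include <smbsrv/smb_sid.h>
 
 /*
 * The Volume and Directory bits are for SMB rather than NT.
 * NT has an explicit Normal bit; this bit is implied in SMB
 * when the Hidden, System and Directory bits are not set.
 *
 * File attributes and creation flags share the same 32-bit
 * space.
 */
 #define FILE_ATTRIBUTE_READONLY 0x00000001
 #define FILE_ATTRIBUTE_HIDDEN 0x00000002
 #define FILE_ATTRIBUTE_SYSTEM 0x00000004
 #define FILE_ATTRIBUTE_VOLUME 0x00000008
 #define FILE_ATTRIBUTE_DIRECTORY 0x00000010
 #define FILE_ATTRIBUTE_ARCHIVE 0x00000020
 #define FILE_ATTRIBUTE_DEVICE 0x00000040
 #define FILE_ATTRIBUTE_NORMAL 0x00000080
 #define FILE_ATTRIBUTE_TEMPORARY 0x00000100
 #define FILE_ATTRIBUTE_SPARSE_FILE 0x00000200
 #define FILE_ATTRIBUTE_REPARSE_POINT 0x00000400
 #define FILE_ATTRIBUTE_COMPRESSED 0x00000800
 #define FILE_ATTRIBUTE_OFFLINE 0x00001000
 #define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
 #define FILE_ATTRIBUTE_ENCRYPTED 0x00004000
 #define FILE_ATTRIBUTE_VIRTUAL 0x00010000
 #define FILE_FLAG_OPEN_NO_RECALL 0x00100000
 #define FILE_FLAG_OPEN_REPARSE_POINT 0x00200000
 #define FILE_FLAG_POSIX_SEMANTICS 0x01000000
 #define FILE_FLAG_BACKUP_SEMANTICS 0x02000000
 #define FILE_FLAG_DELETE_ON_CLOSE 0x04000000
 #define FILE_FLAG_SEQUENTIAL_SCAN 0x08000000
 #define FILE_FLAG_RANDOM_ACCESS 0x10000000
 #define FILE_FLAG_NO_BUFFERING 0x20000000
 #define FILE_FLAG_OVERLAPPED 0x40000000
 #define FILE_FLAG_WRITE_THROUGH 0x80000000
 
 #define FILE_ATTRIBUTE_VALID_FLAGS 0x00001fb7
 #define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x00001fa7
 #define FILE_ATTRIBUTE_MASK 0x00003FFF
 
 /*
 * The create/open option flags: used in NtCreateAndx and NtTransactCreate
 * SMB requests.
 *
 * The CreateOptions specify the options to be applied when creating or
 * opening the file, as a compatible combination of the following flags:
 *
 * FILE_DIRECTORY_FILE
 * The file being created or opened is a directory file. With this
 * flag, the Disposition parameter must be set to one of FILE_CREATE,
 * FILE_OPEN, or FILE_OPEN_IF. With this flag, other compatible
 * CreateOptions flags include only the following:
 * FILE_SYNCHRONOUS_IO_ALERT
 * FILE_SYNCHRONOUS_IO_NONALERT
 * FILE_WRITE_THROUGH
 * FILE_OPEN_FOR_BACKUP_INTENT
 * FILE_OPEN_BY_FILE_ID
 *
 * FILE_NON_DIRECTORY_FILE
 * The file being opened must not be a directory file or this call
 * will fail. The file object being opened can represent a data file,
 * a logical, virtual, or physical device, or a volume.
 *
 * FILE_WRITE_THROUGH
 * System services, FSDs, and drivers that write data to the file must
 * actually transfer the data into the file before any requested write
 * operation is considered complete. This flag is automatically set if
 * the CreateOptions flag FILE_NO_INTERMEDIATE _BUFFERING is set.
 *
 * FILE_SEQUENTIAL_ONLY
 * All accesses to the file will be sequential.
 *
 * FILE_RANDOM_ACCESS
 * Accesses to the file can be random, so no sequential read-ahead
 * operations should be performed on the file by FSDs or the system.
 * FILE_NO_INTERMEDIATE _BUFFERING The file cannot be cached or
 * buffered in a driver's internal buffers. This flag is incompatible
 * with the DesiredAccess FILE_APPEND_DATA flag.
 *
 * FILE_SYNCHRONOUS_IO_ALERT
 * All operations on the file are performed synchronously. Any wait
 * on behalf of the caller is subject to premature termination from
 * alerts. This flag also causes the I/O system to maintain the file
 * position context. If this flag is set, the DesiredAccess
 * SYNCHRONIZE flag also must be set.
 *
 * FILE_SYNCHRONOUS_IO _NONALERT
 * All operations on the file are performed synchronously. Waits in
 * the system to synchronize I/O queuing and completion are not subject
 * to alerts. This flag also causes the I/O system to maintain the file
 * position context. If this flag is set, the DesiredAccess SYNCHRONIZE
 * flag also must be set.
 *
 * FILE_CREATE_TREE _CONNECTION
 * Create a tree connection for this file in order to open it over the
 * network. This flag is irrelevant to device and intermediate drivers.
 *
 * FILE_COMPLETE_IF_OPLOCKED
 * Complete this operation immediately with an alternate success code
 * if the target file is oplocked, rather than blocking the caller's
 * thread. If the file is oplocked, another caller already has access
 * to the file over the network. This flag is irrelevant to device and
 * intermediate drivers.
 *
 * FILE_NO_EA_KNOWLEDGE
 * If the extended attributes on an existing file being opened indicate
 * that the caller must understand EAs to properly interpret the file,
 * fail this request because the caller does not understand how to deal
 * with EAs. Device and intermediate drivers can ignore this flag.
 *
 * FILE_DELETE_ON_CLOSE
 * Delete the file when the last reference to it is passed to close.
 *
 * FILE_OPEN_BY_FILE_ID
 * The file name contains the name of a device and a 64-bit ID to
 * be used to open the file. This flag is irrelevant to device and
 * intermediate drivers.
 *
 * FILE_OPEN_FOR_BACKUP _INTENT
 * The file is being opened for backup intent, hence, the system should
 * check for certain access rights and grant the caller the appropriate
 * accesses to the file before checking the input DesiredAccess against
 * the file's security descriptor. This flag is irrelevant to device
 * and intermediate drivers.
 */
 #define FILE_DIRECTORY_FILE 0x00000001
 #define FILE_WRITE_THROUGH 0x00000002
 #define FILE_SEQUENTIAL_ONLY 0x00000004
 #define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008
 
 #define FILE_SYNCHRONOUS_IO_ALERT 0x00000010
 #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
 #define FILE_NON_DIRECTORY_FILE 0x00000040
 #define FILE_CREATE_TREE_CONNECTION 0x00000080
 
 #define FILE_COMPLETE_IF_OPLOCKED 0x00000100
 #define FILE_NO_EA_KNOWLEDGE 0x00000200
 /* UNUSED 0x00000400 */
 #define FILE_RANDOM_ACCESS 0x00000800
 
 #define FILE_DELETE_ON_CLOSE 0x00001000
 #define FILE_OPEN_BY_FILE_ID 0x00002000
 #define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000
 #define FILE_NO_COMPRESSION 0x00008000
 
 #define FILE_RESERVE_OPFILTER 0x00100000
 #define FILE_RESERVED0 0x00200000
 #define FILE_RESERVED1 0x00400000
 #define FILE_RESERVED2 0x00800000
 
-#define FILE_VALID_OPTION_FLAGS 0x007fffff
+#define FILE_VALID_OPTION_FLAGS 0x00ffffff
 #define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032
 #define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032
 #define FILE_VALID_SET_FLAGS 0x00000036
 
 /*
+ * "Granular" oplock flags; [MS-FSA], WinDDK/ntifs.h
+ * Same as smb2.h SMB2_LEASE_...
+ */
+#define OPLOCK_LEVEL_CACHE_READ 0x01
+#define OPLOCK_LEVEL_CACHE_HANDLE 0x02
+#define OPLOCK_LEVEL_CACHE_WRITE 0x04
+#define OPLOCK_LEVEL_CACHE_MASK 0x07
+
+/*
+ * [MS-FSA] oplock types (also "levels")
+ */
+#define OPLOCK_LEVEL_NONE 0
+#define OPLOCK_LEVEL_TWO 0x100
+#define OPLOCK_LEVEL_ONE 0x200
+#define OPLOCK_LEVEL_BATCH 0x400
+#define OPLOCK_LEVEL_GRANULAR 0x800
+#define OPLOCK_LEVEL_TYPE_MASK 0xf00
+
+/*
 * Define the file information class values used by the NT DDK and HAL.
 */
 typedef enum _FILE_INFORMATION_CLASS {
 FileDirectoryInformation = 1,
 FileFullDirectoryInformation, /* 2 */
 FileBothDirectoryInformation, /* 3 */
 FileBasicInformation, /* 4 */
 FileStandardInformation, /* 5 */
 FileInternalInformation, /* 6 */
 FileEaInformation, /* 7 */
 FileAccessInformation, /* 8 */
 FileNameInformation, /* 9 */
 FileRenameInformation, /* 10 */
 FileLinkInformation, /* 11 */
 FileNamesInformation, /* 12 */
 FileDispositionInformation, /* 13 */
 FilePositionInformation, /* 14 */
 FileFullEaInformation, /* 15 */
 FileModeInformation, /* 16 */
 FileAlignmentInformation, /* 17 */
 FileAllInformation, /* 18 */
 FileAllocationInformation, /* 19 */
 FileEndOfFileInformation, /* 20 */
 FileAlternateNameInformation, /* 21 */
 FileStreamInformation, /* 22 */
 FilePipeInformation, /* 23 */
 FilePipeLocalInformation, /* 24 */
 FilePipeRemoteInformation, /* 25 */
 FileMailslotQueryInformation, /* 26 */
 FileMailslotSetInformation, /* 27 */
 FileCompressionInformation, /* 28 */
 FileObjectIdInformation, /* 29 */
 FileCompletionInformation, /* 30 */
 FileMoveClusterInformation, /* 31 */
 FileQuotaInformation, /* 32 */
 FileReparsePointInformation, /* 33 */
 FileNetworkOpenInformation, /* 34 */
 FileAttributeTagInformation, /* 35 */
 FileTrackingInformation, /* 36 */
 FileIdBothDirectoryInformation, /* 37 */
 FileIdFullDirectoryInformation, /* 38 */
 FileValidDataLengthInformation, /* 39 */
 FileShortNameInformation, /* 40 */
 FileInformationReserved41, /* 41 */
 FileInformationReserved42, /* 42 */
 FileInformationReserved43, /* 43 */
 FileSfioReserveInformation, /* 44 */
 FileSfioVolumeInformation, /* 45 */
 FileHardLinkInformation, /* 46 */
 FileInformationReserved47, /* 47 */
 FileNormalizedNameInformation, /* 48 */
 FileInformationReserved49, /* 49 */
 FileIdGlobalTxDirectoryInformation, /* 50 */
 FileInformationReserved51, /* 51 */
 FileInformationReserved52, /* 52 */
 FileInformationReserved53, /* 53 */
 FileStandardLinkInformation, /* 54 */
 FileMaximumInformation
 } FILE_INFORMATION_CLASS;
 
 /*
 * Define the file system information class values.
 */
 typedef enum _FILE_FS_INFORMATION_CLASS {
 FileFsVolumeInformation = 1,
 FileFsLabelInformation, /* 2 */
 FileFsSizeInformation, /* 3 */
 FileFsDeviceInformation, /* 4 */
 FileFsAttributeInformation, /* 5 */
 FileFsControlInformation, /* 6 */
 FileFsFullSizeInformation, /* 7 */
 FileFsObjectIdInformation, /* 8 */
- FileFsDriverPathInformation /* 9 */
+ FileFsDriverPathInformation, /* 9 */
+ FileFsVolumeFlagsInformation, /* A */
+ FileFsSectorSizeInformation /* B */
 } FILE_FS_INFORMATION_CLASS;
 
 /*
 * Discretionary Access Control List (DACL)
 *
 * A Discretionary Access Control List (DACL), often abbreviated to
 * ACL, is a list of access controls which either allow or deny access
 * for users or groups to a resource. There is a list header followed
 * by a list of access control entries (ACE). Each ACE specifies the
 * access allowed or denied to a single user or group (identified by
 * a SID).
 *
 * There is another access control list object called a System Access
 * Control List (SACL), which is used to control auditing, but no
 * support is provideed for SACLs at this time.
 *
 * ACL header format:
 *
 * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
 * 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
 * +-------------------------------+---------------+---------------+
 * | AclSize | Sbz1 | AclRevision |
 * +-------------------------------+---------------+---------------+
 * | Sbz2 | AceCount |
 * +-------------------------------+-------------------------------+
 *
 * AclRevision specifies the revision level of the ACL. This value should
 * be ACL_REVISION, unless the ACL contains an object-specific ACE, in which
 * case this value must be ACL_REVISION_DS. All ACEs in an ACL must be at the
 * same revision level.
 *
 * ACE header format:
 *
 * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
 * 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
 * +---------------+-------+-------+---------------+---------------+
 * | AceSize | AceFlags | AceType |
 * +---------------+-------+-------+---------------+---------------+
 *
 * Access mask format:
 *
 * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
 * 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
 * +---------------+---------------+-------------------------------+
 * |G|G|G|G|Res'd|A| StandardRights| SpecificRights |
 * |R|W|E|A| |S| | |
 * +-+-------------+---------------+-------------------------------+
 *
 * typedef struct ACCESS_MASK {
 * WORD SpecificRights;
 * BYTE StandardRights;
 * BYTE AccessSystemAcl : 1;
 * BYTE Reserved : 3;
 * BYTE GenericAll : 1;
 * BYTE GenericExecute : 1;
 * BYTE GenericWrite : 1;
 * BYTE GenericRead : 1;
 * } ACCESS_MASK;
 *
 */
 
 #define ACL_REVISION1 1
 #define ACL_REVISION2 2
 #define MIN_ACL_REVISION2 ACL_REVISION2
 #define ACL_REVISION3 3
 #define ACL_REVISION4 4
 #define MAX_ACL_REVISION ACL_REVISION4
 
 /*
 * Current ACE and ACL revision Levels
 */
 #define ACE_REVISION 1
 #define ACL_REVISION ACL_REVISION2
 #define ACL_REVISION_DS ACL_REVISION4
 
 
 #define ACCESS_ALLOWED_ACE_TYPE 0
 #define ACCESS_DENIED_ACE_TYPE 1
 #define SYSTEM_AUDIT_ACE_TYPE 2
 #define SYSTEM_ALARM_ACE_TYPE 3
 
 /*
 * se_flags
 * ----------
 * Specifies a set of ACE type-specific control flags. This member can be a
 * combination of the following values.
 *
 * CONTAINER_INHERIT_ACE: Child objects that are containers, such as
 * directories, inherit the ACE as an effective ACE. The inherited
 * ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag
 * is also set.
 *
 * INHERIT_ONLY_ACE: Indicates an inherit-only ACE which does not control
 * access to the object to which it is attached.
 * If this flag is not set,
 * the ACE is an effective ACE which controls access to the object
 * to which it is attached.
 * Both effective and inherit-only ACEs can be inherited
 * depending on the state of the other inheritance flags.
 *
 * INHERITED_ACE: Windows 2000/XP: Indicates that the ACE was inherited.
 * The system sets this bit when it propagates an
 * inherited ACE to a child object.
 *
 * NO_PROPAGATE_INHERIT_ACE: If the ACE is inherited by a child object, the
 * system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE
 * flags in the inherited ACE.
 * This prevents the ACE from being inherited by
 * subsequent generations of objects.
 *
 * OBJECT_INHERIT_ACE: Noncontainer child objects inherit the ACE as an
 * effective ACE. For child objects that are containers,
 * the ACE is inherited as an inherit-only ACE unless the
 * NO_PROPAGATE_INHERIT_ACE bit flag is also set.
 */
 #define OBJECT_INHERIT_ACE 0x01
 #define CONTAINER_INHERIT_ACE 0x02
 #define NO_PROPOGATE_INHERIT_ACE 0x04
 #define INHERIT_ONLY_ACE 0x08
 #define INHERITED_ACE 0x10
 #define INHERIT_MASK_ACE 0x1F
 
 
 /*
 * These flags are only used in system audit or alarm ACEs to
 * indicate when an audit message should be generated, i.e.
 * on successful access or on unsuccessful access.
 */
 #define SUCCESSFUL_ACCESS_ACE_FLAG 0x40
 #define FAILED_ACCESS_ACE_FLAG 0x80
 
 /*
 * se_bsize is the size, in bytes, of ACE as it appears on the wire.
 * se_sln is used to sort the ACL when it's required.
 */
 typedef struct smb_acehdr {
 uint8_t se_type;
 uint8_t se_flags;
 uint16_t se_bsize;
 } smb_acehdr_t;
 
 typedef struct smb_ace {
 smb_acehdr_t se_hdr;
 uint32_t se_mask;
 list_node_t se_sln;
 smb_sid_t *se_sid;
 } smb_ace_t;
 
 /*
 * sl_bsize is the size of ACL in bytes as it appears on the wire.
 */
 typedef struct smb_acl {
 uint8_t sl_revision;
 uint16_t sl_bsize;
 uint16_t sl_acecnt;
 smb_ace_t *sl_aces;
 list_t sl_sorted;
 } smb_acl_t;
 
 /*
 * ACE/ACL header size, in byte, as it appears on the wire
 */
 #define SMB_ACE_HDRSIZE 4
 #define SMB_ACL_HDRSIZE 8
 
 /*
 * Security Descriptor (SD)
 *
 * Security descriptors provide protection for objects, for example
 * files and directories. It identifies the owner and primary group
 * (SIDs) and contains an access control list. When a user tries to
 * access an object their SID is compared to the permissions in the
 * DACL to determine if access should be allowed or denied. Note that
 * this is a simplification because there are other factors, such as
 * default behavior and privileges to be taken into account (see also
 * access tokens).
 *
 * The boolean flags have the following meanings when set:
 *
 * SE_OWNER_DEFAULTED indicates that the SID pointed to by the Owner
 * field was provided by a defaulting mechanism rather than explicitly
 * provided by the original provider of the security descriptor. This
 * may affect the treatment of the SID with respect to inheritance of
 * an owner.
 *
 * SE_GROUP_DEFAULTED indicates that the SID in the Group field was
 * provided by a defaulting mechanism rather than explicitly provided
 * by the original provider of the security descriptor. This may
 * affect the treatment of the SID with respect to inheritance of a
 * primary group.
 *
 * SE_DACL_PRESENT indicates that the security descriptor contains a
 * discretionary ACL. If this flag is set and the Dacl field of the
 * SECURITY_DESCRIPTOR is null, then a null ACL is explicitly being
 * specified.
 *
 * SE_DACL_DEFAULTED indicates that the ACL pointed to by the Dacl
 * field was provided by a defaulting mechanism rather than explicitly
 * provided by the original provider of the security descriptor. This
 * may affect the treatment of the ACL with respect to inheritance of
 * an ACL. This flag is ignored if the DaclPresent flag is not set.
 *
 * SE_SACL_PRESENT indicates that the security descriptor contains a
 * system ACL pointed to by the Sacl field. If this flag is set and
 * the Sacl field of the SECURITY_DESCRIPTOR is null, then an empty
 * (but present) ACL is being specified.
 *
 * SE_SACL_DEFAULTED indicates that the ACL pointed to by the Sacl
 * field was provided by a defaulting mechanism rather than explicitly
 * provided by the original provider of the security descriptor. This
 * may affect the treatment of the ACL with respect to inheritance of
 * an ACL. This flag is ignored if the SaclPresent flag is not set.
 *
 * SE_DACL_PROTECTED Prevents ACEs set on the DACL of the parent container
 * (and any objects above the parent container in the directory hierarchy)
 * from being applied to the object's DACL.
 *
 * SE_SACL_PROTECTED Prevents ACEs set on the SACL of the parent container
 * (and any objects above the parent container in the directory hierarchy)
 * from being applied to the object's SACL.
 *
 * Note that the SE_DACL_PRESENT flag needs to be present to set
 * SE_DACL_PROTECTED and SE_SACL_PRESENT needs to be present to set
 * SE_SACL_PROTECTED.
 *
 * SE_SELF_RELATIVE indicates that the security descriptor is in self-
 * relative form. In this form, all fields of the security descriptor
 * are contiguous in memory and all pointer fields are expressed as
 * offsets from the beginning of the security descriptor.
 *
 * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
 * 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
 * +---------------------------------------------------------------+
 * | Control |Reserved1 (SBZ)| Revision |
 * +---------------------------------------------------------------+
 * | Owner |
 * +---------------------------------------------------------------+
 * | Group |
 * +---------------------------------------------------------------+
 * | Sacl |
 * +---------------------------------------------------------------+
 * | Dacl |
 * +---------------------------------------------------------------+
 *
 */
 
 #define SMB_OWNER_SECINFO 0x0001
 #define SMB_GROUP_SECINFO 0x0002
 #define SMB_DACL_SECINFO 0x0004
 #define SMB_SACL_SECINFO 0x0008
 #define SMB_ALL_SECINFO 0x000F
 #define SMB_ACL_SECINFO (SMB_DACL_SECINFO | SMB_SACL_SECINFO)
 
 #define SECURITY_DESCRIPTOR_REVISION 1
 
 
 #define SE_OWNER_DEFAULTED 0x0001
 #define SE_GROUP_DEFAULTED 0x0002
 #define SE_DACL_PRESENT 0x0004
 #define SE_DACL_DEFAULTED 0x0008
 #define SE_SACL_PRESENT 0x0010
 #define SE_SACL_DEFAULTED 0x0020
 #define SE_DACL_AUTO_INHERIT_REQ 0x0100
 #define SE_SACL_AUTO_INHERIT_REQ 0x0200
 #define SE_DACL_AUTO_INHERITED 0x0400
 #define SE_SACL_AUTO_INHERITED 0x0800
 #define SE_DACL_PROTECTED 0x1000
 #define SE_SACL_PROTECTED 0x2000
 #define SE_SELF_RELATIVE 0x8000
 
 #define SE_DACL_INHERITANCE_MASK 0x1500
 #define SE_SACL_INHERITANCE_MASK 0x2A00
 
 /*
 * Security descriptor structures:
 *
 * smb_sd_t SD in SMB pointer form
 * smb_fssd_t SD in filesystem form
 *
 * Filesystems (e.g. ZFS/UFS) don't have something equivalent
 * to SD. The items comprising a SMB SD are kept separately in
 * filesystem. smb_fssd_t is introduced as a helper to provide
 * the required abstraction for CIFS code.
 */
 
 typedef struct smb_sd {
 uint8_t sd_revision;
 uint16_t sd_control;
 smb_sid_t *sd_owner; /* SID file owner */
 smb_sid_t *sd_group; /* SID group (for POSIX) */
 smb_acl_t *sd_sacl; /* ACL System (audits) */
 smb_acl_t *sd_dacl; /* ACL Discretionary (perm) */
 } smb_sd_t;
 
 /*
 * SD header size as it appears on the wire
 */
 #define SMB_SD_HDRSIZE 20
 
 /*
 * values for smb_fssd.sd_flags
 */
 #define SMB_FSSD_FLAGS_DIR 0x01
 
 typedef struct smb_fssd {
 uint32_t sd_secinfo;
 uint32_t sd_flags;
 uid_t sd_uid;
 gid_t sd_gid;
 acl_t *sd_zdacl;
 acl_t *sd_zsacl;
 } smb_fssd_t;
 
 void smb_sd_init(smb_sd_t *, uint8_t);
 void smb_sd_term(smb_sd_t *);
 uint32_t smb_sd_get_secinfo(smb_sd_t *);
 uint32_t smb_sd_len(smb_sd_t *, uint32_t);
 uint32_t smb_sd_tofs(smb_sd_t *, smb_fssd_t *);
 
 void smb_fssd_init(smb_fssd_t *, uint32_t, uint32_t);
 void smb_fssd_term(smb_fssd_t *);
 
 void smb_acl_sort(smb_acl_t *);
 void smb_acl_free(smb_acl_t *);
 smb_acl_t *smb_acl_alloc(uint8_t, uint16_t, uint16_t);
 smb_acl_t *smb_acl_from_zfs(acl_t *);
 uint32_t smb_acl_to_zfs(smb_acl_t *, uint32_t, int, acl_t **);
 uint16_t smb_acl_len(smb_acl_t *);
 boolean_t smb_acl_isvalid(smb_acl_t *, int);
 
 void smb_fsacl_free(acl_t *);
 acl_t *smb_fsacl_alloc(int, int);
 
 #ifdef __cplusplus
 }
 #endif
 
 #endif /* _SMBSRV_NTIFS_H */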
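Review bot: `FILE_VALID_OPTION_FLAGS` is widened to `0x00ffffff` with no comment, so the mask now admits bit 0x00800000, which this header still names only `FILE_RESERVED2`, as well as bits it never defines (0x00000400, marked UNUSED, and 0x00010000 through 0x00080000). If this mask is what the create path uses to reject unknown CreateOptions sent by a client (its users are not visible on this page), a reader cannot tell that accepting the extra bit is deliberate or which bits the server actually acts on. I would add a comment above the define along the lines of `/* Full WinDDK option mask; a bit being valid here does not mean the server implements it. */`, after confirming that matches the intent. Separately, the two new `FILE_FS_INFORMATION_CLASS` entries are annotated `/* A */` and `/* B */` while every other entry in both enums is numbered in decimal; `/* 10 */` and `/* 11 */` would keep them consistent.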