1 // SPDX-License-Identifier: LGPL-2.1+
3 * Copyright (C) International Business Machines Corp., 2007,2008
4 * Author(s): Steve French (sfrench@us.ibm.com)
5 * Copyright (C) 2020 Samsung Electronics Co., Ltd.
6 * Author(s): Namjae Jeon <linkinjeon@kernel.org>
10 #include <linux/slab.h>
11 #include <linux/string.h>
12 #include <linux/mnt_idmapping.h>
15 #include "smb_common.h"
18 #include "mgmt/share_config.h"
20 static const struct smb_sid domain
= {1, 4, {0, 0, 0, 0, 0, 5},
21 {cpu_to_le32(21), cpu_to_le32(1), cpu_to_le32(2), cpu_to_le32(3),
22 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
24 /* security id for everyone/world system group */
25 static const struct smb_sid creator_owner
= {
26 1, 1, {0, 0, 0, 0, 0, 3}, {0} };
27 /* security id for everyone/world system group */
28 static const struct smb_sid creator_group
= {
29 1, 1, {0, 0, 0, 0, 0, 3}, {cpu_to_le32(1)} };
31 /* security id for everyone/world system group */
32 static const struct smb_sid sid_everyone
= {
33 1, 1, {0, 0, 0, 0, 0, 1}, {0} };
34 /* security id for Authenticated Users system group */
35 static const struct smb_sid sid_authusers
= {
36 1, 1, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(11)} };
38 /* S-1-22-1 Unmapped Unix users */
39 static const struct smb_sid sid_unix_users
= {1, 1, {0, 0, 0, 0, 0, 22},
40 {cpu_to_le32(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
42 /* S-1-22-2 Unmapped Unix groups */
43 static const struct smb_sid sid_unix_groups
= { 1, 1, {0, 0, 0, 0, 0, 22},
44 {cpu_to_le32(2), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
47 * See http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
50 /* S-1-5-88 MS NFS and Apple style UID/GID/mode */
52 /* S-1-5-88-1 Unix uid */
53 static const struct smb_sid sid_unix_NFS_users
= { 1, 2, {0, 0, 0, 0, 0, 5},
55 cpu_to_le32(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
57 /* S-1-5-88-2 Unix gid */
58 static const struct smb_sid sid_unix_NFS_groups
= { 1, 2, {0, 0, 0, 0, 0, 5},
60 cpu_to_le32(2), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
62 /* S-1-5-88-3 Unix mode */
63 static const struct smb_sid sid_unix_NFS_mode
= { 1, 2, {0, 0, 0, 0, 0, 5},
65 cpu_to_le32(3), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
68 * if the two SIDs (roughly equivalent to a UUID for a user or group) are
69 * the same returns zero, if they do not match returns non-zero.
71 int compare_sids(const struct smb_sid
*ctsid
, const struct smb_sid
*cwsid
)
74 int num_subauth
, num_sat
, num_saw
;
79 /* compare the revision */
80 if (ctsid
->revision
!= cwsid
->revision
) {
81 if (ctsid
->revision
> cwsid
->revision
)
87 /* compare all of the six auth values */
88 for (i
= 0; i
< NUM_AUTHS
; ++i
) {
89 if (ctsid
->authority
[i
] != cwsid
->authority
[i
]) {
90 if (ctsid
->authority
[i
] > cwsid
->authority
[i
])
97 /* compare all of the subauth values if any */
98 num_sat
= ctsid
->num_subauth
;
99 num_saw
= cwsid
->num_subauth
;
100 num_subauth
= min(num_sat
, num_saw
);
102 for (i
= 0; i
< num_subauth
; ++i
) {
103 if (ctsid
->sub_auth
[i
] != cwsid
->sub_auth
[i
]) {
104 if (le32_to_cpu(ctsid
->sub_auth
[i
]) >
105 le32_to_cpu(cwsid
->sub_auth
[i
]))
113 return 0; /* sids compare/match */
116 static void smb_copy_sid(struct smb_sid
*dst
, const struct smb_sid
*src
)
120 dst
->revision
= src
->revision
;
121 dst
->num_subauth
= min_t(u8
, src
->num_subauth
, SID_MAX_SUB_AUTHORITIES
);
122 for (i
= 0; i
< NUM_AUTHS
; ++i
)
123 dst
->authority
[i
] = src
->authority
[i
];
124 for (i
= 0; i
< dst
->num_subauth
; ++i
)
125 dst
->sub_auth
[i
] = src
->sub_auth
[i
];
129 * change posix mode to reflect permissions
130 * pmode is the existing mode (we only want to overwrite part of this
131 * bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
133 static umode_t
access_flags_to_mode(struct smb_fattr
*fattr
, __le32 ace_flags
,
136 __u32 flags
= le32_to_cpu(ace_flags
);
139 if (flags
& GENERIC_ALL
) {
141 ksmbd_debug(SMB
, "all perms\n");
145 if ((flags
& GENERIC_READ
) || (flags
& FILE_READ_RIGHTS
))
147 if ((flags
& GENERIC_WRITE
) || (flags
& FILE_WRITE_RIGHTS
)) {
149 if (S_ISDIR(fattr
->cf_mode
))
152 if ((flags
& GENERIC_EXECUTE
) || (flags
& FILE_EXEC_RIGHTS
))
155 if (type
== ACCESS_DENIED_ACE_TYPE
|| type
== ACCESS_DENIED_OBJECT_ACE_TYPE
)
158 ksmbd_debug(SMB
, "access flags 0x%x mode now %04o\n", flags
, mode
);
164 * Generate access flags to reflect permissions mode is the existing mode.
165 * This function is called for every ACE in the DACL whose SID matches
166 * with either owner or group or everyone.
168 static void mode_to_access_flags(umode_t mode
, umode_t bits_to_use
,
171 /* reset access mask */
174 /* bits to use are either S_IRWXU or S_IRWXG or S_IRWXO */
178 * check for R/W/X UGO since we do not know whose flags
179 * is this but we have cleared all the bits sans RWX for
180 * either user or group or other as per bits_to_use
183 *pace_flags
|= SET_FILE_READ_RIGHTS
;
185 *pace_flags
|= FILE_WRITE_RIGHTS
;
187 *pace_flags
|= SET_FILE_EXEC_RIGHTS
;
189 ksmbd_debug(SMB
, "mode: %o, access flags now 0x%x\n",
193 static __u16
fill_ace_for_sid(struct smb_ace
*pntace
,
194 const struct smb_sid
*psid
, int type
, int flags
,
195 umode_t mode
, umode_t bits
)
199 __u32 access_req
= 0;
202 pntace
->flags
= flags
;
203 mode_to_access_flags(mode
, bits
, &access_req
);
205 access_req
= SET_MINIMUM_RIGHTS
;
206 pntace
->access_req
= cpu_to_le32(access_req
);
208 pntace
->sid
.revision
= psid
->revision
;
209 pntace
->sid
.num_subauth
= psid
->num_subauth
;
210 for (i
= 0; i
< NUM_AUTHS
; i
++)
211 pntace
->sid
.authority
[i
] = psid
->authority
[i
];
212 for (i
= 0; i
< psid
->num_subauth
; i
++)
213 pntace
->sid
.sub_auth
[i
] = psid
->sub_auth
[i
];
215 size
= 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid
->num_subauth
* 4);
216 pntace
->size
= cpu_to_le16(size
);
221 void id_to_sid(unsigned int cid
, uint sidtype
, struct smb_sid
*ssid
)
225 smb_copy_sid(ssid
, &server_conf
.domain_sid
);
228 smb_copy_sid(ssid
, &sid_unix_users
);
231 smb_copy_sid(ssid
, &sid_unix_groups
);
233 case SIDCREATOR_OWNER
:
234 smb_copy_sid(ssid
, &creator_owner
);
236 case SIDCREATOR_GROUP
:
237 smb_copy_sid(ssid
, &creator_group
);
240 smb_copy_sid(ssid
, &sid_unix_NFS_users
);
243 smb_copy_sid(ssid
, &sid_unix_NFS_groups
);
246 smb_copy_sid(ssid
, &sid_unix_NFS_mode
);
253 ssid
->sub_auth
[ssid
->num_subauth
] = cpu_to_le32(cid
);
257 static int sid_to_id(struct mnt_idmap
*idmap
,
258 struct smb_sid
*psid
, uint sidtype
,
259 struct smb_fattr
*fattr
)
264 * If we have too many subauthorities, then something is really wrong.
265 * Just return an error.
267 if (unlikely(psid
->num_subauth
> SID_MAX_SUB_AUTHORITIES
)) {
268 pr_err("%s: %u subauthorities is too many!\n",
269 __func__
, psid
->num_subauth
);
273 if (sidtype
== SIDOWNER
) {
277 id
= le32_to_cpu(psid
->sub_auth
[psid
->num_subauth
- 1]);
278 uid
= KUIDT_INIT(id
);
279 uid
= from_vfsuid(idmap
, &init_user_ns
, VFSUIDT_INIT(uid
));
280 if (uid_valid(uid
)) {
288 id
= le32_to_cpu(psid
->sub_auth
[psid
->num_subauth
- 1]);
289 gid
= KGIDT_INIT(id
);
290 gid
= from_vfsgid(idmap
, &init_user_ns
, VFSGIDT_INIT(gid
));
291 if (gid_valid(gid
)) {
300 void posix_state_to_acl(struct posix_acl_state
*state
,
301 struct posix_acl_entry
*pace
)
305 pace
->e_tag
= ACL_USER_OBJ
;
306 pace
->e_perm
= state
->owner
.allow
;
307 for (i
= 0; i
< state
->users
->n
; i
++) {
309 pace
->e_tag
= ACL_USER
;
310 pace
->e_uid
= state
->users
->aces
[i
].uid
;
311 pace
->e_perm
= state
->users
->aces
[i
].perms
.allow
;
315 pace
->e_tag
= ACL_GROUP_OBJ
;
316 pace
->e_perm
= state
->group
.allow
;
318 for (i
= 0; i
< state
->groups
->n
; i
++) {
320 pace
->e_tag
= ACL_GROUP
;
321 pace
->e_gid
= state
->groups
->aces
[i
].gid
;
322 pace
->e_perm
= state
->groups
->aces
[i
].perms
.allow
;
325 if (state
->users
->n
|| state
->groups
->n
) {
327 pace
->e_tag
= ACL_MASK
;
328 pace
->e_perm
= state
->mask
.allow
;
332 pace
->e_tag
= ACL_OTHER
;
333 pace
->e_perm
= state
->other
.allow
;
336 int init_acl_state(struct posix_acl_state
*state
, int cnt
)
340 memset(state
, 0, sizeof(struct posix_acl_state
));
342 * In the worst case, each individual acl could be for a distinct
343 * named user or group, but we don't know which, so we allocate
344 * enough space for either:
346 alloc
= sizeof(struct posix_ace_state_array
)
347 + cnt
* sizeof(struct posix_user_ace_state
);
348 state
->users
= kzalloc(alloc
, GFP_KERNEL
);
351 state
->groups
= kzalloc(alloc
, GFP_KERNEL
);
352 if (!state
->groups
) {
359 void free_acl_state(struct posix_acl_state
*state
)
362 kfree(state
->groups
);
365 static void parse_dacl(struct mnt_idmap
*idmap
,
366 struct smb_acl
*pdacl
, char *end_of_acl
,
367 struct smb_sid
*pownersid
, struct smb_sid
*pgrpsid
,
368 struct smb_fattr
*fattr
)
372 unsigned int acl_size
;
374 struct smb_ace
**ppace
;
375 struct posix_acl_entry
*cf_pace
, *cf_pdace
;
376 struct posix_acl_state acl_state
, default_acl_state
;
377 umode_t mode
= 0, acl_mode
;
378 bool owner_found
= false, group_found
= false, others_found
= false;
383 /* validate that we do not go past end of acl */
384 if (end_of_acl
< (char *)pdacl
+ sizeof(struct smb_acl
) ||
385 end_of_acl
< (char *)pdacl
+ le16_to_cpu(pdacl
->size
)) {
386 pr_err("ACL too small to parse DACL\n");
390 ksmbd_debug(SMB
, "DACL revision %d size %d num aces %d\n",
391 le16_to_cpu(pdacl
->revision
), le16_to_cpu(pdacl
->size
),
392 le32_to_cpu(pdacl
->num_aces
));
394 acl_base
= (char *)pdacl
;
395 acl_size
= sizeof(struct smb_acl
);
397 num_aces
= le32_to_cpu(pdacl
->num_aces
);
401 if (num_aces
> ULONG_MAX
/ sizeof(struct smb_ace
*))
404 ppace
= kmalloc_array(num_aces
, sizeof(struct smb_ace
*), GFP_KERNEL
);
408 ret
= init_acl_state(&acl_state
, num_aces
);
411 ret
= init_acl_state(&default_acl_state
, num_aces
);
413 free_acl_state(&acl_state
);
418 * reset rwx permissions for user/group/other.
419 * Also, if num_aces is 0 i.e. DACL has no ACEs,
420 * user/group/other have no permissions
422 for (i
= 0; i
< num_aces
; ++i
) {
423 if (end_of_acl
- acl_base
< acl_size
)
426 ppace
[i
] = (struct smb_ace
*)(acl_base
+ acl_size
);
427 acl_base
= (char *)ppace
[i
];
428 acl_size
= offsetof(struct smb_ace
, sid
) +
429 offsetof(struct smb_sid
, sub_auth
);
431 if (end_of_acl
- acl_base
< acl_size
||
432 ppace
[i
]->sid
.num_subauth
> SID_MAX_SUB_AUTHORITIES
||
433 (end_of_acl
- acl_base
<
434 acl_size
+ sizeof(__le32
) * ppace
[i
]->sid
.num_subauth
) ||
435 (le16_to_cpu(ppace
[i
]->size
) <
436 acl_size
+ sizeof(__le32
) * ppace
[i
]->sid
.num_subauth
))
439 acl_size
= le16_to_cpu(ppace
[i
]->size
);
440 ppace
[i
]->access_req
=
441 smb_map_generic_desired_access(ppace
[i
]->access_req
);
443 if (!(compare_sids(&ppace
[i
]->sid
, &sid_unix_NFS_mode
))) {
445 le32_to_cpu(ppace
[i
]->sid
.sub_auth
[2]);
447 } else if (!compare_sids(&ppace
[i
]->sid
, pownersid
)) {
448 acl_mode
= access_flags_to_mode(fattr
,
449 ppace
[i
]->access_req
,
458 } else if (!compare_sids(&ppace
[i
]->sid
, pgrpsid
) ||
459 ppace
[i
]->sid
.sub_auth
[ppace
[i
]->sid
.num_subauth
- 1] ==
460 DOMAIN_USER_RID_LE
) {
461 acl_mode
= access_flags_to_mode(fattr
,
462 ppace
[i
]->access_req
,
470 } else if (!compare_sids(&ppace
[i
]->sid
, &sid_everyone
)) {
471 acl_mode
= access_flags_to_mode(fattr
,
472 ppace
[i
]->access_req
,
480 } else if (!compare_sids(&ppace
[i
]->sid
, &creator_owner
)) {
482 } else if (!compare_sids(&ppace
[i
]->sid
, &creator_group
)) {
484 } else if (!compare_sids(&ppace
[i
]->sid
, &sid_authusers
)) {
487 struct smb_fattr temp_fattr
;
489 acl_mode
= access_flags_to_mode(fattr
, ppace
[i
]->access_req
,
491 temp_fattr
.cf_uid
= INVALID_UID
;
492 ret
= sid_to_id(idmap
, &ppace
[i
]->sid
, SIDOWNER
, &temp_fattr
);
493 if (ret
|| uid_eq(temp_fattr
.cf_uid
, INVALID_UID
)) {
494 pr_err("%s: Error %d mapping Owner SID to uid\n",
499 acl_state
.owner
.allow
= ((acl_mode
& 0700) >> 6) | 0004;
500 acl_state
.users
->aces
[acl_state
.users
->n
].uid
=
502 acl_state
.users
->aces
[acl_state
.users
->n
++].perms
.allow
=
503 ((acl_mode
& 0700) >> 6) | 0004;
504 default_acl_state
.owner
.allow
= ((acl_mode
& 0700) >> 6) | 0004;
505 default_acl_state
.users
->aces
[default_acl_state
.users
->n
].uid
=
507 default_acl_state
.users
->aces
[default_acl_state
.users
->n
++].perms
.allow
=
508 ((acl_mode
& 0700) >> 6) | 0004;
514 /* The owner must be set to at least read-only. */
515 acl_state
.owner
.allow
= ((mode
& 0700) >> 6) | 0004;
516 acl_state
.users
->aces
[acl_state
.users
->n
].uid
= fattr
->cf_uid
;
517 acl_state
.users
->aces
[acl_state
.users
->n
++].perms
.allow
=
518 ((mode
& 0700) >> 6) | 0004;
519 default_acl_state
.owner
.allow
= ((mode
& 0700) >> 6) | 0004;
520 default_acl_state
.users
->aces
[default_acl_state
.users
->n
].uid
=
522 default_acl_state
.users
->aces
[default_acl_state
.users
->n
++].perms
.allow
=
523 ((mode
& 0700) >> 6) | 0004;
527 acl_state
.group
.allow
= (mode
& 0070) >> 3;
528 acl_state
.groups
->aces
[acl_state
.groups
->n
].gid
=
530 acl_state
.groups
->aces
[acl_state
.groups
->n
++].perms
.allow
=
532 default_acl_state
.group
.allow
= (mode
& 0070) >> 3;
533 default_acl_state
.groups
->aces
[default_acl_state
.groups
->n
].gid
=
535 default_acl_state
.groups
->aces
[default_acl_state
.groups
->n
++].perms
.allow
=
540 fattr
->cf_mode
&= ~(0007);
541 fattr
->cf_mode
|= mode
& 0007;
543 acl_state
.other
.allow
= mode
& 0007;
544 default_acl_state
.other
.allow
= mode
& 0007;
547 if (acl_state
.users
->n
|| acl_state
.groups
->n
) {
548 acl_state
.mask
.allow
= 0x07;
550 if (IS_ENABLED(CONFIG_FS_POSIX_ACL
)) {
552 posix_acl_alloc(acl_state
.users
->n
+
553 acl_state
.groups
->n
+ 4, GFP_KERNEL
);
554 if (fattr
->cf_acls
) {
555 cf_pace
= fattr
->cf_acls
->a_entries
;
556 posix_state_to_acl(&acl_state
, cf_pace
);
561 if (default_acl_state
.users
->n
|| default_acl_state
.groups
->n
) {
562 default_acl_state
.mask
.allow
= 0x07;
564 if (IS_ENABLED(CONFIG_FS_POSIX_ACL
)) {
566 posix_acl_alloc(default_acl_state
.users
->n
+
567 default_acl_state
.groups
->n
+ 4, GFP_KERNEL
);
568 if (fattr
->cf_dacls
) {
569 cf_pdace
= fattr
->cf_dacls
->a_entries
;
570 posix_state_to_acl(&default_acl_state
, cf_pdace
);
574 free_acl_state(&acl_state
);
575 free_acl_state(&default_acl_state
);
578 static void set_posix_acl_entries_dacl(struct mnt_idmap
*idmap
,
579 struct smb_ace
*pndace
,
580 struct smb_fattr
*fattr
, u32
*num_aces
,
581 u16
*size
, u32 nt_aces_num
)
583 struct posix_acl_entry
*pace
;
585 struct smb_ace
*ntace
;
589 goto posix_default_acl
;
591 pace
= fattr
->cf_acls
->a_entries
;
592 for (i
= 0; i
< fattr
->cf_acls
->a_count
; i
++, pace
++) {
595 sid
= kmalloc(sizeof(struct smb_sid
), GFP_KERNEL
);
599 if (pace
->e_tag
== ACL_USER
) {
601 unsigned int sid_type
= SIDOWNER
;
603 uid
= posix_acl_uid_translate(idmap
, pace
);
605 sid_type
= SIDUNIX_USER
;
606 id_to_sid(uid
, sid_type
, sid
);
607 } else if (pace
->e_tag
== ACL_GROUP
) {
610 gid
= posix_acl_gid_translate(idmap
, pace
);
611 id_to_sid(gid
, SIDUNIX_GROUP
, sid
);
612 } else if (pace
->e_tag
== ACL_OTHER
&& !nt_aces_num
) {
613 smb_copy_sid(sid
, &sid_everyone
);
619 for (j
= 0; j
< nt_aces_num
; j
++) {
620 if (ntace
->sid
.sub_auth
[ntace
->sid
.num_subauth
- 1] ==
621 sid
->sub_auth
[sid
->num_subauth
- 1])
623 ntace
= (struct smb_ace
*)((char *)ntace
+
624 le16_to_cpu(ntace
->size
));
627 if (S_ISDIR(fattr
->cf_mode
) && pace
->e_tag
== ACL_OTHER
)
630 ntace
= (struct smb_ace
*)((char *)pndace
+ *size
);
631 *size
+= fill_ace_for_sid(ntace
, sid
, ACCESS_ALLOWED
, flags
,
634 if (pace
->e_tag
== ACL_USER
)
636 FILE_DELETE_LE
| FILE_DELETE_CHILD_LE
;
638 if (S_ISDIR(fattr
->cf_mode
) &&
639 (pace
->e_tag
== ACL_USER
|| pace
->e_tag
== ACL_GROUP
)) {
640 ntace
= (struct smb_ace
*)((char *)pndace
+ *size
);
641 *size
+= fill_ace_for_sid(ntace
, sid
, ACCESS_ALLOWED
,
642 0x03, pace
->e_perm
, 0777);
644 if (pace
->e_tag
== ACL_USER
)
646 FILE_DELETE_LE
| FILE_DELETE_CHILD_LE
;
657 if (!fattr
->cf_dacls
)
660 pace
= fattr
->cf_dacls
->a_entries
;
661 for (i
= 0; i
< fattr
->cf_dacls
->a_count
; i
++, pace
++) {
662 sid
= kmalloc(sizeof(struct smb_sid
), GFP_KERNEL
);
666 if (pace
->e_tag
== ACL_USER
) {
669 uid
= posix_acl_uid_translate(idmap
, pace
);
670 id_to_sid(uid
, SIDCREATOR_OWNER
, sid
);
671 } else if (pace
->e_tag
== ACL_GROUP
) {
674 gid
= posix_acl_gid_translate(idmap
, pace
);
675 id_to_sid(gid
, SIDCREATOR_GROUP
, sid
);
681 ntace
= (struct smb_ace
*)((char *)pndace
+ *size
);
682 *size
+= fill_ace_for_sid(ntace
, sid
, ACCESS_ALLOWED
, 0x0b,
685 if (pace
->e_tag
== ACL_USER
)
687 FILE_DELETE_LE
| FILE_DELETE_CHILD_LE
;
692 static void set_ntacl_dacl(struct mnt_idmap
*idmap
,
693 struct smb_acl
*pndacl
,
694 struct smb_acl
*nt_dacl
,
695 unsigned int aces_size
,
696 const struct smb_sid
*pownersid
,
697 const struct smb_sid
*pgrpsid
,
698 struct smb_fattr
*fattr
)
700 struct smb_ace
*ntace
, *pndace
;
701 int nt_num_aces
= le32_to_cpu(nt_dacl
->num_aces
), num_aces
= 0;
702 unsigned short size
= 0;
705 pndace
= (struct smb_ace
*)((char *)pndacl
+ sizeof(struct smb_acl
));
707 ntace
= (struct smb_ace
*)((char *)nt_dacl
+ sizeof(struct smb_acl
));
708 for (i
= 0; i
< nt_num_aces
; i
++) {
709 unsigned short nt_ace_size
;
711 if (offsetof(struct smb_ace
, access_req
) > aces_size
)
714 nt_ace_size
= le16_to_cpu(ntace
->size
);
715 if (nt_ace_size
> aces_size
)
718 memcpy((char *)pndace
+ size
, ntace
, nt_ace_size
);
720 aces_size
-= nt_ace_size
;
721 ntace
= (struct smb_ace
*)((char *)ntace
+ nt_ace_size
);
726 set_posix_acl_entries_dacl(idmap
, pndace
, fattr
,
727 &num_aces
, &size
, nt_num_aces
);
728 pndacl
->num_aces
= cpu_to_le32(num_aces
);
729 pndacl
->size
= cpu_to_le16(le16_to_cpu(pndacl
->size
) + size
);
732 static void set_mode_dacl(struct mnt_idmap
*idmap
,
733 struct smb_acl
*pndacl
, struct smb_fattr
*fattr
)
735 struct smb_ace
*pace
, *pndace
;
737 u16 size
= 0, ace_size
= 0;
739 const struct smb_sid
*sid
;
741 pace
= pndace
= (struct smb_ace
*)((char *)pndacl
+ sizeof(struct smb_acl
));
743 if (fattr
->cf_acls
) {
744 set_posix_acl_entries_dacl(idmap
, pndace
, fattr
,
745 &num_aces
, &size
, num_aces
);
750 uid
= from_kuid(&init_user_ns
, fattr
->cf_uid
);
752 sid
= &server_conf
.domain_sid
;
754 sid
= &sid_unix_users
;
755 ace_size
= fill_ace_for_sid(pace
, sid
, ACCESS_ALLOWED
, 0,
756 fattr
->cf_mode
, 0700);
757 pace
->sid
.sub_auth
[pace
->sid
.num_subauth
++] = cpu_to_le32(uid
);
758 pace
->size
= cpu_to_le16(ace_size
+ 4);
759 size
+= le16_to_cpu(pace
->size
);
760 pace
= (struct smb_ace
*)((char *)pndace
+ size
);
763 ace_size
= fill_ace_for_sid(pace
, &sid_unix_groups
,
764 ACCESS_ALLOWED
, 0, fattr
->cf_mode
, 0070);
765 pace
->sid
.sub_auth
[pace
->sid
.num_subauth
++] =
766 cpu_to_le32(from_kgid(&init_user_ns
, fattr
->cf_gid
));
767 pace
->size
= cpu_to_le16(ace_size
+ 4);
768 size
+= le16_to_cpu(pace
->size
);
769 pace
= (struct smb_ace
*)((char *)pndace
+ size
);
772 if (S_ISDIR(fattr
->cf_mode
)) {
773 pace
= (struct smb_ace
*)((char *)pndace
+ size
);
776 size
+= fill_ace_for_sid(pace
, &creator_owner
, ACCESS_ALLOWED
,
777 0x0b, fattr
->cf_mode
, 0700);
778 pace
= (struct smb_ace
*)((char *)pndace
+ size
);
781 size
+= fill_ace_for_sid(pace
, &creator_group
, ACCESS_ALLOWED
,
782 0x0b, fattr
->cf_mode
, 0070);
783 pace
= (struct smb_ace
*)((char *)pndace
+ size
);
788 size
+= fill_ace_for_sid(pace
, &sid_everyone
, ACCESS_ALLOWED
, 0,
789 fattr
->cf_mode
, 0007);
792 pndacl
->num_aces
= cpu_to_le32(num_aces
);
793 pndacl
->size
= cpu_to_le16(le16_to_cpu(pndacl
->size
) + size
);
796 static int parse_sid(struct smb_sid
*psid
, char *end_of_acl
)
799 * validate that we do not go past end of ACL - sid must be at least 8
800 * bytes long (assuming no sub-auths - e.g. the null SID
802 if (end_of_acl
< (char *)psid
+ 8) {
803 pr_err("ACL too small to parse SID %p\n", psid
);
810 /* Convert CIFS ACL to POSIX form */
811 int parse_sec_desc(struct mnt_idmap
*idmap
, struct smb_ntsd
*pntsd
,
812 int acl_len
, struct smb_fattr
*fattr
)
815 struct smb_sid
*owner_sid_ptr
, *group_sid_ptr
;
816 struct smb_acl
*dacl_ptr
; /* no need for SACL ptr */
817 char *end_of_acl
= ((char *)pntsd
) + acl_len
;
824 if (acl_len
< sizeof(struct smb_ntsd
))
827 owner_sid_ptr
= (struct smb_sid
*)((char *)pntsd
+
828 le32_to_cpu(pntsd
->osidoffset
));
829 group_sid_ptr
= (struct smb_sid
*)((char *)pntsd
+
830 le32_to_cpu(pntsd
->gsidoffset
));
831 dacloffset
= le32_to_cpu(pntsd
->dacloffset
);
832 dacl_ptr
= (struct smb_acl
*)((char *)pntsd
+ dacloffset
);
834 "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
835 pntsd
->revision
, pntsd
->type
, le32_to_cpu(pntsd
->osidoffset
),
836 le32_to_cpu(pntsd
->gsidoffset
),
837 le32_to_cpu(pntsd
->sacloffset
), dacloffset
);
839 pntsd_type
= le16_to_cpu(pntsd
->type
);
840 if (!(pntsd_type
& DACL_PRESENT
)) {
841 ksmbd_debug(SMB
, "DACL_PRESENT in DACL type is not set\n");
845 pntsd
->type
= cpu_to_le16(DACL_PRESENT
);
847 if (pntsd
->osidoffset
) {
848 rc
= parse_sid(owner_sid_ptr
, end_of_acl
);
850 pr_err("%s: Error %d parsing Owner SID\n", __func__
, rc
);
854 rc
= sid_to_id(idmap
, owner_sid_ptr
, SIDOWNER
, fattr
);
856 pr_err("%s: Error %d mapping Owner SID to uid\n",
858 owner_sid_ptr
= NULL
;
862 if (pntsd
->gsidoffset
) {
863 rc
= parse_sid(group_sid_ptr
, end_of_acl
);
865 pr_err("%s: Error %d mapping Owner SID to gid\n",
869 rc
= sid_to_id(idmap
, group_sid_ptr
, SIDUNIX_GROUP
, fattr
);
871 pr_err("%s: Error %d mapping Group SID to gid\n",
873 group_sid_ptr
= NULL
;
877 if ((pntsd_type
& (DACL_AUTO_INHERITED
| DACL_AUTO_INHERIT_REQ
)) ==
878 (DACL_AUTO_INHERITED
| DACL_AUTO_INHERIT_REQ
))
879 pntsd
->type
|= cpu_to_le16(DACL_AUTO_INHERITED
);
880 if (pntsd_type
& DACL_PROTECTED
)
881 pntsd
->type
|= cpu_to_le16(DACL_PROTECTED
);
884 parse_dacl(idmap
, dacl_ptr
, end_of_acl
,
885 owner_sid_ptr
, group_sid_ptr
, fattr
);
891 /* Convert permission bits from mode to equivalent CIFS ACL */
892 int build_sec_desc(struct mnt_idmap
*idmap
,
893 struct smb_ntsd
*pntsd
, struct smb_ntsd
*ppntsd
,
894 int ppntsd_size
, int addition_info
, __u32
*secdesclen
,
895 struct smb_fattr
*fattr
)
899 struct smb_sid
*owner_sid_ptr
, *group_sid_ptr
;
900 struct smb_sid
*nowner_sid_ptr
, *ngroup_sid_ptr
;
901 struct smb_acl
*dacl_ptr
= NULL
; /* no need for SACL ptr */
904 unsigned int sid_type
= SIDOWNER
;
906 nowner_sid_ptr
= kmalloc(sizeof(struct smb_sid
), GFP_KERNEL
);
910 uid
= from_kuid(&init_user_ns
, fattr
->cf_uid
);
912 sid_type
= SIDUNIX_USER
;
913 id_to_sid(uid
, sid_type
, nowner_sid_ptr
);
915 ngroup_sid_ptr
= kmalloc(sizeof(struct smb_sid
), GFP_KERNEL
);
916 if (!ngroup_sid_ptr
) {
917 kfree(nowner_sid_ptr
);
921 gid
= from_kgid(&init_user_ns
, fattr
->cf_gid
);
922 id_to_sid(gid
, SIDUNIX_GROUP
, ngroup_sid_ptr
);
924 offset
= sizeof(struct smb_ntsd
);
925 pntsd
->sacloffset
= 0;
926 pntsd
->revision
= cpu_to_le16(1);
927 pntsd
->type
= cpu_to_le16(SELF_RELATIVE
);
929 pntsd
->type
|= ppntsd
->type
;
931 if (addition_info
& OWNER_SECINFO
) {
932 pntsd
->osidoffset
= cpu_to_le32(offset
);
933 owner_sid_ptr
= (struct smb_sid
*)((char *)pntsd
+ offset
);
934 smb_copy_sid(owner_sid_ptr
, nowner_sid_ptr
);
935 offset
+= 1 + 1 + 6 + (nowner_sid_ptr
->num_subauth
* 4);
938 if (addition_info
& GROUP_SECINFO
) {
939 pntsd
->gsidoffset
= cpu_to_le32(offset
);
940 group_sid_ptr
= (struct smb_sid
*)((char *)pntsd
+ offset
);
941 smb_copy_sid(group_sid_ptr
, ngroup_sid_ptr
);
942 offset
+= 1 + 1 + 6 + (ngroup_sid_ptr
->num_subauth
* 4);
945 if (addition_info
& DACL_SECINFO
) {
946 pntsd
->type
|= cpu_to_le16(DACL_PRESENT
);
947 dacl_ptr
= (struct smb_acl
*)((char *)pntsd
+ offset
);
948 dacl_ptr
->revision
= cpu_to_le16(2);
949 dacl_ptr
->size
= cpu_to_le16(sizeof(struct smb_acl
));
950 dacl_ptr
->num_aces
= 0;
953 set_mode_dacl(idmap
, dacl_ptr
, fattr
);
955 struct smb_acl
*ppdacl_ptr
;
956 unsigned int dacl_offset
= le32_to_cpu(ppntsd
->dacloffset
);
957 int ppdacl_size
, ntacl_size
= ppntsd_size
- dacl_offset
;
960 (dacl_offset
+ sizeof(struct smb_acl
) > ppntsd_size
))
963 ppdacl_ptr
= (struct smb_acl
*)((char *)ppntsd
+ dacl_offset
);
964 ppdacl_size
= le16_to_cpu(ppdacl_ptr
->size
);
965 if (ppdacl_size
> ntacl_size
||
966 ppdacl_size
< sizeof(struct smb_acl
))
969 set_ntacl_dacl(idmap
, dacl_ptr
, ppdacl_ptr
,
970 ntacl_size
- sizeof(struct smb_acl
),
971 nowner_sid_ptr
, ngroup_sid_ptr
,
974 pntsd
->dacloffset
= cpu_to_le32(offset
);
975 offset
+= le16_to_cpu(dacl_ptr
->size
);
979 kfree(nowner_sid_ptr
);
980 kfree(ngroup_sid_ptr
);
981 *secdesclen
= offset
;
985 static void smb_set_ace(struct smb_ace
*ace
, const struct smb_sid
*sid
, u8 type
,
986 u8 flags
, __le32 access_req
)
990 ace
->access_req
= access_req
;
991 smb_copy_sid(&ace
->sid
, sid
);
992 ace
->size
= cpu_to_le16(1 + 1 + 2 + 4 + 1 + 1 + 6 + (sid
->num_subauth
* 4));
995 int smb_inherit_dacl(struct ksmbd_conn
*conn
,
996 const struct path
*path
,
997 unsigned int uid
, unsigned int gid
)
999 const struct smb_sid
*psid
, *creator
= NULL
;
1000 struct smb_ace
*parent_aces
, *aces
;
1001 struct smb_acl
*parent_pdacl
;
1002 struct smb_ntsd
*parent_pntsd
= NULL
;
1003 struct smb_sid owner_sid
, group_sid
;
1004 struct dentry
*parent
= path
->dentry
->d_parent
;
1005 struct mnt_idmap
*idmap
= mnt_idmap(path
->mnt
);
1006 int inherited_flags
= 0, flags
= 0, i
, ace_cnt
= 0, nt_size
= 0, pdacl_size
;
1007 int rc
= 0, num_aces
, dacloffset
, pntsd_type
, pntsd_size
, acl_len
, aces_size
;
1009 bool is_dir
= S_ISDIR(d_inode(path
->dentry
)->i_mode
);
1011 pntsd_size
= ksmbd_vfs_get_sd_xattr(conn
, idmap
,
1012 parent
, &parent_pntsd
);
1013 if (pntsd_size
<= 0)
1015 dacloffset
= le32_to_cpu(parent_pntsd
->dacloffset
);
1016 if (!dacloffset
|| (dacloffset
+ sizeof(struct smb_acl
) > pntsd_size
)) {
1018 goto free_parent_pntsd
;
1021 parent_pdacl
= (struct smb_acl
*)((char *)parent_pntsd
+ dacloffset
);
1022 acl_len
= pntsd_size
- dacloffset
;
1023 num_aces
= le32_to_cpu(parent_pdacl
->num_aces
);
1024 pntsd_type
= le16_to_cpu(parent_pntsd
->type
);
1025 pdacl_size
= le16_to_cpu(parent_pdacl
->size
);
1027 if (pdacl_size
> acl_len
|| pdacl_size
< sizeof(struct smb_acl
)) {
1029 goto free_parent_pntsd
;
1032 aces_base
= kmalloc(sizeof(struct smb_ace
) * num_aces
* 2, GFP_KERNEL
);
1035 goto free_parent_pntsd
;
1038 aces
= (struct smb_ace
*)aces_base
;
1039 parent_aces
= (struct smb_ace
*)((char *)parent_pdacl
+
1040 sizeof(struct smb_acl
));
1041 aces_size
= acl_len
- sizeof(struct smb_acl
);
1043 if (pntsd_type
& DACL_AUTO_INHERITED
)
1044 inherited_flags
= INHERITED_ACE
;
1046 for (i
= 0; i
< num_aces
; i
++) {
1049 if (offsetof(struct smb_ace
, access_req
) > aces_size
)
1052 pace_size
= le16_to_cpu(parent_aces
->size
);
1053 if (pace_size
> aces_size
)
1056 aces_size
-= pace_size
;
1058 flags
= parent_aces
->flags
;
1059 if (!smb_inherit_flags(flags
, is_dir
))
1062 flags
&= ~(INHERIT_ONLY_ACE
| INHERITED_ACE
);
1063 if (!(flags
& CONTAINER_INHERIT_ACE
))
1064 flags
|= INHERIT_ONLY_ACE
;
1065 if (flags
& NO_PROPAGATE_INHERIT_ACE
)
1071 if (!compare_sids(&creator_owner
, &parent_aces
->sid
)) {
1072 creator
= &creator_owner
;
1073 id_to_sid(uid
, SIDOWNER
, &owner_sid
);
1075 } else if (!compare_sids(&creator_group
, &parent_aces
->sid
)) {
1076 creator
= &creator_group
;
1077 id_to_sid(gid
, SIDUNIX_GROUP
, &group_sid
);
1081 psid
= &parent_aces
->sid
;
1084 if (is_dir
&& creator
&& flags
& CONTAINER_INHERIT_ACE
) {
1085 smb_set_ace(aces
, psid
, parent_aces
->type
, inherited_flags
,
1086 parent_aces
->access_req
);
1087 nt_size
+= le16_to_cpu(aces
->size
);
1089 aces
= (struct smb_ace
*)((char *)aces
+ le16_to_cpu(aces
->size
));
1090 flags
|= INHERIT_ONLY_ACE
;
1092 } else if (is_dir
&& !(parent_aces
->flags
& NO_PROPAGATE_INHERIT_ACE
)) {
1093 psid
= &parent_aces
->sid
;
1096 smb_set_ace(aces
, psid
, parent_aces
->type
, flags
| inherited_flags
,
1097 parent_aces
->access_req
);
1098 nt_size
+= le16_to_cpu(aces
->size
);
1099 aces
= (struct smb_ace
*)((char *)aces
+ le16_to_cpu(aces
->size
));
1102 parent_aces
= (struct smb_ace
*)((char *)parent_aces
+ pace_size
);
1106 struct smb_ntsd
*pntsd
;
1107 struct smb_acl
*pdacl
;
1108 struct smb_sid
*powner_sid
= NULL
, *pgroup_sid
= NULL
;
1109 int powner_sid_size
= 0, pgroup_sid_size
= 0, pntsd_size
;
1110 int pntsd_alloc_size
;
1112 if (parent_pntsd
->osidoffset
) {
1113 powner_sid
= (struct smb_sid
*)((char *)parent_pntsd
+
1114 le32_to_cpu(parent_pntsd
->osidoffset
));
1115 powner_sid_size
= 1 + 1 + 6 + (powner_sid
->num_subauth
* 4);
1117 if (parent_pntsd
->gsidoffset
) {
1118 pgroup_sid
= (struct smb_sid
*)((char *)parent_pntsd
+
1119 le32_to_cpu(parent_pntsd
->gsidoffset
));
1120 pgroup_sid_size
= 1 + 1 + 6 + (pgroup_sid
->num_subauth
* 4);
1123 pntsd_alloc_size
= sizeof(struct smb_ntsd
) + powner_sid_size
+
1124 pgroup_sid_size
+ sizeof(struct smb_acl
) + nt_size
;
1126 pntsd
= kzalloc(pntsd_alloc_size
, GFP_KERNEL
);
1129 goto free_aces_base
;
1132 pntsd
->revision
= cpu_to_le16(1);
1133 pntsd
->type
= cpu_to_le16(SELF_RELATIVE
| DACL_PRESENT
);
1134 if (le16_to_cpu(parent_pntsd
->type
) & DACL_AUTO_INHERITED
)
1135 pntsd
->type
|= cpu_to_le16(DACL_AUTO_INHERITED
);
1136 pntsd_size
= sizeof(struct smb_ntsd
);
1137 pntsd
->osidoffset
= parent_pntsd
->osidoffset
;
1138 pntsd
->gsidoffset
= parent_pntsd
->gsidoffset
;
1139 pntsd
->dacloffset
= parent_pntsd
->dacloffset
;
1141 if ((u64
)le32_to_cpu(pntsd
->osidoffset
) + powner_sid_size
>
1145 goto free_aces_base
;
1148 if ((u64
)le32_to_cpu(pntsd
->gsidoffset
) + pgroup_sid_size
>
1152 goto free_aces_base
;
1155 if ((u64
)le32_to_cpu(pntsd
->dacloffset
) + sizeof(struct smb_acl
) + nt_size
>
1159 goto free_aces_base
;
1162 if (pntsd
->osidoffset
) {
1163 struct smb_sid
*owner_sid
= (struct smb_sid
*)((char *)pntsd
+
1164 le32_to_cpu(pntsd
->osidoffset
));
1165 memcpy(owner_sid
, powner_sid
, powner_sid_size
);
1166 pntsd_size
+= powner_sid_size
;
1169 if (pntsd
->gsidoffset
) {
1170 struct smb_sid
*group_sid
= (struct smb_sid
*)((char *)pntsd
+
1171 le32_to_cpu(pntsd
->gsidoffset
));
1172 memcpy(group_sid
, pgroup_sid
, pgroup_sid_size
);
1173 pntsd_size
+= pgroup_sid_size
;
1176 if (pntsd
->dacloffset
) {
1177 struct smb_ace
*pace
;
1179 pdacl
= (struct smb_acl
*)((char *)pntsd
+ le32_to_cpu(pntsd
->dacloffset
));
1180 pdacl
->revision
= cpu_to_le16(2);
1181 pdacl
->size
= cpu_to_le16(sizeof(struct smb_acl
) + nt_size
);
1182 pdacl
->num_aces
= cpu_to_le32(ace_cnt
);
1183 pace
= (struct smb_ace
*)((char *)pdacl
+ sizeof(struct smb_acl
));
1184 memcpy(pace
, aces_base
, nt_size
);
1185 pntsd_size
+= sizeof(struct smb_acl
) + nt_size
;
1188 ksmbd_vfs_set_sd_xattr(conn
, idmap
, path
, pntsd
, pntsd_size
, false);
1195 kfree(parent_pntsd
);
1199 bool smb_inherit_flags(int flags
, bool is_dir
)
1202 return (flags
& OBJECT_INHERIT_ACE
) != 0;
1204 if (flags
& OBJECT_INHERIT_ACE
&& !(flags
& NO_PROPAGATE_INHERIT_ACE
))
1207 if (flags
& CONTAINER_INHERIT_ACE
)
1212 int smb_check_perm_dacl(struct ksmbd_conn
*conn
, const struct path
*path
,
1213 __le32
*pdaccess
, int uid
)
1215 struct mnt_idmap
*idmap
= mnt_idmap(path
->mnt
);
1216 struct smb_ntsd
*pntsd
= NULL
;
1217 struct smb_acl
*pdacl
;
1218 struct posix_acl
*posix_acls
;
1219 int rc
= 0, pntsd_size
, acl_size
, aces_size
, pdacl_size
, dacl_offset
;
1221 int granted
= le32_to_cpu(*pdaccess
& ~FILE_MAXIMAL_ACCESS_LE
);
1222 struct smb_ace
*ace
;
1224 unsigned int access_bits
= 0;
1225 struct smb_ace
*others_ace
= NULL
;
1226 struct posix_acl_entry
*pa_entry
;
1227 unsigned int sid_type
= SIDOWNER
;
1228 unsigned short ace_size
;
1230 ksmbd_debug(SMB
, "check permission using windows acl\n");
1231 pntsd_size
= ksmbd_vfs_get_sd_xattr(conn
, idmap
,
1232 path
->dentry
, &pntsd
);
1233 if (pntsd_size
<= 0 || !pntsd
)
1236 dacl_offset
= le32_to_cpu(pntsd
->dacloffset
);
1238 (dacl_offset
+ sizeof(struct smb_acl
) > pntsd_size
))
1241 pdacl
= (struct smb_acl
*)((char *)pntsd
+ le32_to_cpu(pntsd
->dacloffset
));
1242 acl_size
= pntsd_size
- dacl_offset
;
1243 pdacl_size
= le16_to_cpu(pdacl
->size
);
1245 if (pdacl_size
> acl_size
|| pdacl_size
< sizeof(struct smb_acl
))
1248 if (!pdacl
->num_aces
) {
1249 if (!(pdacl_size
- sizeof(struct smb_acl
)) &&
1250 *pdaccess
& ~(FILE_READ_CONTROL_LE
| FILE_WRITE_DAC_LE
)) {
1257 if (*pdaccess
& FILE_MAXIMAL_ACCESS_LE
) {
1258 granted
= READ_CONTROL
| WRITE_DAC
| FILE_READ_ATTRIBUTES
|
1261 ace
= (struct smb_ace
*)((char *)pdacl
+ sizeof(struct smb_acl
));
1262 aces_size
= acl_size
- sizeof(struct smb_acl
);
1263 for (i
= 0; i
< le32_to_cpu(pdacl
->num_aces
); i
++) {
1264 if (offsetof(struct smb_ace
, access_req
) > aces_size
)
1266 ace_size
= le16_to_cpu(ace
->size
);
1267 if (ace_size
> aces_size
)
1269 aces_size
-= ace_size
;
1270 granted
|= le32_to_cpu(ace
->access_req
);
1271 ace
= (struct smb_ace
*)((char *)ace
+ le16_to_cpu(ace
->size
));
1274 if (!pdacl
->num_aces
)
1275 granted
= GENERIC_ALL_FLAGS
;
1279 sid_type
= SIDUNIX_USER
;
1280 id_to_sid(uid
, sid_type
, &sid
);
1282 ace
= (struct smb_ace
*)((char *)pdacl
+ sizeof(struct smb_acl
));
1283 aces_size
= acl_size
- sizeof(struct smb_acl
);
1284 for (i
= 0; i
< le32_to_cpu(pdacl
->num_aces
); i
++) {
1285 if (offsetof(struct smb_ace
, access_req
) > aces_size
)
1287 ace_size
= le16_to_cpu(ace
->size
);
1288 if (ace_size
> aces_size
)
1290 aces_size
-= ace_size
;
1292 if (!compare_sids(&sid
, &ace
->sid
) ||
1293 !compare_sids(&sid_unix_NFS_mode
, &ace
->sid
)) {
1297 if (!compare_sids(&sid_everyone
, &ace
->sid
))
1300 ace
= (struct smb_ace
*)((char *)ace
+ le16_to_cpu(ace
->size
));
1303 if (*pdaccess
& FILE_MAXIMAL_ACCESS_LE
&& found
) {
1304 granted
= READ_CONTROL
| WRITE_DAC
| FILE_READ_ATTRIBUTES
|
1307 granted
|= le32_to_cpu(ace
->access_req
);
1309 if (!pdacl
->num_aces
)
1310 granted
= GENERIC_ALL_FLAGS
;
1313 if (IS_ENABLED(CONFIG_FS_POSIX_ACL
)) {
1314 posix_acls
= get_inode_acl(d_inode(path
->dentry
), ACL_TYPE_ACCESS
);
1315 if (!IS_ERR_OR_NULL(posix_acls
) && !found
) {
1316 unsigned int id
= -1;
1318 pa_entry
= posix_acls
->a_entries
;
1319 for (i
= 0; i
< posix_acls
->a_count
; i
++, pa_entry
++) {
1320 if (pa_entry
->e_tag
== ACL_USER
)
1321 id
= posix_acl_uid_translate(idmap
, pa_entry
);
1322 else if (pa_entry
->e_tag
== ACL_GROUP
)
1323 id
= posix_acl_gid_translate(idmap
, pa_entry
);
1328 mode_to_access_flags(pa_entry
->e_perm
,
1334 posix_acl_release(posix_acls
);
1335 goto check_access_bits
;
1339 if (!IS_ERR_OR_NULL(posix_acls
))
1340 posix_acl_release(posix_acls
);
1347 ksmbd_debug(SMB
, "Can't find corresponding sid\n");
1353 switch (ace
->type
) {
1354 case ACCESS_ALLOWED_ACE_TYPE
:
1355 access_bits
= le32_to_cpu(ace
->access_req
);
1357 case ACCESS_DENIED_ACE_TYPE
:
1358 case ACCESS_DENIED_CALLBACK_ACE_TYPE
:
1359 access_bits
= le32_to_cpu(~ace
->access_req
);
1365 ~(access_bits
| FILE_READ_ATTRIBUTES
| READ_CONTROL
| WRITE_DAC
| DELETE
)) {
1366 ksmbd_debug(SMB
, "Access denied with winACL, granted : %x, access_req : %x\n",
1367 granted
, le32_to_cpu(ace
->access_req
));
1372 *pdaccess
= cpu_to_le32(granted
);
1378 int set_info_sec(struct ksmbd_conn
*conn
, struct ksmbd_tree_connect
*tcon
,
1379 const struct path
*path
, struct smb_ntsd
*pntsd
, int ntsd_len
,
1380 bool type_check
, bool get_write
)
1383 struct smb_fattr fattr
= {{0}};
1384 struct inode
*inode
= d_inode(path
->dentry
);
1385 struct mnt_idmap
*idmap
= mnt_idmap(path
->mnt
);
1386 struct iattr newattrs
;
1388 fattr
.cf_uid
= INVALID_UID
;
1389 fattr
.cf_gid
= INVALID_GID
;
1390 fattr
.cf_mode
= inode
->i_mode
;
1392 rc
= parse_sec_desc(idmap
, pntsd
, ntsd_len
, &fattr
);
1396 newattrs
.ia_valid
= ATTR_CTIME
;
1397 if (!uid_eq(fattr
.cf_uid
, INVALID_UID
)) {
1398 newattrs
.ia_valid
|= ATTR_UID
;
1399 newattrs
.ia_uid
= fattr
.cf_uid
;
1401 if (!gid_eq(fattr
.cf_gid
, INVALID_GID
)) {
1402 newattrs
.ia_valid
|= ATTR_GID
;
1403 newattrs
.ia_gid
= fattr
.cf_gid
;
1405 newattrs
.ia_valid
|= ATTR_MODE
;
1406 newattrs
.ia_mode
= (inode
->i_mode
& ~0777) | (fattr
.cf_mode
& 0777);
1408 ksmbd_vfs_remove_acl_xattrs(idmap
, path
);
1409 /* Update posix acls */
1410 if (IS_ENABLED(CONFIG_FS_POSIX_ACL
) && fattr
.cf_dacls
) {
1411 rc
= set_posix_acl(idmap
, path
->dentry
,
1412 ACL_TYPE_ACCESS
, fattr
.cf_acls
);
1415 "Set posix acl(ACL_TYPE_ACCESS) failed, rc : %d\n",
1417 if (S_ISDIR(inode
->i_mode
) && fattr
.cf_dacls
) {
1418 rc
= set_posix_acl(idmap
, path
->dentry
,
1419 ACL_TYPE_DEFAULT
, fattr
.cf_dacls
);
1422 "Set posix acl(ACL_TYPE_DEFAULT) failed, rc : %d\n",
1428 rc
= notify_change(idmap
, path
->dentry
, &newattrs
, NULL
);
1429 inode_unlock(inode
);
1433 /* Check it only calling from SD BUFFER context */
1434 if (type_check
&& !(le16_to_cpu(pntsd
->type
) & DACL_PRESENT
))
1437 if (test_share_config_flag(tcon
->share_conf
, KSMBD_SHARE_FLAG_ACL_XATTR
)) {
1438 /* Update WinACL in xattr */
1439 ksmbd_vfs_remove_sd_xattrs(idmap
, path
);
1440 ksmbd_vfs_set_sd_xattr(conn
, idmap
, path
, pntsd
, ntsd_len
,
1445 posix_acl_release(fattr
.cf_acls
);
1446 posix_acl_release(fattr
.cf_dacls
);
1450 void ksmbd_init_domain(u32
*sub_auth
)
1454 memcpy(&server_conf
.domain_sid
, &domain
, sizeof(struct smb_sid
));
1455 for (i
= 0; i
< 3; ++i
)
1456 server_conf
.domain_sid
.sub_auth
[i
+ 1] = cpu_to_le32(sub_auth
[i
]);