From: Douglas Bagnall Date: Wed, 12 Jul 2023 05:20:44 +0000 (+1200) Subject: libcli/security: add stub of conditional ACE code. X-Git-Tag: tevent-0.16.0~480 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=140f7466a457607dce2156e0de695cf31d7a3236;p=thirdparty%2Fsamba.git libcli/security: add stub of conditional ACE code. This is just the outline of what will come, but first we'll add conditional ACE SDDL decoding in sddl_conditional_ace.c Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c
new file mode 100644
index 00000000000..a749a5ef10a
--- /dev/null
+++ b/libcli/security/conditional_ace.c
@@ -0,0 +1,74 @@
+/*
+ * Unix SMB implementation.
+ * Functions for understanding conditional ACEs
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see .
+ */
+
+#include "replace.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "librpc/gen_ndr/conditional_ace.h"
+#include "libcli/security/security.h"
+#include "libcli/security/conditional_ace.h"
+
+
+struct ace_condition_script *parse_conditional_ace(TALLOC_CTX *mem_ctx,
+ DATA_BLOB data)
+{
+ return NULL;
+}
+
+
+
+int run_conditional_ace(TALLOC_CTX *mem_ctx,
+ const struct security_token *token,
+ struct ace_condition_script *program,
+ const struct security_descriptor *sd)
+{
+ return ACE_CONDITION_UNKNOWN;
+}
+
+
+/** access_check_conditional_ace()
+ *
+ * Run the conditional ACE from the blob form. Return false if it is
+ * not a valid conditional ACE, true if it is, even if there is some
+ * other error in running it. The *result parameter is set to
+ * ACE_CONDITION_FALSE, ACE_CONDITION_TRUE, or ACE_CONDITION_UNKNOWN.
+ *
+ * ACE_CONDITION_UNKNOWN should be treated pessimistically, as if were
+ * TRUE for deny ACEs, and FALSE for allow ACEs.
+ *
+ * @param[in] ace - the ACE being processed.
+ * @param[in] token - the security token the ACE is processing.
+ * @param[out] result - a ternary result value.
+ *
+ * @return true if it is a valid conditional ACE.
+ */
+
+bool access_check_conditional_ace(const struct security_ace *ace,
+ const struct security_token *token,
+ const struct security_descriptor *sd,
+ int *result)
+{
+ return false;
+}
+
+
+bool conditional_ace_encode_binary(TALLOC_CTX *mem_ctx,
+ struct ace_condition_script *program,
+ DATA_BLOB *dest)
+{
+ return false;
+}
diff --git a/libcli/security/conditional_ace.h b/libcli/security/conditional_ace.h
new file mode 100644
index 00000000000..8deb527e5b4
--- /dev/null
+++ b/libcli/security/conditional_ace.h
@@ -0,0 +1,43 @@
+/*
+ Unix SMB/CIFS implementation.
+ Samba utility functions
+
+ Copyright © Catalyst
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _CONDITIONAL_ACE_H_
+#define _CONDITIONAL_ACE_H_
+
+
+struct ace_condition_script *parse_conditional_ace(TALLOC_CTX *mem_ctx,
+ DATA_BLOB data);
+
+int run_conditional_ace(TALLOC_CTX *mem_ctx,
+ const struct security_token *token,
+ struct ace_condition_script *program,
+ const struct security_descriptor *sd);
+
+
+bool access_check_conditional_ace(const struct security_ace *ace,
+ const struct security_token *token,
+ const struct security_descriptor *sd,
+ int *result);
+
+bool conditional_ace_encode_binary(TALLOC_CTX *mem_ctx,
+ struct ace_condition_script *program,
+ DATA_BLOB *dest);
+
+#endif /*_CONDITIONAL_ACE_H_*/
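Review bot: In libcli/security/conditional_ace.c the `access_check_conditional_ace()` stub returns `false` without ever writing `*result`, although its doc comment says the parameter is set to one of the three ACE_CONDITION_* values. Any caller that reads `*result` without first checking the return value would be making an access decision on an uninitialised int, so I would add `*result = ACE_CONDITION_UNKNOWN;` before `return false;`, which makes the stub fail closed in the way the comment already asks callers to treat UNKNOWN. The doc comment also has no entry for the `sd` parameter (something like `@param[in] sd - the security descriptor the ACE is evaluated against`, wording for the author to confirm). In the same comment, "as if were TRUE" should read "as if it were TRUE".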
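Review bot: The prototypes in libcli/security/conditional_ace.h use `TALLOC_CTX`, `DATA_BLOB`, `bool` and several `struct security_*` types, but the header includes nothing and forward-declares nothing, so it appears to work only when the includer has already pulled in the right headers (as conditional_ace.c does with security.h first). Either include what it needs or add forward declarations such as `struct security_token;` above the prototypes, so the struct tags are not first introduced inside a parameter list. The rule that ACE_CONDITION_UNKNOWN must be treated as TRUE for deny ACEs and FALSE for allow ACEs is documented only in the .c file; a short comment above `run_conditional_ace()` and `access_check_conditional_ace()` here, stating that the result is ternary and how UNKNOWN must be handled, would put that fail-closed contract where callers will read it. The file comment `Samba utility functions` could also name conditional ACEs, as the .c header does.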