s3: smbd: Add smbd_calculate_access_mask_fsp().
authorJeremy Allison <jra@samba.org>
Tue, 8 Jun 2021 00:02:06 +0000 (17:02 -0700)
committerRalph Boehme <slow@samba.org>
Wed, 9 Jun 2021 13:14:30 +0000 (13:14 +0000)
Not yet used but this now uses smbd_calculate_maximum_allowed_access_fsp(),
so uncomment it.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source3/smbd/globals.h
source3/smbd/open.c

index a227fdd903a4f56bb79faa76a8f74e161537a7c4..58aa07a08d916c27999c01fa8fdac6745ec87bbd 100644 (file)
@@ -218,6 +218,11 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
                        uint32_t access_mask,
                        uint32_t *access_mask_out);
 
+NTSTATUS smbd_calculate_access_mask_fsp(struct files_struct *fsp,
+                       bool use_privs,
+                       uint32_t access_mask,
+                       uint32_t *access_mask_out);
+
 void smbd_notify_cancel_by_smbreq(const struct smb_request *smbreq);
 
 void smbXsrv_connection_disconnect_transport(struct smbXsrv_connection *xconn,
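Review bot: The new exported prototype for smbd_calculate_access_mask_fsp() carries no comment describing its contract, even though it decides what access a handle is granted. A short comment above it would help future callers, for example `/* Maps generic bits, expands MAXIMUM_ALLOWED_ACCESS and checks the result against the share access mask; *access_mask_out is written only when NT_STATUS_OK is returned. */`. What `use_privs` changes is not visible in this diff, because the definition only forwards it to smbd_calculate_maximum_allowed_access_fsp(), so the comment should also say when a caller may pass `true`.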
index 303790e6022a89779e63618e9555282877adb0c7..2de26f84b03726e61ac53839977db1d8f7fea6b5 100644 (file)
@@ -3275,7 +3275,6 @@ static NTSTATUS smbd_calculate_maximum_allowed_access(
        return NT_STATUS_OK;
 }
 
-#if 0
 /****************************************************************************
  Work out what access_mask to use from what the client sent us.
 ****************************************************************************/
@@ -3365,7 +3364,6 @@ static NTSTATUS smbd_calculate_maximum_allowed_access_fsp(
 
        return NT_STATUS_OK;
 }
-#endif
 
 NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
                        struct files_struct *dirfsp,
@@ -3425,6 +3423,58 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
        return NT_STATUS_OK;
 }
 
+NTSTATUS smbd_calculate_access_mask_fsp(struct files_struct *fsp,
+                       bool use_privs,
+                       uint32_t access_mask,
+                       uint32_t *access_mask_out)
+{
+       NTSTATUS status;
+       uint32_t orig_access_mask = access_mask;
+       uint32_t rejected_share_access;
+
+       if (access_mask & SEC_MASK_INVALID) {
+               DBG_DEBUG("access_mask [%8x] contains invalid bits\n",
+                         access_mask);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       /*
+        * Convert GENERIC bits to specific bits.
+        */
+
+       se_map_generic(&access_mask, &file_generic_mapping);
+
+       /* Calculate MAXIMUM_ALLOWED_ACCESS if requested. */
+       if (access_mask & MAXIMUM_ALLOWED_ACCESS) {
+
+               status = smbd_calculate_maximum_allowed_access_fsp(fsp,
+                                                  use_privs,
+                                                  &access_mask);
+
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
+               }
+
+               access_mask &= fsp->conn->share_access;
+       }
+
+       rejected_share_access = access_mask & ~(fsp->conn->share_access);
+
+       if (rejected_share_access) {
+               DBG_ERR("Access denied on file %s: "
+                       "rejected by share access mask[0x%08X] "
+                       "orig[0x%08X] mapped[0x%08X] reject[0x%08X]\n",
+                       fsp_str_dbg(fsp),
+                       fsp->conn->share_access,
+                       orig_access_mask, access_mask,
+                       rejected_share_access);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       *access_mask_out = access_mask;
+       return NT_STATUS_OK;
+}
+
 /****************************************************************************
  Remove the deferred open entry under lock.
 ****************************************************************************/
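Review bot: The share-mask denial branch in smbd_calculate_access_mask_fsp() logs with `DBG_ERR`, yet it is reached whenever a client requests bits outside `fsp->conn->share_access`, for instance write access on a read-only share. Once this function has callers, a client could fill the server log at the most severe level with what are ordinary, expected denials, burying messages that need operator attention. The invalid-bits rejection a few lines earlier already uses `DBG_DEBUG`; using a lower level here as well, e.g. `DBG_INFO("Access denied on file %s: "`, keeps the diagnostic available without making it client-driven noise. If the existing smbd_calculate_access_mask() logs the same way (its body is outside this hunk), both should be changed together so the two paths do not drift apart.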