libcli/security/access_check.h

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Copyright (C) Andrew Tridgell 2004
   5    Copyright (C) Gerald Carter 2005
   6    Copyright (C) Volker Lendecke 2007
   7    Copyright (C) Jeremy Allison 2008
   8    Copyright (C) Andrew Bartlett 2010
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23 #ifndef _ACCESS_CHECK_H_
  24 #define _ACCESS_CHECK_H_
  25
  26 #include "lib/util/data_blob.h"
  27 #include "librpc/gen_ndr/security.h"
  28
  29 /* Map generic access rights to object specific rights.  This technique is
  30    used to give meaning to assigning read, write, execute and all access to
  31    objects.  Each type of object has its own mapping of generic to object
  32    specific access rights. */
  33
  34 void se_map_generic(uint32_t *access_mask, const struct generic_mapping *mapping);
  35
  36 /* Map generic access rights to object specific rights for all the ACE's
  37  * in a security_acl.
  38  */
  39 void security_acl_map_generic(struct security_acl *sa,
  40                               const struct generic_mapping *mapping);
  41
  42 /* Map standard access rights to object specific rights.  This technique is
  43    used to give meaning to assigning read, write, execute and all access to
  44    objects.  Each type of object has its own mapping of standard to object
  45    specific access rights. */
  46 void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mapping);
  47
  48 /*
  49   The main entry point for access checking. If returning ACCESS_DENIED
  50   this function returns the denied bits in the uint32_t pointed
  51   to by the access_granted pointer.
  52 */
  53 NTSTATUS se_access_check(const struct security_descriptor *sd,
  54                          const struct security_token *token,
  55                          uint32_t access_desired,
  56                          uint32_t *access_granted);
  57
  58 /*
  59   The main entry point for access checking FOR THE FILE SERVER ONLY !
  60   If returning ACCESS_DENIED this function returns the denied bits in
  61   the uint32_t pointed to by the access_granted pointer.
  62 */
  63 NTSTATUS se_file_access_check(const struct security_descriptor *sd,
  64                          const struct security_token *token,
  65                          bool priv_open_requested,
  66                          uint32_t access_desired,
  67                          uint32_t *access_granted);
  68
  69 struct object_tree;
  70 NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd,
  71                                             const struct security_token *token,
  72                                             uint32_t access_desired,
  73                                             uint32_t *access_granted,
  74                                             struct object_tree *tree,
  75                                             const struct dom_sid *replace_sid,
  76                                             enum implicit_owner_rights implicit_owner_rights);
  77
  78 /* modified access check for the purposes of DS security
  79  * Lots of code duplication, it will be united in just one
  80  * function eventually */
  81
  82 NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
  83                              const struct security_token *token,
  84                              uint32_t access_desired,
  85                              uint32_t *access_granted,
  86                              struct object_tree *tree,
  87                              const struct dom_sid *replace_sid);
  88
  89 bool insert_in_object_tree(TALLOC_CTX *mem_ctx,
  90                            const struct GUID *guid,
  91                            uint32_t init_access,
  92                            struct object_tree *root,
  93                            struct object_tree **new_node_out);
  94
  95 /* search by GUID */
  96 struct object_tree *get_object_tree_by_GUID(struct object_tree *root,
  97                                             const struct GUID *guid);
  98
  99 /* Change the granted access per each ACE */
 100 void object_tree_modify_access(struct object_tree *root,
 101                                uint32_t access_mask);
 102 #endif