| blob | 169e024605f80aeb9cd745702e0d3a21a5c3d360 |
1 /*
2 * Unix SMB implementation.
3 * Functions for understanding conditional ACEs
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 3 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, see <http://www.gnu.org/licenses/>.
17 */
30 /*
31 * Conditional ACE logic truth tables.
32 *
33 * Conditional ACES use a ternary logic, with "unknown" as well as true and
34 * false. The ultmate meaning of unknown depends on the context; in a deny
35 * ace, unknown means yes, in an allow ace, unknown means no. That is, we
36 * treat unknown results with maximum suspicion.
37 *
38 * AND true false unknown
39 * true T F ?
40 * false F F F
41 * unknown ? F ?
42 *
43 * OR true false unknown
44 * true T T T
45 * false T F ?
46 * unknown T ? ?
47 *
48 * NOT
49 * true F
50 * false T
51 * unknown ?
52 *
53 * This can be summed up by saying unknown values taint the result except in
54 * the cases where short circuit evaluation could apply (true OR anything,
55 * false AND anything, which hold their value).
56 *
57 * What counts as unknown
58 *
59 * - NULL attributes.
60 * - certain comparisons between incompatible types
61 *
62 * What counts as false
63 *
64 * - zero
65 * - empty strings
66 *
67 * An error means the entire expression is unknown.
68 */
72 {
78 }
83 }
88 }
91 /* val has these limits naturally */
95 }
101 }
106 }
108 }
113 {
116 }
121 }
125 {
128 }
133 }
138 {
147 }
151 }
153 /* we need an even number of bytes */
155 }
157 /*
158 * The string in the ACE blob is utf-16, which we convert to
159 * utf-8 for further processing.
160 *
161 * There may be inefficencies here (FIXME, etc, if you dare),
162 * and we might prefer to keep it as utf-16 in the runtime.
163 * But maybe not.
164 */
166 /*
167 * A 0x0000 codepoint is illegal. The string is length-bound,
168 * not NUL-terminated. If we don't do this the string will be
169 * truncated at the first 0x0000, which is not terrible, but
170 * not expected, and it makes round-trip assertions
171 * impossible.
172 */
175 }
176 }
184 }
186 /*
187 * This is a special case, because convert_string_talloc()
188 * will turn a length 0 string into a length 1 string
189 * containing a zero byte. This is not the same as returning
190 * the truly allocated size, counting the '\0' for all strings
191 * -- it only happens for the empty string.
192 */
194 }
198 }
202 {
203 /*
204 * The string stored in the token is utf-8, but must be
205 * converted to utf-16 in the compiled ACE.
206 */
213 }
217 //XXX do we allow an empty string?
224 }
227 }
233 {
236 }
240 }
244 }
248 }
253 {
256 }
260 }
266 {
268 ssize_t sidlen;
271 }
275 }
279 }
284 }
286 }
290 {
292 DATA_BLOB v;
293 ssize_t total_length;
299 }
304 }
309 }
315 {
322 }
326 }
327 /*
328 * There is a list of other literal tokens (possibly including nested
329 * composites), which we will store in an array.
330 *
331 * This array can *only* be literals.
332 */
336 alloc_length);
339 }
345 ssize_t consumed;
350 i++;
361 available,
366 }
370 el_data,
371 available,
377 el_data,
378 available,
384 el_data,
385 available,
391 el_data,
392 available,
397 }
401 }
403 j++;
407 }
411 tokens,
413 alloc_length);
417 }
418 }
419 }
423 error:
426 }
431 {
437 }
438 /*
439 * We have no idea what the eventual length will be, so we keep a
440 * pointer to write it in at the end.
441 */
448 ssize_t consumed;
453 used++;
455 /*
456 * used == length is not expected here; the token
457 * types that only have an opcode and no data are not
458 * literals that can be in composites.
459 */
461 }
473 }
475 available,
480 available,
486 available,
492 available,
498 available,
504 }
508 }
510 }
513 }
517 }
520 {
521 /*
522 * We just check that we have the right kind of number of zero
523 * bytes. The blob must end on a multiple of 4. One zero byte
524 * has already been swallowed as tok->type, which sends us
525 * here, so we expect 1 or two more -- total padding is 0, 1,
526 * 2, or 3.
527 *
528 * zero is also called CONDITIONAL_ACE_TOKEN_INVALID_OR_PADDING.
529 */
530 ssize_t i;
533 }
537 }
538 }
540 }
544 DATA_BLOB data)
545 {
556 /*
557 * lacks the "artx" conditional ace identifier magic.
558 * NULL returns will deny access.
559 */
561 }
564 /*
565 * >= 64k or non-multiples of 4 are not possible in the ACE
566 * wire format.
567 */
569 }
574 }
576 /*
577 * We will normally end up with fewer than data.length tokens, as
578 * values are stored in multiple bytes (all integers are 10 bytes,
579 * strings and attributes are utf16 + length, SIDs are SID-size +
580 * length, etc). But operators are one byte, so something like
581 * !(!(!(!(!(!(x)))))) -- where each '!(..)' is one byte -- will bring
582 * the number of tokens close to the number of bytes.
583 *
584 * This is all to say we're guessing a token length that hopes to
585 * avoid reallocs without wasting too much up front.
586 */
590 alloc_length);
594 }
605 i++;
615 available,
620 }
623 /*
624 * The next four are pulled as unicode, but are
625 * processed as user attribute look-ups.
626 */
632 tok_data,
633 available,
639 tok_data,
640 available,
646 tok_data,
647 available,
653 tok_data,
654 available,
666 /*
667 * these require a SID or composite SID list operand,
668 * and we could check that now in most cases.
669 */
671 /* binary relational operators */
682 /* unary logical operators */
686 /* binary logical operators */
691 /* this is only valid at the end */
693 available);
698 }
702 }
704 j++;
708 tokens,
710 alloc_length);
713 }
714 }
715 }
718 tokens,
723 }
724 /*
725 * When interpreting the program we will need a stack, which in the
726 * very worst case can be as deep as the program is long.
727 */
733 }
736 fail:
739 }
746 {
749 }
757 {
758 /*
759 * For a @Resource.attr, the claims come from a resource ACE
760 * in the object's SACL. That's why we need a security descriptor.
761 *
762 * If there is no matching resource ACE, a NULL result is returned,
763 * which should compare UNKNOWN to anything. The NULL will have the
764 * CONDITIONAL_ACE_FLAG_NULL_MEANS_ERROR flag set if it seems failure
765 * is not simply due to the sought claim not existing. This useful for
766 * the Exists and Not_Exists operators.
767 */
774 /* what are we even doing here? */
777 }
786 }
794 }
799 }
800 /* this is the one */
804 }
805 }
809 }
817 {
818 /*
819 * The operator has an attribute name; if there is a claim of
820 * the right type with that name, that is returned as the result.
821 *
822 * XXX what happens otherwise? NULL result?
823 */
853 }
855 /*
856 * Loop backwards: a later claim will override an earlier one with the
857 * same name.
858 */
863 }
865 /* this is the one */
868 }
869 }
872 }
882 {
883 /*
884 * We need to compare the lists of SIDs in the token with the
885 * SID[s] in the argument. There are 8 combinations of
886 * operation, depending on whether we want to match all or any
887 * of the SIDs, whether we're using the device SIDs or user
888 * SIDs, and whether the operator name starts with "Not_".
889 *
890 * _MEMBER_OF User has all operand SIDs
891 * _DEVICE_MEMBER_OF Device has all operand SIDs
892 * _MEMBER_OF_ANY User has one or more operand SIDs
893 * _DEVICE_MEMBER_OF_ANY Device has one or more operand SIDs
894 *
895 * NOT_* has the effect of !(the operator without NOT_).
896 *
897 * The operand can either be a composite of SIDs or a single SID.
898 * This adds an additional branch.
899 */
923 }
950 }
961 }
969 }
972 /*
973 * In this case the any and all operations are the
974 * same.
975 */
982 }
983 }
986 }
991 }
993 }
995 /* This is a composite list (hopefully of SIDs) */
999 }
1009 }
1016 }
1017 }
1020 /* we have matched one SID, which is enough */
1022 }
1025 /* failing one is enough */
1027 }
1028 }
1029 }
1030 /*
1031 * Reaching the end of that loop means either:
1032 * 1. it was an ALL op and we never failed to find one, or
1033 * 2. it was an ANY op, and we didn't find one.
1034 */
1037 apply_not:
1040 }
1045 }
1048 }
1054 {
1055 /*
1056 * Find the truth value of the argument, stored in the result token.
1057 *
1058 * A return value of false means the operation is invalid, and the
1059 * result is undefined.
1060 */
1062 /* pass through */
1065 }
1071 /* zero is false */
1076 }
1078 }
1080 /* empty is false */
1085 }
1087 }
1089 /*
1090 * everything else in UNKNOWN. This includes NULL values (i.e. an
1091 * unsuccessful look-up).
1092 */
1095 }
1100 {
1103 /*
1104 * Logic operators don't work on literals.
1105 */
1107 }
1112 }
1117 }
1118 /* unknown stays unknown */
1120 }
1130 {
1136 };
1139 }
1143 /*
1144 * Not_Exists and Exists require the same work, except we negate the
1145 * answer in one case. From [MS-DTYP] 2.4.4.17.7:
1146 *
1147 * If the type of the operand is "Local Attribute"
1148 * If the value is non-null return TRUE
1149 * Else return FALSE
1150 * Else if the type of the operand is "Resource Attribute"
1151 * Return TRUE if value is non-null; FALSE otherwise.
1152 * Else return Error
1153 */
1157 /*
1158 * "not ok" usually means a failure to find the attribute,
1159 * which is the false condition and not an error.
1160 *
1161 * XXX or do we need an extra flag?
1162 */
1169 }
1171 /*
1172 *
1173 */
1181 }
1188 /* should not get here */
1190 }
1194 }
1204 {
1213 /*
1214 * Logic operators don't work on literals.
1215 */
1217 }
1222 }
1226 }
1231 /*
1232 * AND true false unknown
1233 * true T F ?
1234 * false F F F
1235 * unknown ? F ?
1236 *
1237 * unknown unless BOTH true or EITHER false
1238 */
1243 }
1248 }
1249 /*
1250 * Neither value is False, so the result is Unknown,
1251 * as set at the start of this function.
1252 */
1254 }
1255 /*
1256 * OR true false unknown
1257 * true T T T
1258 * false T F ?
1259 * unknown T ? ?
1260 *
1261 * unknown unless EITHER true or BOTH false
1262 */
1267 }
1272 }
1274 }
1280 {
1282 /*
1283 * we can't compare different types *unless* they are both
1284 * integers, or one is a bool and the other is an integer 0 or
1285 * 1, and the operator is == or !=.
1286 */
1287 //XXX actually it says "literal integers", do we need to check flags?
1290 /* don't block e.g. comparing an int32 to an int64 */
1292 }
1294 /* is it == or != */
1298 }
1299 /* is one a bool and the other an int? */
1306 }
1309 }
1311 }
1317 {
1341 }
1345 }
1353 {
1356 /*
1357 * Comparison is case-insensitive UNLESS the claim structure
1358 * has the case-sensitive flag, which is passed through as a
1359 * flag on the token. Usually only the LHS is a claim value,
1360 * but in the event that they both are, we allow either to
1361 * request case-sensitivity.
1362 *
1363 * For greater than and less than, the sort order is utf-8 order,
1364 * which is not exactly what Windows does, but we don't sort like
1365 * Windows does anywhere else either.
1366 */
1372 }
1375 }
1377 }
1384 {
1390 }
1392 }
1399 {
1403 }
1410 {
1420 }
1422 }
1429 {
1435 /*
1436 * we can compare a boolean LHS to a literal RHS, but not
1437 * vice versa
1438 */
1440 }
1444 }
1448 }
1452 }
1460 /* we are not allowing non-equality comparisons with bools */
1462 }
1464 }
1477 {
1478 /*
1479 * We treat composites as if they are sets, which is to say we
1480 * don't care about order. This rules out < and > operations.
1481 *
1482 * In Kerberos clams it is not possible to add duplicate
1483 * values to a composite, but in Conditional ACEs you can do
1484 * that. This means we can't short-cut by comparing the
1485 * lengths.
1486 *
1487 * THe extra sad thing is we might have to do it both ways
1488 * round. For example, comparing {a, a, b, a} to {a, b, c}, we
1489 * find all of the first group in the second, but that doesn't
1490 * mean all of the second are in the first.
1491 */
1495 };
1511 }
1513 /* This item in A is also in B. */
1516 }
1517 }
1521 }
1522 }
1523 }
1526 }
1534 {
1538 }
1539 }
1547 }
1560 /* leave the result unknown */
1565 }
1568 }
1574 {
1580 };
1586 tok,
1591 }
1595 }
1596 }
1598 }
1604 {
1610 };
1612 /*
1613 * All the required objects must be identical to something in
1614 * candidates. But what do we mean by *identical*? We'll use
1615 * the equality operator to decide that.
1616 *
1617 * Both the lhs or rhs can be solitary objects or composites.
1618 * This makes it a bit fiddlier.
1619 */
1625 }
1629 }
1635 }
1637 /*
1638 * one required item was not there,
1639 * *answer is false
1640 */
1642 }
1643 }
1644 /* all required items are there, *answer will be true */
1646 }
1647 /* LHS is a single item */
1649 /*
1650 * There could be more than one RHS member that is
1651 * equal to the single LHS value, so it doesn't help
1652 * to compare lengths or anything.
1653 */
1657 }
1660 lhs,
1665 }
1667 /*
1668 * one required item was not there,
1669 * *answer is false
1670 */
1673 }
1674 }
1677 }
1678 /* LHS and RHS are both single */
1680 lhs,
1681 rhs,
1685 }
1688 }
1694 {
1700 };
1702 /*
1703 * There has to be *some* overlap between the LHS and RHS.
1704 * Both sides can be solitary objects or composites.
1705 *
1706 * We can exploit this symmetry.
1707 */
1712 }
1714 /* both singles */
1716 lhs,
1717 rhs,
1721 }
1724 }
1727 }
1728 /* both are composites */
1731 }
1735 answer);
1738 }
1740 /* We have found one match, which is enough. */
1742 }
1743 }
1745 }
1752 {
1765 }
1768 }
1770 /* negate the NOTs */
1774 }
1780 }
1782 }
1791 {
1798 /* LHS was not derived from an attribute */
1800 }
1802 /*
1803 * This first nested switch is ensuring that >, >=, <, <= are
1804 * not being tried on tokens that are not numbers, strings, or
1805 * octet strings. Equality operators are available for all types.
1806 */
1824 }
1825 }
1827 /*
1828 * Dispatch according to operator type.
1829 */
1838 lhs,
1839 rhs,
1843 }
1851 lhs,
1852 rhs,
1853 result);
1856 }
1857 }
1864 {
1883 /* just plonk these literals on the stack */
1885 depth++;
1894 }
1896 depth++;
1901 tok,
1902 sd,
1906 }
1908 depth++;
1921 }
1922 depth--;
1927 }
1929 depth++;
1931 /* binary relational operators */
1944 }
1945 depth--;
1947 depth--;
1952 }
1954 depth++;
1956 /* unary logical operators */
1962 }
1963 depth--;
1968 }
1970 depth++;
1972 /* binary logical operators */
1977 }
1978 depth--;
1980 depth--;
1985 }
1987 depth++;
1991 }
1992 }
1993 /*
1994 * The evaluation should have left a single result value (true, false,
1995 * or unknown) on the stack. If not, the expression was malformed.
1996 */
1999 }
2003 }
2007 error:
2008 /*
2009 * the result of an error is always UNKNOWN, which should be
2010 * interpreted pessimistically, not allowing access.
2011 */
2013 }
2016 /** access_check_conditional_ace()
2017 *
2018 * Run the conditional ACE from the blob form. Return false if it is
2019 * not a valid conditional ACE, true if it is, even if there is some
2020 * other error in running it. The *result parameter is set to
2021 * ACE_CONDITION_FALSE, ACE_CONDITION_TRUE, or ACE_CONDITION_UNKNOWN.
2022 *
2023 * ACE_CONDITION_UNKNOWN should be treated pessimistically, as if were
2024 * TRUE for deny ACEs, and FALSE for allow ACEs.
2025 *
2026 * @param[in] ace - the ACE being processed.
2027 * @param[in] token - the security token the ACE is processing.
2028 * @param[out] result - a ternary result value.
2029 *
2030 * @return true if it is a valid conditional ACE.
2031 */
2037 {
2045 }
2051 }
2057 {
2065 alloc_size);
2068 }
2078 ssize_t consumed;
2080 /*
2081 * In all cases we write the token type byte.
2082 */
2084 j++;
2087 }
2113 /*
2114 * All of these are simple operators that operate on
2115 * the stack. We have already added the tok->type and
2116 * there's nothing else to do.
2117 */
2127 }
2161 }
2164 }
2168 }
2169 }
2170 /* align to a 4 byte boundary */
2174 }
2177 j++;
2178 }
2180 data,
2182 required_size);
2185 }
2190 error:
2193 }