search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
cifs: Use mask of ACEs for SID Everyone to calculate all three permissions user,...
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / fs / cifs / cifsacl.c
blob1e7636b145a88a180c8459f65bf86d51d6c165f6
1 /*
2 * fs/cifs/cifsacl.c
3 *
4 * Copyright (C) International Business Machines Corp., 2007,2008
5 * Author(s): Steve French (sfrench@us.ibm.com)
6 *
7 * Contains the routines for mapping CIFS/NTFS ACLs
8 *
9 * This library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published
11 * by the Free Software Foundation; either version 2.1 of the License, or
12 * (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
17 * the GNU Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this library; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 */
23
24 #include <linux/fs.h>
25 #include <linux/slab.h>
26 #include "cifspdu.h"
27 #include "cifsglob.h"
28 #include "cifsacl.h"
29 #include "cifsproto.h"
30 #include "cifs_debug.h"
31
32
33 static struct cifs_wksid wksidarr[NUM_WK_SIDS] = {
34 {{1, 0, {0, 0, 0, 0, 0, 0}, {0, 0, 0, 0, 0} }, "null user"},
35 {{1, 1, {0, 0, 0, 0, 0, 1}, {0, 0, 0, 0, 0} }, "nobody"},
36 {{1, 1, {0, 0, 0, 0, 0, 5}, {__constant_cpu_to_le32(11), 0, 0, 0, 0} }, "net-users"},
37 {{1, 1, {0, 0, 0, 0, 0, 5}, {__constant_cpu_to_le32(18), 0, 0, 0, 0} }, "sys"},
38 {{1, 2, {0, 0, 0, 0, 0, 5}, {__constant_cpu_to_le32(32), __constant_cpu_to_le32(544), 0, 0, 0} }, "root"},
39 {{1, 2, {0, 0, 0, 0, 0, 5}, {__constant_cpu_to_le32(32), __constant_cpu_to_le32(545), 0, 0, 0} }, "users"},
40 {{1, 2, {0, 0, 0, 0, 0, 5}, {__constant_cpu_to_le32(32), __constant_cpu_to_le32(546), 0, 0, 0} }, "guest"} }
41 ;
42
43
44 /* security id for everyone/world system group */
45 static const struct cifs_sid sid_everyone = {
46 1, 1, {0, 0, 0, 0, 0, 1}, {0} };
47 /* security id for Authenticated Users system group */
48 static const struct cifs_sid sid_authusers = {
49 1, 1, {0, 0, 0, 0, 0, 5}, {11} };
50 /* group users */
51 static const struct cifs_sid sid_user = {1, 2 , {0, 0, 0, 0, 0, 5}, {} };
52
53
54 int match_sid(struct cifs_sid *ctsid)
55 {
56 int i, j;
57 int num_subauth, num_sat, num_saw;
58 struct cifs_sid *cwsid;
59
60 if (!ctsid)
61 return -1;
62
63 for (i = 0; i < NUM_WK_SIDS; ++i) {
64 cwsid = &(wksidarr[i].cifssid);
65
66 /* compare the revision */
67 if (ctsid->revision != cwsid->revision)
68 continue;
69
70 /* compare all of the six auth values */
71 for (j = 0; j < 6; ++j) {
72 if (ctsid->authority[j] != cwsid->authority[j])
73 break;
74 }
75 if (j < 6)
76 continue; /* all of the auth values did not match */
77
78 /* compare all of the subauth values if any */
79 num_sat = ctsid->num_subauth;
80 num_saw = cwsid->num_subauth;
81 num_subauth = num_sat < num_saw ? num_sat : num_saw;
82 if (num_subauth) {
83 for (j = 0; j < num_subauth; ++j) {
84 if (ctsid->sub_auth[j] != cwsid->sub_auth[j])
85 break;
86 }
87 if (j < num_subauth)
88 continue; /* all sub_auth values do not match */
89 }
90
91 cFYI(1, "matching sid: %s\n", wksidarr[i].sidname);
92 return 0; /* sids compare/match */
93 }
94
95 cFYI(1, "No matching sid");
96 return -1;
97 }
98
99 /* if the two SIDs (roughly equivalent to a UUID for a user or group) are
100 the same returns 1, if they do not match returns 0 */
101 int compare_sids(const struct cifs_sid *ctsid, const struct cifs_sid *cwsid)
102 {
103 int i;
104 int num_subauth, num_sat, num_saw;
105
106 if ((!ctsid) || (!cwsid))
107 return 0;
108
109 /* compare the revision */
110 if (ctsid->revision != cwsid->revision)
111 return 0;
112
113 /* compare all of the six auth values */
114 for (i = 0; i < 6; ++i) {
115 if (ctsid->authority[i] != cwsid->authority[i])
116 return 0;
117 }
118
119 /* compare all of the subauth values if any */
120 num_sat = ctsid->num_subauth;
121 num_saw = cwsid->num_subauth;
122 num_subauth = num_sat < num_saw ? num_sat : num_saw;
123 if (num_subauth) {
124 for (i = 0; i < num_subauth; ++i) {
125 if (ctsid->sub_auth[i] != cwsid->sub_auth[i])
126 return 0;
127 }
128 }
129
130 return 1; /* sids compare/match */
131 }
132
133
134 /* copy ntsd, owner sid, and group sid from a security descriptor to another */
135 static void copy_sec_desc(const struct cifs_ntsd *pntsd,
136 struct cifs_ntsd *pnntsd, __u32 sidsoffset)
137 {
138 int i;
139
140 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
141 struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr;
142
143 /* copy security descriptor control portion */
144 pnntsd->revision = pntsd->revision;
145 pnntsd->type = pntsd->type;
146 pnntsd->dacloffset = cpu_to_le32(sizeof(struct cifs_ntsd));
147 pnntsd->sacloffset = 0;
148 pnntsd->osidoffset = cpu_to_le32(sidsoffset);
149 pnntsd->gsidoffset = cpu_to_le32(sidsoffset + sizeof(struct cifs_sid));
150
151 /* copy owner sid */
152 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
153 le32_to_cpu(pntsd->osidoffset));
154 nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset);
155
156 nowner_sid_ptr->revision = owner_sid_ptr->revision;
157 nowner_sid_ptr->num_subauth = owner_sid_ptr->num_subauth;
158 for (i = 0; i < 6; i++)
159 nowner_sid_ptr->authority[i] = owner_sid_ptr->authority[i];
160 for (i = 0; i < 5; i++)
161 nowner_sid_ptr->sub_auth[i] = owner_sid_ptr->sub_auth[i];
162
163 /* copy group sid */
164 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
165 le32_to_cpu(pntsd->gsidoffset));
166 ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset +
167 sizeof(struct cifs_sid));
168
169 ngroup_sid_ptr->revision = group_sid_ptr->revision;
170 ngroup_sid_ptr->num_subauth = group_sid_ptr->num_subauth;
171 for (i = 0; i < 6; i++)
172 ngroup_sid_ptr->authority[i] = group_sid_ptr->authority[i];
173 for (i = 0; i < 5; i++)
174 ngroup_sid_ptr->sub_auth[i] = group_sid_ptr->sub_auth[i];
175
176 return;
177 }
178
179
180 /*
181 change posix mode to reflect permissions
182 pmode is the existing mode (we only want to overwrite part of this
183 bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
184 */
185 static void access_flags_to_mode(__le32 ace_flags, int type, umode_t *pmode,
186 umode_t *pbits_to_set)
187 {
188 __u32 flags = le32_to_cpu(ace_flags);
189 /* the order of ACEs is important. The canonical order is to begin with
190 DENY entries followed by ALLOW, otherwise an allow entry could be
191 encountered first, making the subsequent deny entry like "dead code"
192 which would be superflous since Windows stops when a match is made
193 for the operation you are trying to perform for your user */
194
195 /* For deny ACEs we change the mask so that subsequent allow access
196 control entries do not turn on the bits we are denying */
197 if (type == ACCESS_DENIED) {
198 if (flags & GENERIC_ALL)
199 *pbits_to_set &= ~S_IRWXUGO;
200
201 if ((flags & GENERIC_WRITE) ||
202 ((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
203 *pbits_to_set &= ~S_IWUGO;
204 if ((flags & GENERIC_READ) ||
205 ((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
206 *pbits_to_set &= ~S_IRUGO;
207 if ((flags & GENERIC_EXECUTE) ||
208 ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
209 *pbits_to_set &= ~S_IXUGO;
210 return;
211 } else if (type != ACCESS_ALLOWED) {
212 cERROR(1, "unknown access control type %d", type);
213 return;
214 }
215 /* else ACCESS_ALLOWED type */
216
217 if (flags & GENERIC_ALL) {
218 *pmode |= (S_IRWXUGO & (*pbits_to_set));
219 cFYI(DBG2, "all perms");
220 return;
221 }
222 if ((flags & GENERIC_WRITE) ||
223 ((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
224 *pmode |= (S_IWUGO & (*pbits_to_set));
225 if ((flags & GENERIC_READ) ||
226 ((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
227 *pmode |= (S_IRUGO & (*pbits_to_set));
228 if ((flags & GENERIC_EXECUTE) ||
229 ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
230 *pmode |= (S_IXUGO & (*pbits_to_set));
231
232 cFYI(DBG2, "access flags 0x%x mode now 0x%x", flags, *pmode);
233 return;
234 }
235
236 /*
237 Generate access flags to reflect permissions mode is the existing mode.
238 This function is called for every ACE in the DACL whose SID matches
239 with either owner or group or everyone.
240 */
241
242 static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
243 __u32 *pace_flags)
244 {
245 /* reset access mask */
246 *pace_flags = 0x0;
247
248 /* bits to use are either S_IRWXU or S_IRWXG or S_IRWXO */
249 mode &= bits_to_use;
250
251 /* check for R/W/X UGO since we do not know whose flags
252 is this but we have cleared all the bits sans RWX for
253 either user or group or other as per bits_to_use */
254 if (mode & S_IRUGO)
255 *pace_flags |= SET_FILE_READ_RIGHTS;
256 if (mode & S_IWUGO)
257 *pace_flags |= SET_FILE_WRITE_RIGHTS;
258 if (mode & S_IXUGO)
259 *pace_flags |= SET_FILE_EXEC_RIGHTS;
260
261 cFYI(DBG2, "mode: 0x%x, access flags now 0x%x", mode, *pace_flags);
262 return;
263 }
264
265 static __u16 fill_ace_for_sid(struct cifs_ace *pntace,
266 const struct cifs_sid *psid, __u64 nmode, umode_t bits)
267 {
268 int i;
269 __u16 size = 0;
270 __u32 access_req = 0;
271
272 pntace->type = ACCESS_ALLOWED;
273 pntace->flags = 0x0;
274 mode_to_access_flags(nmode, bits, &access_req);
275 if (!access_req)
276 access_req = SET_MINIMUM_RIGHTS;
277 pntace->access_req = cpu_to_le32(access_req);
278
279 pntace->sid.revision = psid->revision;
280 pntace->sid.num_subauth = psid->num_subauth;
281 for (i = 0; i < 6; i++)
282 pntace->sid.authority[i] = psid->authority[i];
283 for (i = 0; i < psid->num_subauth; i++)
284 pntace->sid.sub_auth[i] = psid->sub_auth[i];
285
286 size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth * 4);
287 pntace->size = cpu_to_le16(size);
288
289 return size;
290 }
291
292
293 #ifdef CONFIG_CIFS_DEBUG2
294 static void dump_ace(struct cifs_ace *pace, char *end_of_acl)
295 {
296 int num_subauth;
297
298 /* validate that we do not go past end of acl */
299
300 if (le16_to_cpu(pace->size) < 16) {
301 cERROR(1, "ACE too small %d", le16_to_cpu(pace->size));
302 return;
303 }
304
305 if (end_of_acl < (char *)pace + le16_to_cpu(pace->size)) {
306 cERROR(1, "ACL too small to parse ACE");
307 return;
308 }
309
310 num_subauth = pace->sid.num_subauth;
311 if (num_subauth) {
312 int i;
313 cFYI(1, "ACE revision %d num_auth %d type %d flags %d size %d",
314 pace->sid.revision, pace->sid.num_subauth, pace->type,
315 pace->flags, le16_to_cpu(pace->size));
316 for (i = 0; i < num_subauth; ++i) {
317 cFYI(1, "ACE sub_auth[%d]: 0x%x", i,
318 le32_to_cpu(pace->sid.sub_auth[i]));
319 }
320
321 /* BB add length check to make sure that we do not have huge
322 num auths and therefore go off the end */
323 }
324
325 return;
326 }
327 #endif
328
329
330 static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
331 struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
332 struct cifs_fattr *fattr)
333 {
334 int i;
335 int num_aces = 0;
336 int acl_size;
337 char *acl_base;
338 struct cifs_ace **ppace;
339
340 /* BB need to add parm so we can store the SID BB */
341
342 if (!pdacl) {
343 /* no DACL in the security descriptor, set
344 all the permissions for user/group/other */
345 fattr->cf_mode |= S_IRWXUGO;
346 return;
347 }
348
349 /* validate that we do not go past end of acl */
350 if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
351 cERROR(1, "ACL too small to parse DACL");
352 return;
353 }
354
355 cFYI(DBG2, "DACL revision %d size %d num aces %d",
356 le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
357 le32_to_cpu(pdacl->num_aces));
358
359 /* reset rwx permissions for user/group/other.
360 Also, if num_aces is 0 i.e. DACL has no ACEs,
361 user/group/other have no permissions */
362 fattr->cf_mode &= ~(S_IRWXUGO);
363
364 acl_base = (char *)pdacl;
365 acl_size = sizeof(struct cifs_acl);
366
367 num_aces = le32_to_cpu(pdacl->num_aces);
368 if (num_aces > 0) {
369 umode_t user_mask = S_IRWXU;
370 umode_t group_mask = S_IRWXG;
371 umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
372
373 ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
374 GFP_KERNEL);
375
376 for (i = 0; i < num_aces; ++i) {
377 ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
378 #ifdef CONFIG_CIFS_DEBUG2
379 dump_ace(ppace[i], end_of_acl);
380 #endif
381 if (compare_sids(&(ppace[i]->sid), pownersid))
382 access_flags_to_mode(ppace[i]->access_req,
383 ppace[i]->type,
384 &fattr->cf_mode,
385 &user_mask);
386 if (compare_sids(&(ppace[i]->sid), pgrpsid))
387 access_flags_to_mode(ppace[i]->access_req,
388 ppace[i]->type,
389 &fattr->cf_mode,
390 &group_mask);
391 if (compare_sids(&(ppace[i]->sid), &sid_everyone))
392 access_flags_to_mode(ppace[i]->access_req,
393 ppace[i]->type,
394 &fattr->cf_mode,
395 &other_mask);
396 if (compare_sids(&(ppace[i]->sid), &sid_authusers))
397 access_flags_to_mode(ppace[i]->access_req,
398 ppace[i]->type,
399 &fattr->cf_mode,
400 &other_mask);
401
402
403 /* memcpy((void *)(&(cifscred->aces[i])),
404 (void *)ppace[i],
405 sizeof(struct cifs_ace)); */
406
407 acl_base = (char *)ppace[i];
408 acl_size = le16_to_cpu(ppace[i]->size);
409 }
410
411 kfree(ppace);
412 }
413
414 return;
415 }
416
417
418 static int set_chmod_dacl(struct cifs_acl *pndacl, struct cifs_sid *pownersid,
419 struct cifs_sid *pgrpsid, __u64 nmode)
420 {
421 u16 size = 0;
422 struct cifs_acl *pnndacl;
423
424 pnndacl = (struct cifs_acl *)((char *)pndacl + sizeof(struct cifs_acl));
425
426 size += fill_ace_for_sid((struct cifs_ace *) ((char *)pnndacl + size),
427 pownersid, nmode, S_IRWXU);
428 size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
429 pgrpsid, nmode, S_IRWXG);
430 size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
431 &sid_everyone, nmode, S_IRWXO);
432
433 pndacl->size = cpu_to_le16(size + sizeof(struct cifs_acl));
434 pndacl->num_aces = cpu_to_le32(3);
435
436 return 0;
437 }
438
439
440 static int parse_sid(struct cifs_sid *psid, char *end_of_acl)
441 {
442 /* BB need to add parm so we can store the SID BB */
443
444 /* validate that we do not go past end of ACL - sid must be at least 8
445 bytes long (assuming no sub-auths - e.g. the null SID */
446 if (end_of_acl < (char *)psid + 8) {
447 cERROR(1, "ACL too small to parse SID %p", psid);
448 return -EINVAL;
449 }
450
451 if (psid->num_subauth) {
452 #ifdef CONFIG_CIFS_DEBUG2
453 int i;
454 cFYI(1, "SID revision %d num_auth %d",
455 psid->revision, psid->num_subauth);
456
457 for (i = 0; i < psid->num_subauth; i++) {
458 cFYI(1, "SID sub_auth[%d]: 0x%x ", i,
459 le32_to_cpu(psid->sub_auth[i]));
460 }
461
462 /* BB add length check to make sure that we do not have huge
463 num auths and therefore go off the end */
464 cFYI(1, "RID 0x%x",
465 le32_to_cpu(psid->sub_auth[psid->num_subauth-1]));
466 #endif
467 }
468
469 return 0;
470 }
471
472
473 /* Convert CIFS ACL to POSIX form */
474 static int parse_sec_desc(struct cifs_ntsd *pntsd, int acl_len,
475 struct cifs_fattr *fattr)
476 {
477 int rc;
478 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
479 struct cifs_acl *dacl_ptr; /* no need for SACL ptr */
480 char *end_of_acl = ((char *)pntsd) + acl_len;
481 __u32 dacloffset;
482
483 if (pntsd == NULL)
484 return -EIO;
485
486 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
487 le32_to_cpu(pntsd->osidoffset));
488 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
489 le32_to_cpu(pntsd->gsidoffset));
490 dacloffset = le32_to_cpu(pntsd->dacloffset);
491 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
492 cFYI(DBG2, "revision %d type 0x%x ooffset 0x%x goffset 0x%x "
493 "sacloffset 0x%x dacloffset 0x%x",
494 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
495 le32_to_cpu(pntsd->gsidoffset),
496 le32_to_cpu(pntsd->sacloffset), dacloffset);
497 /* cifs_dump_mem("owner_sid: ", owner_sid_ptr, 64); */
498 rc = parse_sid(owner_sid_ptr, end_of_acl);
499 if (rc)
500 return rc;
501
502 rc = parse_sid(group_sid_ptr, end_of_acl);
503 if (rc)
504 return rc;
505
506 if (dacloffset)
507 parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
508 group_sid_ptr, fattr);
509 else
510 cFYI(1, "no ACL"); /* BB grant all or default perms? */
511
512 /* cifscred->uid = owner_sid_ptr->rid;
513 cifscred->gid = group_sid_ptr->rid;
514 memcpy((void *)(&(cifscred->osid)), (void *)owner_sid_ptr,
515 sizeof(struct cifs_sid));
516 memcpy((void *)(&(cifscred->gsid)), (void *)group_sid_ptr,
517 sizeof(struct cifs_sid)); */
518
519 return 0;
520 }
521
522
523 /* Convert permission bits from mode to equivalent CIFS ACL */
524 static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
525 struct inode *inode, __u64 nmode)
526 {
527 int rc = 0;
528 __u32 dacloffset;
529 __u32 ndacloffset;
530 __u32 sidsoffset;
531 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
532 struct cifs_acl *dacl_ptr = NULL; /* no need for SACL ptr */
533 struct cifs_acl *ndacl_ptr = NULL; /* no need for SACL ptr */
534
535 if ((inode == NULL) || (pntsd == NULL) || (pnntsd == NULL))
536 return -EIO;
537
538 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
539 le32_to_cpu(pntsd->osidoffset));
540 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
541 le32_to_cpu(pntsd->gsidoffset));
542
543 dacloffset = le32_to_cpu(pntsd->dacloffset);
544 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
545
546 ndacloffset = sizeof(struct cifs_ntsd);
547 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset);
548 ndacl_ptr->revision = dacl_ptr->revision;
549 ndacl_ptr->size = 0;
550 ndacl_ptr->num_aces = 0;
551
552 rc = set_chmod_dacl(ndacl_ptr, owner_sid_ptr, group_sid_ptr, nmode);
553
554 sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size);
555
556 /* copy security descriptor control portion and owner and group sid */
557 copy_sec_desc(pntsd, pnntsd, sidsoffset);
558
559 return rc;
560 }
561
562 static struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb,
563 __u16 fid, u32 *pacllen)
564 {
565 struct cifs_ntsd *pntsd = NULL;
566 int xid, rc;
567 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
568
569 if (IS_ERR(tlink))
570 return ERR_CAST(tlink);
571
572 xid = GetXid();
573 rc = CIFSSMBGetCIFSACL(xid, tlink_tcon(tlink), fid, &pntsd, pacllen);
574 FreeXid(xid);
575
576 cifs_put_tlink(tlink);
577
578 cFYI(1, "%s: rc = %d ACL len %d", __func__, rc, *pacllen);
579 if (rc)
580 return ERR_PTR(rc);
581 return pntsd;
582 }
583
584 static struct cifs_ntsd *get_cifs_acl_by_path(struct cifs_sb_info *cifs_sb,
585 const char *path, u32 *pacllen)
586 {
587 struct cifs_ntsd *pntsd = NULL;
588 int oplock = 0;
589 int xid, rc;
590 __u16 fid;
591 struct cifsTconInfo *tcon;
592 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
593
594 if (IS_ERR(tlink))
595 return ERR_CAST(tlink);
596
597 tcon = tlink_tcon(tlink);
598 xid = GetXid();
599
600 rc = CIFSSMBOpen(xid, tcon, path, FILE_OPEN, READ_CONTROL, 0,
601 &fid, &oplock, NULL, cifs_sb->local_nls,
602 cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
603 if (!rc) {
604 rc = CIFSSMBGetCIFSACL(xid, tcon, fid, &pntsd, pacllen);
605 CIFSSMBClose(xid, tcon, fid);
606 }
607
608 cifs_put_tlink(tlink);
609 FreeXid(xid);
610
611 cFYI(1, "%s: rc = %d ACL len %d", __func__, rc, *pacllen);
612 if (rc)
613 return ERR_PTR(rc);
614 return pntsd;
615 }
616
617 /* Retrieve an ACL from the server */
618 struct cifs_ntsd *get_cifs_acl(struct cifs_sb_info *cifs_sb,
619 struct inode *inode, const char *path,
620 u32 *pacllen)
621 {
622 struct cifs_ntsd *pntsd = NULL;
623 struct cifsFileInfo *open_file = NULL;
624
625 if (inode)
626 open_file = find_readable_file(CIFS_I(inode), true);
627 if (!open_file)
628 return get_cifs_acl_by_path(cifs_sb, path, pacllen);
629
630 pntsd = get_cifs_acl_by_fid(cifs_sb, open_file->netfid, pacllen);
631 cifsFileInfo_put(open_file);
632 return pntsd;
633 }
634
635 static int set_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb, __u16 fid,
636 struct cifs_ntsd *pnntsd, u32 acllen)
637 {
638 int xid, rc;
639 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
640
641 if (IS_ERR(tlink))
642 return PTR_ERR(tlink);
643
644 xid = GetXid();
645 rc = CIFSSMBSetCIFSACL(xid, tlink_tcon(tlink), fid, pnntsd, acllen);
646 FreeXid(xid);
647 cifs_put_tlink(tlink);
648
649 cFYI(DBG2, "SetCIFSACL rc = %d", rc);
650 return rc;
651 }
652
653 static int set_cifs_acl_by_path(struct cifs_sb_info *cifs_sb, const char *path,
654 struct cifs_ntsd *pnntsd, u32 acllen)
655 {
656 int oplock = 0;
657 int xid, rc;
658 __u16 fid;
659 struct cifsTconInfo *tcon;
660 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
661
662 if (IS_ERR(tlink))
663 return PTR_ERR(tlink);
664
665 tcon = tlink_tcon(tlink);
666 xid = GetXid();
667
668 rc = CIFSSMBOpen(xid, tcon, path, FILE_OPEN, WRITE_DAC, 0,
669 &fid, &oplock, NULL, cifs_sb->local_nls,
670 cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
671 if (rc) {
672 cERROR(1, "Unable to open file to set ACL");
673 goto out;
674 }
675
676 rc = CIFSSMBSetCIFSACL(xid, tcon, fid, pnntsd, acllen);
677 cFYI(DBG2, "SetCIFSACL rc = %d", rc);
678
679 CIFSSMBClose(xid, tcon, fid);
680 out:
681 FreeXid(xid);
682 cifs_put_tlink(tlink);
683 return rc;
684 }
685
686 /* Set an ACL on the server */
687 static int set_cifs_acl(struct cifs_ntsd *pnntsd, __u32 acllen,
688 struct inode *inode, const char *path)
689 {
690 struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
691 struct cifsFileInfo *open_file;
692 int rc;
693
694 cFYI(DBG2, "set ACL for %s from mode 0x%x", path, inode->i_mode);
695
696 open_file = find_readable_file(CIFS_I(inode), true);
697 if (!open_file)
698 return set_cifs_acl_by_path(cifs_sb, path, pnntsd, acllen);
699
700 rc = set_cifs_acl_by_fid(cifs_sb, open_file->netfid, pnntsd, acllen);
701 cifsFileInfo_put(open_file);
702 return rc;
703 }
704
705 /* Translate the CIFS ACL (simlar to NTFS ACL) for a file into mode bits */
706 int
707 cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr,
708 struct inode *inode, const char *path, const __u16 *pfid)
709 {
710 struct cifs_ntsd *pntsd = NULL;
711 u32 acllen = 0;
712 int rc = 0;
713
714 cFYI(DBG2, "converting ACL to mode for %s", path);
715
716 if (pfid)
717 pntsd = get_cifs_acl_by_fid(cifs_sb, *pfid, &acllen);
718 else
719 pntsd = get_cifs_acl(cifs_sb, inode, path, &acllen);
720
721 /* if we can retrieve the ACL, now parse Access Control Entries, ACEs */
722 if (IS_ERR(pntsd)) {
723 rc = PTR_ERR(pntsd);
724 cERROR(1, "%s: error %d getting sec desc", __func__, rc);
725 } else {
726 rc = parse_sec_desc(pntsd, acllen, fattr);
727 kfree(pntsd);
728 if (rc)
729 cERROR(1, "parse sec desc failed rc = %d", rc);
730 }
731
732 return rc;
733 }
734
735 /* Convert mode bits to an ACL so we can update the ACL on the server */
736 int mode_to_cifs_acl(struct inode *inode, const char *path, __u64 nmode)
737 {
738 int rc = 0;
739 __u32 secdesclen = 0;
740 struct cifs_ntsd *pntsd = NULL; /* acl obtained from server */
741 struct cifs_ntsd *pnntsd = NULL; /* modified acl to be sent to server */
742
743 cFYI(DBG2, "set ACL from mode for %s", path);
744
745 /* Get the security descriptor */
746 pntsd = get_cifs_acl(CIFS_SB(inode->i_sb), inode, path, &secdesclen);
747
748 /* Add three ACEs for owner, group, everyone getting rid of
749 other ACEs as chmod disables ACEs and set the security descriptor */
750
751 if (IS_ERR(pntsd)) {
752 rc = PTR_ERR(pntsd);
753 cERROR(1, "%s: error %d getting sec desc", __func__, rc);
754 } else {
755 /* allocate memory for the smb header,
756 set security descriptor request security descriptor
757 parameters, and secuirty descriptor itself */
758
759 secdesclen = secdesclen < DEFSECDESCLEN ?
760 DEFSECDESCLEN : secdesclen;
761 pnntsd = kmalloc(secdesclen, GFP_KERNEL);
762 if (!pnntsd) {
763 cERROR(1, "Unable to allocate security descriptor");
764 kfree(pntsd);
765 return -ENOMEM;
766 }
767
768 rc = build_sec_desc(pntsd, pnntsd, inode, nmode);
769
770 cFYI(DBG2, "build_sec_desc rc: %d", rc);
771
772 if (!rc) {
773 /* Set the security descriptor */
774 rc = set_cifs_acl(pnntsd, secdesclen, inode, path);
775 cFYI(DBG2, "set_cifs_acl rc: %d", rc);
776 }
777
778 kfree(pnntsd);
779 kfree(pntsd);
780 }
781
782 return rc;
783 }
Linux 2.6 ibm-acpi/thinkpad-acpi driver git tree