diff options
Diffstat (limited to 'fs/ksmbd/smbacl.h')
-rw-r--r-- | fs/ksmbd/smbacl.h | 238 |
1 files changed, 0 insertions, 238 deletions
diff --git a/fs/ksmbd/smbacl.h b/fs/ksmbd/smbacl.h deleted file mode 100644 index 618f2e0236b3..000000000000 --- a/fs/ksmbd/smbacl.h +++ /dev/null @@ -1,238 +0,0 @@ -/* SPDX-License-Identifier: LGPL-2.1+ */ -/* - * Copyright (c) International Business Machines Corp., 2007 - * Author(s): Steve French (sfrench@us.ibm.com) - * Modified by Namjae Jeon (linkinjeon@kernel.org) - */ - -#ifndef _SMBACL_H -#define _SMBACL_H - -#include <linux/fs.h> -#include <linux/namei.h> -#include <linux/posix_acl.h> -#include <linux/mnt_idmapping.h> - -#include "mgmt/tree_connect.h" - -#define NUM_AUTHS (6) /* number of authority fields */ -#define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */ - -/* - * ACE types - see MS-DTYP 2.4.4.1 - */ -enum { - ACCESS_ALLOWED, - ACCESS_DENIED, -}; - -/* - * Security ID types - */ -enum { - SIDOWNER = 1, - SIDGROUP, - SIDCREATOR_OWNER, - SIDCREATOR_GROUP, - SIDUNIX_USER, - SIDUNIX_GROUP, - SIDNFS_USER, - SIDNFS_GROUP, - SIDNFS_MODE, -}; - -/* Revision for ACLs */ -#define SD_REVISION 1 - -/* Control flags for Security Descriptor */ -#define OWNER_DEFAULTED 0x0001 -#define GROUP_DEFAULTED 0x0002 -#define DACL_PRESENT 0x0004 -#define DACL_DEFAULTED 0x0008 -#define SACL_PRESENT 0x0010 -#define SACL_DEFAULTED 0x0020 -#define DACL_TRUSTED 0x0040 -#define SERVER_SECURITY 0x0080 -#define DACL_AUTO_INHERIT_REQ 0x0100 -#define SACL_AUTO_INHERIT_REQ 0x0200 -#define DACL_AUTO_INHERITED 0x0400 -#define SACL_AUTO_INHERITED 0x0800 -#define DACL_PROTECTED 0x1000 -#define SACL_PROTECTED 0x2000 -#define RM_CONTROL_VALID 0x4000 -#define SELF_RELATIVE 0x8000 - -/* ACE types - see MS-DTYP 2.4.4.1 */ -#define ACCESS_ALLOWED_ACE_TYPE 0x00 -#define ACCESS_DENIED_ACE_TYPE 0x01 -#define SYSTEM_AUDIT_ACE_TYPE 0x02 -#define SYSTEM_ALARM_ACE_TYPE 0x03 -#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04 -#define ACCESS_ALLOWED_OBJECT_ACE_TYPE 0x05 -#define ACCESS_DENIED_OBJECT_ACE_TYPE 0x06 -#define SYSTEM_AUDIT_OBJECT_ACE_TYPE 0x07 -#define SYSTEM_ALARM_OBJECT_ACE_TYPE 0x08 -#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09 -#define ACCESS_DENIED_CALLBACK_ACE_TYPE 0x0A -#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B -#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE 0x0C -#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE 0x0D -#define SYSTEM_ALARM_CALLBACK_ACE_TYPE 0x0E /* Reserved */ -#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F -#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */ -#define SYSTEM_MANDATORY_LABEL_ACE_TYPE 0x11 -#define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12 -#define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13 - -/* ACE flags */ -#define OBJECT_INHERIT_ACE 0x01 -#define CONTAINER_INHERIT_ACE 0x02 -#define NO_PROPAGATE_INHERIT_ACE 0x04 -#define INHERIT_ONLY_ACE 0x08 -#define INHERITED_ACE 0x10 -#define SUCCESSFUL_ACCESS_ACE_FLAG 0x40 -#define FAILED_ACCESS_ACE_FLAG 0x80 - -/* - * Maximum size of a string representation of a SID: - * - * The fields are unsigned values in decimal. So: - * - * u8: max 3 bytes in decimal - * u32: max 10 bytes in decimal - * - * "S-" + 3 bytes for version field + 15 for authority field + NULL terminator - * - * For authority field, max is when all 6 values are non-zero and it must be - * represented in hex. So "-0x" + 12 hex digits. - * - * Add 11 bytes for each subauthority field (10 bytes each + 1 for '-') - */ -#define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1) -#define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */ - -#define DOMAIN_USER_RID_LE cpu_to_le32(513) - -struct ksmbd_conn; - -struct smb_ntsd { - __le16 revision; /* revision level */ - __le16 type; - __le32 osidoffset; - __le32 gsidoffset; - __le32 sacloffset; - __le32 dacloffset; -} __packed; - -struct smb_sid { - __u8 revision; /* revision level */ - __u8 num_subauth; - __u8 authority[NUM_AUTHS]; - __le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */ -} __packed; - -/* size of a struct cifs_sid, sans sub_auth array */ -#define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS) - -struct smb_acl { - __le16 revision; /* revision level */ - __le16 size; - __le32 num_aces; -} __packed; - -struct smb_ace { - __u8 type; - __u8 flags; - __le16 size; - __le32 access_req; - struct smb_sid sid; /* ie UUID of user or group who gets these perms */ -} __packed; - -struct smb_fattr { - kuid_t cf_uid; - kgid_t cf_gid; - umode_t cf_mode; - __le32 daccess; - struct posix_acl *cf_acls; - struct posix_acl *cf_dacls; -}; - -struct posix_ace_state { - u32 allow; - u32 deny; -}; - -struct posix_user_ace_state { - union { - kuid_t uid; - kgid_t gid; - }; - struct posix_ace_state perms; -}; - -struct posix_ace_state_array { - int n; - struct posix_user_ace_state aces[]; -}; - -/* - * while processing the nfsv4 ace, this maintains the partial permissions - * calculated so far: - */ - -struct posix_acl_state { - struct posix_ace_state owner; - struct posix_ace_state group; - struct posix_ace_state other; - struct posix_ace_state everyone; - struct posix_ace_state mask; /* deny unused in this case */ - struct posix_ace_state_array *users; - struct posix_ace_state_array *groups; -}; - -int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, - int acl_len, struct smb_fattr *fattr); -int build_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, - struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info, - __u32 *secdesclen, struct smb_fattr *fattr); -int init_acl_state(struct posix_acl_state *state, int cnt); -void free_acl_state(struct posix_acl_state *state); -void posix_state_to_acl(struct posix_acl_state *state, - struct posix_acl_entry *pace); -int compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid); -bool smb_inherit_flags(int flags, bool is_dir); -int smb_inherit_dacl(struct ksmbd_conn *conn, const struct path *path, - unsigned int uid, unsigned int gid); -int smb_check_perm_dacl(struct ksmbd_conn *conn, const struct path *path, - __le32 *pdaccess, int uid); -int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon, - const struct path *path, struct smb_ntsd *pntsd, int ntsd_len, - bool type_check); -void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid); -void ksmbd_init_domain(u32 *sub_auth); - -static inline uid_t posix_acl_uid_translate(struct user_namespace *mnt_userns, - struct posix_acl_entry *pace) -{ - vfsuid_t vfsuid; - - /* If this is an idmapped mount, apply the idmapping. */ - vfsuid = make_vfsuid(mnt_userns, &init_user_ns, pace->e_uid); - - /* Translate the kuid into a userspace id ksmbd would see. */ - return from_kuid(&init_user_ns, vfsuid_into_kuid(vfsuid)); -} - -static inline gid_t posix_acl_gid_translate(struct user_namespace *mnt_userns, - struct posix_acl_entry *pace) -{ - vfsgid_t vfsgid; - - /* If this is an idmapped mount, apply the idmapping. */ - vfsgid = make_vfsgid(mnt_userns, &init_user_ns, pace->e_gid); - - /* Translate the kgid into a userspace id ksmbd would see. */ - return from_kgid(&init_user_ns, vfsgid_into_kgid(vfsgid)); -} - -#endif /* _SMBACL_H */ |