1
2
3
4
5
6
7
8
9
10
11#include <linux/fs.h>
12#include <linux/slab.h>
13#include <linux/string.h>
14#include <linux/keyctl.h>
15#include <linux/key-type.h>
16#include <keys/user-type.h>
17#include "cifspdu.h"
18#include "cifsglob.h"
19#include "cifsacl.h"
20#include "cifsproto.h"
21#include "cifs_debug.h"
22#include "fs_context.h"
23
24
25static const struct cifs_sid sid_everyone = {
26 1, 1, {0, 0, 0, 0, 0, 1}, {0} };
27
28static const struct cifs_sid sid_authusers = {
29 1, 1, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(11)} };
30
31
32static const struct cifs_sid sid_unix_users = {1, 1, {0, 0, 0, 0, 0, 22},
33 {cpu_to_le32(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
34
35
36static const struct cifs_sid sid_unix_groups = { 1, 1, {0, 0, 0, 0, 0, 22},
37 {cpu_to_le32(2), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
38
39
40
41
42
43
44
45
46static const struct cifs_sid sid_unix_NFS_users = { 1, 2, {0, 0, 0, 0, 0, 5},
47 {cpu_to_le32(88),
48 cpu_to_le32(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
49
50
51static const struct cifs_sid sid_unix_NFS_groups = { 1, 2, {0, 0, 0, 0, 0, 5},
52 {cpu_to_le32(88),
53 cpu_to_le32(2), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
54
55
56static const struct cifs_sid sid_unix_NFS_mode = { 1, 2, {0, 0, 0, 0, 0, 5},
57 {cpu_to_le32(88),
58 cpu_to_le32(3), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
59
60static const struct cred *root_cred;
61
62static int
63cifs_idmap_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
64{
65 char *payload;
66
67
68
69
70
71
72
73
74
75 if (prep->datalen <= sizeof(key->payload)) {
76 key->payload.data[0] = NULL;
77 memcpy(&key->payload, prep->data, prep->datalen);
78 } else {
79 payload = kmemdup(prep->data, prep->datalen, GFP_KERNEL);
80 if (!payload)
81 return -ENOMEM;
82 key->payload.data[0] = payload;
83 }
84
85 key->datalen = prep->datalen;
86 return 0;
87}
88
89static inline void
90cifs_idmap_key_destroy(struct key *key)
91{
92 if (key->datalen > sizeof(key->payload))
93 kfree(key->payload.data[0]);
94}
95
96static struct key_type cifs_idmap_key_type = {
97 .name = "cifs.idmap",
98 .instantiate = cifs_idmap_key_instantiate,
99 .destroy = cifs_idmap_key_destroy,
100 .describe = user_describe,
101};
102
103static char *
104sid_to_key_str(struct cifs_sid *sidptr, unsigned int type)
105{
106 int i, len;
107 unsigned int saval;
108 char *sidstr, *strptr;
109 unsigned long long id_auth_val;
110
111
112 sidstr = kmalloc(3 + SID_STRING_BASE_SIZE +
113 (SID_STRING_SUBAUTH_SIZE * sidptr->num_subauth),
114 GFP_KERNEL);
115 if (!sidstr)
116 return sidstr;
117
118 strptr = sidstr;
119 len = sprintf(strptr, "%cs:S-%hhu", type == SIDOWNER ? 'o' : 'g',
120 sidptr->revision);
121 strptr += len;
122
123
124 id_auth_val = (unsigned long long)sidptr->authority[5];
125 id_auth_val |= (unsigned long long)sidptr->authority[4] << 8;
126 id_auth_val |= (unsigned long long)sidptr->authority[3] << 16;
127 id_auth_val |= (unsigned long long)sidptr->authority[2] << 24;
128 id_auth_val |= (unsigned long long)sidptr->authority[1] << 32;
129 id_auth_val |= (unsigned long long)sidptr->authority[0] << 48;
130
131
132
133
134
135 if (id_auth_val <= UINT_MAX)
136 len = sprintf(strptr, "-%llu", id_auth_val);
137 else
138 len = sprintf(strptr, "-0x%llx", id_auth_val);
139
140 strptr += len;
141
142 for (i = 0; i < sidptr->num_subauth; ++i) {
143 saval = le32_to_cpu(sidptr->sub_auth[i]);
144 len = sprintf(strptr, "-%u", saval);
145 strptr += len;
146 }
147
148 return sidstr;
149}
150
151
152
153
154
155static int
156compare_sids(const struct cifs_sid *ctsid, const struct cifs_sid *cwsid)
157{
158 int i;
159 int num_subauth, num_sat, num_saw;
160
161 if ((!ctsid) || (!cwsid))
162 return 1;
163
164
165 if (ctsid->revision != cwsid->revision) {
166 if (ctsid->revision > cwsid->revision)
167 return 1;
168 else
169 return -1;
170 }
171
172
173 for (i = 0; i < NUM_AUTHS; ++i) {
174 if (ctsid->authority[i] != cwsid->authority[i]) {
175 if (ctsid->authority[i] > cwsid->authority[i])
176 return 1;
177 else
178 return -1;
179 }
180 }
181
182
183 num_sat = ctsid->num_subauth;
184 num_saw = cwsid->num_subauth;
185 num_subauth = num_sat < num_saw ? num_sat : num_saw;
186 if (num_subauth) {
187 for (i = 0; i < num_subauth; ++i) {
188 if (ctsid->sub_auth[i] != cwsid->sub_auth[i]) {
189 if (le32_to_cpu(ctsid->sub_auth[i]) >
190 le32_to_cpu(cwsid->sub_auth[i]))
191 return 1;
192 else
193 return -1;
194 }
195 }
196 }
197
198 return 0;
199}
200
201static bool
202is_well_known_sid(const struct cifs_sid *psid, uint32_t *puid, bool is_group)
203{
204 int i;
205 int num_subauth;
206 const struct cifs_sid *pwell_known_sid;
207
208 if (!psid || (puid == NULL))
209 return false;
210
211 num_subauth = psid->num_subauth;
212
213
214 if (num_subauth == 2) {
215 if (is_group)
216 pwell_known_sid = &sid_unix_groups;
217 else
218 pwell_known_sid = &sid_unix_users;
219 } else if (num_subauth == 3) {
220 if (is_group)
221 pwell_known_sid = &sid_unix_NFS_groups;
222 else
223 pwell_known_sid = &sid_unix_NFS_users;
224 } else
225 return false;
226
227
228 if (psid->revision != pwell_known_sid->revision)
229 return false;
230
231
232 for (i = 0; i < NUM_AUTHS; ++i) {
233 if (psid->authority[i] != pwell_known_sid->authority[i]) {
234 cifs_dbg(FYI, "auth %d did not match\n", i);
235 return false;
236 }
237 }
238
239 if (num_subauth == 2) {
240 if (psid->sub_auth[0] != pwell_known_sid->sub_auth[0])
241 return false;
242
243 *puid = le32_to_cpu(psid->sub_auth[1]);
244 } else {
245 *puid = le32_to_cpu(psid->sub_auth[0]);
246 if ((psid->sub_auth[0] != pwell_known_sid->sub_auth[0]) ||
247 (psid->sub_auth[1] != pwell_known_sid->sub_auth[1]))
248 return false;
249
250 *puid = le32_to_cpu(psid->sub_auth[2]);
251 }
252
253 cifs_dbg(FYI, "Unix UID %d returned from SID\n", *puid);
254 return true;
255}
256
257static __u16
258cifs_copy_sid(struct cifs_sid *dst, const struct cifs_sid *src)
259{
260 int i;
261 __u16 size = 1 + 1 + 6;
262
263 dst->revision = src->revision;
264 dst->num_subauth = min_t(u8, src->num_subauth, SID_MAX_SUB_AUTHORITIES);
265 for (i = 0; i < NUM_AUTHS; ++i)
266 dst->authority[i] = src->authority[i];
267 for (i = 0; i < dst->num_subauth; ++i)
268 dst->sub_auth[i] = src->sub_auth[i];
269 size += (dst->num_subauth * 4);
270
271 return size;
272}
273
274static int
275id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid)
276{
277 int rc;
278 struct key *sidkey;
279 struct cifs_sid *ksid;
280 unsigned int ksid_size;
281 char desc[3 + 10 + 1];
282 const struct cred *saved_cred;
283
284 rc = snprintf(desc, sizeof(desc), "%ci:%u",
285 sidtype == SIDOWNER ? 'o' : 'g', cid);
286 if (rc >= sizeof(desc))
287 return -EINVAL;
288
289 rc = 0;
290 saved_cred = override_creds(root_cred);
291 sidkey = request_key(&cifs_idmap_key_type, desc, "");
292 if (IS_ERR(sidkey)) {
293 rc = -EINVAL;
294 cifs_dbg(FYI, "%s: Can't map %cid %u to a SID\n",
295 __func__, sidtype == SIDOWNER ? 'u' : 'g', cid);
296 goto out_revert_creds;
297 } else if (sidkey->datalen < CIFS_SID_BASE_SIZE) {
298 rc = -EIO;
299 cifs_dbg(FYI, "%s: Downcall contained malformed key (datalen=%hu)\n",
300 __func__, sidkey->datalen);
301 goto invalidate_key;
302 }
303
304
305
306
307
308
309 ksid = sidkey->datalen <= sizeof(sidkey->payload) ?
310 (struct cifs_sid *)&sidkey->payload :
311 (struct cifs_sid *)sidkey->payload.data[0];
312
313 ksid_size = CIFS_SID_BASE_SIZE + (ksid->num_subauth * sizeof(__le32));
314 if (ksid_size > sidkey->datalen) {
315 rc = -EIO;
316 cifs_dbg(FYI, "%s: Downcall contained malformed key (datalen=%hu, ksid_size=%u)\n",
317 __func__, sidkey->datalen, ksid_size);
318 goto invalidate_key;
319 }
320
321 cifs_copy_sid(ssid, ksid);
322out_key_put:
323 key_put(sidkey);
324out_revert_creds:
325 revert_creds(saved_cred);
326 return rc;
327
328invalidate_key:
329 key_invalidate(sidkey);
330 goto out_key_put;
331}
332
333int
334sid_to_id(struct cifs_sb_info *cifs_sb, struct cifs_sid *psid,
335 struct cifs_fattr *fattr, uint sidtype)
336{
337 int rc = 0;
338 struct key *sidkey;
339 char *sidstr;
340 const struct cred *saved_cred;
341 kuid_t fuid = cifs_sb->ctx->linux_uid;
342 kgid_t fgid = cifs_sb->ctx->linux_gid;
343
344
345
346
347
348 if (unlikely(psid->num_subauth > SID_MAX_SUB_AUTHORITIES)) {
349 cifs_dbg(FYI, "%s: %u subauthorities is too many!\n",
350 __func__, psid->num_subauth);
351 return -EIO;
352 }
353
354 if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UID_FROM_ACL) ||
355 (cifs_sb_master_tcon(cifs_sb)->posix_extensions)) {
356 uint32_t unix_id;
357 bool is_group;
358
359 if (sidtype != SIDOWNER)
360 is_group = true;
361 else
362 is_group = false;
363
364 if (is_well_known_sid(psid, &unix_id, is_group) == false)
365 goto try_upcall_to_get_id;
366
367 if (is_group) {
368 kgid_t gid;
369 gid_t id;
370
371 id = (gid_t)unix_id;
372 gid = make_kgid(&init_user_ns, id);
373 if (gid_valid(gid)) {
374 fgid = gid;
375 goto got_valid_id;
376 }
377 } else {
378 kuid_t uid;
379 uid_t id;
380
381 id = (uid_t)unix_id;
382 uid = make_kuid(&init_user_ns, id);
383 if (uid_valid(uid)) {
384 fuid = uid;
385 goto got_valid_id;
386 }
387 }
388
389 }
390
391try_upcall_to_get_id:
392 sidstr = sid_to_key_str(psid, sidtype);
393 if (!sidstr)
394 return -ENOMEM;
395
396 saved_cred = override_creds(root_cred);
397 sidkey = request_key(&cifs_idmap_key_type, sidstr, "");
398 if (IS_ERR(sidkey)) {
399 cifs_dbg(FYI, "%s: Can't map SID %s to a %cid\n",
400 __func__, sidstr, sidtype == SIDOWNER ? 'u' : 'g');
401 goto out_revert_creds;
402 }
403
404
405
406
407
408
409 BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t));
410 if (sidkey->datalen != sizeof(uid_t)) {
411 cifs_dbg(FYI, "%s: Downcall contained malformed key (datalen=%hu)\n",
412 __func__, sidkey->datalen);
413 key_invalidate(sidkey);
414 goto out_key_put;
415 }
416
417 if (sidtype == SIDOWNER) {
418 kuid_t uid;
419 uid_t id;
420 memcpy(&id, &sidkey->payload.data[0], sizeof(uid_t));
421 uid = make_kuid(&init_user_ns, id);
422 if (uid_valid(uid))
423 fuid = uid;
424 } else {
425 kgid_t gid;
426 gid_t id;
427 memcpy(&id, &sidkey->payload.data[0], sizeof(gid_t));
428 gid = make_kgid(&init_user_ns, id);
429 if (gid_valid(gid))
430 fgid = gid;
431 }
432
433out_key_put:
434 key_put(sidkey);
435out_revert_creds:
436 revert_creds(saved_cred);
437 kfree(sidstr);
438
439
440
441
442
443got_valid_id:
444 rc = 0;
445 if (sidtype == SIDOWNER)
446 fattr->cf_uid = fuid;
447 else
448 fattr->cf_gid = fgid;
449 return rc;
450}
451
452int
453init_cifs_idmap(void)
454{
455 struct cred *cred;
456 struct key *keyring;
457 int ret;
458
459 cifs_dbg(FYI, "Registering the %s key type\n",
460 cifs_idmap_key_type.name);
461
462
463
464
465
466
467
468 cred = prepare_kernel_cred(NULL);
469 if (!cred)
470 return -ENOMEM;
471
472 keyring = keyring_alloc(".cifs_idmap",
473 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
474 (KEY_POS_ALL & ~KEY_POS_SETATTR) |
475 KEY_USR_VIEW | KEY_USR_READ,
476 KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
477 if (IS_ERR(keyring)) {
478 ret = PTR_ERR(keyring);
479 goto failed_put_cred;
480 }
481
482 ret = register_key_type(&cifs_idmap_key_type);
483 if (ret < 0)
484 goto failed_put_key;
485
486
487
488 set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
489 cred->thread_keyring = keyring;
490 cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
491 root_cred = cred;
492
493 cifs_dbg(FYI, "cifs idmap keyring: %d\n", key_serial(keyring));
494 return 0;
495
496failed_put_key:
497 key_put(keyring);
498failed_put_cred:
499 put_cred(cred);
500 return ret;
501}
502
503void
504exit_cifs_idmap(void)
505{
506 key_revoke(root_cred->thread_keyring);
507 unregister_key_type(&cifs_idmap_key_type);
508 put_cred(root_cred);
509 cifs_dbg(FYI, "Unregistered %s key type\n", cifs_idmap_key_type.name);
510}
511
512
513static __u32 copy_sec_desc(const struct cifs_ntsd *pntsd,
514 struct cifs_ntsd *pnntsd,
515 __u32 sidsoffset,
516 struct cifs_sid *pownersid,
517 struct cifs_sid *pgrpsid)
518{
519 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
520 struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr;
521
522
523 pnntsd->revision = pntsd->revision;
524 pnntsd->type = pntsd->type;
525 pnntsd->dacloffset = cpu_to_le32(sizeof(struct cifs_ntsd));
526 pnntsd->sacloffset = 0;
527 pnntsd->osidoffset = cpu_to_le32(sidsoffset);
528 pnntsd->gsidoffset = cpu_to_le32(sidsoffset + sizeof(struct cifs_sid));
529
530
531 if (pownersid)
532 owner_sid_ptr = pownersid;
533 else
534 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
535 le32_to_cpu(pntsd->osidoffset));
536 nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset);
537 cifs_copy_sid(nowner_sid_ptr, owner_sid_ptr);
538
539
540 if (pgrpsid)
541 group_sid_ptr = pgrpsid;
542 else
543 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
544 le32_to_cpu(pntsd->gsidoffset));
545 ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset +
546 sizeof(struct cifs_sid));
547 cifs_copy_sid(ngroup_sid_ptr, group_sid_ptr);
548
549 return sidsoffset + (2 * sizeof(struct cifs_sid));
550}
551
552
553
554
555
556
557
558static void access_flags_to_mode(__le32 ace_flags, int type, umode_t *pmode,
559 umode_t *pdenied, umode_t mask)
560{
561 __u32 flags = le32_to_cpu(ace_flags);
562
563
564
565
566
567
568
569
570 if (type == ACCESS_DENIED) {
571 if (flags & GENERIC_ALL &&
572 !(*pmode & mask & 0777))
573 *pdenied |= mask & 0777;
574
575 if (((flags & GENERIC_WRITE) ||
576 ((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS)) &&
577 !(*pmode & mask & 0222))
578 *pdenied |= mask & 0222;
579
580 if (((flags & GENERIC_READ) ||
581 ((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS)) &&
582 !(*pmode & mask & 0444))
583 *pdenied |= mask & 0444;
584
585 if (((flags & GENERIC_EXECUTE) ||
586 ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS)) &&
587 !(*pmode & mask & 0111))
588 *pdenied |= mask & 0111;
589
590 return;
591 } else if (type != ACCESS_ALLOWED) {
592 cifs_dbg(VFS, "unknown access control type %d\n", type);
593 return;
594 }
595
596
597 if ((flags & GENERIC_ALL) &&
598 !(*pdenied & mask & 0777)) {
599 *pmode |= mask & 0777;
600 cifs_dbg(NOISY, "all perms\n");
601 return;
602 }
603
604 if (((flags & GENERIC_WRITE) ||
605 ((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS)) &&
606 !(*pdenied & mask & 0222))
607 *pmode |= mask & 0222;
608
609 if (((flags & GENERIC_READ) ||
610 ((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS)) &&
611 !(*pdenied & mask & 0444))
612 *pmode |= mask & 0444;
613
614 if (((flags & GENERIC_EXECUTE) ||
615 ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS)) &&
616 !(*pdenied & mask & 0111))
617 *pmode |= mask & 0111;
618
619
620 if (flags & FILE_DELETE_CHILD) {
621 if (mask == ACL_OWNER_MASK) {
622 if (!(*pdenied & 01000))
623 *pmode |= 01000;
624 } else if (!(*pdenied & 01000)) {
625 *pmode &= ~01000;
626 *pdenied |= 01000;
627 }
628 }
629
630 cifs_dbg(NOISY, "access flags 0x%x mode now %04o\n", flags, *pmode);
631 return;
632}
633
634
635
636
637
638
639
640static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
641 __u32 *pace_flags)
642{
643
644 *pace_flags = 0x0;
645
646
647 mode &= bits_to_use;
648
649
650
651
652 if (mode & S_IRUGO)
653 *pace_flags |= SET_FILE_READ_RIGHTS;
654 if (mode & S_IWUGO)
655 *pace_flags |= SET_FILE_WRITE_RIGHTS;
656 if (mode & S_IXUGO)
657 *pace_flags |= SET_FILE_EXEC_RIGHTS;
658
659 cifs_dbg(NOISY, "mode: %04o, access flags now 0x%x\n",
660 mode, *pace_flags);
661 return;
662}
663
664static __u16 cifs_copy_ace(struct cifs_ace *dst, struct cifs_ace *src, struct cifs_sid *psid)
665{
666 __u16 size = 1 + 1 + 2 + 4;
667
668 dst->type = src->type;
669 dst->flags = src->flags;
670 dst->access_req = src->access_req;
671
672
673 if (psid)
674 size += cifs_copy_sid(&dst->sid, psid);
675 else
676 size += cifs_copy_sid(&dst->sid, &src->sid);
677
678 dst->size = cpu_to_le16(size);
679
680 return size;
681}
682
683static __u16 fill_ace_for_sid(struct cifs_ace *pntace,
684 const struct cifs_sid *psid, __u64 nmode,
685 umode_t bits, __u8 access_type,
686 bool allow_delete_child)
687{
688 int i;
689 __u16 size = 0;
690 __u32 access_req = 0;
691
692 pntace->type = access_type;
693 pntace->flags = 0x0;
694 mode_to_access_flags(nmode, bits, &access_req);
695
696 if (access_type == ACCESS_ALLOWED && allow_delete_child)
697 access_req |= FILE_DELETE_CHILD;
698
699 if (access_type == ACCESS_ALLOWED && !access_req)
700 access_req = SET_MINIMUM_RIGHTS;
701 else if (access_type == ACCESS_DENIED)
702 access_req &= ~SET_MINIMUM_RIGHTS;
703
704 pntace->access_req = cpu_to_le32(access_req);
705
706 pntace->sid.revision = psid->revision;
707 pntace->sid.num_subauth = psid->num_subauth;
708 for (i = 0; i < NUM_AUTHS; i++)
709 pntace->sid.authority[i] = psid->authority[i];
710 for (i = 0; i < psid->num_subauth; i++)
711 pntace->sid.sub_auth[i] = psid->sub_auth[i];
712
713 size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth * 4);
714 pntace->size = cpu_to_le16(size);
715
716 return size;
717}
718
719
720#ifdef CONFIG_CIFS_DEBUG2
721static void dump_ace(struct cifs_ace *pace, char *end_of_acl)
722{
723 int num_subauth;
724
725
726
727 if (le16_to_cpu(pace->size) < 16) {
728 cifs_dbg(VFS, "ACE too small %d\n", le16_to_cpu(pace->size));
729 return;
730 }
731
732 if (end_of_acl < (char *)pace + le16_to_cpu(pace->size)) {
733 cifs_dbg(VFS, "ACL too small to parse ACE\n");
734 return;
735 }
736
737 num_subauth = pace->sid.num_subauth;
738 if (num_subauth) {
739 int i;
740 cifs_dbg(FYI, "ACE revision %d num_auth %d type %d flags %d size %d\n",
741 pace->sid.revision, pace->sid.num_subauth, pace->type,
742 pace->flags, le16_to_cpu(pace->size));
743 for (i = 0; i < num_subauth; ++i) {
744 cifs_dbg(FYI, "ACE sub_auth[%d]: 0x%x\n",
745 i, le32_to_cpu(pace->sid.sub_auth[i]));
746 }
747
748
749
750 }
751
752 return;
753}
754#endif
755
756static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
757 struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
758 struct cifs_fattr *fattr, bool mode_from_special_sid)
759{
760 int i;
761 int num_aces = 0;
762 int acl_size;
763 char *acl_base;
764 struct cifs_ace **ppace;
765
766
767
768 if (!pdacl) {
769
770
771 fattr->cf_mode |= 0777;
772 return;
773 }
774
775
776 if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
777 cifs_dbg(VFS, "ACL too small to parse DACL\n");
778 return;
779 }
780
781 cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
782 le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
783 le32_to_cpu(pdacl->num_aces));
784
785
786
787
788 fattr->cf_mode &= ~(0777);
789
790 acl_base = (char *)pdacl;
791 acl_size = sizeof(struct cifs_acl);
792
793 num_aces = le32_to_cpu(pdacl->num_aces);
794 if (num_aces > 0) {
795 umode_t denied_mode = 0;
796
797 if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
798 return;
799 ppace = kmalloc_array(num_aces, sizeof(struct cifs_ace *),
800 GFP_KERNEL);
801 if (!ppace)
802 return;
803
804 for (i = 0; i < num_aces; ++i) {
805 ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
806#ifdef CONFIG_CIFS_DEBUG2
807 dump_ace(ppace[i], end_of_acl);
808#endif
809 if (mode_from_special_sid &&
810 (compare_sids(&(ppace[i]->sid),
811 &sid_unix_NFS_mode) == 0)) {
812
813
814
815
816
817 fattr->cf_mode &= ~07777;
818 fattr->cf_mode |=
819 le32_to_cpu(ppace[i]->sid.sub_auth[2]);
820 break;
821 } else {
822 if (compare_sids(&(ppace[i]->sid), pownersid) == 0) {
823 access_flags_to_mode(ppace[i]->access_req,
824 ppace[i]->type,
825 &fattr->cf_mode,
826 &denied_mode,
827 ACL_OWNER_MASK);
828 } else if (compare_sids(&(ppace[i]->sid), pgrpsid) == 0) {
829 access_flags_to_mode(ppace[i]->access_req,
830 ppace[i]->type,
831 &fattr->cf_mode,
832 &denied_mode,
833 ACL_GROUP_MASK);
834 } else if ((compare_sids(&(ppace[i]->sid), &sid_everyone) == 0) ||
835 (compare_sids(&(ppace[i]->sid), &sid_authusers) == 0)) {
836 access_flags_to_mode(ppace[i]->access_req,
837 ppace[i]->type,
838 &fattr->cf_mode,
839 &denied_mode,
840 ACL_EVERYONE_MASK);
841 }
842 }
843
844
845
846
847
848
849 acl_base = (char *)ppace[i];
850 acl_size = le16_to_cpu(ppace[i]->size);
851 }
852
853 kfree(ppace);
854 }
855
856 return;
857}
858
859unsigned int setup_authusers_ACE(struct cifs_ace *pntace)
860{
861 int i;
862 unsigned int ace_size = 20;
863
864 pntace->type = ACCESS_ALLOWED_ACE_TYPE;
865 pntace->flags = 0x0;
866 pntace->access_req = cpu_to_le32(GENERIC_ALL);
867 pntace->sid.num_subauth = 1;
868 pntace->sid.revision = 1;
869 for (i = 0; i < NUM_AUTHS; i++)
870 pntace->sid.authority[i] = sid_authusers.authority[i];
871
872 pntace->sid.sub_auth[0] = sid_authusers.sub_auth[0];
873
874
875 pntace->size = cpu_to_le16(ace_size);
876 return ace_size;
877}
878
879
880
881
882
883unsigned int setup_special_mode_ACE(struct cifs_ace *pntace, __u64 nmode)
884{
885 int i;
886 unsigned int ace_size = 28;
887
888 pntace->type = ACCESS_DENIED_ACE_TYPE;
889 pntace->flags = 0x0;
890 pntace->access_req = 0;
891 pntace->sid.num_subauth = 3;
892 pntace->sid.revision = 1;
893 for (i = 0; i < NUM_AUTHS; i++)
894 pntace->sid.authority[i] = sid_unix_NFS_mode.authority[i];
895
896 pntace->sid.sub_auth[0] = sid_unix_NFS_mode.sub_auth[0];
897 pntace->sid.sub_auth[1] = sid_unix_NFS_mode.sub_auth[1];
898 pntace->sid.sub_auth[2] = cpu_to_le32(nmode & 07777);
899
900
901 pntace->size = cpu_to_le16(ace_size);
902 return ace_size;
903}
904
905unsigned int setup_special_user_owner_ACE(struct cifs_ace *pntace)
906{
907 int i;
908 unsigned int ace_size = 28;
909
910 pntace->type = ACCESS_ALLOWED_ACE_TYPE;
911 pntace->flags = 0x0;
912 pntace->access_req = cpu_to_le32(GENERIC_ALL);
913 pntace->sid.num_subauth = 3;
914 pntace->sid.revision = 1;
915 for (i = 0; i < NUM_AUTHS; i++)
916 pntace->sid.authority[i] = sid_unix_NFS_users.authority[i];
917
918 pntace->sid.sub_auth[0] = sid_unix_NFS_users.sub_auth[0];
919 pntace->sid.sub_auth[1] = sid_unix_NFS_users.sub_auth[1];
920 pntace->sid.sub_auth[2] = cpu_to_le32(current_fsgid().val);
921
922
923 pntace->size = cpu_to_le16(ace_size);
924 return ace_size;
925}
926
927static void populate_new_aces(char *nacl_base,
928 struct cifs_sid *pownersid,
929 struct cifs_sid *pgrpsid,
930 __u64 *pnmode, u32 *pnum_aces, u16 *pnsize,
931 bool modefromsid)
932{
933 __u64 nmode;
934 u32 num_aces = 0;
935 u16 nsize = 0;
936 __u64 user_mode;
937 __u64 group_mode;
938 __u64 other_mode;
939 __u64 deny_user_mode = 0;
940 __u64 deny_group_mode = 0;
941 bool sticky_set = false;
942 struct cifs_ace *pnntace = NULL;
943
944 nmode = *pnmode;
945 num_aces = *pnum_aces;
946 nsize = *pnsize;
947
948 if (modefromsid) {
949 pnntace = (struct cifs_ace *) (nacl_base + nsize);
950 nsize += setup_special_mode_ACE(pnntace, nmode);
951 num_aces++;
952 pnntace = (struct cifs_ace *) (nacl_base + nsize);
953 nsize += setup_authusers_ACE(pnntace);
954 num_aces++;
955 goto set_size;
956 }
957
958
959
960
961
962
963
964
965 if (!memcmp(pownersid, pgrpsid, sizeof(struct cifs_sid))) {
966
967
968
969
970 user_mode = nmode & (nmode << 3) & 0700;
971 group_mode = nmode & (nmode >> 3) & 0070;
972 } else {
973 user_mode = nmode & 0700;
974 group_mode = nmode & 0070;
975 }
976
977 other_mode = nmode & 0007;
978
979
980 deny_user_mode = ~(user_mode) & ((group_mode << 3) | (other_mode << 6)) & 0700;
981 deny_group_mode = ~(group_mode) & (other_mode << 3) & 0070;
982
983 *pnmode = user_mode | group_mode | other_mode | (nmode & ~0777);
984
985
986 if (nmode & 01000)
987 sticky_set = true;
988
989 if (deny_user_mode) {
990 pnntace = (struct cifs_ace *) (nacl_base + nsize);
991 nsize += fill_ace_for_sid(pnntace, pownersid, deny_user_mode,
992 0700, ACCESS_DENIED, false);
993 num_aces++;
994 }
995
996
997 if (deny_group_mode && !(deny_group_mode & (user_mode >> 3))) {
998 pnntace = (struct cifs_ace *) (nacl_base + nsize);
999 nsize += fill_ace_for_sid(pnntace, pgrpsid, deny_group_mode,
1000 0070, ACCESS_DENIED, false);
1001 num_aces++;
1002 }
1003
1004 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1005 nsize += fill_ace_for_sid(pnntace, pownersid, user_mode,
1006 0700, ACCESS_ALLOWED, true);
1007 num_aces++;
1008
1009
1010 if (deny_group_mode && (deny_group_mode & (user_mode >> 3))) {
1011 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1012 nsize += fill_ace_for_sid(pnntace, pgrpsid, deny_group_mode,
1013 0070, ACCESS_DENIED, false);
1014 num_aces++;
1015 }
1016
1017 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1018 nsize += fill_ace_for_sid(pnntace, pgrpsid, group_mode,
1019 0070, ACCESS_ALLOWED, !sticky_set);
1020 num_aces++;
1021
1022 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1023 nsize += fill_ace_for_sid(pnntace, &sid_everyone, other_mode,
1024 0007, ACCESS_ALLOWED, !sticky_set);
1025 num_aces++;
1026
1027set_size:
1028 *pnum_aces = num_aces;
1029 *pnsize = nsize;
1030}
1031
1032static __u16 replace_sids_and_copy_aces(struct cifs_acl *pdacl, struct cifs_acl *pndacl,
1033 struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
1034 struct cifs_sid *pnownersid, struct cifs_sid *pngrpsid)
1035{
1036 int i;
1037 u16 size = 0;
1038 struct cifs_ace *pntace = NULL;
1039 char *acl_base = NULL;
1040 u32 src_num_aces = 0;
1041 u16 nsize = 0;
1042 struct cifs_ace *pnntace = NULL;
1043 char *nacl_base = NULL;
1044 u16 ace_size = 0;
1045
1046 acl_base = (char *)pdacl;
1047 size = sizeof(struct cifs_acl);
1048 src_num_aces = le32_to_cpu(pdacl->num_aces);
1049
1050 nacl_base = (char *)pndacl;
1051 nsize = sizeof(struct cifs_acl);
1052
1053
1054 for (i = 0; i < src_num_aces; ++i) {
1055 pntace = (struct cifs_ace *) (acl_base + size);
1056 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1057
1058 if (pnownersid && compare_sids(&pntace->sid, pownersid) == 0)
1059 ace_size = cifs_copy_ace(pnntace, pntace, pnownersid);
1060 else if (pngrpsid && compare_sids(&pntace->sid, pgrpsid) == 0)
1061 ace_size = cifs_copy_ace(pnntace, pntace, pngrpsid);
1062 else
1063 ace_size = cifs_copy_ace(pnntace, pntace, NULL);
1064
1065 size += le16_to_cpu(pntace->size);
1066 nsize += ace_size;
1067 }
1068
1069 return nsize;
1070}
1071
1072static int set_chmod_dacl(struct cifs_acl *pdacl, struct cifs_acl *pndacl,
1073 struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
1074 __u64 *pnmode, bool mode_from_sid)
1075{
1076 int i;
1077 u16 size = 0;
1078 struct cifs_ace *pntace = NULL;
1079 char *acl_base = NULL;
1080 u32 src_num_aces = 0;
1081 u16 nsize = 0;
1082 struct cifs_ace *pnntace = NULL;
1083 char *nacl_base = NULL;
1084 u32 num_aces = 0;
1085 bool new_aces_set = false;
1086
1087
1088 nacl_base = (char *)pndacl;
1089 nsize = sizeof(struct cifs_acl);
1090
1091
1092 if (!pdacl) {
1093 populate_new_aces(nacl_base,
1094 pownersid, pgrpsid,
1095 pnmode, &num_aces, &nsize,
1096 mode_from_sid);
1097 goto finalize_dacl;
1098 }
1099
1100 acl_base = (char *)pdacl;
1101 size = sizeof(struct cifs_acl);
1102 src_num_aces = le32_to_cpu(pdacl->num_aces);
1103
1104
1105 for (i = 0; i < src_num_aces; ++i) {
1106 pntace = (struct cifs_ace *) (acl_base + size);
1107
1108 if (!new_aces_set && (pntace->flags & INHERITED_ACE)) {
1109
1110 populate_new_aces(nacl_base,
1111 pownersid, pgrpsid,
1112 pnmode, &num_aces, &nsize,
1113 mode_from_sid);
1114
1115 new_aces_set = true;
1116 }
1117
1118
1119 if (((compare_sids(&pntace->sid, &sid_unix_NFS_mode) == 0) ||
1120 (compare_sids(&pntace->sid, pownersid) == 0) ||
1121 (compare_sids(&pntace->sid, pgrpsid) == 0) ||
1122 (compare_sids(&pntace->sid, &sid_everyone) == 0) ||
1123 (compare_sids(&pntace->sid, &sid_authusers) == 0))) {
1124 goto next_ace;
1125 }
1126
1127
1128 pnntace = (struct cifs_ace *) (nacl_base + nsize);
1129
1130 nsize += cifs_copy_ace(pnntace, pntace, NULL);
1131 num_aces++;
1132
1133next_ace:
1134 size += le16_to_cpu(pntace->size);
1135 }
1136
1137
1138 if (!new_aces_set) {
1139 populate_new_aces(nacl_base,
1140 pownersid, pgrpsid,
1141 pnmode, &num_aces, &nsize,
1142 mode_from_sid);
1143
1144 new_aces_set = true;
1145 }
1146
1147finalize_dacl:
1148 pndacl->num_aces = cpu_to_le32(num_aces);
1149 pndacl->size = cpu_to_le16(nsize);
1150
1151 return 0;
1152}
1153
1154static int parse_sid(struct cifs_sid *psid, char *end_of_acl)
1155{
1156
1157
1158
1159
1160 if (end_of_acl < (char *)psid + 8) {
1161 cifs_dbg(VFS, "ACL too small to parse SID %p\n", psid);
1162 return -EINVAL;
1163 }
1164
1165#ifdef CONFIG_CIFS_DEBUG2
1166 if (psid->num_subauth) {
1167 int i;
1168 cifs_dbg(FYI, "SID revision %d num_auth %d\n",
1169 psid->revision, psid->num_subauth);
1170
1171 for (i = 0; i < psid->num_subauth; i++) {
1172 cifs_dbg(FYI, "SID sub_auth[%d]: 0x%x\n",
1173 i, le32_to_cpu(psid->sub_auth[i]));
1174 }
1175
1176
1177
1178 cifs_dbg(FYI, "RID 0x%x\n",
1179 le32_to_cpu(psid->sub_auth[psid->num_subauth-1]));
1180 }
1181#endif
1182
1183 return 0;
1184}
1185
1186
1187
1188static int parse_sec_desc(struct cifs_sb_info *cifs_sb,
1189 struct cifs_ntsd *pntsd, int acl_len, struct cifs_fattr *fattr,
1190 bool get_mode_from_special_sid)
1191{
1192 int rc = 0;
1193 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
1194 struct cifs_acl *dacl_ptr;
1195 char *end_of_acl = ((char *)pntsd) + acl_len;
1196 __u32 dacloffset;
1197
1198 if (pntsd == NULL)
1199 return -EIO;
1200
1201 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1202 le32_to_cpu(pntsd->osidoffset));
1203 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1204 le32_to_cpu(pntsd->gsidoffset));
1205 dacloffset = le32_to_cpu(pntsd->dacloffset);
1206 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
1207 cifs_dbg(NOISY, "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
1208 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
1209 le32_to_cpu(pntsd->gsidoffset),
1210 le32_to_cpu(pntsd->sacloffset), dacloffset);
1211
1212 rc = parse_sid(owner_sid_ptr, end_of_acl);
1213 if (rc) {
1214 cifs_dbg(FYI, "%s: Error %d parsing Owner SID\n", __func__, rc);
1215 return rc;
1216 }
1217 rc = sid_to_id(cifs_sb, owner_sid_ptr, fattr, SIDOWNER);
1218 if (rc) {
1219 cifs_dbg(FYI, "%s: Error %d mapping Owner SID to uid\n",
1220 __func__, rc);
1221 return rc;
1222 }
1223
1224 rc = parse_sid(group_sid_ptr, end_of_acl);
1225 if (rc) {
1226 cifs_dbg(FYI, "%s: Error %d mapping Owner SID to gid\n",
1227 __func__, rc);
1228 return rc;
1229 }
1230 rc = sid_to_id(cifs_sb, group_sid_ptr, fattr, SIDGROUP);
1231 if (rc) {
1232 cifs_dbg(FYI, "%s: Error %d mapping Group SID to gid\n",
1233 __func__, rc);
1234 return rc;
1235 }
1236
1237 if (dacloffset)
1238 parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
1239 group_sid_ptr, fattr, get_mode_from_special_sid);
1240 else
1241 cifs_dbg(FYI, "no ACL\n");
1242
1243 return rc;
1244}
1245
1246
1247static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
1248 __u32 secdesclen, __u32 *pnsecdesclen, __u64 *pnmode, kuid_t uid, kgid_t gid,
1249 bool mode_from_sid, bool id_from_sid, int *aclflag)
1250{
1251 int rc = 0;
1252 __u32 dacloffset;
1253 __u32 ndacloffset;
1254 __u32 sidsoffset;
1255 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
1256 struct cifs_sid *nowner_sid_ptr = NULL, *ngroup_sid_ptr = NULL;
1257 struct cifs_acl *dacl_ptr = NULL;
1258 struct cifs_acl *ndacl_ptr = NULL;
1259 char *end_of_acl = ((char *)pntsd) + secdesclen;
1260 u16 size = 0;
1261
1262 dacloffset = le32_to_cpu(pntsd->dacloffset);
1263 if (dacloffset) {
1264 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
1265 if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
1266 cifs_dbg(VFS, "Server returned illegal ACL size\n");
1267 return -EINVAL;
1268 }
1269 }
1270
1271 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1272 le32_to_cpu(pntsd->osidoffset));
1273 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
1274 le32_to_cpu(pntsd->gsidoffset));
1275
1276 if (pnmode && *pnmode != NO_CHANGE_64) {
1277 ndacloffset = sizeof(struct cifs_ntsd);
1278 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset);
1279 ndacl_ptr->revision =
1280 dacloffset ? dacl_ptr->revision : cpu_to_le16(ACL_REVISION);
1281
1282 ndacl_ptr->size = cpu_to_le16(0);
1283 ndacl_ptr->num_aces = cpu_to_le32(0);
1284
1285 rc = set_chmod_dacl(dacl_ptr, ndacl_ptr, owner_sid_ptr, group_sid_ptr,
1286 pnmode, mode_from_sid);
1287
1288 sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size);
1289
1290 *pnsecdesclen = copy_sec_desc(pntsd, pnntsd, sidsoffset,
1291 NULL, NULL);
1292
1293 *aclflag |= CIFS_ACL_DACL;
1294 } else {
1295 ndacloffset = sizeof(struct cifs_ntsd);
1296 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset);
1297 ndacl_ptr->revision =
1298 dacloffset ? dacl_ptr->revision : cpu_to_le16(ACL_REVISION);
1299 ndacl_ptr->num_aces = dacl_ptr ? dacl_ptr->num_aces : 0;
1300
1301 if (uid_valid(uid)) {
1302 uid_t id;
1303 nowner_sid_ptr = kzalloc(sizeof(struct cifs_sid),
1304 GFP_KERNEL);
1305 if (!nowner_sid_ptr) {
1306 rc = -ENOMEM;
1307 goto chown_chgrp_exit;
1308 }
1309 id = from_kuid(&init_user_ns, uid);
1310 if (id_from_sid) {
1311 struct owner_sid *osid = (struct owner_sid *)nowner_sid_ptr;
1312
1313 osid->Revision = 1;
1314 osid->NumAuth = 3;
1315 osid->Authority[5] = 5;
1316 osid->SubAuthorities[0] = cpu_to_le32(88);
1317 osid->SubAuthorities[1] = cpu_to_le32(1);
1318 osid->SubAuthorities[2] = cpu_to_le32(id);
1319
1320 } else {
1321 rc = id_to_sid(id, SIDOWNER, nowner_sid_ptr);
1322 if (rc) {
1323 cifs_dbg(FYI, "%s: Mapping error %d for owner id %d\n",
1324 __func__, rc, id);
1325 goto chown_chgrp_exit;
1326 }
1327 }
1328 *aclflag |= CIFS_ACL_OWNER;
1329 }
1330 if (gid_valid(gid)) {
1331 gid_t id;
1332 ngroup_sid_ptr = kzalloc(sizeof(struct cifs_sid),
1333 GFP_KERNEL);
1334 if (!ngroup_sid_ptr) {
1335 rc = -ENOMEM;
1336 goto chown_chgrp_exit;
1337 }
1338 id = from_kgid(&init_user_ns, gid);
1339 if (id_from_sid) {
1340 struct owner_sid *gsid = (struct owner_sid *)ngroup_sid_ptr;
1341
1342 gsid->Revision = 1;
1343 gsid->NumAuth = 3;
1344 gsid->Authority[5] = 5;
1345 gsid->SubAuthorities[0] = cpu_to_le32(88);
1346 gsid->SubAuthorities[1] = cpu_to_le32(2);
1347 gsid->SubAuthorities[2] = cpu_to_le32(id);
1348
1349 } else {
1350 rc = id_to_sid(id, SIDGROUP, ngroup_sid_ptr);
1351 if (rc) {
1352 cifs_dbg(FYI, "%s: Mapping error %d for group id %d\n",
1353 __func__, rc, id);
1354 goto chown_chgrp_exit;
1355 }
1356 }
1357 *aclflag |= CIFS_ACL_GROUP;
1358 }
1359
1360 if (dacloffset) {
1361
1362 size = replace_sids_and_copy_aces(dacl_ptr, ndacl_ptr,
1363 owner_sid_ptr, group_sid_ptr,
1364 nowner_sid_ptr, ngroup_sid_ptr);
1365 ndacl_ptr->size = cpu_to_le16(size);
1366 }
1367
1368 sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size);
1369
1370 *pnsecdesclen = copy_sec_desc(pntsd, pnntsd, sidsoffset,
1371 nowner_sid_ptr, ngroup_sid_ptr);
1372
1373chown_chgrp_exit:
1374
1375 kfree(nowner_sid_ptr);
1376 kfree(ngroup_sid_ptr);
1377 }
1378
1379 return rc;
1380}
1381
1382struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb,
1383 const struct cifs_fid *cifsfid, u32 *pacllen,
1384 u32 __maybe_unused unused)
1385{
1386 struct cifs_ntsd *pntsd = NULL;
1387 unsigned int xid;
1388 int rc;
1389 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1390
1391 if (IS_ERR(tlink))
1392 return ERR_CAST(tlink);
1393
1394 xid = get_xid();
1395 rc = CIFSSMBGetCIFSACL(xid, tlink_tcon(tlink), cifsfid->netfid, &pntsd,
1396 pacllen);
1397 free_xid(xid);
1398
1399 cifs_put_tlink(tlink);
1400
1401 cifs_dbg(FYI, "%s: rc = %d ACL len %d\n", __func__, rc, *pacllen);
1402 if (rc)
1403 return ERR_PTR(rc);
1404 return pntsd;
1405}
1406
1407static struct cifs_ntsd *get_cifs_acl_by_path(struct cifs_sb_info *cifs_sb,
1408 const char *path, u32 *pacllen)
1409{
1410 struct cifs_ntsd *pntsd = NULL;
1411 int oplock = 0;
1412 unsigned int xid;
1413 int rc;
1414 struct cifs_tcon *tcon;
1415 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1416 struct cifs_fid fid;
1417 struct cifs_open_parms oparms;
1418
1419 if (IS_ERR(tlink))
1420 return ERR_CAST(tlink);
1421
1422 tcon = tlink_tcon(tlink);
1423 xid = get_xid();
1424
1425 oparms.tcon = tcon;
1426 oparms.cifs_sb = cifs_sb;
1427 oparms.desired_access = READ_CONTROL;
1428 oparms.create_options = cifs_create_options(cifs_sb, 0);
1429 oparms.disposition = FILE_OPEN;
1430 oparms.path = path;
1431 oparms.fid = &fid;
1432 oparms.reconnect = false;
1433
1434 rc = CIFS_open(xid, &oparms, &oplock, NULL);
1435 if (!rc) {
1436 rc = CIFSSMBGetCIFSACL(xid, tcon, fid.netfid, &pntsd, pacllen);
1437 CIFSSMBClose(xid, tcon, fid.netfid);
1438 }
1439
1440 cifs_put_tlink(tlink);
1441 free_xid(xid);
1442
1443 cifs_dbg(FYI, "%s: rc = %d ACL len %d\n", __func__, rc, *pacllen);
1444 if (rc)
1445 return ERR_PTR(rc);
1446 return pntsd;
1447}
1448
1449
1450struct cifs_ntsd *get_cifs_acl(struct cifs_sb_info *cifs_sb,
1451 struct inode *inode, const char *path,
1452 u32 *pacllen, u32 info)
1453{
1454 struct cifs_ntsd *pntsd = NULL;
1455 struct cifsFileInfo *open_file = NULL;
1456
1457 if (inode)
1458 open_file = find_readable_file(CIFS_I(inode), true);
1459 if (!open_file)
1460 return get_cifs_acl_by_path(cifs_sb, path, pacllen);
1461
1462 pntsd = get_cifs_acl_by_fid(cifs_sb, &open_file->fid, pacllen, info);
1463 cifsFileInfo_put(open_file);
1464 return pntsd;
1465}
1466
1467
1468int set_cifs_acl(struct cifs_ntsd *pnntsd, __u32 acllen,
1469 struct inode *inode, const char *path, int aclflag)
1470{
1471 int oplock = 0;
1472 unsigned int xid;
1473 int rc, access_flags;
1474 struct cifs_tcon *tcon;
1475 struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
1476 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1477 struct cifs_fid fid;
1478 struct cifs_open_parms oparms;
1479
1480 if (IS_ERR(tlink))
1481 return PTR_ERR(tlink);
1482
1483 tcon = tlink_tcon(tlink);
1484 xid = get_xid();
1485
1486 if (aclflag == CIFS_ACL_OWNER || aclflag == CIFS_ACL_GROUP)
1487 access_flags = WRITE_OWNER;
1488 else
1489 access_flags = WRITE_DAC;
1490
1491 oparms.tcon = tcon;
1492 oparms.cifs_sb = cifs_sb;
1493 oparms.desired_access = access_flags;
1494 oparms.create_options = cifs_create_options(cifs_sb, 0);
1495 oparms.disposition = FILE_OPEN;
1496 oparms.path = path;
1497 oparms.fid = &fid;
1498 oparms.reconnect = false;
1499
1500 rc = CIFS_open(xid, &oparms, &oplock, NULL);
1501 if (rc) {
1502 cifs_dbg(VFS, "Unable to open file to set ACL\n");
1503 goto out;
1504 }
1505
1506 rc = CIFSSMBSetCIFSACL(xid, tcon, fid.netfid, pnntsd, acllen, aclflag);
1507 cifs_dbg(NOISY, "SetCIFSACL rc = %d\n", rc);
1508
1509 CIFSSMBClose(xid, tcon, fid.netfid);
1510out:
1511 free_xid(xid);
1512 cifs_put_tlink(tlink);
1513 return rc;
1514}
1515
1516
1517int
1518cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr,
1519 struct inode *inode, bool mode_from_special_sid,
1520 const char *path, const struct cifs_fid *pfid)
1521{
1522 struct cifs_ntsd *pntsd = NULL;
1523 u32 acllen = 0;
1524 int rc = 0;
1525 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1526 struct smb_version_operations *ops;
1527 const u32 info = 0;
1528
1529 cifs_dbg(NOISY, "converting ACL to mode for %s\n", path);
1530
1531 if (IS_ERR(tlink))
1532 return PTR_ERR(tlink);
1533
1534 ops = tlink_tcon(tlink)->ses->server->ops;
1535
1536 if (pfid && (ops->get_acl_by_fid))
1537 pntsd = ops->get_acl_by_fid(cifs_sb, pfid, &acllen, info);
1538 else if (ops->get_acl)
1539 pntsd = ops->get_acl(cifs_sb, inode, path, &acllen, info);
1540 else {
1541 cifs_put_tlink(tlink);
1542 return -EOPNOTSUPP;
1543 }
1544
1545 if (IS_ERR(pntsd)) {
1546 rc = PTR_ERR(pntsd);
1547 cifs_dbg(VFS, "%s: error %d getting sec desc\n", __func__, rc);
1548 } else if (mode_from_special_sid) {
1549 rc = parse_sec_desc(cifs_sb, pntsd, acllen, fattr, true);
1550 kfree(pntsd);
1551 } else {
1552
1553 rc = parse_sec_desc(cifs_sb, pntsd, acllen, fattr, false);
1554 kfree(pntsd);
1555 if (rc)
1556 cifs_dbg(VFS, "parse sec desc failed rc = %d\n", rc);
1557 }
1558
1559 cifs_put_tlink(tlink);
1560
1561 return rc;
1562}
1563
1564
1565int
1566id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
1567 kuid_t uid, kgid_t gid)
1568{
1569 int rc = 0;
1570 int aclflag = CIFS_ACL_DACL;
1571 __u32 secdesclen = 0;
1572 __u32 nsecdesclen = 0;
1573 __u32 dacloffset = 0;
1574 struct cifs_acl *dacl_ptr = NULL;
1575 struct cifs_ntsd *pntsd = NULL;
1576 struct cifs_ntsd *pnntsd = NULL;
1577 struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
1578 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1579 struct smb_version_operations *ops;
1580 bool mode_from_sid, id_from_sid;
1581 const u32 info = 0;
1582
1583 if (IS_ERR(tlink))
1584 return PTR_ERR(tlink);
1585
1586 ops = tlink_tcon(tlink)->ses->server->ops;
1587
1588 cifs_dbg(NOISY, "set ACL from mode for %s\n", path);
1589
1590
1591
1592 if (ops->get_acl == NULL) {
1593 cifs_put_tlink(tlink);
1594 return -EOPNOTSUPP;
1595 }
1596
1597 pntsd = ops->get_acl(cifs_sb, inode, path, &secdesclen, info);
1598 if (IS_ERR(pntsd)) {
1599 rc = PTR_ERR(pntsd);
1600 cifs_dbg(VFS, "%s: error %d getting sec desc\n", __func__, rc);
1601 cifs_put_tlink(tlink);
1602 return rc;
1603 }
1604
1605 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MODE_FROM_SID)
1606 mode_from_sid = true;
1607 else
1608 mode_from_sid = false;
1609
1610 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UID_FROM_ACL)
1611 id_from_sid = true;
1612 else
1613 id_from_sid = false;
1614
1615
1616 nsecdesclen = secdesclen;
1617 if (pnmode && *pnmode != NO_CHANGE_64) {
1618 if (mode_from_sid)
1619 nsecdesclen += 2 * sizeof(struct cifs_ace);
1620 else
1621 nsecdesclen += 5 * sizeof(struct cifs_ace);
1622 } else {
1623
1624 nsecdesclen = sizeof(struct cifs_ntsd) + (sizeof(struct cifs_sid) * 2);
1625 dacloffset = le32_to_cpu(pntsd->dacloffset);
1626 if (dacloffset) {
1627 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
1628 if (mode_from_sid)
1629 nsecdesclen +=
1630 le32_to_cpu(dacl_ptr->num_aces) * sizeof(struct cifs_ace);
1631 else
1632 nsecdesclen += le16_to_cpu(dacl_ptr->size);
1633 }
1634 }
1635
1636
1637
1638
1639
1640
1641
1642 nsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);
1643 pnntsd = kmalloc(nsecdesclen, GFP_KERNEL);
1644 if (!pnntsd) {
1645 kfree(pntsd);
1646 cifs_put_tlink(tlink);
1647 return -ENOMEM;
1648 }
1649
1650 rc = build_sec_desc(pntsd, pnntsd, secdesclen, &nsecdesclen, pnmode, uid, gid,
1651 mode_from_sid, id_from_sid, &aclflag);
1652
1653 cifs_dbg(NOISY, "build_sec_desc rc: %d\n", rc);
1654
1655 if (ops->set_acl == NULL)
1656 rc = -EOPNOTSUPP;
1657
1658 if (!rc) {
1659
1660 rc = ops->set_acl(pnntsd, nsecdesclen, inode, path, aclflag);
1661 cifs_dbg(NOISY, "set_cifs_acl rc: %d\n", rc);
1662 }
1663 cifs_put_tlink(tlink);
1664
1665 kfree(pnntsd);
1666 kfree(pntsd);
1667 return rc;
1668}
1669
