1/* SPDX-License-Identifier: LGPL-2.1+ */
  2/*
  3 *   Copyright (c) International Business Machines  Corp., 2007
  4 *   Author(s): Steve French (sfrench@us.ibm.com)
  5 *   Modified by Namjae Jeon (linkinjeon@kernel.org)
  6 */
  7
  8#ifndef _SMBACL_H
  9#define _SMBACL_H
 10
 11#include <linux/fs.h>
 12#include <linux/namei.h>
 13#include <linux/posix_acl.h>
 14#include <linux/mnt_idmapping.h>
 15
 16#include "mgmt/tree_connect.h"
 17
 18#define NUM_AUTHS (6)	/* number of authority fields */
 19#define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */
 20
 21/*
 22 * ACE types - see MS-DTYP 2.4.4.1
 23 */
 24enum {
 25	ACCESS_ALLOWED,
 26	ACCESS_DENIED,
 27};
 28
 29/*
 30 * Security ID types
 31 */
 32enum {
 33	SIDOWNER = 1,
 34	SIDGROUP,
 35	SIDCREATOR_OWNER,
 36	SIDCREATOR_GROUP,
 37	SIDUNIX_USER,
 38	SIDUNIX_GROUP,
 39	SIDNFS_USER,
 40	SIDNFS_GROUP,
 41	SIDNFS_MODE,
 42};
 43
 44/* Revision for ACLs */
 45#define SD_REVISION	1
 46
 47/* Control flags for Security Descriptor */
 48#define OWNER_DEFAULTED		0x0001
 49#define GROUP_DEFAULTED		0x0002
 50#define DACL_PRESENT		0x0004
 51#define DACL_DEFAULTED		0x0008
 52#define SACL_PRESENT		0x0010
 53#define SACL_DEFAULTED		0x0020
 54#define DACL_TRUSTED		0x0040
 55#define SERVER_SECURITY		0x0080
 56#define DACL_AUTO_INHERIT_REQ	0x0100
 57#define SACL_AUTO_INHERIT_REQ	0x0200
 58#define DACL_AUTO_INHERITED	0x0400
 59#define SACL_AUTO_INHERITED	0x0800
 60#define DACL_PROTECTED		0x1000
 61#define SACL_PROTECTED		0x2000
 62#define RM_CONTROL_VALID	0x4000
 63#define SELF_RELATIVE		0x8000
 64
 65/* ACE types - see MS-DTYP 2.4.4.1 */
 66#define ACCESS_ALLOWED_ACE_TYPE 0x00
 67#define ACCESS_DENIED_ACE_TYPE  0x01
 68#define SYSTEM_AUDIT_ACE_TYPE   0x02
 69#define SYSTEM_ALARM_ACE_TYPE   0x03
 70#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04
 71#define ACCESS_ALLOWED_OBJECT_ACE_TYPE  0x05
 72#define ACCESS_DENIED_OBJECT_ACE_TYPE   0x06
 73#define SYSTEM_AUDIT_OBJECT_ACE_TYPE    0x07
 74#define SYSTEM_ALARM_OBJECT_ACE_TYPE    0x08
 75#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09
 76#define ACCESS_DENIED_CALLBACK_ACE_TYPE 0x0A
 77#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B
 78#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE  0x0C
 79#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE  0x0D
 80#define SYSTEM_ALARM_CALLBACK_ACE_TYPE  0x0E /* Reserved */
 81#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F
 82#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */
 83#define SYSTEM_MANDATORY_LABEL_ACE_TYPE 0x11
 84#define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12
 85#define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13
 86
 87/* ACE flags */
 88#define OBJECT_INHERIT_ACE		0x01
 89#define CONTAINER_INHERIT_ACE		0x02
 90#define NO_PROPAGATE_INHERIT_ACE	0x04
 91#define INHERIT_ONLY_ACE		0x08
 92#define INHERITED_ACE			0x10
 93#define SUCCESSFUL_ACCESS_ACE_FLAG	0x40
 94#define FAILED_ACCESS_ACE_FLAG		0x80
 95
 96/*
 97 * Maximum size of a string representation of a SID:
 98 *
 99 * The fields are unsigned values in decimal. So:
100 *
101 * u8:  max 3 bytes in decimal
102 * u32: max 10 bytes in decimal
103 *
104 * "S-" + 3 bytes for version field + 15 for authority field + NULL terminator
105 *
106 * For authority field, max is when all 6 values are non-zero and it must be
107 * represented in hex. So "-0x" + 12 hex digits.
108 *
109 * Add 11 bytes for each subauthority field (10 bytes each + 1 for '-')
110 */
111#define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1)
112#define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */
113
114#define DOMAIN_USER_RID_LE	cpu_to_le32(513)
115
116struct ksmbd_conn;
117
118struct smb_ntsd {
119	__le16 revision; /* revision level */
120	__le16 type;
121	__le32 osidoffset;
122	__le32 gsidoffset;
123	__le32 sacloffset;
124	__le32 dacloffset;
125} __packed;
126
127struct smb_sid {
128	__u8 revision; /* revision level */
129	__u8 num_subauth;
130	__u8 authority[NUM_AUTHS];
131	__le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */
132} __packed;
133
134/* size of a struct cifs_sid, sans sub_auth array */
135#define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS)
136
137struct smb_acl {
138	__le16 revision; /* revision level */
139	__le16 size;
140	__le32 num_aces;
141} __packed;
142
143struct smb_ace {
144	__u8 type;
145	__u8 flags;
146	__le16 size;
147	__le32 access_req;
148	struct smb_sid sid; /* ie UUID of user or group who gets these perms */
149} __packed;
150
151struct smb_fattr {
152	kuid_t	cf_uid;
153	kgid_t	cf_gid;
154	umode_t	cf_mode;
155	__le32 daccess;
156	struct posix_acl *cf_acls;
157	struct posix_acl *cf_dacls;
158};
159
160struct posix_ace_state {
161	u32 allow;
162	u32 deny;
163};
164
165struct posix_user_ace_state {
166	union {
167		kuid_t uid;
168		kgid_t gid;
169	};
170	struct posix_ace_state perms;
171};
172
173struct posix_ace_state_array {
174	int n;
175	struct posix_user_ace_state aces[];
176};
177
178/*
179 * while processing the nfsv4 ace, this maintains the partial permissions
180 * calculated so far:
181 */
182
183struct posix_acl_state {
184	struct posix_ace_state owner;
185	struct posix_ace_state group;
186	struct posix_ace_state other;
187	struct posix_ace_state everyone;
188	struct posix_ace_state mask; /* deny unused in this case */
189	struct posix_ace_state_array *users;
190	struct posix_ace_state_array *groups;
191};
192
193int parse_sec_desc(struct mnt_idmap *idmap, struct smb_ntsd *pntsd,
194		   int acl_len, struct smb_fattr *fattr);
195int build_sec_desc(struct mnt_idmap *idmap, struct smb_ntsd *pntsd,
196		   struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info,
197		   __u32 *secdesclen, struct smb_fattr *fattr);
198int init_acl_state(struct posix_acl_state *state, int cnt);
199void free_acl_state(struct posix_acl_state *state);
200void posix_state_to_acl(struct posix_acl_state *state,
201			struct posix_acl_entry *pace);
202int compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid);
203bool smb_inherit_flags(int flags, bool is_dir);
204int smb_inherit_dacl(struct ksmbd_conn *conn, const struct path *path,
205		     unsigned int uid, unsigned int gid);
206int smb_check_perm_dacl(struct ksmbd_conn *conn, const struct path *path,
207			__le32 *pdaccess, int uid);
208int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
209		 const struct path *path, struct smb_ntsd *pntsd, int ntsd_len,
210		 bool type_check, bool get_write);
211void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid);
212void ksmbd_init_domain(u32 *sub_auth);
213
214static inline uid_t posix_acl_uid_translate(struct mnt_idmap *idmap,
215					    struct posix_acl_entry *pace)
216{
217	vfsuid_t vfsuid;
218
219	/* If this is an idmapped mount, apply the idmapping. */
220	vfsuid = make_vfsuid(idmap, &init_user_ns, pace->e_uid);
221
222	/* Translate the kuid into a userspace id ksmbd would see. */
223	return from_kuid(&init_user_ns, vfsuid_into_kuid(vfsuid));
224}
225
226static inline gid_t posix_acl_gid_translate(struct mnt_idmap *idmap,
227					    struct posix_acl_entry *pace)
228{
229	vfsgid_t vfsgid;
230
231	/* If this is an idmapped mount, apply the idmapping. */
232	vfsgid = make_vfsgid(idmap, &init_user_ns, pace->e_gid);
233
234	/* Translate the kgid into a userspace id ksmbd would see. */
235	return from_kgid(&init_user_ns, vfsgid_into_kgid(vfsgid));
236}
237
238#endif /* _SMBACL_H */