cifsacl.c 20.9 KB
Newer Older
1 2 3
/*
 *   fs/cifs/cifsacl.c
 *
4
 *   Copyright (C) International Business Machines  Corp., 2007,2008
5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   Contains the routines for mapping CIFS/NTFS ACLs
 *
 *   This library is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU Lesser General Public License as published
 *   by the Free Software Foundation; either version 2.1 of the License, or
 *   (at your option) any later version.
 *
 *   This library is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU Lesser General Public License for more details.
 *
 *   You should have received a copy of the GNU Lesser General Public License
 *   along with this library; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

24 25 26
#include <linux/fs.h>
#include "cifspdu.h"
#include "cifsglob.h"
27
#include "cifsacl.h"
28 29 30
#include "cifsproto.h"
#include "cifs_debug.h"

S
Steve French 已提交
31 32 33

#ifdef CONFIG_CIFS_EXPERIMENTAL

34
static struct cifs_wksid wksidarr[NUM_WK_SIDS] = {
S
Steve French 已提交
35 36
	{{1, 0, {0, 0, 0, 0, 0, 0}, {0, 0, 0, 0, 0} }, "null user"},
	{{1, 1, {0, 0, 0, 0, 0, 1}, {0, 0, 0, 0, 0} }, "nobody"},
37 38 39 40 41
	{{1, 1, {0, 0, 0, 0, 0, 5}, {__constant_cpu_to_le32(11), 0, 0, 0, 0} }, "net-users"},
	{{1, 1, {0, 0, 0, 0, 0, 5}, {__constant_cpu_to_le32(18), 0, 0, 0, 0} }, "sys"},
	{{1, 2, {0, 0, 0, 0, 0, 5}, {__constant_cpu_to_le32(32), __constant_cpu_to_le32(544), 0, 0, 0} }, "root"},
	{{1, 2, {0, 0, 0, 0, 0, 5}, {__constant_cpu_to_le32(32), __constant_cpu_to_le32(545), 0, 0, 0} }, "users"},
	{{1, 2, {0, 0, 0, 0, 0, 5}, {__constant_cpu_to_le32(32), __constant_cpu_to_le32(546), 0, 0, 0} }, "guest"} }
S
Steve French 已提交
42
;
S
Steve French 已提交
43 44


45
/* security id for everyone */
46 47
static const struct cifs_sid sid_everyone = {
	1, 1, {0, 0, 0, 0, 0, 1}, {0} };
48
/* group users */
S
Steve French 已提交
49
static const struct cifs_sid sid_user = {1, 2 , {0, 0, 0, 0, 0, 5}, {} };
50

S
Steve French 已提交
51 52 53 54 55 56 57 58

int match_sid(struct cifs_sid *ctsid)
{
	int i, j;
	int num_subauth, num_sat, num_saw;
	struct cifs_sid *cwsid;

	if (!ctsid)
59
		return -1;
S
Steve French 已提交
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76

	for (i = 0; i < NUM_WK_SIDS; ++i) {
		cwsid = &(wksidarr[i].cifssid);

		/* compare the revision */
		if (ctsid->revision != cwsid->revision)
			continue;

		/* compare all of the six auth values */
		for (j = 0; j < 6; ++j) {
			if (ctsid->authority[j] != cwsid->authority[j])
				break;
		}
		if (j < 6)
			continue; /* all of the auth values did not match */

		/* compare all of the subauth values if any */
77 78
		num_sat = ctsid->num_subauth;
		num_saw = cwsid->num_subauth;
S
Steve French 已提交
79 80 81 82 83 84 85 86 87 88 89
		num_subauth = num_sat < num_saw ? num_sat : num_saw;
		if (num_subauth) {
			for (j = 0; j < num_subauth; ++j) {
				if (ctsid->sub_auth[j] != cwsid->sub_auth[j])
					break;
			}
			if (j < num_subauth)
				continue; /* all sub_auth values do not match */
		}

		cFYI(1, ("matching sid: %s\n", wksidarr[i].sidname));
90
		return 0; /* sids compare/match */
S
Steve French 已提交
91 92 93
	}

	cFYI(1, ("No matching sid"));
94
	return -1;
S
Steve French 已提交
95 96
}

S
Steve French 已提交
97 98
/* if the two SIDs (roughly equivalent to a UUID for a user or group) are
   the same returns 1, if they do not match returns 0 */
S
Steve French 已提交
99
int compare_sids(const struct cifs_sid *ctsid, const struct cifs_sid *cwsid)
S
Steve French 已提交
100 101 102 103 104
{
	int i;
	int num_subauth, num_sat, num_saw;

	if ((!ctsid) || (!cwsid))
105
		return 0;
S
Steve French 已提交
106 107 108

	/* compare the revision */
	if (ctsid->revision != cwsid->revision)
109
		return 0;
S
Steve French 已提交
110 111 112 113

	/* compare all of the six auth values */
	for (i = 0; i < 6; ++i) {
		if (ctsid->authority[i] != cwsid->authority[i])
114
			return 0;
S
Steve French 已提交
115 116 117
	}

	/* compare all of the subauth values if any */
S
Steve French 已提交
118
	num_sat = ctsid->num_subauth;
S
Steve French 已提交
119
	num_saw = cwsid->num_subauth;
S
Steve French 已提交
120 121 122 123
	num_subauth = num_sat < num_saw ? num_sat : num_saw;
	if (num_subauth) {
		for (i = 0; i < num_subauth; ++i) {
			if (ctsid->sub_auth[i] != cwsid->sub_auth[i])
124
				return 0;
S
Steve French 已提交
125 126 127
		}
	}

128
	return 1; /* sids compare/match */
S
Steve French 已提交
129 130
}

131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171

/* copy ntsd, owner sid, and group sid from a security descriptor to another */
static void copy_sec_desc(const struct cifs_ntsd *pntsd,
				struct cifs_ntsd *pnntsd, __u32 sidsoffset)
{
	int i;

	struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
	struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr;

	/* copy security descriptor control portion */
	pnntsd->revision = pntsd->revision;
	pnntsd->type = pntsd->type;
	pnntsd->dacloffset = cpu_to_le32(sizeof(struct cifs_ntsd));
	pnntsd->sacloffset = 0;
	pnntsd->osidoffset = cpu_to_le32(sidsoffset);
	pnntsd->gsidoffset = cpu_to_le32(sidsoffset + sizeof(struct cifs_sid));

	/* copy owner sid */
	owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
				le32_to_cpu(pntsd->osidoffset));
	nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset);

	nowner_sid_ptr->revision = owner_sid_ptr->revision;
	nowner_sid_ptr->num_subauth = owner_sid_ptr->num_subauth;
	for (i = 0; i < 6; i++)
		nowner_sid_ptr->authority[i] = owner_sid_ptr->authority[i];
	for (i = 0; i < 5; i++)
		nowner_sid_ptr->sub_auth[i] = owner_sid_ptr->sub_auth[i];

	/* copy group sid */
	group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
				le32_to_cpu(pntsd->gsidoffset));
	ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset +
					sizeof(struct cifs_sid));

	ngroup_sid_ptr->revision = group_sid_ptr->revision;
	ngroup_sid_ptr->num_subauth = group_sid_ptr->num_subauth;
	for (i = 0; i < 6; i++)
		ngroup_sid_ptr->authority[i] = group_sid_ptr->authority[i];
	for (i = 0; i < 5; i++)
172
		ngroup_sid_ptr->sub_auth[i] = group_sid_ptr->sub_auth[i];
173 174 175 176 177

	return;
}


S
Steve French 已提交
178 179 180 181 182
/*
   change posix mode to reflect permissions
   pmode is the existing mode (we only want to overwrite part of this
   bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
*/
A
Al Viro 已提交
183
static void access_flags_to_mode(__le32 ace_flags, int type, umode_t *pmode,
184
				 umode_t *pbits_to_set)
S
Steve French 已提交
185
{
A
Al Viro 已提交
186
	__u32 flags = le32_to_cpu(ace_flags);
187
	/* the order of ACEs is important.  The canonical order is to begin with
188
	   DENY entries followed by ALLOW, otherwise an allow entry could be
189
	   encountered first, making the subsequent deny entry like "dead code"
190
	   which would be superflous since Windows stops when a match is made
191 192 193 194 195
	   for the operation you are trying to perform for your user */

	/* For deny ACEs we change the mask so that subsequent allow access
	   control entries do not turn on the bits we are denying */
	if (type == ACCESS_DENIED) {
S
Steve French 已提交
196
		if (flags & GENERIC_ALL)
197
			*pbits_to_set &= ~S_IRWXUGO;
S
Steve French 已提交
198

A
Al Viro 已提交
199 200
		if ((flags & GENERIC_WRITE) ||
			((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
201
			*pbits_to_set &= ~S_IWUGO;
A
Al Viro 已提交
202 203
		if ((flags & GENERIC_READ) ||
			((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
204
			*pbits_to_set &= ~S_IRUGO;
A
Al Viro 已提交
205 206
		if ((flags & GENERIC_EXECUTE) ||
			((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
207 208 209 210 211 212 213
			*pbits_to_set &= ~S_IXUGO;
		return;
	} else if (type != ACCESS_ALLOWED) {
		cERROR(1, ("unknown access control type %d", type));
		return;
	}
	/* else ACCESS_ALLOWED type */
S
Steve French 已提交
214

A
Al Viro 已提交
215
	if (flags & GENERIC_ALL) {
216
		*pmode |= (S_IRWXUGO & (*pbits_to_set));
217
		cFYI(DBG2, ("all perms"));
S
Steve French 已提交
218 219
		return;
	}
A
Al Viro 已提交
220 221
	if ((flags & GENERIC_WRITE) ||
			((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
222
		*pmode |= (S_IWUGO & (*pbits_to_set));
A
Al Viro 已提交
223 224
	if ((flags & GENERIC_READ) ||
			((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
225
		*pmode |= (S_IRUGO & (*pbits_to_set));
A
Al Viro 已提交
226 227
	if ((flags & GENERIC_EXECUTE) ||
			((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
228
		*pmode |= (S_IXUGO & (*pbits_to_set));
S
Steve French 已提交
229

230
	cFYI(DBG2, ("access flags 0x%x mode now 0x%x", flags, *pmode));
S
Steve French 已提交
231 232 233
	return;
}

234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258
/*
   Generate access flags to reflect permissions mode is the existing mode.
   This function is called for every ACE in the DACL whose SID matches
   with either owner or group or everyone.
*/

static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
				__u32 *pace_flags)
{
	/* reset access mask */
	*pace_flags = 0x0;

	/* bits to use are either S_IRWXU or S_IRWXG or S_IRWXO */
	mode &= bits_to_use;

	/* check for R/W/X UGO since we do not know whose flags
	   is this but we have cleared all the bits sans RWX for
	   either user or group or other as per bits_to_use */
	if (mode & S_IRUGO)
		*pace_flags |= SET_FILE_READ_RIGHTS;
	if (mode & S_IWUGO)
		*pace_flags |= SET_FILE_WRITE_RIGHTS;
	if (mode & S_IXUGO)
		*pace_flags |= SET_FILE_EXEC_RIGHTS;

259
	cFYI(DBG2, ("mode: 0x%x, access flags now 0x%x", mode, *pace_flags));
260 261 262
	return;
}

A
Al Viro 已提交
263
static __u16 fill_ace_for_sid(struct cifs_ace *pntace,
264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286
			const struct cifs_sid *psid, __u64 nmode, umode_t bits)
{
	int i;
	__u16 size = 0;
	__u32 access_req = 0;

	pntace->type = ACCESS_ALLOWED;
	pntace->flags = 0x0;
	mode_to_access_flags(nmode, bits, &access_req);
	if (!access_req)
		access_req = SET_MINIMUM_RIGHTS;
	pntace->access_req = cpu_to_le32(access_req);

	pntace->sid.revision = psid->revision;
	pntace->sid.num_subauth = psid->num_subauth;
	for (i = 0; i < 6; i++)
		pntace->sid.authority[i] = psid->authority[i];
	for (i = 0; i < psid->num_subauth; i++)
		pntace->sid.sub_auth[i] = psid->sub_auth[i];

	size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth * 4);
	pntace->size = cpu_to_le16(size);

287
	return size;
288 289
}

S
Steve French 已提交
290

291 292
#ifdef CONFIG_CIFS_DEBUG2
static void dump_ace(struct cifs_ace *pace, char *end_of_acl)
293 294 295 296
{
	int num_subauth;

	/* validate that we do not go past end of acl */
S
Steve French 已提交
297

S
Steve French 已提交
298 299 300 301 302 303
	if (le16_to_cpu(pace->size) < 16) {
		cERROR(1, ("ACE too small, %d", le16_to_cpu(pace->size)));
		return;
	}

	if (end_of_acl < (char *)pace + le16_to_cpu(pace->size)) {
304 305
		cERROR(1, ("ACL too small to parse ACE"));
		return;
S
Steve French 已提交
306
	}
307

S
Steve French 已提交
308
	num_subauth = pace->sid.num_subauth;
309
	if (num_subauth) {
310
		int i;
S
Steve French 已提交
311 312
		cFYI(1, ("ACE revision %d num_auth %d type %d flags %d size %d",
			pace->sid.revision, pace->sid.num_subauth, pace->type,
313
			pace->flags, le16_to_cpu(pace->size)));
S
Steve French 已提交
314 315
		for (i = 0; i < num_subauth; ++i) {
			cFYI(1, ("ACE sub_auth[%d]: 0x%x", i,
S
Steve French 已提交
316
				le32_to_cpu(pace->sid.sub_auth[i])));
S
Steve French 已提交
317 318 319 320 321 322 323 324
		}

		/* BB add length check to make sure that we do not have huge
			num auths and therefore go off the end */
	}

	return;
}
325
#endif
S
Steve French 已提交
326

327

S
Steve French 已提交
328
static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
S
Steve French 已提交
329
		       struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
S
Steve French 已提交
330
		       struct inode *inode)
331 332 333 334 335 336 337 338 339
{
	int i;
	int num_aces = 0;
	int acl_size;
	char *acl_base;
	struct cifs_ace **ppace;

	/* BB need to add parm so we can store the SID BB */

340 341 342 343 344 345 346
	if (!pdacl) {
		/* no DACL in the security descriptor, set
		   all the permissions for user/group/other */
		inode->i_mode |= S_IRWXUGO;
		return;
	}

347
	/* validate that we do not go past end of acl */
348
	if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
349 350 351 352
		cERROR(1, ("ACL too small to parse DACL"));
		return;
	}

353
	cFYI(DBG2, ("DACL revision %d size %d num aces %d",
354 355
		le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
		le32_to_cpu(pdacl->num_aces)));
356

357 358 359 360 361
	/* reset rwx permissions for user/group/other.
	   Also, if num_aces is 0 i.e. DACL has no ACEs,
	   user/group/other have no permissions */
	inode->i_mode &= ~(S_IRWXUGO);

362 363 364
	acl_base = (char *)pdacl;
	acl_size = sizeof(struct cifs_acl);

S
Steve French 已提交
365
	num_aces = le32_to_cpu(pdacl->num_aces);
366
	if (num_aces  > 0) {
367 368 369 370
		umode_t user_mask = S_IRWXU;
		umode_t group_mask = S_IRWXG;
		umode_t other_mask = S_IRWXO;

371 372 373 374
		ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
				GFP_KERNEL);

		for (i = 0; i < num_aces; ++i) {
S
Steve French 已提交
375
			ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
376 377 378
#ifdef CONFIG_CIFS_DEBUG2
			dump_ace(ppace[i], end_of_acl);
#endif
379 380
			if (compare_sids(&(ppace[i]->sid), pownersid))
				access_flags_to_mode(ppace[i]->access_req,
381 382 383
						     ppace[i]->type,
						     &(inode->i_mode),
						     &user_mask);
384 385
			if (compare_sids(&(ppace[i]->sid), pgrpsid))
				access_flags_to_mode(ppace[i]->access_req,
386 387 388
						     ppace[i]->type,
						     &(inode->i_mode),
						     &group_mask);
389 390
			if (compare_sids(&(ppace[i]->sid), &sid_everyone))
				access_flags_to_mode(ppace[i]->access_req,
391 392 393
						     ppace[i]->type,
						     &(inode->i_mode),
						     &other_mask);
394

S
Steve French 已提交
395
/*			memcpy((void *)(&(cifscred->aces[i])),
S
Steve French 已提交
396 397
				(void *)ppace[i],
				sizeof(struct cifs_ace)); */
398

S
Steve French 已提交
399 400
			acl_base = (char *)ppace[i];
			acl_size = le16_to_cpu(ppace[i]->size);
401 402 403 404 405 406 407 408
		}

		kfree(ppace);
	}

	return;
}

409

410 411 412
static int set_chmod_dacl(struct cifs_acl *pndacl, struct cifs_sid *pownersid,
			struct cifs_sid *pgrpsid, __u64 nmode)
{
A
Al Viro 已提交
413
	u16 size = 0;
414 415 416 417 418 419 420 421 422 423 424 425
	struct cifs_acl *pnndacl;

	pnndacl = (struct cifs_acl *)((char *)pndacl + sizeof(struct cifs_acl));

	size += fill_ace_for_sid((struct cifs_ace *) ((char *)pnndacl + size),
					pownersid, nmode, S_IRWXU);
	size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
					pgrpsid, nmode, S_IRWXG);
	size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
					 &sid_everyone, nmode, S_IRWXO);

	pndacl->size = cpu_to_le16(size + sizeof(struct cifs_acl));
426
	pndacl->num_aces = cpu_to_le32(3);
427

428
	return 0;
429 430 431
}


432 433 434 435
static int parse_sid(struct cifs_sid *psid, char *end_of_acl)
{
	/* BB need to add parm so we can store the SID BB */

S
Steve French 已提交
436 437 438 439
	/* validate that we do not go past end of ACL - sid must be at least 8
	   bytes long (assuming no sub-auths - e.g. the null SID */
	if (end_of_acl < (char *)psid + 8) {
		cERROR(1, ("ACL too small to parse SID %p", psid));
440 441
		return -EINVAL;
	}
442

443
	if (psid->num_subauth) {
444
#ifdef CONFIG_CIFS_DEBUG2
445
		int i;
S
Steve French 已提交
446 447
		cFYI(1, ("SID revision %d num_auth %d",
			psid->revision, psid->num_subauth));
448

449
		for (i = 0; i < psid->num_subauth; i++) {
450
			cFYI(1, ("SID sub_auth[%d]: 0x%x ", i,
S
Steve French 已提交
451
				le32_to_cpu(psid->sub_auth[i])));
452 453
		}

S
Steve French 已提交
454
		/* BB add length check to make sure that we do not have huge
455
			num auths and therefore go off the end */
S
Steve French 已提交
456
		cFYI(1, ("RID 0x%x",
457
			le32_to_cpu(psid->sub_auth[psid->num_subauth-1])));
458
#endif
459 460
	}

461 462 463
	return 0;
}

464

465
/* Convert CIFS ACL to POSIX form */
S
Steve French 已提交
466 467
static int parse_sec_desc(struct cifs_ntsd *pntsd, int acl_len,
			  struct inode *inode)
468
{
469
	int rc;
470 471 472
	struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
	struct cifs_acl *dacl_ptr; /* no need for SACL ptr */
	char *end_of_acl = ((char *)pntsd) + acl_len;
473
	__u32 dacloffset;
474

S
Steve French 已提交
475 476 477
	if ((inode == NULL) || (pntsd == NULL))
		return -EIO;

478
	owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
479
				le32_to_cpu(pntsd->osidoffset));
480
	group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
481
				le32_to_cpu(pntsd->gsidoffset));
482
	dacloffset = le32_to_cpu(pntsd->dacloffset);
483
	dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
484
	cFYI(DBG2, ("revision %d type 0x%x ooffset 0x%x goffset 0x%x "
485
		 "sacloffset 0x%x dacloffset 0x%x",
486 487
		 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
		 le32_to_cpu(pntsd->gsidoffset),
488
		 le32_to_cpu(pntsd->sacloffset), dacloffset));
S
Steve French 已提交
489
/*	cifs_dump_mem("owner_sid: ", owner_sid_ptr, 64); */
490 491 492 493 494 495 496 497
	rc = parse_sid(owner_sid_ptr, end_of_acl);
	if (rc)
		return rc;

	rc = parse_sid(group_sid_ptr, end_of_acl);
	if (rc)
		return rc;

498 499
	if (dacloffset)
		parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
500
			   group_sid_ptr, inode);
501 502
	else
		cFYI(1, ("no ACL")); /* BB grant all or default perms? */
503

504 505 506
/*	cifscred->uid = owner_sid_ptr->rid;
	cifscred->gid = group_sid_ptr->rid;
	memcpy((void *)(&(cifscred->osid)), (void *)owner_sid_ptr,
S
Steve French 已提交
507
			sizeof(struct cifs_sid));
508
	memcpy((void *)(&(cifscred->gsid)), (void *)group_sid_ptr,
S
Steve French 已提交
509
			sizeof(struct cifs_sid)); */
510

S
Steve French 已提交
511

512
	return 0;
513
}
S
Steve French 已提交
514 515


516 517
/* Convert permission bits from mode to equivalent CIFS ACL */
static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
518
				struct inode *inode, __u64 nmode)
519 520 521 522 523 524 525 526 527 528
{
	int rc = 0;
	__u32 dacloffset;
	__u32 ndacloffset;
	__u32 sidsoffset;
	struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
	struct cifs_acl *dacl_ptr = NULL;  /* no need for SACL ptr */
	struct cifs_acl *ndacl_ptr = NULL; /* no need for SACL ptr */

	if ((inode == NULL) || (pntsd == NULL) || (pnntsd == NULL))
529
		return -EIO;
530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551

	owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
				le32_to_cpu(pntsd->osidoffset));
	group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
				le32_to_cpu(pntsd->gsidoffset));

	dacloffset = le32_to_cpu(pntsd->dacloffset);
	dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);

	ndacloffset = sizeof(struct cifs_ntsd);
	ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset);
	ndacl_ptr->revision = dacl_ptr->revision;
	ndacl_ptr->size = 0;
	ndacl_ptr->num_aces = 0;

	rc = set_chmod_dacl(ndacl_ptr, owner_sid_ptr, group_sid_ptr, nmode);

	sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size);

	/* copy security descriptor control portion and owner and group sid */
	copy_sec_desc(pntsd, pnntsd, sidsoffset);

552
	return rc;
553 554
}

555 556
static struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb,
		__u16 fid, u32 *pacllen)
S
Steve French 已提交
557 558
{
	struct cifs_ntsd *pntsd = NULL;
559
	int xid, rc;
S
Steve French 已提交
560

561 562 563
	xid = GetXid();
	rc = CIFSSMBGetCIFSACL(xid, cifs_sb->tcon, fid, &pntsd, pacllen);
	FreeXid(xid);
S
Steve French 已提交
564 565


566 567 568
	cFYI(1, ("GetCIFSACL rc = %d ACL len %d", rc, *pacllen));
	return pntsd;
}
569

570 571 572 573 574 575 576
static struct cifs_ntsd *get_cifs_acl_by_path(struct cifs_sb_info *cifs_sb,
		const char *path, u32 *pacllen)
{
	struct cifs_ntsd *pntsd = NULL;
	int oplock = 0;
	int xid, rc;
	__u16 fid;
S
Steve French 已提交
577

578 579 580 581 582 583 584 585
	xid = GetXid();

	rc = CIFSSMBOpen(xid, cifs_sb->tcon, path, FILE_OPEN, READ_CONTROL, 0,
			 &fid, &oplock, NULL, cifs_sb->local_nls,
			 cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
	if (rc) {
		cERROR(1, ("Unable to open file to get ACL"));
		goto out;
S
Steve French 已提交
586 587
	}

588 589
	rc = CIFSSMBGetCIFSACL(xid, cifs_sb->tcon, fid, &pntsd, pacllen);
	cFYI(1, ("GetCIFSACL rc = %d ACL len %d", rc, *pacllen));
S
Steve French 已提交
590

591 592
	CIFSSMBClose(xid, cifs_sb->tcon, fid);
 out:
593 594 595 596
	FreeXid(xid);
	return pntsd;
}

597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614
/* Retrieve an ACL from the server */
static struct cifs_ntsd *get_cifs_acl(struct cifs_sb_info *cifs_sb,
				      struct inode *inode, const char *path,
				      u32 *pacllen)
{
	struct cifs_ntsd *pntsd = NULL;
	struct cifsFileInfo *open_file = NULL;

	if (inode)
		open_file = find_readable_file(CIFS_I(inode));
	if (!open_file)
		return get_cifs_acl_by_path(cifs_sb, path, pacllen);

	pntsd = get_cifs_acl_by_fid(cifs_sb, open_file->netfid, pacllen);
	atomic_dec(&open_file->wrtPending);
	return pntsd;
}

615 616
static int set_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb, __u16 fid,
		struct cifs_ntsd *pnntsd, u32 acllen)
617
{
618
	int xid, rc;
619

620 621 622
	xid = GetXid();
	rc = CIFSSMBSetCIFSACL(xid, cifs_sb->tcon, fid, pnntsd, acllen);
	FreeXid(xid);
623

624 625 626
	cFYI(DBG2, ("SetCIFSACL rc = %d", rc));
	return rc;
}
627

628 629 630 631 632 633
static int set_cifs_acl_by_path(struct cifs_sb_info *cifs_sb, const char *path,
		struct cifs_ntsd *pnntsd, u32 acllen)
{
	int oplock = 0;
	int xid, rc;
	__u16 fid;
634 635 636

	xid = GetXid();

637 638 639 640 641 642
	rc = CIFSSMBOpen(xid, cifs_sb->tcon, path, FILE_OPEN, WRITE_DAC, 0,
			 &fid, &oplock, NULL, cifs_sb->local_nls,
			 cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
	if (rc) {
		cERROR(1, ("Unable to open file to set ACL"));
		goto out;
643 644 645
	}

	rc = CIFSSMBSetCIFSACL(xid, cifs_sb->tcon, fid, pnntsd, acllen);
646
	cFYI(DBG2, ("SetCIFSACL rc = %d", rc));
647

648 649
	CIFSSMBClose(xid, cifs_sb->tcon, fid);
 out:
650
	FreeXid(xid);
651 652
	return rc;
}
653

654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669
/* Set an ACL on the server */
static int set_cifs_acl(struct cifs_ntsd *pnntsd, __u32 acllen,
				struct inode *inode, const char *path)
{
	struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
	struct cifsFileInfo *open_file;
	int rc;

	cFYI(DBG2, ("set ACL for %s from mode 0x%x", path, inode->i_mode));

	open_file = find_readable_file(CIFS_I(inode));
	if (!open_file)
		return set_cifs_acl_by_path(cifs_sb, path, pnntsd, acllen);

	rc = set_cifs_acl_by_fid(cifs_sb, open_file->netfid, pnntsd, acllen);
	atomic_dec(&open_file->wrtPending);
670
	return rc;
671 672
}

673
/* Translate the CIFS ACL (simlar to NTFS ACL) for a file into mode bits */
674 675
void acl_to_uid_mode(struct cifs_sb_info *cifs_sb, struct inode *inode,
		     const char *path, const __u16 *pfid)
676 677 678 679 680
{
	struct cifs_ntsd *pntsd = NULL;
	u32 acllen = 0;
	int rc = 0;

681
	cFYI(DBG2, ("converting ACL to mode for %s", path));
682 683 684 685 686

	if (pfid)
		pntsd = get_cifs_acl_by_fid(cifs_sb, *pfid, &acllen);
	else
		pntsd = get_cifs_acl(cifs_sb, inode, path, &acllen);
687 688 689

	/* if we can retrieve the ACL, now parse Access Control Entries, ACEs */
	if (pntsd)
S
Steve French 已提交
690
		rc = parse_sec_desc(pntsd, acllen, inode);
691 692 693
	if (rc)
		cFYI(1, ("parse sec desc failed rc = %d", rc));

S
Steve French 已提交
694 695 696
	kfree(pntsd);
	return;
}
697

698
/* Convert mode bits to an ACL so we can update the ACL on the server */
699
int mode_to_acl(struct inode *inode, const char *path, __u64 nmode)
700 701
{
	int rc = 0;
702
	__u32 secdesclen = 0;
703 704
	struct cifs_ntsd *pntsd = NULL; /* acl obtained from server */
	struct cifs_ntsd *pnntsd = NULL; /* modified acl to be sent to server */
705

706
	cFYI(DBG2, ("set ACL from mode for %s", path));
707 708

	/* Get the security descriptor */
709
	pntsd = get_cifs_acl(CIFS_SB(inode->i_sb), inode, path, &secdesclen);
710

711 712
	/* Add three ACEs for owner, group, everyone getting rid of
	   other ACEs as chmod disables ACEs and set the security descriptor */
713

714 715 716 717
	if (pntsd) {
		/* allocate memory for the smb header,
		   set security descriptor request security descriptor
		   parameters, and secuirty descriptor itself */
718

719 720 721
		secdesclen = secdesclen < DEFSECDESCLEN ?
					DEFSECDESCLEN : secdesclen;
		pnntsd = kmalloc(secdesclen, GFP_KERNEL);
722 723 724
		if (!pnntsd) {
			cERROR(1, ("Unable to allocate security descriptor"));
			kfree(pntsd);
725
			return -ENOMEM;
726
		}
727

728
		rc = build_sec_desc(pntsd, pnntsd, inode, nmode);
729

730
		cFYI(DBG2, ("build_sec_desc rc: %d", rc));
731 732 733

		if (!rc) {
			/* Set the security descriptor */
734
			rc = set_cifs_acl(pnntsd, secdesclen, inode, path);
735
			cFYI(DBG2, ("set_cifs_acl rc: %d", rc));
736 737 738 739 740 741
		}

		kfree(pnntsd);
		kfree(pntsd);
	}

742
	return rc;
743
}
S
Steve French 已提交
744
#endif /* CONFIG_CIFS_EXPERIMENTAL */