cifsacl.c 20.4 KB
Newer Older
1 2 3
/*
 *   fs/cifs/cifsacl.c
 *
4
 *   Copyright (C) International Business Machines  Corp., 2007,2008
5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   Contains the routines for mapping CIFS/NTFS ACLs
 *
 *   This library is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU Lesser General Public License as published
 *   by the Free Software Foundation; either version 2.1 of the License, or
 *   (at your option) any later version.
 *
 *   This library is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU Lesser General Public License for more details.
 *
 *   You should have received a copy of the GNU Lesser General Public License
 *   along with this library; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

24 25 26
#include <linux/fs.h>
#include "cifspdu.h"
#include "cifsglob.h"
27
#include "cifsacl.h"
28 29 30
#include "cifsproto.h"
#include "cifs_debug.h"

S
Steve French 已提交
31 32 33

#ifdef CONFIG_CIFS_EXPERIMENTAL

34
static struct cifs_wksid wksidarr[NUM_WK_SIDS] = {
S
Steve French 已提交
35 36
	{{1, 0, {0, 0, 0, 0, 0, 0}, {0, 0, 0, 0, 0} }, "null user"},
	{{1, 1, {0, 0, 0, 0, 0, 1}, {0, 0, 0, 0, 0} }, "nobody"},
37 38 39 40
	{{1, 1, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(11), 0, 0, 0, 0} }, "net-users"},
	{{1, 1, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(18), 0, 0, 0, 0} }, "sys"},
	{{1, 2, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(32), cpu_to_le32(544), 0, 0, 0} }, "root"},
	{{1, 2, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(32), cpu_to_le32(545), 0, 0, 0} }, "users"},
S
Steve French 已提交
41 42
	{{1, 2, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(32), cpu_to_le32(546), 0, 0, 0} }, "guest"} }
;
S
Steve French 已提交
43 44


45
/* security id for everyone */
46 47
static const struct cifs_sid sid_everyone = {
	1, 1, {0, 0, 0, 0, 0, 1}, {0} };
48
/* group users */
S
Steve French 已提交
49
static const struct cifs_sid sid_user = {1, 2 , {0, 0, 0, 0, 0, 5}, {} };
50

S
Steve French 已提交
51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76

int match_sid(struct cifs_sid *ctsid)
{
	int i, j;
	int num_subauth, num_sat, num_saw;
	struct cifs_sid *cwsid;

	if (!ctsid)
		return (-1);

	for (i = 0; i < NUM_WK_SIDS; ++i) {
		cwsid = &(wksidarr[i].cifssid);

		/* compare the revision */
		if (ctsid->revision != cwsid->revision)
			continue;

		/* compare all of the six auth values */
		for (j = 0; j < 6; ++j) {
			if (ctsid->authority[j] != cwsid->authority[j])
				break;
		}
		if (j < 6)
			continue; /* all of the auth values did not match */

		/* compare all of the subauth values if any */
77 78
		num_sat = ctsid->num_subauth;
		num_saw = cwsid->num_subauth;
S
Steve French 已提交
79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
		num_subauth = num_sat < num_saw ? num_sat : num_saw;
		if (num_subauth) {
			for (j = 0; j < num_subauth; ++j) {
				if (ctsid->sub_auth[j] != cwsid->sub_auth[j])
					break;
			}
			if (j < num_subauth)
				continue; /* all sub_auth values do not match */
		}

		cFYI(1, ("matching sid: %s\n", wksidarr[i].sidname));
		return (0); /* sids compare/match */
	}

	cFYI(1, ("No matching sid"));
	return (-1);
}

S
Steve French 已提交
97 98
/* if the two SIDs (roughly equivalent to a UUID for a user or group) are
   the same returns 1, if they do not match returns 0 */
S
Steve French 已提交
99
int compare_sids(const struct cifs_sid *ctsid, const struct cifs_sid *cwsid)
S
Steve French 已提交
100 101 102 103 104
{
	int i;
	int num_subauth, num_sat, num_saw;

	if ((!ctsid) || (!cwsid))
S
Steve French 已提交
105
		return (0);
S
Steve French 已提交
106 107 108

	/* compare the revision */
	if (ctsid->revision != cwsid->revision)
S
Steve French 已提交
109
		return (0);
S
Steve French 已提交
110 111 112 113

	/* compare all of the six auth values */
	for (i = 0; i < 6; ++i) {
		if (ctsid->authority[i] != cwsid->authority[i])
S
Steve French 已提交
114
			return (0);
S
Steve French 已提交
115 116 117
	}

	/* compare all of the subauth values if any */
S
Steve French 已提交
118
	num_sat = ctsid->num_subauth;
S
Steve French 已提交
119
	num_saw = cwsid->num_subauth;
S
Steve French 已提交
120 121 122 123
	num_subauth = num_sat < num_saw ? num_sat : num_saw;
	if (num_subauth) {
		for (i = 0; i < num_subauth; ++i) {
			if (ctsid->sub_auth[i] != cwsid->sub_auth[i])
S
Steve French 已提交
124
				return (0);
S
Steve French 已提交
125 126 127
		}
	}

S
Steve French 已提交
128
	return (1); /* sids compare/match */
S
Steve French 已提交
129 130
}

131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178

/* copy ntsd, owner sid, and group sid from a security descriptor to another */
static void copy_sec_desc(const struct cifs_ntsd *pntsd,
				struct cifs_ntsd *pnntsd, __u32 sidsoffset)
{
	int i;

	struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
	struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr;

	/* copy security descriptor control portion */
	pnntsd->revision = pntsd->revision;
	pnntsd->type = pntsd->type;
	pnntsd->dacloffset = cpu_to_le32(sizeof(struct cifs_ntsd));
	pnntsd->sacloffset = 0;
	pnntsd->osidoffset = cpu_to_le32(sidsoffset);
	pnntsd->gsidoffset = cpu_to_le32(sidsoffset + sizeof(struct cifs_sid));

	/* copy owner sid */
	owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
				le32_to_cpu(pntsd->osidoffset));
	nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset);

	nowner_sid_ptr->revision = owner_sid_ptr->revision;
	nowner_sid_ptr->num_subauth = owner_sid_ptr->num_subauth;
	for (i = 0; i < 6; i++)
		nowner_sid_ptr->authority[i] = owner_sid_ptr->authority[i];
	for (i = 0; i < 5; i++)
		nowner_sid_ptr->sub_auth[i] = owner_sid_ptr->sub_auth[i];

	/* copy group sid */
	group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
				le32_to_cpu(pntsd->gsidoffset));
	ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset +
					sizeof(struct cifs_sid));

	ngroup_sid_ptr->revision = group_sid_ptr->revision;
	ngroup_sid_ptr->num_subauth = group_sid_ptr->num_subauth;
	for (i = 0; i < 6; i++)
		ngroup_sid_ptr->authority[i] = group_sid_ptr->authority[i];
	for (i = 0; i < 5; i++)
		ngroup_sid_ptr->sub_auth[i] =
				cpu_to_le32(group_sid_ptr->sub_auth[i]);

	return;
}


S
Steve French 已提交
179 180 181 182 183
/*
   change posix mode to reflect permissions
   pmode is the existing mode (we only want to overwrite part of this
   bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
*/
A
Al Viro 已提交
184
static void access_flags_to_mode(__le32 ace_flags, int type, umode_t *pmode,
185
				 umode_t *pbits_to_set)
S
Steve French 已提交
186
{
A
Al Viro 已提交
187
	__u32 flags = le32_to_cpu(ace_flags);
188
	/* the order of ACEs is important.  The canonical order is to begin with
189
	   DENY entries followed by ALLOW, otherwise an allow entry could be
190
	   encountered first, making the subsequent deny entry like "dead code"
191
	   which would be superflous since Windows stops when a match is made
192 193 194 195 196
	   for the operation you are trying to perform for your user */

	/* For deny ACEs we change the mask so that subsequent allow access
	   control entries do not turn on the bits we are denying */
	if (type == ACCESS_DENIED) {
S
Steve French 已提交
197
		if (flags & GENERIC_ALL)
198
			*pbits_to_set &= ~S_IRWXUGO;
S
Steve French 已提交
199

A
Al Viro 已提交
200 201
		if ((flags & GENERIC_WRITE) ||
			((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
202
			*pbits_to_set &= ~S_IWUGO;
A
Al Viro 已提交
203 204
		if ((flags & GENERIC_READ) ||
			((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
205
			*pbits_to_set &= ~S_IRUGO;
A
Al Viro 已提交
206 207
		if ((flags & GENERIC_EXECUTE) ||
			((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
208 209 210 211 212 213 214
			*pbits_to_set &= ~S_IXUGO;
		return;
	} else if (type != ACCESS_ALLOWED) {
		cERROR(1, ("unknown access control type %d", type));
		return;
	}
	/* else ACCESS_ALLOWED type */
S
Steve French 已提交
215

A
Al Viro 已提交
216
	if (flags & GENERIC_ALL) {
217
		*pmode |= (S_IRWXUGO & (*pbits_to_set));
218
		cFYI(DBG2, ("all perms"));
S
Steve French 已提交
219 220
		return;
	}
A
Al Viro 已提交
221 222
	if ((flags & GENERIC_WRITE) ||
			((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
223
		*pmode |= (S_IWUGO & (*pbits_to_set));
A
Al Viro 已提交
224 225
	if ((flags & GENERIC_READ) ||
			((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
226
		*pmode |= (S_IRUGO & (*pbits_to_set));
A
Al Viro 已提交
227 228
	if ((flags & GENERIC_EXECUTE) ||
			((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
229
		*pmode |= (S_IXUGO & (*pbits_to_set));
S
Steve French 已提交
230

231
	cFYI(DBG2, ("access flags 0x%x mode now 0x%x", flags, *pmode));
S
Steve French 已提交
232 233 234
	return;
}

235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259
/*
   Generate access flags to reflect permissions mode is the existing mode.
   This function is called for every ACE in the DACL whose SID matches
   with either owner or group or everyone.
*/

static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
				__u32 *pace_flags)
{
	/* reset access mask */
	*pace_flags = 0x0;

	/* bits to use are either S_IRWXU or S_IRWXG or S_IRWXO */
	mode &= bits_to_use;

	/* check for R/W/X UGO since we do not know whose flags
	   is this but we have cleared all the bits sans RWX for
	   either user or group or other as per bits_to_use */
	if (mode & S_IRUGO)
		*pace_flags |= SET_FILE_READ_RIGHTS;
	if (mode & S_IWUGO)
		*pace_flags |= SET_FILE_WRITE_RIGHTS;
	if (mode & S_IXUGO)
		*pace_flags |= SET_FILE_EXEC_RIGHTS;

260
	cFYI(DBG2, ("mode: 0x%x, access flags now 0x%x", mode, *pace_flags));
261 262 263
	return;
}

A
Al Viro 已提交
264
static __u16 fill_ace_for_sid(struct cifs_ace *pntace,
265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290
			const struct cifs_sid *psid, __u64 nmode, umode_t bits)
{
	int i;
	__u16 size = 0;
	__u32 access_req = 0;

	pntace->type = ACCESS_ALLOWED;
	pntace->flags = 0x0;
	mode_to_access_flags(nmode, bits, &access_req);
	if (!access_req)
		access_req = SET_MINIMUM_RIGHTS;
	pntace->access_req = cpu_to_le32(access_req);

	pntace->sid.revision = psid->revision;
	pntace->sid.num_subauth = psid->num_subauth;
	for (i = 0; i < 6; i++)
		pntace->sid.authority[i] = psid->authority[i];
	for (i = 0; i < psid->num_subauth; i++)
		pntace->sid.sub_auth[i] = psid->sub_auth[i];

	size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth * 4);
	pntace->size = cpu_to_le16(size);

	return (size);
}

S
Steve French 已提交
291

292 293
#ifdef CONFIG_CIFS_DEBUG2
static void dump_ace(struct cifs_ace *pace, char *end_of_acl)
294 295 296 297
{
	int num_subauth;

	/* validate that we do not go past end of acl */
S
Steve French 已提交
298

S
Steve French 已提交
299 300 301 302 303 304
	if (le16_to_cpu(pace->size) < 16) {
		cERROR(1, ("ACE too small, %d", le16_to_cpu(pace->size)));
		return;
	}

	if (end_of_acl < (char *)pace + le16_to_cpu(pace->size)) {
305 306
		cERROR(1, ("ACL too small to parse ACE"));
		return;
S
Steve French 已提交
307
	}
308

S
Steve French 已提交
309
	num_subauth = pace->sid.num_subauth;
310
	if (num_subauth) {
311
		int i;
S
Steve French 已提交
312 313
		cFYI(1, ("ACE revision %d num_auth %d type %d flags %d size %d",
			pace->sid.revision, pace->sid.num_subauth, pace->type,
314
			pace->flags, le16_to_cpu(pace->size)));
S
Steve French 已提交
315 316
		for (i = 0; i < num_subauth; ++i) {
			cFYI(1, ("ACE sub_auth[%d]: 0x%x", i,
S
Steve French 已提交
317
				le32_to_cpu(pace->sid.sub_auth[i])));
S
Steve French 已提交
318 319 320 321 322 323 324 325
		}

		/* BB add length check to make sure that we do not have huge
			num auths and therefore go off the end */
	}

	return;
}
326
#endif
S
Steve French 已提交
327

328

S
Steve French 已提交
329
static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
S
Steve French 已提交
330
		       struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
S
Steve French 已提交
331
		       struct inode *inode)
332 333 334 335 336 337 338 339 340
{
	int i;
	int num_aces = 0;
	int acl_size;
	char *acl_base;
	struct cifs_ace **ppace;

	/* BB need to add parm so we can store the SID BB */

341 342 343 344 345 346 347
	if (!pdacl) {
		/* no DACL in the security descriptor, set
		   all the permissions for user/group/other */
		inode->i_mode |= S_IRWXUGO;
		return;
	}

348
	/* validate that we do not go past end of acl */
349
	if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
350 351 352 353
		cERROR(1, ("ACL too small to parse DACL"));
		return;
	}

354
	cFYI(DBG2, ("DACL revision %d size %d num aces %d",
355 356
		le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
		le32_to_cpu(pdacl->num_aces)));
357

358 359 360 361 362
	/* reset rwx permissions for user/group/other.
	   Also, if num_aces is 0 i.e. DACL has no ACEs,
	   user/group/other have no permissions */
	inode->i_mode &= ~(S_IRWXUGO);

363 364 365
	acl_base = (char *)pdacl;
	acl_size = sizeof(struct cifs_acl);

S
Steve French 已提交
366
	num_aces = le32_to_cpu(pdacl->num_aces);
367
	if (num_aces  > 0) {
368 369 370 371
		umode_t user_mask = S_IRWXU;
		umode_t group_mask = S_IRWXG;
		umode_t other_mask = S_IRWXO;

372 373 374 375
		ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
				GFP_KERNEL);

		for (i = 0; i < num_aces; ++i) {
S
Steve French 已提交
376
			ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
377 378 379
#ifdef CONFIG_CIFS_DEBUG2
			dump_ace(ppace[i], end_of_acl);
#endif
380 381
			if (compare_sids(&(ppace[i]->sid), pownersid))
				access_flags_to_mode(ppace[i]->access_req,
382 383 384
						     ppace[i]->type,
						     &(inode->i_mode),
						     &user_mask);
385 386
			if (compare_sids(&(ppace[i]->sid), pgrpsid))
				access_flags_to_mode(ppace[i]->access_req,
387 388 389
						     ppace[i]->type,
						     &(inode->i_mode),
						     &group_mask);
390 391
			if (compare_sids(&(ppace[i]->sid), &sid_everyone))
				access_flags_to_mode(ppace[i]->access_req,
392 393 394
						     ppace[i]->type,
						     &(inode->i_mode),
						     &other_mask);
395

S
Steve French 已提交
396
/*			memcpy((void *)(&(cifscred->aces[i])),
S
Steve French 已提交
397 398
				(void *)ppace[i],
				sizeof(struct cifs_ace)); */
399

S
Steve French 已提交
400 401
			acl_base = (char *)ppace[i];
			acl_size = le16_to_cpu(ppace[i]->size);
402 403 404 405 406 407 408 409
		}

		kfree(ppace);
	}

	return;
}

410

411 412 413
static int set_chmod_dacl(struct cifs_acl *pndacl, struct cifs_sid *pownersid,
			struct cifs_sid *pgrpsid, __u64 nmode)
{
A
Al Viro 已提交
414
	u16 size = 0;
415 416 417 418 419 420 421 422 423 424 425 426
	struct cifs_acl *pnndacl;

	pnndacl = (struct cifs_acl *)((char *)pndacl + sizeof(struct cifs_acl));

	size += fill_ace_for_sid((struct cifs_ace *) ((char *)pnndacl + size),
					pownersid, nmode, S_IRWXU);
	size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
					pgrpsid, nmode, S_IRWXG);
	size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
					 &sid_everyone, nmode, S_IRWXO);

	pndacl->size = cpu_to_le16(size + sizeof(struct cifs_acl));
427
	pndacl->num_aces = cpu_to_le32(3);
428 429 430 431 432

	return (0);
}


433 434 435 436
static int parse_sid(struct cifs_sid *psid, char *end_of_acl)
{
	/* BB need to add parm so we can store the SID BB */

S
Steve French 已提交
437 438 439 440
	/* validate that we do not go past end of ACL - sid must be at least 8
	   bytes long (assuming no sub-auths - e.g. the null SID */
	if (end_of_acl < (char *)psid + 8) {
		cERROR(1, ("ACL too small to parse SID %p", psid));
441 442
		return -EINVAL;
	}
443

444
	if (psid->num_subauth) {
445
#ifdef CONFIG_CIFS_DEBUG2
446
		int i;
S
Steve French 已提交
447 448
		cFYI(1, ("SID revision %d num_auth %d",
			psid->revision, psid->num_subauth));
449

450
		for (i = 0; i < psid->num_subauth; i++) {
451
			cFYI(1, ("SID sub_auth[%d]: 0x%x ", i,
S
Steve French 已提交
452
				le32_to_cpu(psid->sub_auth[i])));
453 454
		}

S
Steve French 已提交
455
		/* BB add length check to make sure that we do not have huge
456
			num auths and therefore go off the end */
S
Steve French 已提交
457
		cFYI(1, ("RID 0x%x",
458
			le32_to_cpu(psid->sub_auth[psid->num_subauth-1])));
459
#endif
460 461
	}

462 463 464
	return 0;
}

465

466
/* Convert CIFS ACL to POSIX form */
S
Steve French 已提交
467 468
static int parse_sec_desc(struct cifs_ntsd *pntsd, int acl_len,
			  struct inode *inode)
469
{
470
	int rc;
471 472 473
	struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
	struct cifs_acl *dacl_ptr; /* no need for SACL ptr */
	char *end_of_acl = ((char *)pntsd) + acl_len;
474
	__u32 dacloffset;
475

S
Steve French 已提交
476 477 478
	if ((inode == NULL) || (pntsd == NULL))
		return -EIO;

479
	owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
480
				le32_to_cpu(pntsd->osidoffset));
481
	group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
482
				le32_to_cpu(pntsd->gsidoffset));
483
	dacloffset = le32_to_cpu(pntsd->dacloffset);
484
	dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
485
	cFYI(DBG2, ("revision %d type 0x%x ooffset 0x%x goffset 0x%x "
486
		 "sacloffset 0x%x dacloffset 0x%x",
487 488
		 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
		 le32_to_cpu(pntsd->gsidoffset),
489
		 le32_to_cpu(pntsd->sacloffset), dacloffset));
S
Steve French 已提交
490
/*	cifs_dump_mem("owner_sid: ", owner_sid_ptr, 64); */
491 492 493 494 495 496 497 498
	rc = parse_sid(owner_sid_ptr, end_of_acl);
	if (rc)
		return rc;

	rc = parse_sid(group_sid_ptr, end_of_acl);
	if (rc)
		return rc;

499 500
	if (dacloffset)
		parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
501
			   group_sid_ptr, inode);
502 503
	else
		cFYI(1, ("no ACL")); /* BB grant all or default perms? */
504

505 506 507
/*	cifscred->uid = owner_sid_ptr->rid;
	cifscred->gid = group_sid_ptr->rid;
	memcpy((void *)(&(cifscred->osid)), (void *)owner_sid_ptr,
S
Steve French 已提交
508
			sizeof(struct cifs_sid));
509
	memcpy((void *)(&(cifscred->gsid)), (void *)group_sid_ptr,
S
Steve French 已提交
510
			sizeof(struct cifs_sid)); */
511

S
Steve French 已提交
512

513 514
	return (0);
}
S
Steve French 已提交
515 516


517 518
/* Convert permission bits from mode to equivalent CIFS ACL */
static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
519
				struct inode *inode, __u64 nmode)
520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556
{
	int rc = 0;
	__u32 dacloffset;
	__u32 ndacloffset;
	__u32 sidsoffset;
	struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
	struct cifs_acl *dacl_ptr = NULL;  /* no need for SACL ptr */
	struct cifs_acl *ndacl_ptr = NULL; /* no need for SACL ptr */

	if ((inode == NULL) || (pntsd == NULL) || (pnntsd == NULL))
		return (-EIO);

	owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
				le32_to_cpu(pntsd->osidoffset));
	group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
				le32_to_cpu(pntsd->gsidoffset));

	dacloffset = le32_to_cpu(pntsd->dacloffset);
	dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);

	ndacloffset = sizeof(struct cifs_ntsd);
	ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset);
	ndacl_ptr->revision = dacl_ptr->revision;
	ndacl_ptr->size = 0;
	ndacl_ptr->num_aces = 0;

	rc = set_chmod_dacl(ndacl_ptr, owner_sid_ptr, group_sid_ptr, nmode);

	sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size);

	/* copy security descriptor control portion and owner and group sid */
	copy_sec_desc(pntsd, pnntsd, sidsoffset);

	return (rc);
}


557 558
/* Retrieve an ACL from the server */
static struct cifs_ntsd *get_cifs_acl(u32 *pacllen, struct inode *inode,
559
				       const char *path, const __u16 *pfid)
S
Steve French 已提交
560
{
561
	struct cifsFileInfo *open_file = NULL;
562
	bool unlock_file = false;
S
Steve French 已提交
563 564 565 566 567 568 569 570 571 572
	int xid;
	int rc = -EIO;
	__u16 fid;
	struct super_block *sb;
	struct cifs_sb_info *cifs_sb;
	struct cifs_ntsd *pntsd = NULL;

	cFYI(1, ("get mode from ACL for %s", path));

	if (inode == NULL)
573
		return NULL;
S
Steve French 已提交
574 575

	xid = GetXid();
576 577 578 579 580
	if (pfid == NULL)
		open_file = find_readable_file(CIFS_I(inode));
	else
		fid = *pfid;

S
Steve French 已提交
581 582 583
	sb = inode->i_sb;
	if (sb == NULL) {
		FreeXid(xid);
584
		return NULL;
S
Steve French 已提交
585 586 587 588
	}
	cifs_sb = CIFS_SB(sb);

	if (open_file) {
589
		unlock_file = true;
S
Steve French 已提交
590
		fid = open_file->netfid;
591
	} else if (pfid == NULL) {
S
Steve French 已提交
592
		int oplock = 0;
S
Steve French 已提交
593 594
		/* open file */
		rc = CIFSSMBOpen(xid, cifs_sb->tcon, path, FILE_OPEN,
595
				READ_CONTROL, 0, &fid, &oplock, NULL,
S
Steve French 已提交
596 597 598 599 600
				cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
					CIFS_MOUNT_MAP_SPECIAL_CHR);
		if (rc != 0) {
			cERROR(1, ("Unable to open file to get ACL"));
			FreeXid(xid);
601
			return NULL;
S
Steve French 已提交
602 603 604
		}
	}

605 606
	rc = CIFSSMBGetCIFSACL(xid, cifs_sb->tcon, fid, &pntsd, pacllen);
	cFYI(1, ("GetCIFSACL rc = %d ACL len %d", rc, *pacllen));
607
	if (unlock_file == true) /* find_readable_file increments ref count */
S
Steve French 已提交
608
		atomic_dec(&open_file->wrtPending);
609
	else if (pfid == NULL) /* if opened above we have to close the handle */
S
Steve French 已提交
610
		CIFSSMBClose(xid, cifs_sb->tcon, fid);
611
	/* else handle was passed in by caller */
S
Steve French 已提交
612

613 614 615 616
	FreeXid(xid);
	return pntsd;
}

617 618 619 620 621
/* Set an ACL on the server */
static int set_cifs_acl(struct cifs_ntsd *pnntsd, __u32 acllen,
				struct inode *inode, const char *path)
{
	struct cifsFileInfo *open_file;
622
	bool unlock_file = false;
623 624 625 626 627 628
	int xid;
	int rc = -EIO;
	__u16 fid;
	struct super_block *sb;
	struct cifs_sb_info *cifs_sb;

629
	cFYI(DBG2, ("set ACL for %s from mode 0x%x", path, inode->i_mode));
630 631 632 633 634 635 636 637 638 639 640 641 642

	if (!inode)
		return (rc);

	sb = inode->i_sb;
	if (sb == NULL)
		return (rc);

	cifs_sb = CIFS_SB(sb);
	xid = GetXid();

	open_file = find_readable_file(CIFS_I(inode));
	if (open_file) {
643
		unlock_file = true;
644 645
		fid = open_file->netfid;
	} else {
646
		int oplock = 0;
647 648 649 650 651 652 653 654 655 656 657 658 659
		/* open file */
		rc = CIFSSMBOpen(xid, cifs_sb->tcon, path, FILE_OPEN,
				WRITE_DAC, 0, &fid, &oplock, NULL,
				cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
					CIFS_MOUNT_MAP_SPECIAL_CHR);
		if (rc != 0) {
			cERROR(1, ("Unable to open file to set ACL"));
			FreeXid(xid);
			return (rc);
		}
	}

	rc = CIFSSMBSetCIFSACL(xid, cifs_sb->tcon, fid, pnntsd, acllen);
660
	cFYI(DBG2, ("SetCIFSACL rc = %d", rc));
661
	if (unlock_file)
662 663 664 665 666 667 668 669 670
		atomic_dec(&open_file->wrtPending);
	else
		CIFSSMBClose(xid, cifs_sb->tcon, fid);

	FreeXid(xid);

	return (rc);
}

671
/* Translate the CIFS ACL (simlar to NTFS ACL) for a file into mode bits */
672
void acl_to_uid_mode(struct inode *inode, const char *path, const __u16 *pfid)
673 674 675 676 677
{
	struct cifs_ntsd *pntsd = NULL;
	u32 acllen = 0;
	int rc = 0;

678
	cFYI(DBG2, ("converting ACL to mode for %s", path));
679
	pntsd = get_cifs_acl(&acllen, inode, path, pfid);
680 681 682

	/* if we can retrieve the ACL, now parse Access Control Entries, ACEs */
	if (pntsd)
S
Steve French 已提交
683
		rc = parse_sec_desc(pntsd, acllen, inode);
684 685 686
	if (rc)
		cFYI(1, ("parse sec desc failed rc = %d", rc));

S
Steve French 已提交
687 688 689
	kfree(pntsd);
	return;
}
690

691
/* Convert mode bits to an ACL so we can update the ACL on the server */
692
int mode_to_acl(struct inode *inode, const char *path, __u64 nmode)
693 694
{
	int rc = 0;
695
	__u32 secdesclen = 0;
696 697
	struct cifs_ntsd *pntsd = NULL; /* acl obtained from server */
	struct cifs_ntsd *pnntsd = NULL; /* modified acl to be sent to server */
698

699
	cFYI(DBG2, ("set ACL from mode for %s", path));
700 701

	/* Get the security descriptor */
702
	pntsd = get_cifs_acl(&secdesclen, inode, path, NULL);
703

704 705
	/* Add three ACEs for owner, group, everyone getting rid of
	   other ACEs as chmod disables ACEs and set the security descriptor */
706

707 708 709 710
	if (pntsd) {
		/* allocate memory for the smb header,
		   set security descriptor request security descriptor
		   parameters, and secuirty descriptor itself */
711

712 713 714
		secdesclen = secdesclen < DEFSECDESCLEN ?
					DEFSECDESCLEN : secdesclen;
		pnntsd = kmalloc(secdesclen, GFP_KERNEL);
715 716 717 718 719
		if (!pnntsd) {
			cERROR(1, ("Unable to allocate security descriptor"));
			kfree(pntsd);
			return (-ENOMEM);
		}
720

721
		rc = build_sec_desc(pntsd, pnntsd, inode, nmode);
722

723
		cFYI(DBG2, ("build_sec_desc rc: %d", rc));
724 725 726

		if (!rc) {
			/* Set the security descriptor */
727
			rc = set_cifs_acl(pnntsd, secdesclen, inode, path);
728
			cFYI(DBG2, ("set_cifs_acl rc: %d", rc));
729 730 731 732 733 734 735
		}

		kfree(pnntsd);
		kfree(pntsd);
	}

	return (rc);
736
}
S
Steve French 已提交
737
#endif /* CONFIG_CIFS_EXPERIMENTAL */