]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - fs/cifs/cifsacl.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
CIFS: Fix possible data coherency problem after oplock break to None
[mirror_ubuntu-artful-kernel.git] / fs / cifs / cifsacl.c
CommitLineData
bcb02034
SF		 1/*
2 * fs/cifs/cifsacl.c
3 *
8b1327f6 4 * Copyright (C) International Business Machines Corp., 2007,2008
bcb02034
SF		 5 * Author(s): Steve French (sfrench@us.ibm.com)
6 *
7 * Contains the routines for mapping CIFS/NTFS ACLs
8 *
9 * This library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published
11 * by the Free Software Foundation; either version 2.1 of the License, or
12 * (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
17 * the GNU Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this library; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 */
23
65874007 24#include <linux/fs.h>
5a0e3ad6 25#include <linux/slab.h>
4d79dba0
SP		 26#include <linux/string.h>
27#include <linux/keyctl.h>
28#include <linux/key-type.h>
29#include <keys/user-type.h>
65874007
SF		 30#include "cifspdu.h"
31#include "cifsglob.h"
d0d66c44 32#include "cifsacl.h"
65874007
SF		 33#include "cifsproto.h"
34#include "cifs_debug.h"
65874007 35
2fbc2f17 36/* security id for everyone/world system group */
e01b6400
SP		 37static const struct cifs_sid sid_everyone = {
38 1, 1, {0, 0, 0, 0, 0, 1}, {0} };
2fbc2f17
SP		 39/* security id for Authenticated Users system group */
40static const struct cifs_sid sid_authusers = {
4f61258f 41 1, 1, {0, 0, 0, 0, 0, 5}, {__constant_cpu_to_le32(11)} };
bcb02034 42/* group users */
ad7a2926 43static const struct cifs_sid sid_user = {1, 2 , {0, 0, 0, 0, 0, 5}, {} };
d0d66c44 44
b1a6dc21 45static const struct cred *root_cred;
9409ae58
SP		 46
47static void
48shrink_idmap_tree(struct rb_root *root, int nr_to_scan, int *nr_rem,
49 int *nr_del)
50{
51 struct rb_node *node;
52 struct rb_node *tmp;
53 struct cifs_sid_id *psidid;
54
55 node = rb_first(root);
56 while (node) {
57 tmp = node;
58 node = rb_next(tmp);
59 psidid = rb_entry(tmp, struct cifs_sid_id, rbnode);
60 if (nr_to_scan == 0 || *nr_del == nr_to_scan)
61 ++(*nr_rem);
62 else {
63 if (time_after(jiffies, psidid->time + SID_MAP_EXPIRE)
64 && psidid->refcount == 0) {
65 rb_erase(tmp, root);
66 ++(*nr_del);
67 } else
68 ++(*nr_rem);
69 }
70 }
71}
4d79dba0
SP		 72
73/*
74 * Run idmap cache shrinker.
75 */
76static int
ef1d5759 77cifs_idmap_shrinker(struct shrinker *shrink, struct shrink_control *sc)
4d79dba0 78{
ef1d5759 79 int nr_to_scan = sc->nr_to_scan;
9409ae58
SP		 80 int nr_del = 0;
81 int nr_rem = 0;
82 struct rb_root *root;
83
84 root = &uidtree;
85 spin_lock(&siduidlock);
86 shrink_idmap_tree(root, nr_to_scan, &nr_rem, &nr_del);
87 spin_unlock(&siduidlock);
88
89 root = &gidtree;
90 spin_lock(&sidgidlock);
91 shrink_idmap_tree(root, nr_to_scan, &nr_rem, &nr_del);
92 spin_unlock(&sidgidlock);
93
21fed0d5
SP		 94 root = &siduidtree;
95 spin_lock(&uidsidlock);
96 shrink_idmap_tree(root, nr_to_scan, &nr_rem, &nr_del);
97 spin_unlock(&uidsidlock);
98
99 root = &sidgidtree;
100 spin_lock(&gidsidlock);
101 shrink_idmap_tree(root, nr_to_scan, &nr_rem, &nr_del);
102 spin_unlock(&gidsidlock);
103
9409ae58 104 return nr_rem;
4d79dba0
SP		 105}
106
21fed0d5
SP		 107static void
108sid_rb_insert(struct rb_root *root, unsigned long cid,
109 struct cifs_sid_id **psidid, char *typestr)
110{
111 char *strptr;
112 struct rb_node *node = root->rb_node;
113 struct rb_node *parent = NULL;
114 struct rb_node **linkto = &(root->rb_node);
115 struct cifs_sid_id *lsidid;
116
117 while (node) {
118 lsidid = rb_entry(node, struct cifs_sid_id, rbnode);
119 parent = node;
120 if (cid > lsidid->id) {
121 linkto = &(node->rb_left);
122 node = node->rb_left;
123 }
124 if (cid < lsidid->id) {
125 linkto = &(node->rb_right);
126 node = node->rb_right;
127 }
128 }
129
130 (*psidid)->id = cid;
131 (*psidid)->time = jiffies - (SID_MAP_RETRY + 1);
132 (*psidid)->refcount = 0;
133
134 sprintf((*psidid)->sidstr, "%s", typestr);
135 strptr = (*psidid)->sidstr + strlen((*psidid)->sidstr);
136 sprintf(strptr, "%ld", cid);
137
138 clear_bit(SID_ID_PENDING, &(*psidid)->state);
139 clear_bit(SID_ID_MAPPED, &(*psidid)->state);
140
141 rb_link_node(&(*psidid)->rbnode, parent, linkto);
142 rb_insert_color(&(*psidid)->rbnode, root);
143}
144
145static struct cifs_sid_id *
146sid_rb_search(struct rb_root *root, unsigned long cid)
147{
148 struct rb_node *node = root->rb_node;
149 struct cifs_sid_id *lsidid;
150
151 while (node) {
152 lsidid = rb_entry(node, struct cifs_sid_id, rbnode);
153 if (cid > lsidid->id)
154 node = node->rb_left;
155 else if (cid < lsidid->id)
156 node = node->rb_right;
157 else /* node found */
158 return lsidid;
159 }
160
161 return NULL;
162}
163
4d79dba0
SP		 164static struct shrinker cifs_shrinker = {
165 .shrink = cifs_idmap_shrinker,
166 .seeks = DEFAULT_SEEKS,
167};
168
169static int
cf7f601c 170cifs_idmap_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
4d79dba0
SP		 171{
172 char *payload;
173
cf7f601c 174 payload = kmalloc(prep->datalen, GFP_KERNEL);
4d79dba0
SP		 175 if (!payload)
176 return -ENOMEM;
177
cf7f601c 178 memcpy(payload, prep->data, prep->datalen);
4d79dba0 179 key->payload.data = payload;
cf7f601c 180 key->datalen = prep->datalen;
4d79dba0
SP		 181 return 0;
182}
183
184static inline void
185cifs_idmap_key_destroy(struct key *key)
186{
187 kfree(key->payload.data);
188}
189
b1a6dc21 190static struct key_type cifs_idmap_key_type = {
c4aca0c0 191 .name = "cifs.idmap",
4d79dba0
SP		 192 .instantiate = cifs_idmap_key_instantiate,
193 .destroy = cifs_idmap_key_destroy,
194 .describe = user_describe,
195 .match = user_match,
196};
197
9409ae58
SP		 198static void
199sid_to_str(struct cifs_sid *sidptr, char *sidstr)
200{
201 int i;
ee13b2ba 202 unsigned int saval;
9409ae58
SP		 203 char *strptr;
204
205 strptr = sidstr;
206
ee13b2ba 207 sprintf(strptr, "S-%hhu", sidptr->revision);
9409ae58
SP		 208 strptr = sidstr + strlen(sidstr);
209
852e2295 210 for (i = 0; i < NUM_AUTHS; ++i) {
9409ae58 211 if (sidptr->authority[i]) {
ee13b2ba 212 sprintf(strptr, "-%hhu", sidptr->authority[i]);
9409ae58
SP		 213 strptr = sidstr + strlen(sidstr);
214 }
215 }
216
217 for (i = 0; i < sidptr->num_subauth; ++i) {
218 saval = le32_to_cpu(sidptr->sub_auth[i]);
ee13b2ba 219 sprintf(strptr, "-%u", saval);
9409ae58
SP		 220 strptr = sidstr + strlen(sidstr);
221 }
222}
223
436bb435
JL		 224/*
225 * if the two SIDs (roughly equivalent to a UUID for a user or group) are
226 * the same returns zero, if they do not match returns non-zero.
227 */
228static int
229compare_sids(const struct cifs_sid *ctsid, const struct cifs_sid *cwsid)
230{
231 int i;
232 int num_subauth, num_sat, num_saw;
233
234 if ((!ctsid) || (!cwsid))
235 return 1;
236
237 /* compare the revision */
238 if (ctsid->revision != cwsid->revision) {
239 if (ctsid->revision > cwsid->revision)
240 return 1;
241 else
242 return -1;
243 }
244
245 /* compare all of the six auth values */
246 for (i = 0; i < NUM_AUTHS; ++i) {
247 if (ctsid->authority[i] != cwsid->authority[i]) {
248 if (ctsid->authority[i] > cwsid->authority[i])
249 return 1;
250 else
251 return -1;
252 }
253 }
254
255 /* compare all of the subauth values if any */
256 num_sat = ctsid->num_subauth;
257 num_saw = cwsid->num_subauth;
258 num_subauth = num_sat < num_saw ? num_sat : num_saw;
259 if (num_subauth) {
260 for (i = 0; i < num_subauth; ++i) {
261 if (ctsid->sub_auth[i] != cwsid->sub_auth[i]) {
262 if (le32_to_cpu(ctsid->sub_auth[i]) >
263 le32_to_cpu(cwsid->sub_auth[i]))
264 return 1;
265 else
266 return -1;
267 }
268 }
269 }
270
271 return 0; /* sids compare/match */
272}
273
36960e44
JL		 274static void
275cifs_copy_sid(struct cifs_sid *dst, const struct cifs_sid *src)
276{
36f87ee7
JL		 277 int i;
278
279 dst->revision = src->revision;
30c9d6cc 280 dst->num_subauth = min_t(u8, src->num_subauth, SID_MAX_SUB_AUTHORITIES);
36f87ee7
JL		 281 for (i = 0; i < NUM_AUTHS; ++i)
282 dst->authority[i] = src->authority[i];
283 for (i = 0; i < dst->num_subauth; ++i)
284 dst->sub_auth[i] = src->sub_auth[i];
36960e44
JL		 285}
286
9409ae58
SP		 287static void
288id_rb_insert(struct rb_root *root, struct cifs_sid *sidptr,
289 struct cifs_sid_id **psidid, char *typestr)
290{
291 int rc;
292 char *strptr;
293 struct rb_node *node = root->rb_node;
294 struct rb_node *parent = NULL;
295 struct rb_node **linkto = &(root->rb_node);
296 struct cifs_sid_id *lsidid;
297
298 while (node) {
299 lsidid = rb_entry(node, struct cifs_sid_id, rbnode);
300 parent = node;
301 rc = compare_sids(sidptr, &((lsidid)->sid));
302 if (rc > 0) {
303 linkto = &(node->rb_left);
304 node = node->rb_left;
305 } else if (rc < 0) {
306 linkto = &(node->rb_right);
307 node = node->rb_right;
308 }
309 }
310
36960e44 311 cifs_copy_sid(&(*psidid)->sid, sidptr);
9409ae58
SP		 312 (*psidid)->time = jiffies - (SID_MAP_RETRY + 1);
313 (*psidid)->refcount = 0;
314
315 sprintf((*psidid)->sidstr, "%s", typestr);
316 strptr = (*psidid)->sidstr + strlen((*psidid)->sidstr);
317 sid_to_str(&(*psidid)->sid, strptr);
318
319 clear_bit(SID_ID_PENDING, &(*psidid)->state);
320 clear_bit(SID_ID_MAPPED, &(*psidid)->state);
321
322 rb_link_node(&(*psidid)->rbnode, parent, linkto);
323 rb_insert_color(&(*psidid)->rbnode, root);
324}
325
326static struct cifs_sid_id *
327id_rb_search(struct rb_root *root, struct cifs_sid *sidptr)
328{
329 int rc;
330 struct rb_node *node = root->rb_node;
9409ae58
SP		 331 struct cifs_sid_id *lsidid;
332
333 while (node) {
334 lsidid = rb_entry(node, struct cifs_sid_id, rbnode);
9409ae58
SP		 335 rc = compare_sids(sidptr, &((lsidid)->sid));
336 if (rc > 0) {
9409ae58
SP		 337 node = node->rb_left;
338 } else if (rc < 0) {
9409ae58
SP		 339 node = node->rb_right;
340 } else /* node found */
341 return lsidid;
342 }
343
344 return NULL;
345}
346
347static int
348sidid_pending_wait(void *unused)
349{
350 schedule();
351 return signal_pending(current) ? -ERESTARTSYS : 0;
352}
353
21fed0d5
SP		 354static int
355id_to_sid(unsigned long cid, uint sidtype, struct cifs_sid *ssid)
356{
357 int rc = 0;
358 struct key *sidkey;
359 const struct cred *saved_cred;
360 struct cifs_sid *lsid;
361 struct cifs_sid_id *psidid, *npsidid;
362 struct rb_root *cidtree;
363 spinlock_t *cidlock;
364
365 if (sidtype == SIDOWNER) {
366 cidlock = &siduidlock;
367 cidtree = &uidtree;
368 } else if (sidtype == SIDGROUP) {
369 cidlock = &sidgidlock;
370 cidtree = &gidtree;
371 } else
372 return -EINVAL;
373
374 spin_lock(cidlock);
375 psidid = sid_rb_search(cidtree, cid);
376
377 if (!psidid) { /* node does not exist, allocate one & attempt adding */
378 spin_unlock(cidlock);
379 npsidid = kzalloc(sizeof(struct cifs_sid_id), GFP_KERNEL);
380 if (!npsidid)
381 return -ENOMEM;
382
30c9d6cc 383 npsidid->sidstr = kmalloc(SID_STRING_MAX, GFP_KERNEL);
21fed0d5
SP		 384 if (!npsidid->sidstr) {
385 kfree(npsidid);
386 return -ENOMEM;
387 }
388
389 spin_lock(cidlock);
390 psidid = sid_rb_search(cidtree, cid);
391 if (psidid) { /* node happened to get inserted meanwhile */
392 ++psidid->refcount;
393 spin_unlock(cidlock);
394 kfree(npsidid->sidstr);
395 kfree(npsidid);
396 } else {
397 psidid = npsidid;
398 sid_rb_insert(cidtree, cid, &psidid,
399 sidtype == SIDOWNER ? "oi:" : "gi:");
400 ++psidid->refcount;
401 spin_unlock(cidlock);
402 }
403 } else {
404 ++psidid->refcount;
405 spin_unlock(cidlock);
406 }
407
408 /*
409 * If we are here, it is safe to access psidid and its fields
410 * since a reference was taken earlier while holding the spinlock.
411 * A reference on the node is put without holding the spinlock
412 * and it is OK to do so in this case, shrinker will not erase
413 * this node until all references are put and we do not access
414 * any fields of the node after a reference is put .
415 */
416 if (test_bit(SID_ID_MAPPED, &psidid->state)) {
36960e44 417 cifs_copy_sid(ssid, &psidid->sid);
21fed0d5
SP		 418 psidid->time = jiffies; /* update ts for accessing */
419 goto id_sid_out;
420 }
421
422 if (time_after(psidid->time + SID_MAP_RETRY, jiffies)) {
423 rc = -EINVAL;
424 goto id_sid_out;
425 }
426
427 if (!test_and_set_bit(SID_ID_PENDING, &psidid->state)) {
428 saved_cred = override_creds(root_cred);
429 sidkey = request_key(&cifs_idmap_key_type, psidid->sidstr, "");
430 if (IS_ERR(sidkey)) {
431 rc = -EINVAL;
432 cFYI(1, "%s: Can't map and id to a SID", __func__);
36f87ee7 433 } else if (sidkey->datalen < CIFS_SID_BASE_SIZE) {
36960e44
JL		 434 rc = -EIO;
435 cFYI(1, "%s: Downcall contained malformed key "
436 "(datalen=%hu)", __func__, sidkey->datalen);
21fed0d5
SP		 437 } else {
438 lsid = (struct cifs_sid *)sidkey->payload.data;
36960e44
JL		 439 cifs_copy_sid(&psidid->sid, lsid);
440 cifs_copy_sid(ssid, &psidid->sid);
21fed0d5
SP		 441 set_bit(SID_ID_MAPPED, &psidid->state);
442 key_put(sidkey);
443 kfree(psidid->sidstr);
444 }
445 psidid->time = jiffies; /* update ts for accessing */
446 revert_creds(saved_cred);
447 clear_bit(SID_ID_PENDING, &psidid->state);
448 wake_up_bit(&psidid->state, SID_ID_PENDING);
449 } else {
450 rc = wait_on_bit(&psidid->state, SID_ID_PENDING,
451 sidid_pending_wait, TASK_INTERRUPTIBLE);
452 if (rc) {
453 cFYI(1, "%s: sidid_pending_wait interrupted %d",
454 __func__, rc);
455 --psidid->refcount;
456 return rc;
457 }
458 if (test_bit(SID_ID_MAPPED, &psidid->state))
36960e44 459 cifs_copy_sid(ssid, &psidid->sid);
21fed0d5
SP		 460 else
461 rc = -EINVAL;
462 }
463id_sid_out:
464 --psidid->refcount;
465 return rc;
466}
467
9409ae58
SP		 468static int
469sid_to_id(struct cifs_sb_info *cifs_sb, struct cifs_sid *psid,
470 struct cifs_fattr *fattr, uint sidtype)
471{
472 int rc;
473 unsigned long cid;
474 struct key *idkey;
475 const struct cred *saved_cred;
476 struct cifs_sid_id *psidid, *npsidid;
477 struct rb_root *cidtree;
478 spinlock_t *cidlock;
479
480 if (sidtype == SIDOWNER) {
481 cid = cifs_sb->mnt_uid; /* default uid, in case upcall fails */
482 cidlock = &siduidlock;
483 cidtree = &uidtree;
484 } else if (sidtype == SIDGROUP) {
485 cid = cifs_sb->mnt_gid; /* default gid, in case upcall fails */
486 cidlock = &sidgidlock;
487 cidtree = &gidtree;
488 } else
489 return -ENOENT;
490
491 spin_lock(cidlock);
492 psidid = id_rb_search(cidtree, psid);
493
494 if (!psidid) { /* node does not exist, allocate one & attempt adding */
495 spin_unlock(cidlock);
496 npsidid = kzalloc(sizeof(struct cifs_sid_id), GFP_KERNEL);
497 if (!npsidid)
498 return -ENOMEM;
499
30c9d6cc 500 npsidid->sidstr = kmalloc(SID_STRING_MAX, GFP_KERNEL);
9409ae58
SP		 501 if (!npsidid->sidstr) {
502 kfree(npsidid);
503 return -ENOMEM;
504 }
505
506 spin_lock(cidlock);
507 psidid = id_rb_search(cidtree, psid);
508 if (psidid) { /* node happened to get inserted meanwhile */
509 ++psidid->refcount;
510 spin_unlock(cidlock);
511 kfree(npsidid->sidstr);
512 kfree(npsidid);
513 } else {
514 psidid = npsidid;
515 id_rb_insert(cidtree, psid, &psidid,
516 sidtype == SIDOWNER ? "os:" : "gs:");
517 ++psidid->refcount;
518 spin_unlock(cidlock);
519 }
520 } else {
521 ++psidid->refcount;
522 spin_unlock(cidlock);
523 }
524
525 /*
526 * If we are here, it is safe to access psidid and its fields
527 * since a reference was taken earlier while holding the spinlock.
528 * A reference on the node is put without holding the spinlock
529 * and it is OK to do so in this case, shrinker will not erase
530 * this node until all references are put and we do not access
531 * any fields of the node after a reference is put .
532 */
533 if (test_bit(SID_ID_MAPPED, &psidid->state)) {
534 cid = psidid->id;
535 psidid->time = jiffies; /* update ts for accessing */
536 goto sid_to_id_out;
537 }
538
539 if (time_after(psidid->time + SID_MAP_RETRY, jiffies))
540 goto sid_to_id_out;
541
542 if (!test_and_set_bit(SID_ID_PENDING, &psidid->state)) {
543 saved_cred = override_creds(root_cred);
544 idkey = request_key(&cifs_idmap_key_type, psidid->sidstr, "");
545 if (IS_ERR(idkey))
546 cFYI(1, "%s: Can't map SID to an id", __func__);
547 else {
548 cid = *(unsigned long *)idkey->payload.value;
549 psidid->id = cid;
550 set_bit(SID_ID_MAPPED, &psidid->state);
551 key_put(idkey);
552 kfree(psidid->sidstr);
553 }
554 revert_creds(saved_cred);
555 psidid->time = jiffies; /* update ts for accessing */
556 clear_bit(SID_ID_PENDING, &psidid->state);
557 wake_up_bit(&psidid->state, SID_ID_PENDING);
558 } else {
559 rc = wait_on_bit(&psidid->state, SID_ID_PENDING,
560 sidid_pending_wait, TASK_INTERRUPTIBLE);
561 if (rc) {
562 cFYI(1, "%s: sidid_pending_wait interrupted %d",
563 __func__, rc);
564 --psidid->refcount; /* decremented without spinlock */
565 return rc;
566 }
567 if (test_bit(SID_ID_MAPPED, &psidid->state))
568 cid = psidid->id;
569 }
570
571sid_to_id_out:
572 --psidid->refcount; /* decremented without spinlock */
573 if (sidtype == SIDOWNER)
574 fattr->cf_uid = cid;
575 else
576 fattr->cf_gid = cid;
577
578 return 0;
579}
580
4d79dba0
SP		 581int
582init_cifs_idmap(void)
583{
584 struct cred *cred;
585 struct key *keyring;
586 int ret;
587
ac3aa2f8 588 cFYI(1, "Registering the %s key type", cifs_idmap_key_type.name);
4d79dba0
SP		 589
590 /* create an override credential set with a special thread keyring in
591 * which requests are cached
592 *
593 * this is used to prevent malicious redirections from being installed
594 * with add_key().
595 */
596 cred = prepare_kernel_cred(NULL);
597 if (!cred)
598 return -ENOMEM;
599
600 keyring = key_alloc(&key_type_keyring, ".cifs_idmap", 0, 0, cred,
601 (KEY_POS_ALL & ~KEY_POS_SETATTR) |
602 KEY_USR_VIEW | KEY_USR_READ,
603 KEY_ALLOC_NOT_IN_QUOTA);
604 if (IS_ERR(keyring)) {
605 ret = PTR_ERR(keyring);
606 goto failed_put_cred;
607 }
608
609 ret = key_instantiate_and_link(keyring, NULL, 0, NULL, NULL);
610 if (ret < 0)
611 goto failed_put_key;
612
613 ret = register_key_type(&cifs_idmap_key_type);
614 if (ret < 0)
615 goto failed_put_key;
616
617 /* instruct request_key() to use this special keyring as a cache for
618 * the results it looks up */
700920eb 619 set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
4d79dba0
SP		 620 cred->thread_keyring = keyring;
621 cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
622 root_cred = cred;
623
624 spin_lock_init(&siduidlock);
625 uidtree = RB_ROOT;
626 spin_lock_init(&sidgidlock);
627 gidtree = RB_ROOT;
628
21fed0d5
SP		 629 spin_lock_init(&uidsidlock);
630 siduidtree = RB_ROOT;
631 spin_lock_init(&gidsidlock);
632 sidgidtree = RB_ROOT;
4d79dba0
SP		 633 register_shrinker(&cifs_shrinker);
634
ac3aa2f8 635 cFYI(1, "cifs idmap keyring: %d", key_serial(keyring));
4d79dba0
SP		 636 return 0;
637
638failed_put_key:
639 key_put(keyring);
640failed_put_cred:
641 put_cred(cred);
642 return ret;
643}
644
645void
646exit_cifs_idmap(void)
647{
648 key_revoke(root_cred->thread_keyring);
649 unregister_key_type(&cifs_idmap_key_type);
650 put_cred(root_cred);
651 unregister_shrinker(&cifs_shrinker);
ac3aa2f8 652 cFYI(1, "Unregistered %s key type", cifs_idmap_key_type.name);
4d79dba0
SP		 653}
654
655void
656cifs_destroy_idmaptrees(void)
657{
658 struct rb_root *root;
659 struct rb_node *node;
660
661 root = &uidtree;
662 spin_lock(&siduidlock);
663 while ((node = rb_first(root)))
664 rb_erase(node, root);
665 spin_unlock(&siduidlock);
666
667 root = &gidtree;
668 spin_lock(&sidgidlock);
669 while ((node = rb_first(root)))
670 rb_erase(node, root);
671 spin_unlock(&sidgidlock);
21fed0d5
SP		 672
673 root = &siduidtree;
674 spin_lock(&uidsidlock);
675 while ((node = rb_first(root)))
676 rb_erase(node, root);
677 spin_unlock(&uidsidlock);
678
679 root = &sidgidtree;
680 spin_lock(&gidsidlock);
681 while ((node = rb_first(root)))
682 rb_erase(node, root);
683 spin_unlock(&gidsidlock);
4d79dba0 684}
297647c2 685
97837582
SF		 686/* copy ntsd, owner sid, and group sid from a security descriptor to another */
687static void copy_sec_desc(const struct cifs_ntsd *pntsd,
688 struct cifs_ntsd *pnntsd, __u32 sidsoffset)
689{
97837582
SF		 690 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
691 struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr;
692
693 /* copy security descriptor control portion */
694 pnntsd->revision = pntsd->revision;
695 pnntsd->type = pntsd->type;
696 pnntsd->dacloffset = cpu_to_le32(sizeof(struct cifs_ntsd));
697 pnntsd->sacloffset = 0;
698 pnntsd->osidoffset = cpu_to_le32(sidsoffset);
699 pnntsd->gsidoffset = cpu_to_le32(sidsoffset + sizeof(struct cifs_sid));
700
701 /* copy owner sid */
702 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
703 le32_to_cpu(pntsd->osidoffset));
704 nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset);
36960e44 705 cifs_copy_sid(nowner_sid_ptr, owner_sid_ptr);
97837582
SF		 706
707 /* copy group sid */
708 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
709 le32_to_cpu(pntsd->gsidoffset));
710 ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset +
711 sizeof(struct cifs_sid));
36960e44 712 cifs_copy_sid(ngroup_sid_ptr, group_sid_ptr);
97837582
SF		 713
714 return;
715}
716
717
630f3f0c
SF		 718/*
719 change posix mode to reflect permissions
720 pmode is the existing mode (we only want to overwrite part of this
721 bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
722*/
9b5e6857 723static void access_flags_to_mode(__le32 ace_flags, int type, umode_t *pmode,
15b03959 724 umode_t *pbits_to_set)
630f3f0c 725{
9b5e6857 726 __u32 flags = le32_to_cpu(ace_flags);
15b03959 727 /* the order of ACEs is important. The canonical order is to begin with
ce06c9f0 728 DENY entries followed by ALLOW, otherwise an allow entry could be
15b03959 729 encountered first, making the subsequent deny entry like "dead code"
ce06c9f0 730 which would be superflous since Windows stops when a match is made
15b03959
SF		 731 for the operation you are trying to perform for your user */
732
733 /* For deny ACEs we change the mask so that subsequent allow access
734 control entries do not turn on the bits we are denying */
735 if (type == ACCESS_DENIED) {
ad7a2926 736 if (flags & GENERIC_ALL)
15b03959 737 *pbits_to_set &= ~S_IRWXUGO;
ad7a2926 738
9b5e6857
AV		 739 if ((flags & GENERIC_WRITE) ||
740 ((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
15b03959 741 *pbits_to_set &= ~S_IWUGO;
9b5e6857
AV		 742 if ((flags & GENERIC_READ) ||
743 ((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
15b03959 744 *pbits_to_set &= ~S_IRUGO;
9b5e6857
AV		 745 if ((flags & GENERIC_EXECUTE) ||
746 ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
15b03959
SF		 747 *pbits_to_set &= ~S_IXUGO;
748 return;
749 } else if (type != ACCESS_ALLOWED) {
b6b38f70 750 cERROR(1, "unknown access control type %d", type);
15b03959
SF		 751 return;
752 }
753 /* else ACCESS_ALLOWED type */
630f3f0c 754
9b5e6857 755 if (flags & GENERIC_ALL) {
15b03959 756 *pmode |= (S_IRWXUGO & (*pbits_to_set));
b6b38f70 757 cFYI(DBG2, "all perms");
d61e5808
SF		 758 return;
759 }
9b5e6857
AV		 760 if ((flags & GENERIC_WRITE) ||
761 ((flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
15b03959 762 *pmode |= (S_IWUGO & (*pbits_to_set));
9b5e6857
AV		 763 if ((flags & GENERIC_READ) ||
764 ((flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
15b03959 765 *pmode |= (S_IRUGO & (*pbits_to_set));
9b5e6857
AV		 766 if ((flags & GENERIC_EXECUTE) ||
767 ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
15b03959 768 *pmode |= (S_IXUGO & (*pbits_to_set));
630f3f0c 769
b6b38f70 770 cFYI(DBG2, "access flags 0x%x mode now 0x%x", flags, *pmode);
630f3f0c
SF		 771 return;
772}
773
ce06c9f0
SF		 774/*
775 Generate access flags to reflect permissions mode is the existing mode.
776 This function is called for every ACE in the DACL whose SID matches
777 with either owner or group or everyone.
778*/
779
780static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
781 __u32 *pace_flags)
782{
783 /* reset access mask */
784 *pace_flags = 0x0;
785
786 /* bits to use are either S_IRWXU or S_IRWXG or S_IRWXO */
787 mode &= bits_to_use;
788
789 /* check for R/W/X UGO since we do not know whose flags
790 is this but we have cleared all the bits sans RWX for
791 either user or group or other as per bits_to_use */
792 if (mode & S_IRUGO)
793 *pace_flags |= SET_FILE_READ_RIGHTS;
794 if (mode & S_IWUGO)
795 *pace_flags |= SET_FILE_WRITE_RIGHTS;
796 if (mode & S_IXUGO)
797 *pace_flags |= SET_FILE_EXEC_RIGHTS;
798
b6b38f70 799 cFYI(DBG2, "mode: 0x%x, access flags now 0x%x", mode, *pace_flags);
ce06c9f0
SF		 800 return;
801}
802
2b210adc 803static __u16 fill_ace_for_sid(struct cifs_ace *pntace,
97837582
SF		 804 const struct cifs_sid *psid, __u64 nmode, umode_t bits)
805{
806 int i;
807 __u16 size = 0;
808 __u32 access_req = 0;
809
810 pntace->type = ACCESS_ALLOWED;
811 pntace->flags = 0x0;
812 mode_to_access_flags(nmode, bits, &access_req);
813 if (!access_req)
814 access_req = SET_MINIMUM_RIGHTS;
815 pntace->access_req = cpu_to_le32(access_req);
816
817 pntace->sid.revision = psid->revision;
818 pntace->sid.num_subauth = psid->num_subauth;
852e2295 819 for (i = 0; i < NUM_AUTHS; i++)
97837582
SF		 820 pntace->sid.authority[i] = psid->authority[i];
821 for (i = 0; i < psid->num_subauth; i++)
822 pntace->sid.sub_auth[i] = psid->sub_auth[i];
823
824 size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth * 4);
825 pntace->size = cpu_to_le16(size);
826
ef571cad 827 return size;
97837582
SF		 828}
829
297647c2 830
953f8681
SF		 831#ifdef CONFIG_CIFS_DEBUG2
832static void dump_ace(struct cifs_ace *pace, char *end_of_acl)
d0d66c44 833{
d0d66c44 834 int num_subauth;
d0d66c44
SP		 835
836 /* validate that we do not go past end of acl */
297647c2 837
44093ca2 838 if (le16_to_cpu(pace->size) < 16) {
b6b38f70 839 cERROR(1, "ACE too small %d", le16_to_cpu(pace->size));
44093ca2
SF		 840 return;
841 }
842
843 if (end_of_acl < (char *)pace + le16_to_cpu(pace->size)) {
b6b38f70 844 cERROR(1, "ACL too small to parse ACE");
d0d66c44 845 return;
44093ca2 846 }
d0d66c44 847
44093ca2 848 num_subauth = pace->sid.num_subauth;
d0d66c44 849 if (num_subauth) {
8f18c131 850 int i;
b6b38f70 851 cFYI(1, "ACE revision %d num_auth %d type %d flags %d size %d",
44093ca2 852 pace->sid.revision, pace->sid.num_subauth, pace->type,
b6b38f70 853 pace->flags, le16_to_cpu(pace->size));
d12fd121 854 for (i = 0; i < num_subauth; ++i) {
b6b38f70
JP		 855 cFYI(1, "ACE sub_auth[%d]: 0x%x", i,
856 le32_to_cpu(pace->sid.sub_auth[i]));
d12fd121
SF		 857 }
858
859 /* BB add length check to make sure that we do not have huge
860 num auths and therefore go off the end */
d12fd121
SF		 861 }
862
863 return;
864}
953f8681 865#endif
d12fd121 866
d0d66c44 867
a750e77c 868static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
d61e5808 869 struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
0b8f18e3 870 struct cifs_fattr *fattr)
d0d66c44
SP		 871{
872 int i;
873 int num_aces = 0;
874 int acl_size;
875 char *acl_base;
d0d66c44
SP		 876 struct cifs_ace **ppace;
877
878 /* BB need to add parm so we can store the SID BB */
879
2b83457b
SF		 880 if (!pdacl) {
881 /* no DACL in the security descriptor, set
882 all the permissions for user/group/other */
0b8f18e3 883 fattr->cf_mode |= S_IRWXUGO;
2b83457b
SF		 884 return;
885 }
886
d0d66c44 887 /* validate that we do not go past end of acl */
af6f4612 888 if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
b6b38f70 889 cERROR(1, "ACL too small to parse DACL");
d0d66c44
SP		 890 return;
891 }
892
b6b38f70 893 cFYI(DBG2, "DACL revision %d size %d num aces %d",
af6f4612 894 le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
b6b38f70 895 le32_to_cpu(pdacl->num_aces));
d0d66c44 896
7505e052
SF		 897 /* reset rwx permissions for user/group/other.
898 Also, if num_aces is 0 i.e. DACL has no ACEs,
899 user/group/other have no permissions */
0b8f18e3 900 fattr->cf_mode &= ~(S_IRWXUGO);
7505e052 901
d0d66c44
SP		 902 acl_base = (char *)pdacl;
903 acl_size = sizeof(struct cifs_acl);
904
adbc0358 905 num_aces = le32_to_cpu(pdacl->num_aces);
a5ff3769 906 if (num_aces > 0) {
15b03959
SF		 907 umode_t user_mask = S_IRWXU;
908 umode_t group_mask = S_IRWXG;
2fbc2f17 909 umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
15b03959 910
7250170c
DC		 911 if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
912 return;
d0d66c44
SP		 913 ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
914 GFP_KERNEL);
8132b65b
SF		 915 if (!ppace) {
916 cERROR(1, "DACL memory allocation error");
917 return;
918 }
d0d66c44 919
d0d66c44 920 for (i = 0; i < num_aces; ++i) {
44093ca2 921 ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
953f8681
SF		 922#ifdef CONFIG_CIFS_DEBUG2
923 dump_ace(ppace[i], end_of_acl);
924#endif
9409ae58 925 if (compare_sids(&(ppace[i]->sid), pownersid) == 0)
e01b6400 926 access_flags_to_mode(ppace[i]->access_req,
15b03959 927 ppace[i]->type,
0b8f18e3 928 &fattr->cf_mode,
15b03959 929 &user_mask);
9409ae58 930 if (compare_sids(&(ppace[i]->sid), pgrpsid) == 0)
e01b6400 931 access_flags_to_mode(ppace[i]->access_req,
15b03959 932 ppace[i]->type,
0b8f18e3 933 &fattr->cf_mode,
15b03959 934 &group_mask);
9409ae58 935 if (compare_sids(&(ppace[i]->sid), &sid_everyone) == 0)
e01b6400 936 access_flags_to_mode(ppace[i]->access_req,
15b03959 937 ppace[i]->type,
0b8f18e3 938 &fattr->cf_mode,
15b03959 939 &other_mask);
9409ae58 940 if (compare_sids(&(ppace[i]->sid), &sid_authusers) == 0)
2fbc2f17
SP		 941 access_flags_to_mode(ppace[i]->access_req,
942 ppace[i]->type,
943 &fattr->cf_mode,
944 &other_mask);
945
e01b6400 946
44093ca2 947/* memcpy((void *)(&(cifscred->aces[i])),
d12fd121
SF		 948 (void *)ppace[i],
949 sizeof(struct cifs_ace)); */
d0d66c44 950
44093ca2
SF		 951 acl_base = (char *)ppace[i];
952 acl_size = le16_to_cpu(ppace[i]->size);
d0d66c44
SP		 953 }
954
955 kfree(ppace);
d0d66c44
SP		 956 }
957
958 return;
959}
960
bcb02034 961
97837582
SF		 962static int set_chmod_dacl(struct cifs_acl *pndacl, struct cifs_sid *pownersid,
963 struct cifs_sid *pgrpsid, __u64 nmode)
964{
2b210adc 965 u16 size = 0;
97837582
SF		 966 struct cifs_acl *pnndacl;
967
968 pnndacl = (struct cifs_acl *)((char *)pndacl + sizeof(struct cifs_acl));
969
970 size += fill_ace_for_sid((struct cifs_ace *) ((char *)pnndacl + size),
971 pownersid, nmode, S_IRWXU);
972 size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
973 pgrpsid, nmode, S_IRWXG);
974 size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
975 &sid_everyone, nmode, S_IRWXO);
976
977 pndacl->size = cpu_to_le16(size + sizeof(struct cifs_acl));
d9f382ef 978 pndacl->num_aces = cpu_to_le32(3);
97837582 979
ef571cad 980 return 0;
97837582
SF		 981}
982
983
bcb02034
SF		 984static int parse_sid(struct cifs_sid *psid, char *end_of_acl)
985{
986 /* BB need to add parm so we can store the SID BB */
987
b9c7a2bb
SF		 988 /* validate that we do not go past end of ACL - sid must be at least 8
989 bytes long (assuming no sub-auths - e.g. the null SID */
990 if (end_of_acl < (char *)psid + 8) {
b6b38f70 991 cERROR(1, "ACL too small to parse SID %p", psid);
bcb02034
SF		 992 return -EINVAL;
993 }
d0d66c44 994
bcb02034 995#ifdef CONFIG_CIFS_DEBUG2
fc03d8a5 996 if (psid->num_subauth) {
8f18c131 997 int i;
b6b38f70
JP		 998 cFYI(1, "SID revision %d num_auth %d",
999 psid->revision, psid->num_subauth);
bcb02034 1000
af6f4612 1001 for (i = 0; i < psid->num_subauth; i++) {
b6b38f70
JP		 1002 cFYI(1, "SID sub_auth[%d]: 0x%x ", i,
1003 le32_to_cpu(psid->sub_auth[i]));
d0d66c44
SP		 1004 }
1005
d12fd121 1006 /* BB add length check to make sure that we do not have huge
d0d66c44 1007 num auths and therefore go off the end */
b6b38f70
JP		 1008 cFYI(1, "RID 0x%x",
1009 le32_to_cpu(psid->sub_auth[psid->num_subauth-1]));
d0d66c44 1010 }
fc03d8a5 1011#endif
d0d66c44 1012
bcb02034
SF		 1013 return 0;
1014}
1015
d0d66c44 1016
bcb02034 1017/* Convert CIFS ACL to POSIX form */
9409ae58
SP		 1018static int parse_sec_desc(struct cifs_sb_info *cifs_sb,
1019 struct cifs_ntsd *pntsd, int acl_len, struct cifs_fattr *fattr)
bcb02034 1020{
9409ae58 1021 int rc = 0;
bcb02034
SF		 1022 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
1023 struct cifs_acl *dacl_ptr; /* no need for SACL ptr */
bcb02034 1024 char *end_of_acl = ((char *)pntsd) + acl_len;
7505e052 1025 __u32 dacloffset;
bcb02034 1026
0b8f18e3 1027 if (pntsd == NULL)
b9c7a2bb
SF		 1028 return -EIO;
1029
bcb02034 1030 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
af6f4612 1031 le32_to_cpu(pntsd->osidoffset));
bcb02034 1032 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
af6f4612 1033 le32_to_cpu(pntsd->gsidoffset));
7505e052 1034 dacloffset = le32_to_cpu(pntsd->dacloffset);
63d2583f 1035 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
b6b38f70 1036 cFYI(DBG2, "revision %d type 0x%x ooffset 0x%x goffset 0x%x "
bcb02034 1037 "sacloffset 0x%x dacloffset 0x%x",
af6f4612
SF		 1038 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
1039 le32_to_cpu(pntsd->gsidoffset),
b6b38f70 1040 le32_to_cpu(pntsd->sacloffset), dacloffset);
b9c7a2bb 1041/* cifs_dump_mem("owner_sid: ", owner_sid_ptr, 64); */
bcb02034 1042 rc = parse_sid(owner_sid_ptr, end_of_acl);
9409ae58
SP		 1043 if (rc) {
1044 cFYI(1, "%s: Error %d parsing Owner SID", __func__, rc);
1045 return rc;
1046 }
1047 rc = sid_to_id(cifs_sb, owner_sid_ptr, fattr, SIDOWNER);
1048 if (rc) {
1049 cFYI(1, "%s: Error %d mapping Owner SID to uid", __func__, rc);
bcb02034 1050 return rc;
9409ae58 1051 }
bcb02034
SF		 1052
1053 rc = parse_sid(group_sid_ptr, end_of_acl);
9409ae58
SP		 1054 if (rc) {
1055 cFYI(1, "%s: Error %d mapping Owner SID to gid", __func__, rc);
bcb02034 1056 return rc;
9409ae58
SP		 1057 }
1058 rc = sid_to_id(cifs_sb, group_sid_ptr, fattr, SIDGROUP);
1059 if (rc) {
1060 cFYI(1, "%s: Error %d mapping Group SID to gid", __func__, rc);
1061 return rc;
1062 }
bcb02034 1063
7505e052
SF		 1064 if (dacloffset)
1065 parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
0b8f18e3 1066 group_sid_ptr, fattr);
7505e052 1067 else
b6b38f70 1068 cFYI(1, "no ACL"); /* BB grant all or default perms? */
d0d66c44 1069
9409ae58 1070 return rc;
bcb02034 1071}
b9c7a2bb 1072
97837582
SF		 1073/* Convert permission bits from mode to equivalent CIFS ACL */
1074static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
a5ff3769 1075 __u32 secdesclen, __u64 nmode, uid_t uid, gid_t gid, int *aclflag)
97837582
SF		 1076{
1077 int rc = 0;
1078 __u32 dacloffset;
1079 __u32 ndacloffset;
1080 __u32 sidsoffset;
1081 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
a5ff3769 1082 struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr;
97837582
SF		 1083 struct cifs_acl *dacl_ptr = NULL; /* no need for SACL ptr */
1084 struct cifs_acl *ndacl_ptr = NULL; /* no need for SACL ptr */
1085
a5ff3769
SP		 1086 if (nmode != NO_CHANGE_64) { /* chmod */
1087 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
97837582 1088 le32_to_cpu(pntsd->osidoffset));
a5ff3769 1089 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
97837582 1090 le32_to_cpu(pntsd->gsidoffset));
a5ff3769
SP		 1091 dacloffset = le32_to_cpu(pntsd->dacloffset);
1092 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
1093 ndacloffset = sizeof(struct cifs_ntsd);
1094 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset);
1095 ndacl_ptr->revision = dacl_ptr->revision;
1096 ndacl_ptr->size = 0;
1097 ndacl_ptr->num_aces = 0;
1098
1099 rc = set_chmod_dacl(ndacl_ptr, owner_sid_ptr, group_sid_ptr,
1100 nmode);
1101 sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size);
1102 /* copy sec desc control portion & owner and group sids */
1103 copy_sec_desc(pntsd, pnntsd, sidsoffset);
1104 *aclflag = CIFS_ACL_DACL;
1105 } else {
1106 memcpy(pnntsd, pntsd, secdesclen);
1107 if (uid != NO_CHANGE_32) { /* chown */
1108 owner_sid_ptr = (struct cifs_sid *)((char *)pnntsd +
1109 le32_to_cpu(pnntsd->osidoffset));
1110 nowner_sid_ptr = kmalloc(sizeof(struct cifs_sid),
1111 GFP_KERNEL);
1112 if (!nowner_sid_ptr)
1113 return -ENOMEM;
1114 rc = id_to_sid(uid, SIDOWNER, nowner_sid_ptr);
1115 if (rc) {
1116 cFYI(1, "%s: Mapping error %d for owner id %d",
1117 __func__, rc, uid);
1118 kfree(nowner_sid_ptr);
1119 return rc;
1120 }
36960e44 1121 cifs_copy_sid(owner_sid_ptr, nowner_sid_ptr);
a5ff3769
SP		 1122 kfree(nowner_sid_ptr);
1123 *aclflag = CIFS_ACL_OWNER;
1124 }
1125 if (gid != NO_CHANGE_32) { /* chgrp */
1126 group_sid_ptr = (struct cifs_sid *)((char *)pnntsd +
1127 le32_to_cpu(pnntsd->gsidoffset));
1128 ngroup_sid_ptr = kmalloc(sizeof(struct cifs_sid),
1129 GFP_KERNEL);
1130 if (!ngroup_sid_ptr)
1131 return -ENOMEM;
1132 rc = id_to_sid(gid, SIDGROUP, ngroup_sid_ptr);
1133 if (rc) {
1134 cFYI(1, "%s: Mapping error %d for group id %d",
1135 __func__, rc, gid);
1136 kfree(ngroup_sid_ptr);
1137 return rc;
1138 }
36960e44 1139 cifs_copy_sid(group_sid_ptr, ngroup_sid_ptr);
a5ff3769
SP		 1140 kfree(ngroup_sid_ptr);
1141 *aclflag = CIFS_ACL_GROUP;
1142 }
1143 }
97837582 1144
ef571cad 1145 return rc;
97837582
SF		 1146}
1147
1bf4072d
CH		 1148static struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb,
1149 __u16 fid, u32 *pacllen)
b9c7a2bb 1150{
b9c7a2bb 1151 struct cifs_ntsd *pntsd = NULL;
6d5786a3
PS		 1152 unsigned int xid;
1153 int rc;
7ffec372
JL		 1154 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1155
1156 if (IS_ERR(tlink))
987b21d7 1157 return ERR_CAST(tlink);
b9c7a2bb 1158
6d5786a3 1159 xid = get_xid();
7ffec372 1160 rc = CIFSSMBGetCIFSACL(xid, tlink_tcon(tlink), fid, &pntsd, pacllen);
6d5786a3 1161 free_xid(xid);
b9c7a2bb 1162
7ffec372 1163 cifs_put_tlink(tlink);
b9c7a2bb 1164
987b21d7
SP		 1165 cFYI(1, "%s: rc = %d ACL len %d", __func__, rc, *pacllen);
1166 if (rc)
1167 return ERR_PTR(rc);
1bf4072d
CH		 1168 return pntsd;
1169}
8b1327f6 1170
1bf4072d
CH		 1171static struct cifs_ntsd *get_cifs_acl_by_path(struct cifs_sb_info *cifs_sb,
1172 const char *path, u32 *pacllen)
1173{
1174 struct cifs_ntsd *pntsd = NULL;
1175 int oplock = 0;
6d5786a3
PS		 1176 unsigned int xid;
1177 int rc, create_options = 0;
1bf4072d 1178 __u16 fid;
96daf2b0 1179 struct cifs_tcon *tcon;
7ffec372
JL		 1180 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
1181
1182 if (IS_ERR(tlink))
987b21d7 1183 return ERR_CAST(tlink);
b9c7a2bb 1184
7ffec372 1185 tcon = tlink_tcon(tlink);
6d5786a3 1186 xid = get_xid();
1bf4072d 1187
3d3ea8e6
SP		 1188 if (backup_cred(cifs_sb))
1189 create_options |= CREATE_OPEN_BACKUP_INTENT;
1190
1191 rc = CIFSSMBOpen(xid, tcon, path, FILE_OPEN, READ_CONTROL,
1192 create_options, &fid, &oplock, NULL, cifs_sb->local_nls,
1193 cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
987b21d7
SP		 1194 if (!rc) {
1195 rc = CIFSSMBGetCIFSACL(xid, tcon, fid, &pntsd, pacllen);
1196 CIFSSMBClose(xid, tcon, fid);
b9c7a2bb
SF		 1197 }
1198
7ffec372 1199 cifs_put_tlink(tlink);
6d5786a3 1200 free_xid(xid);
987b21d7
SP		 1201
1202 cFYI(1, "%s: rc = %d ACL len %d", __func__, rc, *pacllen);
1203 if (rc)
1204 return ERR_PTR(rc);
7505e052
SF		 1205 return pntsd;
1206}
1207
1bf4072d 1208/* Retrieve an ACL from the server */
fbeba8bb 1209struct cifs_ntsd *get_cifs_acl(struct cifs_sb_info *cifs_sb,
1bf4072d
CH		 1210 struct inode *inode, const char *path,
1211 u32 *pacllen)
1212{
1213 struct cifs_ntsd *pntsd = NULL;
1214 struct cifsFileInfo *open_file = NULL;
1215
1216 if (inode)
6508d904 1217 open_file = find_readable_file(CIFS_I(inode), true);
1bf4072d
CH		 1218 if (!open_file)
1219 return get_cifs_acl_by_path(cifs_sb, path, pacllen);
1220
4b4de76e 1221 pntsd = get_cifs_acl_by_fid(cifs_sb, open_file->fid.netfid, pacllen);
6ab409b5 1222 cifsFileInfo_put(open_file);
1bf4072d
CH		 1223 return pntsd;
1224}
1225
a5ff3769
SP		 1226 /* Set an ACL on the server */
1227int set_cifs_acl(struct cifs_ntsd *pnntsd, __u32 acllen,
1228 struct inode *inode, const char *path, int aclflag)
b96d31a6
CH		 1229{
1230 int oplock = 0;
6d5786a3
PS		 1231 unsigned int xid;
1232 int rc, access_flags, create_options = 0;
b96d31a6 1233 __u16 fid;
96daf2b0 1234 struct cifs_tcon *tcon;
a5ff3769 1235 struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
7ffec372 1236 struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
97837582 1237
7ffec372
JL		 1238 if (IS_ERR(tlink))
1239 return PTR_ERR(tlink);
1240
1241 tcon = tlink_tcon(tlink);
6d5786a3 1242 xid = get_xid();
97837582 1243
3d3ea8e6
SP		 1244 if (backup_cred(cifs_sb))
1245 create_options |= CREATE_OPEN_BACKUP_INTENT;
1246
a5ff3769
SP		 1247 if (aclflag == CIFS_ACL_OWNER || aclflag == CIFS_ACL_GROUP)
1248 access_flags = WRITE_OWNER;
1249 else
1250 access_flags = WRITE_DAC;
1251
1252 rc = CIFSSMBOpen(xid, tcon, path, FILE_OPEN, access_flags,
1253 create_options, &fid, &oplock, NULL, cifs_sb->local_nls,
1254 cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
b96d31a6 1255 if (rc) {
b6b38f70 1256 cERROR(1, "Unable to open file to set ACL");
b96d31a6 1257 goto out;
97837582
SF		 1258 }
1259
a5ff3769 1260 rc = CIFSSMBSetCIFSACL(xid, tcon, fid, pnntsd, acllen, aclflag);
b6b38f70 1261 cFYI(DBG2, "SetCIFSACL rc = %d", rc);
97837582 1262
7ffec372
JL		 1263 CIFSSMBClose(xid, tcon, fid);
1264out:
6d5786a3 1265 free_xid(xid);
7ffec372 1266 cifs_put_tlink(tlink);
b96d31a6
CH		 1267 return rc;
1268}
97837582 1269
7505e052 1270/* Translate the CIFS ACL (simlar to NTFS ACL) for a file into mode bits */
987b21d7 1271int
0b8f18e3
JL		 1272cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr,
1273 struct inode *inode, const char *path, const __u16 *pfid)
7505e052
SF		 1274{
1275 struct cifs_ntsd *pntsd = NULL;
1276 u32 acllen = 0;
1277 int rc = 0;
1278
b6b38f70 1279 cFYI(DBG2, "converting ACL to mode for %s", path);
1bf4072d
CH		 1280
1281 if (pfid)
1282 pntsd = get_cifs_acl_by_fid(cifs_sb, *pfid, &acllen);
1283 else
1284 pntsd = get_cifs_acl(cifs_sb, inode, path, &acllen);
7505e052
SF		 1285
1286 /* if we can retrieve the ACL, now parse Access Control Entries, ACEs */
987b21d7
SP		 1287 if (IS_ERR(pntsd)) {
1288 rc = PTR_ERR(pntsd);
1289 cERROR(1, "%s: error %d getting sec desc", __func__, rc);
1290 } else {
9409ae58 1291 rc = parse_sec_desc(cifs_sb, pntsd, acllen, fattr);
987b21d7
SP		 1292 kfree(pntsd);
1293 if (rc)
1294 cERROR(1, "parse sec desc failed rc = %d", rc);
1295 }
7505e052 1296
987b21d7 1297 return rc;
b9c7a2bb 1298}
953f8681 1299
7505e052 1300/* Convert mode bits to an ACL so we can update the ACL on the server */
a5ff3769
SP		 1301int
1302id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 nmode,
1303 uid_t uid, gid_t gid)
953f8681
SF		 1304{
1305 int rc = 0;
a5ff3769 1306 int aclflag = CIFS_ACL_DACL; /* default flag to set */
cce246ee 1307 __u32 secdesclen = 0;
97837582
SF		 1308 struct cifs_ntsd *pntsd = NULL; /* acl obtained from server */
1309 struct cifs_ntsd *pnntsd = NULL; /* modified acl to be sent to server */
953f8681 1310
b6b38f70 1311 cFYI(DBG2, "set ACL from mode for %s", path);
953f8681
SF		 1312
1313 /* Get the security descriptor */
1bf4072d 1314 pntsd = get_cifs_acl(CIFS_SB(inode->i_sb), inode, path, &secdesclen);
987b21d7
SP		 1315 if (IS_ERR(pntsd)) {
1316 rc = PTR_ERR(pntsd);
1317 cERROR(1, "%s: error %d getting sec desc", __func__, rc);
c78cd838
JL		 1318 goto out;
1319 }
7505e052 1320
c78cd838
JL		 1321 /*
1322 * Add three ACEs for owner, group, everyone getting rid of other ACEs
1323 * as chmod disables ACEs and set the security descriptor. Allocate
1324 * memory for the smb header, set security descriptor request security
1325 * descriptor parameters, and secuirty descriptor itself
1326 */
1327 secdesclen = max_t(u32, secdesclen, DEFSECDESCLEN);
1328 pnntsd = kmalloc(secdesclen, GFP_KERNEL);
1329 if (!pnntsd) {
1330 cERROR(1, "Unable to allocate security descriptor");
1331 kfree(pntsd);
1332 return -ENOMEM;
1333 }
97837582 1334
c78cd838
JL		 1335 rc = build_sec_desc(pntsd, pnntsd, secdesclen, nmode, uid, gid,
1336 &aclflag);
97837582 1337
c78cd838 1338 cFYI(DBG2, "build_sec_desc rc: %d", rc);
97837582 1339
c78cd838
JL		 1340 if (!rc) {
1341 /* Set the security descriptor */
1342 rc = set_cifs_acl(pnntsd, secdesclen, inode, path, aclflag);
1343 cFYI(DBG2, "set_cifs_acl rc: %d", rc);
97837582
SF		 1344 }
1345
c78cd838
JL		 1346 kfree(pnntsd);
1347 kfree(pntsd);
1348out:
ef571cad 1349 return rc;
953f8681 1350}
Ubuntu Artful kernel mirror