]>
Commit | Line | Data |
---|---|---|
929be906 | 1 | /* SPDX-License-Identifier: LGPL-2.1 */ |
bf820679 | 2 | /* |
bf820679 | 3 | * |
bcb02034 | 4 | * Copyright (c) International Business Machines Corp., 2007 |
bf820679 SF |
5 | * Author(s): Steve French (sfrench@us.ibm.com) |
6 | * | |
bf820679 SF |
7 | */ |
8 | ||
9 | #ifndef _CIFSACL_H | |
10 | #define _CIFSACL_H | |
11 | ||
faa65f07 | 12 | #define NUM_AUTHS (6) /* number of authority fields */ |
30c9d6cc | 13 | #define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */ |
297647c2 | 14 | |
a750e77c SF |
15 | #define READ_BIT 0x4 |
16 | #define WRITE_BIT 0x2 | |
17 | #define EXEC_BIT 0x1 | |
18 | ||
f2156d35 | 19 | #define ACL_OWNER_MASK 0700 |
c12ead71 SP |
20 | #define ACL_GROUP_MASK 0070 |
21 | #define ACL_EVERYONE_MASK 0007 | |
f2156d35 | 22 | |
a750e77c SF |
23 | #define UBITSHIFT 6 |
24 | #define GBITSHIFT 3 | |
25 | ||
63d2583f SF |
26 | #define ACCESS_ALLOWED 0 |
27 | #define ACCESS_DENIED 1 | |
28 | ||
9409ae58 SP |
29 | #define SIDOWNER 1 |
30 | #define SIDGROUP 2 | |
30c9d6cc | 31 | |
7ee0b4c6 JL |
32 | /* |
33 | * Security Descriptor length containing DACL with 3 ACEs (one each for | |
34 | * owner, group and world). | |
35 | */ | |
36 | #define DEFAULT_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + \ | |
37 | sizeof(struct cifs_acl) + \ | |
0892ba69 | 38 | (sizeof(struct cifs_ace) * 4)) |
7ee0b4c6 | 39 | |
30c9d6cc JL |
40 | /* |
41 | * Maximum size of a string representation of a SID: | |
42 | * | |
43 | * The fields are unsigned values in decimal. So: | |
44 | * | |
45 | * u8: max 3 bytes in decimal | |
46 | * u32: max 10 bytes in decimal | |
47 | * | |
193cdd8a JL |
48 | * "S-" + 3 bytes for version field + 15 for authority field + NULL terminator |
49 | * | |
50 | * For authority field, max is when all 6 values are non-zero and it must be | |
51 | * represented in hex. So "-0x" + 12 hex digits. | |
faa65f07 JL |
52 | * |
53 | * Add 11 bytes for each subauthority field (10 bytes each + 1 for '-') | |
30c9d6cc | 54 | */ |
193cdd8a | 55 | #define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1) |
faa65f07 | 56 | #define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */ |
9409ae58 | 57 | |
442aa310 | 58 | struct cifs_ntsd { |
af6f4612 SF |
59 | __le16 revision; /* revision level */ |
60 | __le16 type; | |
61 | __le32 osidoffset; | |
62 | __le32 gsidoffset; | |
63 | __le32 sacloffset; | |
64 | __le32 dacloffset; | |
442aa310 SF |
65 | } __attribute__((packed)); |
66 | ||
bf820679 SF |
67 | struct cifs_sid { |
68 | __u8 revision; /* revision level */ | |
4084973d | 69 | __u8 num_subauth; |
852e2295 | 70 | __u8 authority[NUM_AUTHS]; |
30c9d6cc | 71 | __le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */ |
442aa310 SF |
72 | } __attribute__((packed)); |
73 | ||
36f87ee7 JL |
74 | /* size of a struct cifs_sid, sans sub_auth array */ |
75 | #define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS) | |
76 | ||
442aa310 | 77 | struct cifs_acl { |
af6f4612 SF |
78 | __le16 revision; /* revision level */ |
79 | __le16 size; | |
80 | __le32 num_aces; | |
442aa310 SF |
81 | } __attribute__((packed)); |
82 | ||
ff3ee62a SF |
83 | /* ACE types - see MS-DTYP 2.4.4.1 */ |
84 | #define ACCESS_ALLOWED_ACE_TYPE 0x00 | |
85 | #define ACCESS_DENIED_ACE_TYPE 0x01 | |
86 | #define SYSTEM_AUDIT_ACE_TYPE 0x02 | |
87 | #define SYSTEM_ALARM_ACE_TYPE 0x03 | |
88 | #define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04 | |
89 | #define ACCESS_ALLOWED_OBJECT_ACE_TYPE 0x05 | |
90 | #define ACCESS_DENIED_OBJECT_ACE_TYPE 0x06 | |
91 | #define SYSTEM_AUDIT_OBJECT_ACE_TYPE 0x07 | |
92 | #define SYSTEM_ALARM_OBJECT_ACE_TYPE 0x08 | |
93 | #define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09 | |
94 | #define ACCESS_DENIED_CALLBACK_ACE_TYPE 0x0A | |
95 | #define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B | |
96 | #define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE 0x0C | |
97 | #define SYSTEM_AUDIT_CALLBACK_ACE_TYPE 0x0D | |
98 | #define SYSTEM_ALARM_CALLBACK_ACE_TYPE 0x0E /* Reserved */ | |
99 | #define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F | |
100 | #define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */ | |
101 | #define SYSTEM_MANDATORY_LABEL_ACE_TYPE 0x11 | |
102 | #define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12 | |
103 | #define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13 | |
104 | ||
105 | /* ACE flags */ | |
106 | #define OBJECT_INHERIT_ACE 0x01 | |
107 | #define CONTAINER_INHERIT_ACE 0x02 | |
108 | #define NO_PROPAGATE_INHERIT_ACE 0x04 | |
109 | #define INHERIT_ONLY_ACE 0x08 | |
110 | #define INHERITED_ACE 0x10 | |
111 | #define SUCCESSFUL_ACCESS_ACE_FLAG 0x40 | |
112 | #define FAILED_ACCESS_ACE_FLAG 0x80 | |
113 | ||
44093ca2 | 114 | struct cifs_ace { |
ff3ee62a | 115 | __u8 type; /* see above and MS-DTYP 2.4.4.1 */ |
442aa310 | 116 | __u8 flags; |
8f2376ad CG |
117 | __le16 size; |
118 | __le32 access_req; | |
44093ca2 | 119 | struct cifs_sid sid; /* ie UUID of user or group who gets these perms */ |
297647c2 SF |
120 | } __attribute__((packed)); |
121 | ||
ff3ee62a SF |
122 | /* |
123 | * The current SMB3 form of security descriptor is similar to what was used for | |
124 | * cifs (see above) but some fields are split, and fields in the struct below | |
a03f507d | 125 | * matches names of fields to the spec, MS-DTYP (see sections 2.4.5 and |
ff3ee62a SF |
126 | * 2.4.6). Note that "CamelCase" fields are used in this struct in order to |
127 | * match the MS-DTYP and MS-SMB2 specs which define the wire format. | |
128 | */ | |
129 | struct smb3_sd { | |
130 | __u8 Revision; /* revision level, MUST be one */ | |
131 | __u8 Sbz1; /* only meaningful if 'RM' flag set below */ | |
132 | __le16 Control; | |
133 | __le32 OffsetOwner; | |
134 | __le32 OffsetGroup; | |
135 | __le32 OffsetSacl; | |
136 | __le32 OffsetDacl; | |
137 | } __packed; | |
138 | ||
139 | /* Meaning of 'Control' field flags */ | |
fdef665b SF |
140 | #define ACL_CONTROL_SR 0x8000 /* Self relative */ |
141 | #define ACL_CONTROL_RM 0x4000 /* Resource manager control bits */ | |
142 | #define ACL_CONTROL_PS 0x2000 /* SACL protected from inherits */ | |
143 | #define ACL_CONTROL_PD 0x1000 /* DACL protected from inherits */ | |
144 | #define ACL_CONTROL_SI 0x0800 /* SACL Auto-Inherited */ | |
145 | #define ACL_CONTROL_DI 0x0400 /* DACL Auto-Inherited */ | |
146 | #define ACL_CONTROL_SC 0x0200 /* SACL computed through inheritance */ | |
147 | #define ACL_CONTROL_DC 0x0100 /* DACL computed through inheritence */ | |
148 | #define ACL_CONTROL_SS 0x0080 /* Create server ACL */ | |
149 | #define ACL_CONTROL_DT 0x0040 /* DACL provided by trusted source */ | |
150 | #define ACL_CONTROL_SD 0x0020 /* SACL defaulted */ | |
151 | #define ACL_CONTROL_SP 0x0010 /* SACL is present on object */ | |
152 | #define ACL_CONTROL_DD 0x0008 /* DACL defaulted */ | |
153 | #define ACL_CONTROL_DP 0x0004 /* DACL is present on object */ | |
154 | #define ACL_CONTROL_GD 0x0002 /* Group was defaulted */ | |
155 | #define ACL_CONTROL_OD 0x0001 /* User was defaulted */ | |
ff3ee62a SF |
156 | |
157 | /* Meaning of AclRevision flags */ | |
158 | #define ACL_REVISION 0x02 /* See section 2.4.4.1 of MS-DTYP */ | |
159 | #define ACL_REVISION_DS 0x04 /* Additional AceTypes allowed */ | |
160 | ||
161 | struct smb3_acl { | |
162 | u8 AclRevision; /* revision level */ | |
163 | u8 Sbz1; /* MBZ */ | |
164 | __le16 AclSize; | |
165 | __le16 AceCount; | |
166 | __le16 Sbz2; /* MBZ */ | |
167 | } __packed; | |
168 | ||
975221ec SF |
169 | /* |
170 | * Used to store the special 'NFS SIDs' used to persist the POSIX uid and gid | |
a03f507d | 171 | * See http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx |
975221ec SF |
172 | */ |
173 | struct owner_sid { | |
174 | u8 Revision; | |
175 | u8 NumAuth; | |
176 | u8 Authority[6]; | |
177 | __le32 SubAuthorities[3]; | |
178 | } __packed; | |
179 | ||
180 | struct owner_group_sids { | |
181 | struct owner_sid owner; | |
182 | struct owner_sid group; | |
183 | } __packed; | |
ff3ee62a | 184 | |
ee25c6dd SP |
185 | /* |
186 | * Minimum security identifier can be one for system defined Users | |
187 | * and Groups such as NULL SID and World or Built-in accounts such | |
188 | * as Administrator and Guest and consists of | |
189 | * Revision + Num (Sub)Auths + Authority + Domain (one Subauthority) | |
190 | */ | |
191 | #define MIN_SID_LEN (1 + 1 + 6 + 4) /* in bytes */ | |
192 | ||
193 | /* | |
194 | * Minimum security descriptor can be one without any SACL and DACL and can | |
195 | * consist of revision, type, and two sids of minimum size for owner and group | |
196 | */ | |
197 | #define MIN_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + (2 * MIN_SID_LEN)) | |
198 | ||
a6230af7 | 199 | #endif /* _CIFSACL_H */ |