1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * ACL support for smbfs 31 */ 32 33 #include <sys/systm.h> /* bcopy, ... */ 34 #include <sys/errno.h> 35 #include <sys/cred.h> 36 #include <sys/cmn_err.h> 37 #include <sys/kmem.h> 38 #include <sys/sunddi.h> 39 #include <sys/acl.h> 40 #include <sys/vnode.h> 41 #include <sys/vfs.h> 42 #include <sys/byteorder.h> 43 44 #include <netsmb/smb_osdep.h> 45 #include <netsmb/smb.h> 46 #include <netsmb/smb_conn.h> 47 #include <netsmb/smb_subr.h> 48 #include <netsmb/mchain.h> 49 50 #include <smbfs/smbfs.h> 51 #include <smbfs/smbfs_node.h> 52 #include <smbfs/smbfs_subr.h> 53 54 #include <sys/fs/smbfs_ioctl.h> 55 #include <fs/fs_subr.h> 56 57 /* Sanity check SD sizes */ 58 #define MAX_RAW_SD_SIZE 32768 59 #define SMALL_SD_SIZE 1024 60 61 #undef ACL_SUPPORT /* not yet */ 62 63 64 /* 65 * smbfs_getsd(), smbfs_setsd() are common functions used by 66 * both ioctl get/set ACL and VOP_GETSECATTR, VOP_SETSECATTR. 67 * Handles required rights, tmpopen/tmpclose. 68 * 69 * Note: smbfs_getsd allocates and returns an mblk chain, 70 * which the caller must free. 71 */ 72 int 73 smbfs_getsd(vnode_t *vp, uint32_t selector, mblk_t **mp, cred_t *cr) 74 { 75 struct smb_cred scred; 76 int error, cerror; 77 smbmntinfo_t *smi; 78 smbnode_t *np; 79 u_int16_t fid = SMB_FID_UNUSED; 80 uint32_t sdlen = SMALL_SD_SIZE; 81 uint32_t rights = STD_RIGHT_READ_CONTROL_ACCESS; 82 83 if (selector & SACL_SECURITY_INFORMATION) 84 rights |= SEC_RIGHT_SYSTEM_SECURITY; 85 86 np = VTOSMB(vp); 87 smi = VTOSMI(vp); 88 89 /* Shared lock for (possible) n_fid use. */ 90 if (smbfs_rw_enter_sig(&np->r_lkserlock, RW_READER, SMBINTR(vp))) 91 return (EINTR); 92 smb_credinit(&scred, curproc, cr); 93 94 error = smbfs_smb_tmpopen(np, rights, &scred, &fid); 95 if (error) 96 goto out; 97 98 again: 99 /* 100 * This does the OTW Get 101 */ 102 error = smbfs_smb_getsec_m(smi->smi_share, fid, 103 &scred, selector, mp, &sdlen); 104 /* 105 * Server may give us an error indicating that we 106 * need a larger data buffer to receive the SD, 107 * and the size we'll need. Use the given size, 108 * but only after a sanity check. 109 * 110 * Let's check for specific error values here. 111 * The NT error is: STATUS_BUFFER_TOO_SMALL, 112 * or with old error codes, one of these: 113 * ERRSRV/ERRnoroom, ERRDOS/122, ERRDOS/111 114 * Those are mapped to: EMOREDATA, which is 115 * later converted to E2BIG. 116 */ 117 if (error == E2BIG && 118 sdlen > SMALL_SD_SIZE && 119 sdlen <= MAX_RAW_SD_SIZE) 120 goto again; 121 122 cerror = smbfs_smb_tmpclose(np, fid, &scred); 123 if (cerror) 124 SMBERROR("error %d closing file %s\n", 125 cerror, np->n_rpath); 126 127 out: 128 smb_credrele(&scred); 129 smbfs_rw_exit(&np->r_lkserlock); 130 131 return (error); 132 } 133 134 int 135 smbfs_setsd(vnode_t *vp, uint32_t selector, mblk_t **mp, cred_t *cr) 136 { 137 struct smb_cred scred; 138 int error, cerror; 139 smbmntinfo_t *smi; 140 smbnode_t *np; 141 uint32_t rights; 142 u_int16_t fid = SMB_FID_UNUSED; 143 144 np = VTOSMB(vp); 145 smi = VTOSMI(vp); 146 147 /* 148 * Which parts of the SD are we setting? 149 * What rights do we need for that? 150 */ 151 if (selector == 0) 152 return (0); 153 rights = 0; 154 if (selector & (OWNER_SECURITY_INFORMATION | 155 GROUP_SECURITY_INFORMATION)) 156 rights |= STD_RIGHT_WRITE_OWNER_ACCESS; 157 if (selector & DACL_SECURITY_INFORMATION) 158 rights |= STD_RIGHT_WRITE_DAC_ACCESS; 159 if (selector & SACL_SECURITY_INFORMATION) 160 rights |= SEC_RIGHT_SYSTEM_SECURITY; 161 162 /* Shared lock for (possible) n_fid use. */ 163 if (smbfs_rw_enter_sig(&np->r_lkserlock, RW_READER, SMBINTR(vp))) 164 return (EINTR); 165 smb_credinit(&scred, curproc, cr); 166 167 error = smbfs_smb_tmpopen(np, rights, &scred, &fid); 168 if (error) 169 goto out; 170 171 /* 172 * This does the OTW Set 173 */ 174 error = smbfs_smb_setsec_m(smi->smi_share, fid, 175 &scred, selector, mp); 176 177 cerror = smbfs_smb_tmpclose(np, fid, &scred); 178 if (cerror) 179 SMBERROR("error %d closing file %s\n", 180 cerror, np->n_rpath); 181 182 out: 183 smb_credrele(&scred); 184 smbfs_rw_exit(&np->r_lkserlock); 185 186 return (error); 187 } 188 189 /* 190 * Entry points from VOP_IOCTL 191 */ 192 int 193 smbfs_ioc_getsd(vnode_t *vp, intptr_t arg, int flag, cred_t *cr) 194 { 195 ioc_sdbuf_t iocb; 196 mdchain_t *mdp, md_store; 197 mblk_t *m; 198 void *ubuf; 199 int error; 200 201 /* 202 * Get the buffer information 203 */ 204 if (ddi_copyin((void *)arg, &iocb, sizeof (iocb), flag)) 205 return (EFAULT); 206 207 /* 208 * This does the OTW Get (and maybe open, close) 209 * Allocates and returns an mblk in &m. 210 */ 211 error = smbfs_getsd(vp, iocb.selector, &m, cr); 212 if (error) 213 return (error); 214 215 /* 216 * Have m. Must free it before return. 217 */ 218 mdp = &md_store; 219 md_initm(mdp, m); 220 iocb.used = m_fixhdr(m); 221 222 /* 223 * Always copyout the buffer information, 224 * so the user can realloc and try again 225 * after an EOVERFLOW return. 226 */ 227 if (ddi_copyout(&iocb, (void *)arg, sizeof (iocb), flag)) { 228 error = EFAULT; 229 goto out; 230 } 231 232 if (iocb.used > iocb.alloc) { 233 error = EOVERFLOW; 234 goto out; 235 } 236 237 /* 238 * Copyout the buffer contents (SD) 239 */ 240 ubuf = (void *)(uintptr_t)iocb.addr; 241 error = md_get_mem(mdp, ubuf, iocb.used, MB_MUSER); 242 243 out: 244 /* Note: m_freem(m) is done by... */ 245 md_done(mdp); 246 247 return (error); 248 } 249 250 int 251 smbfs_ioc_setsd(vnode_t *vp, intptr_t arg, int flag, cred_t *cr) 252 { 253 ioc_sdbuf_t iocb; 254 mbchain_t *mbp, mb_store; 255 void *ubuf; 256 int error; 257 258 /* 259 * Get the buffer information 260 */ 261 if (ddi_copyin((void *)arg, &iocb, sizeof (iocb), flag)) 262 return (EFAULT); 263 264 if (iocb.used < sizeof (ntsecdesc_t) || 265 iocb.used >= MAX_RAW_SD_SIZE) 266 return (EINVAL); 267 268 /* 269 * Get the buffer contents (security descriptor data) 270 */ 271 mbp = &mb_store; 272 mb_init(mbp); 273 ubuf = (void *)(uintptr_t)iocb.addr; 274 error = mb_put_mem(mbp, ubuf, iocb.used, MB_MUSER); 275 if (error) 276 goto out; 277 278 /* 279 * This does the OTW Set (and maybe open, close) 280 * It clears mb_top when consuming the message. 281 */ 282 error = smbfs_setsd(vp, iocb.selector, &mbp->mb_top, cr); 283 284 out: 285 mb_done(mbp); 286 return (error); 287 288 } 289 290 #ifdef ACL_SUPPORT 291 /* 292 * Conversion functions for VOP_GETSECATTR, VOP_SETSECATTR 293 * 294 * XXX: We may or may not add conversion code here, or we 295 * may add that to usr/src/common (TBD). For now all the 296 * ACL conversion code is in libsmbfs. 297 */ 298 299 /* 300 * Convert a Windows SD (in the mdchain mdp) into a 301 * ZFS-style vsecattr_t and possibly uid, gid. 302 */ 303 /* ARGSUSED */ 304 static int 305 smb_ntsd2vsec(mdchain_t *mdp, vsecattr_t *vsa, 306 int *uidp, int *gidp, cred_t *cr) 307 { 308 /* XXX NOT_YET */ 309 return (ENOSYS); 310 } 311 312 /* 313 * Convert a ZFS-style vsecattr_t (and possibly uid, gid) 314 * into a Windows SD (built in the mbchain mbp). 315 */ 316 /* ARGSUSED */ 317 static int 318 smb_vsec2ntsd(vsecattr_t *vsa, int uid, int gid, 319 mbchain_t *mbp, cred_t *cr) 320 { 321 /* XXX NOT_YET */ 322 return (ENOSYS); 323 } 324 #endif /* ACL_SUPPORT */ 325 326 /* 327 * Entry points from VOP_GETSECATTR, VOP_SETSECATTR 328 * 329 * Disabled the real _getacl functionality for now, 330 * because we have no way to return the owner and 331 * primary group until we replace our fake uid/gid 332 * in getattr with something derived from _getsd. 333 */ 334 335 /* ARGSUSED */ 336 int 337 smbfs_getacl(vnode_t *vp, vsecattr_t *vsa, 338 int *uidp, int *gidp, int flag, cred_t *cr) 339 { 340 #ifdef ACL_SUPPORT 341 mdchain_t *mdp, md_store; 342 mblk_t *m; 343 uint32_t selector; 344 int error; 345 346 /* 347 * Which parts of the SD we request. 348 * XXX: We need a way to let the caller specify 349 * what parts she wants - i.e. the SACL? 350 * XXX: selector |= SACL_SECURITY_INFORMATION; 351 * Or maybe: if we get access denied, try the 352 * open/fetch again without the SACL bit. 353 */ 354 selector = 0; 355 if (vsa) 356 selector |= DACL_SECURITY_INFORMATION; 357 if (uidp) 358 selector |= OWNER_SECURITY_INFORMATION; 359 if (gidp) 360 selector |= GROUP_SECURITY_INFORMATION; 361 if (selector == 0) 362 return (0); 363 364 /* 365 * This does the OTW Get (and maybe open, close) 366 * Allocates and returns an mblk in &m. 367 */ 368 error = smbfs_getsd(vp, selector, &m, cr); 369 if (error) 370 return (error); 371 372 /* 373 * Have m. Must free it before return. 374 */ 375 mdp = &md_store; 376 md_initm(mdp, m); 377 378 /* 379 * Convert the Windows security descriptor to a 380 * ZFS ACL (and owner ID, primary group ID). 381 * This is the difficult part. (todo) 382 */ 383 error = smb_ntsd2vsec(mdp, vsa, uidp, gidp, cr); 384 385 /* Note: m_freem(m) is done by... */ 386 md_done(mdp); 387 388 return (error); 389 #else /* ACL_SUPPORT */ 390 return (ENOSYS); 391 #endif /* ACL_SUPPORT */ 392 } 393 394 395 /* ARGSUSED */ 396 int 397 smbfs_setacl(vnode_t *vp, vsecattr_t *vsa, 398 int uid, int gid, int flag, cred_t *cr) 399 { 400 #ifdef ACL_SUPPORT 401 mbchain_t *mbp, mb_store; 402 uint32_t selector; 403 int error; 404 405 /* 406 * Which parts of the SD we'll modify. 407 * Ditto comments above re. SACL 408 */ 409 selector = 0; 410 if (vsa) 411 selector |= DACL_SECURITY_INFORMATION; 412 if (uid != -1) 413 selector |= OWNER_SECURITY_INFORMATION; 414 if (gid != -1) 415 selector |= GROUP_SECURITY_INFORMATION; 416 if (selector == 0) 417 return (0); 418 419 /* 420 * Setup buffer for SD data. 421 */ 422 mbp = &mb_store; 423 mb_init(mbp); 424 425 /* 426 * Convert a ZFS ACL (and owner ID, group ID) 427 * to a Windows security descriptor. 428 * This is the difficult part. (todo) 429 */ 430 error = smb_vsec2ntsd(vsa, uid, gid, mbp, cr); 431 if (error) 432 goto out; 433 434 /* 435 * This does the OTW Set (and maybe open, close) 436 * It clears mb_top when consuming the message. 437 */ 438 error = smbfs_setsd(vp, selector, &mbp->mb_top, cr); 439 440 out: 441 mb_done(mbp); 442 return (error); 443 #else /* ACL_SUPPORT */ 444 return (ENOSYS); 445 #endif /* ACL_SUPPORT */ 446 } 447
Terms of Use |
Privacy |
Trademarks |
Copyright Policy |
Site Guidelines |
Help
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Use.
Copyright © 1995-2008 Sun Microsystems, Inc.