18c2ecf20Sopenharmony_ci/* 28c2ecf20Sopenharmony_ci * fs/cifs/cifsacl.h 38c2ecf20Sopenharmony_ci * 48c2ecf20Sopenharmony_ci * Copyright (c) International Business Machines Corp., 2007 58c2ecf20Sopenharmony_ci * Author(s): Steve French (sfrench@us.ibm.com) 68c2ecf20Sopenharmony_ci * 78c2ecf20Sopenharmony_ci * This library is free software; you can redistribute it and/or modify 88c2ecf20Sopenharmony_ci * it under the terms of the GNU Lesser General Public License as published 98c2ecf20Sopenharmony_ci * by the Free Software Foundation; either version 2.1 of the License, or 108c2ecf20Sopenharmony_ci * (at your option) any later version. 118c2ecf20Sopenharmony_ci * 128c2ecf20Sopenharmony_ci * This library is distributed in the hope that it will be useful, 138c2ecf20Sopenharmony_ci * but WITHOUT ANY WARRANTY; without even the implied warranty of 148c2ecf20Sopenharmony_ci * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 158c2ecf20Sopenharmony_ci * the GNU Lesser General Public License for more details. 168c2ecf20Sopenharmony_ci * 178c2ecf20Sopenharmony_ci * You should have received a copy of the GNU Lesser General Public License 188c2ecf20Sopenharmony_ci * along with this library; if not, write to the Free Software 198c2ecf20Sopenharmony_ci * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 208c2ecf20Sopenharmony_ci */ 218c2ecf20Sopenharmony_ci 228c2ecf20Sopenharmony_ci#ifndef _CIFSACL_H 238c2ecf20Sopenharmony_ci#define _CIFSACL_H 248c2ecf20Sopenharmony_ci 258c2ecf20Sopenharmony_ci 268c2ecf20Sopenharmony_ci#define NUM_AUTHS (6) /* number of authority fields */ 278c2ecf20Sopenharmony_ci#define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */ 288c2ecf20Sopenharmony_ci 298c2ecf20Sopenharmony_ci#define READ_BIT 0x4 308c2ecf20Sopenharmony_ci#define WRITE_BIT 0x2 318c2ecf20Sopenharmony_ci#define EXEC_BIT 0x1 328c2ecf20Sopenharmony_ci 338c2ecf20Sopenharmony_ci#define UBITSHIFT 6 348c2ecf20Sopenharmony_ci#define GBITSHIFT 3 358c2ecf20Sopenharmony_ci 368c2ecf20Sopenharmony_ci#define ACCESS_ALLOWED 0 378c2ecf20Sopenharmony_ci#define ACCESS_DENIED 1 388c2ecf20Sopenharmony_ci 398c2ecf20Sopenharmony_ci#define SIDOWNER 1 408c2ecf20Sopenharmony_ci#define SIDGROUP 2 418c2ecf20Sopenharmony_ci 428c2ecf20Sopenharmony_ci/* 438c2ecf20Sopenharmony_ci * Security Descriptor length containing DACL with 3 ACEs (one each for 448c2ecf20Sopenharmony_ci * owner, group and world). 458c2ecf20Sopenharmony_ci */ 468c2ecf20Sopenharmony_ci#define DEFAULT_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + \ 478c2ecf20Sopenharmony_ci sizeof(struct cifs_acl) + \ 488c2ecf20Sopenharmony_ci (sizeof(struct cifs_ace) * 4)) 498c2ecf20Sopenharmony_ci 508c2ecf20Sopenharmony_ci/* 518c2ecf20Sopenharmony_ci * Maximum size of a string representation of a SID: 528c2ecf20Sopenharmony_ci * 538c2ecf20Sopenharmony_ci * The fields are unsigned values in decimal. So: 548c2ecf20Sopenharmony_ci * 558c2ecf20Sopenharmony_ci * u8: max 3 bytes in decimal 568c2ecf20Sopenharmony_ci * u32: max 10 bytes in decimal 578c2ecf20Sopenharmony_ci * 588c2ecf20Sopenharmony_ci * "S-" + 3 bytes for version field + 15 for authority field + NULL terminator 598c2ecf20Sopenharmony_ci * 608c2ecf20Sopenharmony_ci * For authority field, max is when all 6 values are non-zero and it must be 618c2ecf20Sopenharmony_ci * represented in hex. So "-0x" + 12 hex digits. 628c2ecf20Sopenharmony_ci * 638c2ecf20Sopenharmony_ci * Add 11 bytes for each subauthority field (10 bytes each + 1 for '-') 648c2ecf20Sopenharmony_ci */ 658c2ecf20Sopenharmony_ci#define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1) 668c2ecf20Sopenharmony_ci#define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */ 678c2ecf20Sopenharmony_ci 688c2ecf20Sopenharmony_cistruct cifs_ntsd { 698c2ecf20Sopenharmony_ci __le16 revision; /* revision level */ 708c2ecf20Sopenharmony_ci __le16 type; 718c2ecf20Sopenharmony_ci __le32 osidoffset; 728c2ecf20Sopenharmony_ci __le32 gsidoffset; 738c2ecf20Sopenharmony_ci __le32 sacloffset; 748c2ecf20Sopenharmony_ci __le32 dacloffset; 758c2ecf20Sopenharmony_ci} __attribute__((packed)); 768c2ecf20Sopenharmony_ci 778c2ecf20Sopenharmony_cistruct cifs_sid { 788c2ecf20Sopenharmony_ci __u8 revision; /* revision level */ 798c2ecf20Sopenharmony_ci __u8 num_subauth; 808c2ecf20Sopenharmony_ci __u8 authority[NUM_AUTHS]; 818c2ecf20Sopenharmony_ci __le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */ 828c2ecf20Sopenharmony_ci} __attribute__((packed)); 838c2ecf20Sopenharmony_ci 848c2ecf20Sopenharmony_ci/* size of a struct cifs_sid, sans sub_auth array */ 858c2ecf20Sopenharmony_ci#define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS) 868c2ecf20Sopenharmony_ci 878c2ecf20Sopenharmony_cistruct cifs_acl { 888c2ecf20Sopenharmony_ci __le16 revision; /* revision level */ 898c2ecf20Sopenharmony_ci __le16 size; 908c2ecf20Sopenharmony_ci __le32 num_aces; 918c2ecf20Sopenharmony_ci} __attribute__((packed)); 928c2ecf20Sopenharmony_ci 938c2ecf20Sopenharmony_ci/* ACE types - see MS-DTYP 2.4.4.1 */ 948c2ecf20Sopenharmony_ci#define ACCESS_ALLOWED_ACE_TYPE 0x00 958c2ecf20Sopenharmony_ci#define ACCESS_DENIED_ACE_TYPE 0x01 968c2ecf20Sopenharmony_ci#define SYSTEM_AUDIT_ACE_TYPE 0x02 978c2ecf20Sopenharmony_ci#define SYSTEM_ALARM_ACE_TYPE 0x03 988c2ecf20Sopenharmony_ci#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04 998c2ecf20Sopenharmony_ci#define ACCESS_ALLOWED_OBJECT_ACE_TYPE 0x05 1008c2ecf20Sopenharmony_ci#define ACCESS_DENIED_OBJECT_ACE_TYPE 0x06 1018c2ecf20Sopenharmony_ci#define SYSTEM_AUDIT_OBJECT_ACE_TYPE 0x07 1028c2ecf20Sopenharmony_ci#define SYSTEM_ALARM_OBJECT_ACE_TYPE 0x08 1038c2ecf20Sopenharmony_ci#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09 1048c2ecf20Sopenharmony_ci#define ACCESS_DENIED_CALLBACK_ACE_TYPE 0x0A 1058c2ecf20Sopenharmony_ci#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B 1068c2ecf20Sopenharmony_ci#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE 0x0C 1078c2ecf20Sopenharmony_ci#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE 0x0D 1088c2ecf20Sopenharmony_ci#define SYSTEM_ALARM_CALLBACK_ACE_TYPE 0x0E /* Reserved */ 1098c2ecf20Sopenharmony_ci#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F 1108c2ecf20Sopenharmony_ci#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */ 1118c2ecf20Sopenharmony_ci#define SYSTEM_MANDATORY_LABEL_ACE_TYPE 0x11 1128c2ecf20Sopenharmony_ci#define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12 1138c2ecf20Sopenharmony_ci#define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13 1148c2ecf20Sopenharmony_ci 1158c2ecf20Sopenharmony_ci/* ACE flags */ 1168c2ecf20Sopenharmony_ci#define OBJECT_INHERIT_ACE 0x01 1178c2ecf20Sopenharmony_ci#define CONTAINER_INHERIT_ACE 0x02 1188c2ecf20Sopenharmony_ci#define NO_PROPAGATE_INHERIT_ACE 0x04 1198c2ecf20Sopenharmony_ci#define INHERIT_ONLY_ACE 0x08 1208c2ecf20Sopenharmony_ci#define INHERITED_ACE 0x10 1218c2ecf20Sopenharmony_ci#define SUCCESSFUL_ACCESS_ACE_FLAG 0x40 1228c2ecf20Sopenharmony_ci#define FAILED_ACCESS_ACE_FLAG 0x80 1238c2ecf20Sopenharmony_ci 1248c2ecf20Sopenharmony_cistruct cifs_ace { 1258c2ecf20Sopenharmony_ci __u8 type; /* see above and MS-DTYP 2.4.4.1 */ 1268c2ecf20Sopenharmony_ci __u8 flags; 1278c2ecf20Sopenharmony_ci __le16 size; 1288c2ecf20Sopenharmony_ci __le32 access_req; 1298c2ecf20Sopenharmony_ci struct cifs_sid sid; /* ie UUID of user or group who gets these perms */ 1308c2ecf20Sopenharmony_ci} __attribute__((packed)); 1318c2ecf20Sopenharmony_ci 1328c2ecf20Sopenharmony_ci/* 1338c2ecf20Sopenharmony_ci * The current SMB3 form of security descriptor is similar to what was used for 1348c2ecf20Sopenharmony_ci * cifs (see above) but some fields are split, and fields in the struct below 1358c2ecf20Sopenharmony_ci * matches names of fields to the spec, MS-DTYP (see sections 2.4.5 and 1368c2ecf20Sopenharmony_ci * 2.4.6). Note that "CamelCase" fields are used in this struct in order to 1378c2ecf20Sopenharmony_ci * match the MS-DTYP and MS-SMB2 specs which define the wire format. 1388c2ecf20Sopenharmony_ci */ 1398c2ecf20Sopenharmony_cistruct smb3_sd { 1408c2ecf20Sopenharmony_ci __u8 Revision; /* revision level, MUST be one */ 1418c2ecf20Sopenharmony_ci __u8 Sbz1; /* only meaningful if 'RM' flag set below */ 1428c2ecf20Sopenharmony_ci __le16 Control; 1438c2ecf20Sopenharmony_ci __le32 OffsetOwner; 1448c2ecf20Sopenharmony_ci __le32 OffsetGroup; 1458c2ecf20Sopenharmony_ci __le32 OffsetSacl; 1468c2ecf20Sopenharmony_ci __le32 OffsetDacl; 1478c2ecf20Sopenharmony_ci} __packed; 1488c2ecf20Sopenharmony_ci 1498c2ecf20Sopenharmony_ci/* Meaning of 'Control' field flags */ 1508c2ecf20Sopenharmony_ci#define ACL_CONTROL_SR 0x8000 /* Self relative */ 1518c2ecf20Sopenharmony_ci#define ACL_CONTROL_RM 0x4000 /* Resource manager control bits */ 1528c2ecf20Sopenharmony_ci#define ACL_CONTROL_PS 0x2000 /* SACL protected from inherits */ 1538c2ecf20Sopenharmony_ci#define ACL_CONTROL_PD 0x1000 /* DACL protected from inherits */ 1548c2ecf20Sopenharmony_ci#define ACL_CONTROL_SI 0x0800 /* SACL Auto-Inherited */ 1558c2ecf20Sopenharmony_ci#define ACL_CONTROL_DI 0x0400 /* DACL Auto-Inherited */ 1568c2ecf20Sopenharmony_ci#define ACL_CONTROL_SC 0x0200 /* SACL computed through inheritance */ 1578c2ecf20Sopenharmony_ci#define ACL_CONTROL_DC 0x0100 /* DACL computed through inheritence */ 1588c2ecf20Sopenharmony_ci#define ACL_CONTROL_SS 0x0080 /* Create server ACL */ 1598c2ecf20Sopenharmony_ci#define ACL_CONTROL_DT 0x0040 /* DACL provided by trusted source */ 1608c2ecf20Sopenharmony_ci#define ACL_CONTROL_SD 0x0020 /* SACL defaulted */ 1618c2ecf20Sopenharmony_ci#define ACL_CONTROL_SP 0x0010 /* SACL is present on object */ 1628c2ecf20Sopenharmony_ci#define ACL_CONTROL_DD 0x0008 /* DACL defaulted */ 1638c2ecf20Sopenharmony_ci#define ACL_CONTROL_DP 0x0004 /* DACL is present on object */ 1648c2ecf20Sopenharmony_ci#define ACL_CONTROL_GD 0x0002 /* Group was defaulted */ 1658c2ecf20Sopenharmony_ci#define ACL_CONTROL_OD 0x0001 /* User was defaulted */ 1668c2ecf20Sopenharmony_ci 1678c2ecf20Sopenharmony_ci/* Meaning of AclRevision flags */ 1688c2ecf20Sopenharmony_ci#define ACL_REVISION 0x02 /* See section 2.4.4.1 of MS-DTYP */ 1698c2ecf20Sopenharmony_ci#define ACL_REVISION_DS 0x04 /* Additional AceTypes allowed */ 1708c2ecf20Sopenharmony_ci 1718c2ecf20Sopenharmony_cistruct smb3_acl { 1728c2ecf20Sopenharmony_ci u8 AclRevision; /* revision level */ 1738c2ecf20Sopenharmony_ci u8 Sbz1; /* MBZ */ 1748c2ecf20Sopenharmony_ci __le16 AclSize; 1758c2ecf20Sopenharmony_ci __le16 AceCount; 1768c2ecf20Sopenharmony_ci __le16 Sbz2; /* MBZ */ 1778c2ecf20Sopenharmony_ci} __packed; 1788c2ecf20Sopenharmony_ci 1798c2ecf20Sopenharmony_ci/* 1808c2ecf20Sopenharmony_ci * Used to store the special 'NFS SIDs' used to persist the POSIX uid and gid 1818c2ecf20Sopenharmony_ci * See http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx 1828c2ecf20Sopenharmony_ci */ 1838c2ecf20Sopenharmony_cistruct owner_sid { 1848c2ecf20Sopenharmony_ci u8 Revision; 1858c2ecf20Sopenharmony_ci u8 NumAuth; 1868c2ecf20Sopenharmony_ci u8 Authority[6]; 1878c2ecf20Sopenharmony_ci __le32 SubAuthorities[3]; 1888c2ecf20Sopenharmony_ci} __packed; 1898c2ecf20Sopenharmony_ci 1908c2ecf20Sopenharmony_cistruct owner_group_sids { 1918c2ecf20Sopenharmony_ci struct owner_sid owner; 1928c2ecf20Sopenharmony_ci struct owner_sid group; 1938c2ecf20Sopenharmony_ci} __packed; 1948c2ecf20Sopenharmony_ci 1958c2ecf20Sopenharmony_ci/* 1968c2ecf20Sopenharmony_ci * Minimum security identifier can be one for system defined Users 1978c2ecf20Sopenharmony_ci * and Groups such as NULL SID and World or Built-in accounts such 1988c2ecf20Sopenharmony_ci * as Administrator and Guest and consists of 1998c2ecf20Sopenharmony_ci * Revision + Num (Sub)Auths + Authority + Domain (one Subauthority) 2008c2ecf20Sopenharmony_ci */ 2018c2ecf20Sopenharmony_ci#define MIN_SID_LEN (1 + 1 + 6 + 4) /* in bytes */ 2028c2ecf20Sopenharmony_ci 2038c2ecf20Sopenharmony_ci/* 2048c2ecf20Sopenharmony_ci * Minimum security descriptor can be one without any SACL and DACL and can 2058c2ecf20Sopenharmony_ci * consist of revision, type, and two sids of minimum size for owner and group 2068c2ecf20Sopenharmony_ci */ 2078c2ecf20Sopenharmony_ci#define MIN_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + (2 * MIN_SID_LEN)) 2088c2ecf20Sopenharmony_ci 2098c2ecf20Sopenharmony_ci#endif /* _CIFSACL_H */ 210