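/* SPDX-License-Identifier: LGPL-2.1 */
/*
 *
 *   Copyright (c) International Business Machines  Corp., 2007
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 */

/*
 * On-the-wire layouts and constants for CIFS/SMB3 security descriptors,
 * ACLs, ACEs and SIDs.
 *
 * Every structure here is packed and uses little-endian multi-byte fields.
 * NOTE(review): the descriptors these structures overlay presumably arrive
 * from the remote server, so every length, count and offset field below
 * should be treated as untrusted until it has been checked against the
 * size of the buffer actually received - confirm against the parsers that
 * include this header.
 */

#ifndef _CIFSACL_H
#define _CIFSACL_H

#define NUM_AUTHS (6)	/* number of authority fields */
#define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */

/* Bits of one rwx permission triplet (4 = read, 2 = write, 1 = execute). */
#define READ_BIT        0x4
#define WRITE_BIT       0x2
#define EXEC_BIT        0x1

/* Octal masks selecting the owner, group and everyone triplets of a mode. */
#define ACL_OWNER_MASK 0700
#define ACL_GROUP_MASK 0070
#define ACL_EVERYONE_MASK 0007

/*
 * Shift counts that bring the ACL_OWNER_MASK / ACL_GROUP_MASK bits down to
 * the low three bits (0700 >> 6 == 07, 0070 >> 3 == 07).
 */
#define UBITSHIFT	6
#define GBITSHIFT	3

/* Same numeric values as ACCESS_ALLOWED_ACE_TYPE / ACCESS_DENIED_ACE_TYPE. */
#define ACCESS_ALLOWED	0
#define ACCESS_DENIED	1

#define SIDOWNER 1
#define SIDGROUP 2

/*
 * Security Descriptor length containing DACL with 3 ACEs (one each for
 * owner, group and world).
 *
 * NOTE(review): the expression below reserves room for four struct cifs_ace
 * entries while the sentence above names three; confirm which is intended
 * before relying on either figure.
 *
 * sizeof(struct cifs_ace) includes a full-size struct cifs_sid (all
 * SID_MAX_SUB_AUTHORITIES sub-authorities), so this is an upper bound per
 * ACE, not the length of any particular encoded descriptor.
 */
#define DEFAULT_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + \
			      sizeof(struct cifs_acl) + \
			      (sizeof(struct cifs_ace) * 4))

/*
 * Maximum size of a string representation of a SID:
 *
 * The fields are unsigned values in decimal. So:
 *
 * u8:  max 3 bytes in decimal
 * u32: max 10 bytes in decimal
 *
 * "S-" + 3 bytes for version field + 15 for authority field + NUL terminator
 *
 * For authority field, max is when all 6 values are non-zero and it must be
 * represented in hex. So "-0x" + 12 hex digits.
 *
 * Add 11 bytes for each subauthority field (10 bytes each + 1 for '-')
 *
 * A buffer able to hold the longest SID this header allows therefore needs
 * SID_STRING_BASE_SIZE +
 * SID_STRING_SUBAUTH_SIZE * SID_MAX_SUB_AUTHORITIES = 21 + 165 = 186 bytes.
 */
#define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1)
#define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */

/*
 * Security descriptor header (12 + 8 = 20 bytes, packed).
 *
 * The four *offset fields are 32-bit values read from the descriptor itself.
 * NOTE(review): presumably each is a byte offset from the start of the
 * descriptor; a parser should verify that offset + size of the object it
 * points at lies inside the received buffer (without integer wrap-around)
 * before forming a pointer from it - confirm in the callers.
 */
struct cifs_ntsd {
	__le16 revision; /* revision level */
	__le16 type;
	__le32 osidoffset;
	__le32 gsidoffset;
	__le32 sacloffset;
	__le32 dacloffset;
} __attribute__((packed));

/*
 * Security identifier.
 *
 * sub_auth is declared at its maximum size; only the first num_subauth
 * entries are meaningful. num_subauth is a single byte and can therefore
 * carry values up to 255, so code that uses it as an index or copy length
 * must first reject values above SID_MAX_SUB_AUTHORITIES.
 */
struct cifs_sid {
	__u8 revision; /* revision level */
	__u8 num_subauth;
	__u8 authority[NUM_AUTHS];
	__le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */
} __attribute__((packed));

/*
 * size of a struct cifs_sid, sans sub_auth array
 *
 * The in-use length of a SID with n sub-authorities is
 * CIFS_SID_BASE_SIZE + n * sizeof(__le32), which is smaller than
 * sizeof(struct cifs_sid) whenever n < SID_MAX_SUB_AUTHORITIES.
 */
#define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS)

/*
 * ACL header (8 bytes, packed); same total size as struct smb3_acl, which
 * splits the 32-bit count into a 16-bit AceCount plus a 16-bit Sbz2.
 *
 * NOTE(review): size and num_aces are taken from the descriptor; a parser
 * should bound both by the bytes actually available before walking ACEs.
 */
struct cifs_acl {
	__le16 revision; /* revision level */
	__le16 size;
	__le32 num_aces;
} __attribute__((packed));

/* ACE types - see MS-DTYP 2.4.4.1 */
#define ACCESS_ALLOWED_ACE_TYPE	0x00
#define ACCESS_DENIED_ACE_TYPE	0x01
#define SYSTEM_AUDIT_ACE_TYPE	0x02
#define SYSTEM_ALARM_ACE_TYPE	0x03
#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE	0x05
#define ACCESS_DENIED_OBJECT_ACE_TYPE	0x06
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE	0x07
#define SYSTEM_ALARM_OBJECT_ACE_TYPE	0x08
#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09
#define ACCESS_DENIED_CALLBACK_ACE_TYPE	0x0A
#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B
#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE  0x0C
#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE	0x0D
#define SYSTEM_ALARM_CALLBACK_ACE_TYPE	0x0E /* Reserved */
#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F
#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE	0x11
#define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12
#define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13

/* ACE flags */
#define OBJECT_INHERIT_ACE	0x01
#define CONTAINER_INHERIT_ACE	0x02
#define NO_PROPAGATE_INHERIT_ACE 0x04
#define INHERIT_ONLY_ACE	0x08
#define INHERITED_ACE		0x10
#define SUCCESSFUL_ACCESS_ACE_FLAG 0x40
#define FAILED_ACCESS_ACE_FLAG	0x80

/*
 * Access control entry.
 *
 * The embedded sid is declared at maximum size, so sizeof(struct cifs_ace)
 * is the largest this layout can describe; the ACE's own 16-bit size field
 * is what says how long an encoded entry is.
 * NOTE(review): a parser should check that size covers at least the fixed
 * fields plus CIFS_SID_BASE_SIZE and the sub-authorities that
 * sid.num_subauth claims, and that it does not run past the enclosing ACL -
 * confirm in the callers.
 */
struct cifs_ace {
	__u8 type; /* see above and MS-DTYP 2.4.4.1 */
	__u8 flags;
	__le16 size;
	__le32 access_req;
	struct cifs_sid sid; /* i.e. the SID of the user or group these perms apply to */
} __attribute__((packed));

/*
 * The current SMB3 form of security descriptor is similar to what was used for
 * cifs (see above) but some fields are split, and the fields in the struct
 * below are named to match the spec, MS-DTYP (see sections 2.4.5 and
 * 2.4.6). Note that "CamelCase" fields are used in this struct in order to
 * match the MS-DTYP and MS-SMB2 specs which define the wire format.
 */
struct smb3_sd {
	__u8 Revision; /* revision level, MUST be one */
	__u8 Sbz1; /* only meaningful if 'RM' flag set below */
	__le16 Control;
	__le32 OffsetOwner;
	__le32 OffsetGroup;
	__le32 OffsetSacl;
	__le32 OffsetDacl;
} __packed;

/* Meaning of 'Control' field flags */
#define ACL_CONTROL_SR	0x8000	/* Self relative */
#define ACL_CONTROL_RM	0x4000	/* Resource manager control bits */
#define ACL_CONTROL_PS	0x2000	/* SACL protected from inherits */
#define ACL_CONTROL_PD	0x1000	/* DACL protected from inherits */
#define ACL_CONTROL_SI	0x0800	/* SACL Auto-Inherited */
#define ACL_CONTROL_DI	0x0400	/* DACL Auto-Inherited */
#define ACL_CONTROL_SC	0x0200	/* SACL computed through inheritance */
#define ACL_CONTROL_DC	0x0100	/* DACL computed through inheritance */
#define ACL_CONTROL_SS	0x0080	/* Create server ACL */
#define ACL_CONTROL_DT	0x0040	/* DACL provided by trusted source */
#define ACL_CONTROL_SD	0x0020	/* SACL defaulted */
#define ACL_CONTROL_SP	0x0010	/* SACL is present on object */
#define ACL_CONTROL_DD	0x0008	/* DACL defaulted */
#define ACL_CONTROL_DP	0x0004	/* DACL is present on object */
#define ACL_CONTROL_GD	0x0002	/* Group was defaulted */
#define ACL_CONTROL_OD	0x0001	/* User was defaulted */

/* Meaning of AclRevision flags */
#define ACL_REVISION	0x02 /* See section 2.4.4.1 of MS-DTYP */
#define ACL_REVISION_DS	0x04 /* Additional AceTypes allowed */

/* SMB3 ACL header (8 bytes, packed); Sbz1 and Sbz2 are must-be-zero fields. */
struct smb3_acl {
	u8 AclRevision; /* revision level */
	u8 Sbz1; /* MBZ */
	__le16 AclSize;
	__le16 AceCount;
	__le16 Sbz2; /* MBZ */
} __packed;

/*
 * Used to store the special 'NFS SIDs' used to persist the POSIX uid and gid
 * See http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
 *
 * Unlike struct cifs_sid this layout has a fixed three sub-authorities, so
 * NumAuth values above 3 cannot be represented by SubAuthorities[].
 */
struct owner_sid {
	u8 Revision;
	u8 NumAuth;
	u8 Authority[6];
	__le32 SubAuthorities[3];
} __packed;

/* Owner SID immediately followed by group SID, both in the fixed layout. */
struct owner_group_sids {
	struct owner_sid owner;
	struct owner_sid group;
} __packed;

/*
 * Minimum security identifier can be one for system defined Users
 * and Groups such as NULL SID and World or Built-in accounts such
 * as Administrator and Guest and consists of
 * Revision + Num (Sub)Auths + Authority + Domain (one Subauthority)
 */
#define MIN_SID_LEN  (1 + 1 + 6 + 4) /* in bytes */

/*
 * Minimum security descriptor can be one without any SACL and DACL and can
 * consist of revision, type, and two sids of minimum size for owner and group
 *
 * This is a lower bound only: a buffer that passes a length check against
 * it can still be too short for the SIDs and ACLs its offset fields
 * reference, so those need their own bounds checks.
 */
#define MIN_SEC_DESC_LEN  (sizeof(struct cifs_ntsd) + (2 * MIN_SID_LEN))

#endif /* _CIFSACL_H */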