[net-next-2.6.git] / fs / cifs / cifsacl.c

/*
 *   fs/cifs/cifsacl.c
 *
 *   Copyright (C) International Business Machines  Corp., 2007
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   Contains the routines for mapping CIFS/NTFS ACLs
 *
 *   This library is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU Lesser General Public License as published
 *   by the Free Software Foundation; either version 2.1 of the License, or
 *   (at your option) any later version.
 *
 *   This library is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU Lesser General Public License for more details.
 *
 *   You should have received a copy of the GNU Lesser General Public License
 *   along with this library; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include <linux/fs.h>
#include "cifspdu.h"
#include "cifsglob.h"
#include "cifsacl.h"
#include "cifsproto.h"
#include "cifs_debug.h"


#ifdef CONFIG_CIFS_EXPERIMENTAL

static struct cifs_wksid wksidarr[NUM_WK_SIDS] = {
	{{1, 0, {0, 0, 0, 0, 0, 0}, {0, 0, 0, 0, 0} }, "null user"},
	{{1, 1, {0, 0, 0, 0, 0, 1}, {0, 0, 0, 0, 0} }, "nobody"},
	{{1, 1, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(11), 0, 0, 0, 0} }, "net-users"},
	{{1, 1, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(18), 0, 0, 0, 0} }, "sys"},
	{{1, 2, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(32), cpu_to_le32(544), 0, 0, 0} }, "root"},
	{{1, 2, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(32), cpu_to_le32(545), 0, 0, 0} }, "users"},
	{{1, 2, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(32), cpu_to_le32(546), 0, 0, 0} }, "guest"} }
;


/* security id for everyone */
static const struct cifs_sid sid_everyone = {
	1, 1, {0, 0, 0, 0, 0, 1}, {0} };
/* group users */
static const struct cifs_sid sid_user =
		{1, 2 , {0, 0, 0, 0, 0, 5}, {} };


int match_sid(struct cifs_sid *ctsid)
{
	int i, j;
	int num_subauth, num_sat, num_saw;
	struct cifs_sid *cwsid;

	if (!ctsid)
		return (-1);

	for (i = 0; i < NUM_WK_SIDS; ++i) {
		cwsid = &(wksidarr[i].cifssid);

		/* compare the revision */
		if (ctsid->revision != cwsid->revision)
			continue;

		/* compare all of the six auth values */
		for (j = 0; j < 6; ++j) {
			if (ctsid->authority[j] != cwsid->authority[j])
				break;
		}
		if (j < 6)
			continue; /* all of the auth values did not match */

		/* compare all of the subauth values if any */
		num_sat = ctsid->num_subauth;
		num_saw = cwsid->num_subauth;
		num_subauth = num_sat < num_saw ? num_sat : num_saw;
		if (num_subauth) {
			for (j = 0; j < num_subauth; ++j) {
				if (ctsid->sub_auth[j] != cwsid->sub_auth[j])
					break;
			}
			if (j < num_subauth)
				continue; /* all sub_auth values do not match */
		}

		cFYI(1, ("matching sid: %s\n", wksidarr[i].sidname));
		return (0); /* sids compare/match */
	}

	cFYI(1, ("No matching sid"));
	return (-1);
}

/* if the two SIDs (roughly equivalent to a UUID for a user or group) are
   the same returns 1, if they do not match returns 0 */
int compare_sids(const struct cifs_sid *ctsid, const struct cifs_sid *cwsid)
{
	int i;
	int num_subauth, num_sat, num_saw;

	if ((!ctsid) || (!cwsid))
		return (0);

	/* compare the revision */
	if (ctsid->revision != cwsid->revision)
		return (0);

	/* compare all of the six auth values */
	for (i = 0; i < 6; ++i) {
		if (ctsid->authority[i] != cwsid->authority[i])
			return (0);
	}

	/* compare all of the subauth values if any */
	num_sat = ctsid->num_subauth;
	num_saw = cwsid->num_subauth;
	num_subauth = num_sat < num_saw ? num_sat : num_saw;
	if (num_subauth) {
		for (i = 0; i < num_subauth; ++i) {
			if (ctsid->sub_auth[i] != cwsid->sub_auth[i])
				return (0);
		}
	}

	return (1); /* sids compare/match */
}

/*
   change posix mode to reflect permissions
   pmode is the existing mode (we only want to overwrite part of this
   bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
*/
static void access_flags_to_mode(__u32 ace_flags, int type, umode_t *pmode,
				 umode_t *pbits_to_set)
{
	/* the order of ACEs is important.  The canonical order is to begin with
	   DENY entries followed by ALLOW, otherwise an allow entry could be
	   encountered first, making the subsequent deny entry like "dead code"
	   which would be superflous since Windows stops when a match is made
	   for the operation you are trying to perform for your user */

	/* For deny ACEs we change the mask so that subsequent allow access
	   control entries do not turn on the bits we are denying */
	if (type == ACCESS_DENIED) {
		if (ace_flags & GENERIC_ALL) {
			*pbits_to_set &= ~S_IRWXUGO;
		}
		if ((ace_flags & GENERIC_WRITE) ||
			((ace_flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
			*pbits_to_set &= ~S_IWUGO;
		if ((ace_flags & GENERIC_READ) ||
			((ace_flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
			*pbits_to_set &= ~S_IRUGO;
		if ((ace_flags & GENERIC_EXECUTE) ||
			((ace_flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
			*pbits_to_set &= ~S_IXUGO;
		return;
	} else if (type != ACCESS_ALLOWED) {
		cERROR(1, ("unknown access control type %d", type));
		return;
	}
	/* else ACCESS_ALLOWED type */

	if (ace_flags & GENERIC_ALL) {
		*pmode |= (S_IRWXUGO & (*pbits_to_set));
#ifdef CONFIG_CIFS_DEBUG2
		cFYI(1, ("all perms"));
#endif
		return;
	}
	if ((ace_flags & GENERIC_WRITE) ||
			((ace_flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
		*pmode |= (S_IWUGO & (*pbits_to_set));
	if ((ace_flags & GENERIC_READ) ||
			((ace_flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
		*pmode |= (S_IRUGO & (*pbits_to_set));
	if ((ace_flags & GENERIC_EXECUTE) ||
			((ace_flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
		*pmode |= (S_IXUGO & (*pbits_to_set));

#ifdef CONFIG_CIFS_DEBUG2
	cFYI(1, ("access flags 0x%x mode now 0x%x", ace_flags, *pmode));
#endif
	return;
}

/*
   Generate access flags to reflect permissions mode is the existing mode.
   This function is called for every ACE in the DACL whose SID matches
   with either owner or group or everyone.
*/

static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
				__u32 *pace_flags)
{
	/* reset access mask */
	*pace_flags = 0x0;

	/* bits to use are either S_IRWXU or S_IRWXG or S_IRWXO */
	mode &= bits_to_use;

	/* check for R/W/X UGO since we do not know whose flags
	   is this but we have cleared all the bits sans RWX for
	   either user or group or other as per bits_to_use */
	if (mode & S_IRUGO)
		*pace_flags |= SET_FILE_READ_RIGHTS;
	if (mode & S_IWUGO)
		*pace_flags |= SET_FILE_WRITE_RIGHTS;
	if (mode & S_IXUGO)
		*pace_flags |= SET_FILE_EXEC_RIGHTS;

#ifdef CONFIG_CIFS_DEBUG2
	cFYI(1, ("mode: 0x%x, access flags now 0x%x", mode, *pace_flags));
#endif
	return;
}


#ifdef CONFIG_CIFS_DEBUG2
static void dump_ace(struct cifs_ace *pace, char *end_of_acl)
{
	int num_subauth;

	/* validate that we do not go past end of acl */

	if (le16_to_cpu(pace->size) < 16) {
		cERROR(1, ("ACE too small, %d", le16_to_cpu(pace->size)));
		return;
	}

	if (end_of_acl < (char *)pace + le16_to_cpu(pace->size)) {
		cERROR(1, ("ACL too small to parse ACE"));
		return;
	}

	num_subauth = pace->sid.num_subauth;
	if (num_subauth) {
		int i;
		cFYI(1, ("ACE revision %d num_auth %d type %d flags %d size %d",
			pace->sid.revision, pace->sid.num_subauth, pace->type,
			pace->flags, pace->size));
		for (i = 0; i < num_subauth; ++i) {
			cFYI(1, ("ACE sub_auth[%d]: 0x%x", i,
				le32_to_cpu(pace->sid.sub_auth[i])));
		}

		/* BB add length check to make sure that we do not have huge
			num auths and therefore go off the end */
	}

	return;
}
#endif


static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
		       struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
		       struct inode *inode)
{
	int i;
	int num_aces = 0;
	int acl_size;
	char *acl_base;
	struct cifs_ace **ppace;

	/* BB need to add parm so we can store the SID BB */

	/* validate that we do not go past end of acl */
	if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
		cERROR(1, ("ACL too small to parse DACL"));
		return;
	}

#ifdef CONFIG_CIFS_DEBUG2
	cFYI(1, ("DACL revision %d size %d num aces %d",
		le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
		le32_to_cpu(pdacl->num_aces)));
#endif

	/* reset rwx permissions for user/group/other.
	   Also, if num_aces is 0 i.e. DACL has no ACEs,
	   user/group/other have no permissions */
	inode->i_mode &= ~(S_IRWXUGO);

	if (!pdacl) {
		/* no DACL in the security descriptor, set
		   all the permissions for user/group/other */
		inode->i_mode |= S_IRWXUGO;
		return;
	}
	acl_base = (char *)pdacl;
	acl_size = sizeof(struct cifs_acl);

	num_aces = le32_to_cpu(pdacl->num_aces);
	if (num_aces  > 0) {
		umode_t user_mask = S_IRWXU;
		umode_t group_mask = S_IRWXG;
		umode_t other_mask = S_IRWXO;

		ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
				GFP_KERNEL);

/*		cifscred->cecount = pdacl->num_aces;
		cifscred->aces = kmalloc(num_aces *
			sizeof(struct cifs_ace *), GFP_KERNEL);*/

		for (i = 0; i < num_aces; ++i) {
			ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
#ifdef CONFIG_CIFS_DEBUG2
			dump_ace(ppace[i], end_of_acl);
#endif
			if (compare_sids(&(ppace[i]->sid), pownersid))
				access_flags_to_mode(ppace[i]->access_req,
						     ppace[i]->type,
						     &(inode->i_mode),
						     &user_mask);
			if (compare_sids(&(ppace[i]->sid), pgrpsid))
				access_flags_to_mode(ppace[i]->access_req,
						     ppace[i]->type,
						     &(inode->i_mode),
						     &group_mask);
			if (compare_sids(&(ppace[i]->sid), &sid_everyone))
				access_flags_to_mode(ppace[i]->access_req,
						     ppace[i]->type,
						     &(inode->i_mode),
						     &other_mask);

/*			memcpy((void *)(&(cifscred->aces[i])),
				(void *)ppace[i],
				sizeof(struct cifs_ace)); */

			acl_base = (char *)ppace[i];
			acl_size = le16_to_cpu(ppace[i]->size);
		}

		kfree(ppace);
	}

	return;
}


static int parse_sid(struct cifs_sid *psid, char *end_of_acl)
{
	/* BB need to add parm so we can store the SID BB */

	/* validate that we do not go past end of ACL - sid must be at least 8
	   bytes long (assuming no sub-auths - e.g. the null SID */
	if (end_of_acl < (char *)psid + 8) {
		cERROR(1, ("ACL too small to parse SID %p", psid));
		return -EINVAL;
	}

	if (psid->num_subauth) {
#ifdef CONFIG_CIFS_DEBUG2
		int i;
		cFYI(1, ("SID revision %d num_auth %d",
			psid->revision, psid->num_subauth));

		for (i = 0; i < psid->num_subauth; i++) {
			cFYI(1, ("SID sub_auth[%d]: 0x%x ", i,
				le32_to_cpu(psid->sub_auth[i])));
		}

		/* BB add length check to make sure that we do not have huge
			num auths and therefore go off the end */
		cFYI(1, ("RID 0x%x",
			le32_to_cpu(psid->sub_auth[psid->num_subauth-1])));
#endif
	}

	return 0;
}


/* Convert CIFS ACL to POSIX form */
static int parse_sec_desc(struct cifs_ntsd *pntsd, int acl_len,
			  struct inode *inode)
{
	int rc;
	struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
	struct cifs_acl *dacl_ptr; /* no need for SACL ptr */
	char *end_of_acl = ((char *)pntsd) + acl_len;
	__u32 dacloffset;

	if ((inode == NULL) || (pntsd == NULL))
		return -EIO;

	owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
				le32_to_cpu(pntsd->osidoffset));
	group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
				le32_to_cpu(pntsd->gsidoffset));
	dacloffset = le32_to_cpu(pntsd->dacloffset);
	dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
#ifdef CONFIG_CIFS_DEBUG2
	cFYI(1, ("revision %d type 0x%x ooffset 0x%x goffset 0x%x "
		 "sacloffset 0x%x dacloffset 0x%x",
		 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
		 le32_to_cpu(pntsd->gsidoffset),
		 le32_to_cpu(pntsd->sacloffset), dacloffset));
#endif
/*	cifs_dump_mem("owner_sid: ", owner_sid_ptr, 64); */
	rc = parse_sid(owner_sid_ptr, end_of_acl);
	if (rc)
		return rc;

	rc = parse_sid(group_sid_ptr, end_of_acl);
	if (rc)
		return rc;

	if (dacloffset)
		parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
			   group_sid_ptr, inode);
	else
		cFYI(1, ("no ACL")); /* BB grant all or default perms? */

/*	cifscred->uid = owner_sid_ptr->rid;
	cifscred->gid = group_sid_ptr->rid;
	memcpy((void *)(&(cifscred->osid)), (void *)owner_sid_ptr,
			sizeof(struct cifs_sid));
	memcpy((void *)(&(cifscred->gsid)), (void *)group_sid_ptr,
			sizeof(struct cifs_sid)); */


	return (0);
}


/* Retrieve an ACL from the server */
static struct cifs_ntsd *get_cifs_acl(u32 *pacllen, struct inode *inode,
				       const char *path)
{
	struct cifsFileInfo *open_file;
	int unlock_file = FALSE;
	int xid;
	int rc = -EIO;
	__u16 fid;
	struct super_block *sb;
	struct cifs_sb_info *cifs_sb;
	struct cifs_ntsd *pntsd = NULL;

	cFYI(1, ("get mode from ACL for %s", path));

	if (inode == NULL)
		return NULL;

	xid = GetXid();
	open_file = find_readable_file(CIFS_I(inode));
	sb = inode->i_sb;
	if (sb == NULL) {
		FreeXid(xid);
		return NULL;
	}
	cifs_sb = CIFS_SB(sb);

	if (open_file) {
		unlock_file = TRUE;
		fid = open_file->netfid;
	} else {
		int oplock = FALSE;
		/* open file */
		rc = CIFSSMBOpen(xid, cifs_sb->tcon, path, FILE_OPEN,
				READ_CONTROL, 0, &fid, &oplock, NULL,
				cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
					CIFS_MOUNT_MAP_SPECIAL_CHR);
		if (rc != 0) {
			cERROR(1, ("Unable to open file to get ACL"));
			FreeXid(xid);
			return NULL;
		}
	}

	rc = CIFSSMBGetCIFSACL(xid, cifs_sb->tcon, fid, &pntsd, pacllen);
	cFYI(1, ("GetCIFSACL rc = %d ACL len %d", rc, *pacllen));
	if (unlock_file == TRUE)
		atomic_dec(&open_file->wrtPending);
	else
		CIFSSMBClose(xid, cifs_sb->tcon, fid);

	FreeXid(xid);
	return pntsd;
}

/* Translate the CIFS ACL (simlar to NTFS ACL) for a file into mode bits */
void acl_to_uid_mode(struct inode *inode, const char *path)
{
	struct cifs_ntsd *pntsd = NULL;
	u32 acllen = 0;
	int rc = 0;

#ifdef CONFIG_CIFS_DEBUG2
	cFYI(1, ("converting ACL to mode for %s", path));
#endif
	pntsd = get_cifs_acl(&acllen, inode, path);

	/* if we can retrieve the ACL, now parse Access Control Entries, ACEs */
	if (pntsd)
		rc = parse_sec_desc(pntsd, acllen, inode);
	if (rc)
		cFYI(1, ("parse sec desc failed rc = %d", rc));

	kfree(pntsd);
	return;
}

/* Convert mode bits to an ACL so we can update the ACL on the server */
int mode_to_acl(struct inode *inode, const char *path)
{
	int rc = 0;
	__u32 acllen = 0;
	struct cifs_ntsd *pntsd = NULL;

	cFYI(1, ("set ACL from mode for %s", path));

	/* Get the security descriptor */
	pntsd = get_cifs_acl(&acllen, inode, path);

	/* Add/Modify the three ACEs for owner, group, everyone
	   while retaining the other ACEs */

	/* Set the security descriptor */


	kfree(pntsd);
	return rc;
}
#endif /* CONFIG_CIFS_EXPERIMENTAL */
Commit	Line	Data
bcb02034 SF	1	/*
	2	* fs/cifs/cifsacl.c
	3	*
	4	* Copyright (C) International Business Machines Corp., 2007
	5	* Author(s): Steve French (sfrench@us.ibm.com)
	6	*
	7	* Contains the routines for mapping CIFS/NTFS ACLs
	8	*
	9	* This library is free software; you can redistribute it and/or modify
	10	* it under the terms of the GNU Lesser General Public License as published
	11	* by the Free Software Foundation; either version 2.1 of the License, or
	12	* (at your option) any later version.
	13	*
	14	* This library is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
	17	* the GNU Lesser General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU Lesser General Public License
	20	* along with this library; if not, write to the Free Software
	21	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	22	*/
	23
65874007 SF	24	#include <linux/fs.h>
	25	#include "cifspdu.h"
	26	#include "cifsglob.h"
d0d66c44	27	#include "cifsacl.h"
65874007 SF	28	#include "cifsproto.h"
65874007 SF	29	#include "cifs_debug.h"
65874007	30
297647c2 SF	31
	32	#ifdef CONFIG_CIFS_EXPERIMENTAL
	33
af6f4612	34	static struct cifs_wksid wksidarr[NUM_WK_SIDS] = {
297647c2 SF	35	{{1, 0, {0, 0, 0, 0, 0, 0}, {0, 0, 0, 0, 0} }, "null user"},
297647c2 SF	36	{{1, 1, {0, 0, 0, 0, 0, 1}, {0, 0, 0, 0, 0} }, "nobody"},
ce51ae14 DK	37	{{1, 1, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(11), 0, 0, 0, 0} }, "net-users"},
	38	{{1, 1, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(18), 0, 0, 0, 0} }, "sys"},
	39	{{1, 2, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(32), cpu_to_le32(544), 0, 0, 0} }, "root"},
	40	{{1, 2, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(32), cpu_to_le32(545), 0, 0, 0} }, "users"},
44093ca2 SF	41	{{1, 2, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(32), cpu_to_le32(546), 0, 0, 0} }, "guest"} }
44093ca2 SF	42	;
297647c2 SF	43
297647c2 SF	44
bcb02034	45	/* security id for everyone */
e01b6400 SP	46	static const struct cifs_sid sid_everyone = {
e01b6400 SP	47	1, 1, {0, 0, 0, 0, 0, 1}, {0} };
bcb02034 SF	48	/* group users */
bcb02034 SF	49	static const struct cifs_sid sid_user =
d12fd121	50	{1, 2 , {0, 0, 0, 0, 0, 5}, {} };
d0d66c44	51
297647c2 SF	52
	53	int match_sid(struct cifs_sid *ctsid)
	54	{
	55	int i, j;
	56	int num_subauth, num_sat, num_saw;
	57	struct cifs_sid *cwsid;
	58
	59	if (!ctsid)
	60	return (-1);
	61
	62	for (i = 0; i < NUM_WK_SIDS; ++i) {
	63	cwsid = &(wksidarr[i].cifssid);
	64
	65	/* compare the revision */
	66	if (ctsid->revision != cwsid->revision)
	67	continue;
	68
	69	/* compare all of the six auth values */
	70	for (j = 0; j < 6; ++j) {
	71	if (ctsid->authority[j] != cwsid->authority[j])
	72	break;
	73	}
	74	if (j < 6)
	75	continue; /* all of the auth values did not match */
	76
	77	/* compare all of the subauth values if any */
ce51ae14 DK	78	num_sat = ctsid->num_subauth;
ce51ae14 DK	79	num_saw = cwsid->num_subauth;
297647c2 SF	80	num_subauth = num_sat < num_saw ? num_sat : num_saw;
	81	if (num_subauth) {
	82	for (j = 0; j < num_subauth; ++j) {
	83	if (ctsid->sub_auth[j] != cwsid->sub_auth[j])
	84	break;
	85	}
	86	if (j < num_subauth)
	87	continue; /* all sub_auth values do not match */
	88	}
	89
	90	cFYI(1, ("matching sid: %s\n", wksidarr[i].sidname));
	91	return (0); /* sids compare/match */
	92	}
	93
	94	cFYI(1, ("No matching sid"));
	95	return (-1);
	96	}
	97
a750e77c SF	98	/* if the two SIDs (roughly equivalent to a UUID for a user or group) are
a750e77c SF	99	the same returns 1, if they do not match returns 0 */
630f3f0c	100	int compare_sids(const struct cifs_sid ctsid, const struct cifs_sid cwsid)
297647c2 SF	101	{
	102	int i;
	103	int num_subauth, num_sat, num_saw;
	104
	105	if ((!ctsid) \|\| (!cwsid))
a750e77c	106	return (0);
297647c2 SF	107
	108	/* compare the revision */
	109	if (ctsid->revision != cwsid->revision)
a750e77c	110	return (0);
297647c2 SF	111
	112	/* compare all of the six auth values */
	113	for (i = 0; i < 6; ++i) {
	114	if (ctsid->authority[i] != cwsid->authority[i])
a750e77c	115	return (0);
297647c2 SF	116	}
	117
	118	/* compare all of the subauth values if any */
adbc0358	119	num_sat = ctsid->num_subauth;
adddd49d	120	num_saw = cwsid->num_subauth;
297647c2 SF	121	num_subauth = num_sat < num_saw ? num_sat : num_saw;
	122	if (num_subauth) {
	123	for (i = 0; i < num_subauth; ++i) {
	124	if (ctsid->sub_auth[i] != cwsid->sub_auth[i])
a750e77c	125	return (0);
297647c2 SF	126	}
	127	}
	128
a750e77c	129	return (1); /* sids compare/match */
297647c2 SF	130	}
297647c2 SF	131
630f3f0c SF	132	/*
	133	change posix mode to reflect permissions
	134	pmode is the existing mode (we only want to overwrite part of this
	135	bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
	136	*/
15b03959 SF	137	static void access_flags_to_mode(__u32 ace_flags, int type, umode_t *pmode,
15b03959 SF	138	umode_t *pbits_to_set)
630f3f0c	139	{
15b03959	140	/* the order of ACEs is important. The canonical order is to begin with
ce06c9f0	141	DENY entries followed by ALLOW, otherwise an allow entry could be
15b03959	142	encountered first, making the subsequent deny entry like "dead code"
ce06c9f0	143	which would be superflous since Windows stops when a match is made
15b03959 SF	144	for the operation you are trying to perform for your user */
	145
	146	/* For deny ACEs we change the mask so that subsequent allow access
	147	control entries do not turn on the bits we are denying */
	148	if (type == ACCESS_DENIED) {
	149	if (ace_flags & GENERIC_ALL) {
	150	*pbits_to_set &= ~S_IRWXUGO;
	151	}
	152	if ((ace_flags & GENERIC_WRITE) \|\|
	153	((ace_flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
	154	*pbits_to_set &= ~S_IWUGO;
	155	if ((ace_flags & GENERIC_READ) \|\|
	156	((ace_flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
	157	*pbits_to_set &= ~S_IRUGO;
	158	if ((ace_flags & GENERIC_EXECUTE) \|\|
	159	((ace_flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
	160	*pbits_to_set &= ~S_IXUGO;
	161	return;
	162	} else if (type != ACCESS_ALLOWED) {
	163	cERROR(1, ("unknown access control type %d", type));
	164	return;
	165	}
	166	/* else ACCESS_ALLOWED type */
630f3f0c	167
d61e5808	168	if (ace_flags & GENERIC_ALL) {
15b03959	169	pmode \|= (S_IRWXUGO & (pbits_to_set));
630f3f0c	170	#ifdef CONFIG_CIFS_DEBUG2
d61e5808	171	cFYI(1, ("all perms"));
630f3f0c	172	#endif
d61e5808 SF	173	return;
d61e5808 SF	174	}
e01b6400 SP	175	if ((ace_flags & GENERIC_WRITE) \|\|
e01b6400 SP	176	((ace_flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
15b03959	177	pmode \|= (S_IWUGO & (pbits_to_set));
e01b6400 SP	178	if ((ace_flags & GENERIC_READ) \|\|
e01b6400 SP	179	((ace_flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
15b03959	180	pmode \|= (S_IRUGO & (pbits_to_set));
e01b6400 SP	181	if ((ace_flags & GENERIC_EXECUTE) \|\|
e01b6400 SP	182	((ace_flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
15b03959	183	pmode \|= (S_IXUGO & (pbits_to_set));
630f3f0c	184
d61e5808	185	#ifdef CONFIG_CIFS_DEBUG2
b9c7a2bb	186	cFYI(1, ("access flags 0x%x mode now 0x%x", ace_flags, *pmode));
d61e5808	187	#endif
630f3f0c SF	188	return;
	189	}
	190
ce06c9f0 SF	191	/*
	192	Generate access flags to reflect permissions mode is the existing mode.
	193	This function is called for every ACE in the DACL whose SID matches
	194	with either owner or group or everyone.
	195	*/
	196
	197	static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
	198	__u32 *pace_flags)
	199	{
	200	/* reset access mask */
	201	*pace_flags = 0x0;
	202
	203	/* bits to use are either S_IRWXU or S_IRWXG or S_IRWXO */
	204	mode &= bits_to_use;
	205
	206	/* check for R/W/X UGO since we do not know whose flags
	207	is this but we have cleared all the bits sans RWX for
	208	either user or group or other as per bits_to_use */
	209	if (mode & S_IRUGO)
	210	*pace_flags \|= SET_FILE_READ_RIGHTS;
	211	if (mode & S_IWUGO)
	212	*pace_flags \|= SET_FILE_WRITE_RIGHTS;
	213	if (mode & S_IXUGO)
	214	*pace_flags \|= SET_FILE_EXEC_RIGHTS;
	215
	216	#ifdef CONFIG_CIFS_DEBUG2
	217	cFYI(1, ("mode: 0x%x, access flags now 0x%x", mode, *pace_flags));
	218	#endif
	219	return;
	220	}
	221
297647c2	222
953f8681 SF	223	#ifdef CONFIG_CIFS_DEBUG2
953f8681 SF	224	static void dump_ace(struct cifs_ace pace, char end_of_acl)
d0d66c44	225	{
d0d66c44	226	int num_subauth;
d0d66c44 SP	227
d0d66c44 SP	228	/* validate that we do not go past end of acl */
297647c2	229
44093ca2 SF	230	if (le16_to_cpu(pace->size) < 16) {
	231	cERROR(1, ("ACE too small, %d", le16_to_cpu(pace->size)));
	232	return;
	233	}
	234
	235	if (end_of_acl < (char *)pace + le16_to_cpu(pace->size)) {
d0d66c44 SP	236	cERROR(1, ("ACL too small to parse ACE"));
d0d66c44 SP	237	return;
44093ca2	238	}
d0d66c44	239
44093ca2	240	num_subauth = pace->sid.num_subauth;
d0d66c44	241	if (num_subauth) {
8f18c131	242	int i;
44093ca2 SF	243	cFYI(1, ("ACE revision %d num_auth %d type %d flags %d size %d",
	244	pace->sid.revision, pace->sid.num_subauth, pace->type,
	245	pace->flags, pace->size));
d12fd121 SF	246	for (i = 0; i < num_subauth; ++i) {
d12fd121 SF	247	cFYI(1, ("ACE sub_auth[%d]: 0x%x", i,
44093ca2	248	le32_to_cpu(pace->sid.sub_auth[i])));
d12fd121 SF	249	}
	250
	251	/* BB add length check to make sure that we do not have huge
	252	num auths and therefore go off the end */
d12fd121 SF	253	}
	254
	255	return;
	256	}
953f8681	257	#endif
d12fd121	258
d0d66c44	259
a750e77c	260	static void parse_dacl(struct cifs_acl pdacl, char end_of_acl,
d61e5808	261	struct cifs_sid pownersid, struct cifs_sid pgrpsid,
630f3f0c	262	struct inode *inode)
d0d66c44 SP	263	{
	264	int i;
	265	int num_aces = 0;
	266	int acl_size;
	267	char *acl_base;
d0d66c44 SP	268	struct cifs_ace **ppace;
	269
	270	/* BB need to add parm so we can store the SID BB */
	271
	272	/* validate that we do not go past end of acl */
af6f4612	273	if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
d0d66c44 SP	274	cERROR(1, ("ACL too small to parse DACL"));
	275	return;
	276	}
	277
	278	#ifdef CONFIG_CIFS_DEBUG2
	279	cFYI(1, ("DACL revision %d size %d num aces %d",
af6f4612 SF	280	le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
af6f4612 SF	281	le32_to_cpu(pdacl->num_aces)));
d0d66c44 SP	282	#endif
d0d66c44 SP	283
7505e052 SF	284	/* reset rwx permissions for user/group/other.
	285	Also, if num_aces is 0 i.e. DACL has no ACEs,
	286	user/group/other have no permissions */
	287	inode->i_mode &= ~(S_IRWXUGO);
	288
	289	if (!pdacl) {
	290	/* no DACL in the security descriptor, set
	291	all the permissions for user/group/other */
	292	inode->i_mode \|= S_IRWXUGO;
	293	return;
	294	}
d0d66c44 SP	295	acl_base = (char *)pdacl;
	296	acl_size = sizeof(struct cifs_acl);
	297
adbc0358	298	num_aces = le32_to_cpu(pdacl->num_aces);
d0d66c44	299	if (num_aces > 0) {
15b03959 SF	300	umode_t user_mask = S_IRWXU;
	301	umode_t group_mask = S_IRWXG;
	302	umode_t other_mask = S_IRWXO;
	303
d0d66c44 SP	304	ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
	305	GFP_KERNEL);
	306
d12fd121	307	/* cifscred->cecount = pdacl->num_aces;
d12fd121 SF	308	cifscred->aces = kmalloc(num_aces *
d12fd121 SF	309	sizeof(struct cifs_ace ), GFP_KERNEL);/
d0d66c44	310
d0d66c44	311	for (i = 0; i < num_aces; ++i) {
44093ca2	312	ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
953f8681 SF	313	#ifdef CONFIG_CIFS_DEBUG2
	314	dump_ace(ppace[i], end_of_acl);
	315	#endif
e01b6400 SP	316	if (compare_sids(&(ppace[i]->sid), pownersid))
e01b6400 SP	317	access_flags_to_mode(ppace[i]->access_req,
15b03959 SF	318	ppace[i]->type,
	319	&(inode->i_mode),
	320	&user_mask);
e01b6400 SP	321	if (compare_sids(&(ppace[i]->sid), pgrpsid))
e01b6400 SP	322	access_flags_to_mode(ppace[i]->access_req,
15b03959 SF	323	ppace[i]->type,
	324	&(inode->i_mode),
	325	&group_mask);
e01b6400 SP	326	if (compare_sids(&(ppace[i]->sid), &sid_everyone))
e01b6400 SP	327	access_flags_to_mode(ppace[i]->access_req,
15b03959 SF	328	ppace[i]->type,
	329	&(inode->i_mode),
	330	&other_mask);
e01b6400	331
44093ca2	332	/* memcpy((void *)(&(cifscred->aces[i])),
d12fd121 SF	333	(void *)ppace[i],
d12fd121 SF	334	sizeof(struct cifs_ace)); */
d0d66c44	335
44093ca2 SF	336	acl_base = (char *)ppace[i];
44093ca2 SF	337	acl_size = le16_to_cpu(ppace[i]->size);
d0d66c44 SP	338	}
	339
	340	kfree(ppace);
d0d66c44 SP	341	}
	342
	343	return;
	344	}
	345
bcb02034 SF	346
	347	static int parse_sid(struct cifs_sid psid, char end_of_acl)
	348	{
	349	/* BB need to add parm so we can store the SID BB */
	350
b9c7a2bb SF	351	/* validate that we do not go past end of ACL - sid must be at least 8
	352	bytes long (assuming no sub-auths - e.g. the null SID */
	353	if (end_of_acl < (char *)psid + 8) {
	354	cERROR(1, ("ACL too small to parse SID %p", psid));
bcb02034 SF	355	return -EINVAL;
bcb02034 SF	356	}
d0d66c44	357
af6f4612	358	if (psid->num_subauth) {
bcb02034	359	#ifdef CONFIG_CIFS_DEBUG2
8f18c131	360	int i;
44093ca2 SF	361	cFYI(1, ("SID revision %d num_auth %d",
44093ca2 SF	362	psid->revision, psid->num_subauth));
bcb02034	363
af6f4612	364	for (i = 0; i < psid->num_subauth; i++) {
d0d66c44	365	cFYI(1, ("SID sub_auth[%d]: 0x%x ", i,
297647c2	366	le32_to_cpu(psid->sub_auth[i])));
d0d66c44 SP	367	}
d0d66c44 SP	368
d12fd121	369	/* BB add length check to make sure that we do not have huge
d0d66c44	370	num auths and therefore go off the end */
d12fd121	371	cFYI(1, ("RID 0x%x",
af6f4612	372	le32_to_cpu(psid->sub_auth[psid->num_subauth-1])));
bcb02034	373	#endif
d0d66c44 SP	374	}
d0d66c44 SP	375
bcb02034 SF	376	return 0;
	377	}
	378
d0d66c44	379
bcb02034	380	/* Convert CIFS ACL to POSIX form */
630f3f0c SF	381	static int parse_sec_desc(struct cifs_ntsd *pntsd, int acl_len,
630f3f0c SF	382	struct inode *inode)
bcb02034	383	{
d0d66c44	384	int rc;
bcb02034 SF	385	struct cifs_sid owner_sid_ptr, group_sid_ptr;
bcb02034 SF	386	struct cifs_acl dacl_ptr; / no need for SACL ptr */
bcb02034	387	char end_of_acl = ((char )pntsd) + acl_len;
7505e052	388	__u32 dacloffset;
bcb02034	389
b9c7a2bb SF	390	if ((inode == NULL) \|\| (pntsd == NULL))
	391	return -EIO;
	392
bcb02034	393	owner_sid_ptr = (struct cifs_sid )((char )pntsd +
af6f4612	394	le32_to_cpu(pntsd->osidoffset));
bcb02034	395	group_sid_ptr = (struct cifs_sid )((char )pntsd +
af6f4612	396	le32_to_cpu(pntsd->gsidoffset));
7505e052	397	dacloffset = le32_to_cpu(pntsd->dacloffset);
63d2583f	398	dacl_ptr = (struct cifs_acl )((char )pntsd + dacloffset);
bcb02034 SF	399	#ifdef CONFIG_CIFS_DEBUG2
	400	cFYI(1, ("revision %d type 0x%x ooffset 0x%x goffset 0x%x "
	401	"sacloffset 0x%x dacloffset 0x%x",
af6f4612 SF	402	pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
af6f4612 SF	403	le32_to_cpu(pntsd->gsidoffset),
7505e052	404	le32_to_cpu(pntsd->sacloffset), dacloffset));
bcb02034	405	#endif
b9c7a2bb	406	/* cifs_dump_mem("owner_sid: ", owner_sid_ptr, 64); */
bcb02034 SF	407	rc = parse_sid(owner_sid_ptr, end_of_acl);
	408	if (rc)
	409	return rc;
	410
	411	rc = parse_sid(group_sid_ptr, end_of_acl);
	412	if (rc)
	413	return rc;
	414
7505e052 SF	415	if (dacloffset)
7505e052 SF	416	parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
63d2583f	417	group_sid_ptr, inode);
7505e052 SF	418	else
7505e052 SF	419	cFYI(1, ("no ACL")); /* BB grant all or default perms? */
d0d66c44	420
bcb02034 SF	421	/* cifscred->uid = owner_sid_ptr->rid;
	422	cifscred->gid = group_sid_ptr->rid;
	423	memcpy((void )(&(cifscred->osid)), (void )owner_sid_ptr,
630f3f0c	424	sizeof(struct cifs_sid));
bcb02034	425	memcpy((void )(&(cifscred->gsid)), (void )group_sid_ptr,
630f3f0c	426	sizeof(struct cifs_sid)); */
bcb02034	427
297647c2	428
bcb02034 SF	429	return (0);
bcb02034 SF	430	}
b9c7a2bb SF	431
b9c7a2bb SF	432
7505e052 SF	433	/* Retrieve an ACL from the server */
	434	static struct cifs_ntsd get_cifs_acl(u32 pacllen, struct inode *inode,
	435	const char *path)
b9c7a2bb SF	436	{
	437	struct cifsFileInfo *open_file;
	438	int unlock_file = FALSE;
	439	int xid;
	440	int rc = -EIO;
	441	__u16 fid;
	442	struct super_block *sb;
	443	struct cifs_sb_info *cifs_sb;
	444	struct cifs_ntsd *pntsd = NULL;
b9c7a2bb SF	445
	446	cFYI(1, ("get mode from ACL for %s", path));
	447
	448	if (inode == NULL)
7505e052	449	return NULL;
b9c7a2bb SF	450
	451	xid = GetXid();
	452	open_file = find_readable_file(CIFS_I(inode));
	453	sb = inode->i_sb;
	454	if (sb == NULL) {
	455	FreeXid(xid);
7505e052	456	return NULL;
b9c7a2bb SF	457	}
	458	cifs_sb = CIFS_SB(sb);
	459
	460	if (open_file) {
	461	unlock_file = TRUE;
	462	fid = open_file->netfid;
	463	} else {
	464	int oplock = FALSE;
	465	/* open file */
	466	rc = CIFSSMBOpen(xid, cifs_sb->tcon, path, FILE_OPEN,
953f8681	467	READ_CONTROL, 0, &fid, &oplock, NULL,
b9c7a2bb SF	468	cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
	469	CIFS_MOUNT_MAP_SPECIAL_CHR);
	470	if (rc != 0) {
	471	cERROR(1, ("Unable to open file to get ACL"));
	472	FreeXid(xid);
7505e052	473	return NULL;
b9c7a2bb SF	474	}
	475	}
	476
7505e052 SF	477	rc = CIFSSMBGetCIFSACL(xid, cifs_sb->tcon, fid, &pntsd, pacllen);
7505e052 SF	478	cFYI(1, ("GetCIFSACL rc = %d ACL len %d", rc, *pacllen));
b9c7a2bb SF	479	if (unlock_file == TRUE)
	480	atomic_dec(&open_file->wrtPending);
	481	else
	482	CIFSSMBClose(xid, cifs_sb->tcon, fid);
	483
7505e052 SF	484	FreeXid(xid);
	485	return pntsd;
	486	}
	487
	488	/* Translate the CIFS ACL (simlar to NTFS ACL) for a file into mode bits */
	489	void acl_to_uid_mode(struct inode inode, const char path)
	490	{
	491	struct cifs_ntsd *pntsd = NULL;
	492	u32 acllen = 0;
	493	int rc = 0;
	494
	495	#ifdef CONFIG_CIFS_DEBUG2
	496	cFYI(1, ("converting ACL to mode for %s", path));
	497	#endif
	498	pntsd = get_cifs_acl(&acllen, inode, path);
	499
	500	/* if we can retrieve the ACL, now parse Access Control Entries, ACEs */
	501	if (pntsd)
b9c7a2bb	502	rc = parse_sec_desc(pntsd, acllen, inode);
7505e052 SF	503	if (rc)
	504	cFYI(1, ("parse sec desc failed rc = %d", rc));
	505
b9c7a2bb	506	kfree(pntsd);
b9c7a2bb SF	507	return;
b9c7a2bb SF	508	}
953f8681	509
7505e052	510	/* Convert mode bits to an ACL so we can update the ACL on the server */
953f8681 SF	511	int mode_to_acl(struct inode inode, const char path)
	512	{
	513	int rc = 0;
	514	__u32 acllen = 0;
	515	struct cifs_ntsd *pntsd = NULL;
	516
	517	cFYI(1, ("set ACL from mode for %s", path));
	518
	519	/* Get the security descriptor */
7505e052	520	pntsd = get_cifs_acl(&acllen, inode, path);
953f8681	521
7505e052 SF	522	/* Add/Modify the three ACEs for owner, group, everyone
7505e052 SF	523	while retaining the other ACEs */
953f8681 SF	524
953f8681 SF	525	/* Set the security descriptor */
953f8681	526
7505e052 SF	527
7505e052 SF	528	kfree(pntsd);
953f8681 SF	529	return rc;
953f8681 SF	530	}
297647c2	531	#endif /* CONFIG_CIFS_EXPERIMENTAL */