1 /*
2  * NFS4 ACL handling
3  *
4  * Copyright (C) Jim McDonough, 2006
5  * Reused & renamed some parts of AIX 5.3 sys/acl.h structures
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License as published by
9  * the Free Software Foundation; either version 3 of the License, or
10  * (at your option) any later version.
11  *
12  * This program is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, see <http://www.gnu.org/licenses/>.
19  */
20 
21 #ifndef __NFS4_ACLS_H__
22 #define __NFS4_ACLS_H__
23 
24 /*
25  * Following union captures the identity as
26  * used in the NFS4 ACL structures.
27  */
28 typedef union _SMB_NFS4_ACEWHOID_T {
29 	uid_t		uid;	/* User id */
30 	gid_t		gid;	/* Group id */
31 	uint32_t	special_id; /* Identifies special identities in NFS4 */
32 
33 #define SMB_ACE4_WHO_OWNER         0x00000001 /*The owner of the file. */
34 #define SMB_ACE4_WHO_GROUP         0x00000002 /*The group associated with the file. */
35 #define SMB_ACE4_WHO_EVERYONE      0x00000003 /*The world. */
36 #define SMB_ACE4_WHO_INTERACTIVE   0x00000004 /*Accessed from an interactive terminal. */
37 #define SMB_ACE4_WHO_NETWORK       0x00000005 /*Accessed via the network. */
38 #define SMB_ACE4_WHO_DIALUP        0x00000006 /*Accessed as a dialup user to the server. */
39 #define SMB_ACE4_WHO_BATCH         0x00000007 /*Accessed from a batch job. */
40 #define SMB_ACE4_WHO_ANONYMOUS     0x00000008 /*Accessed without any authentication. */
41 #define SMB_ACE4_WHO_AUTHENTICATED 0x00000009 /*Any authenticated user (opposite of ANONYMOUS) */
42 #define SMB_ACE4_WHO_SERVICE       0x0000000A /*Access from a system service. */
43 #define SMB_ACE4_WHO_MAX		SMB_ACE4_WHO_SERVICE  /* largest valid ACE4_WHO */
44 	uint32_t id;
45 } SMB_NFS4_ACEWHOID_T;
46 
47 typedef struct _SMB_ACE4PROP_T {
48 	uint32_t flags;		/* Bit mask defining details of ACE */
49 /*The following are constants for flags field */
50 /* #define	SMB_ACE4_ID_NOT_VALID	0x00000001 - from aix/jfs2 */
51 #define	SMB_ACE4_ID_SPECIAL		0x00000002
52 
53 	SMB_NFS4_ACEWHOID_T	who;	/* Identifies to whom this ACE applies */
54 
55 	/* The following part of ACE has the same layout as NFSv4 wire format. */
56 
57 	uint32_t aceType;	/* Type of ACE PERMIT/ALLOW etc*/
58 /*The constants used for the type field (acetype4) are as follows: */
59 #define	SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE	0x00000000
60 #define	SMB_ACE4_ACCESS_DENIED_ACE_TYPE	0x00000001
61 #define	SMB_ACE4_SYSTEM_AUDIT_ACE_TYPE	0x00000002
62 #define	SMB_ACE4_SYSTEM_ALARM_ACE_TYPE	0x00000003
63 #define SMB_ACE4_MAX_TYPE	SMB_ACE4_SYSTEM_ALARM_ACE_TYPE  /* largest valid ACE4_TYPE */
64 
65 	uint32_t aceFlags;	/* Controls Inheritance and such */
66 /*The bitmask constants used for the flag field are as follows: */
67 #define SMB_ACE4_FILE_INHERIT_ACE             0x00000001
68 #define SMB_ACE4_DIRECTORY_INHERIT_ACE        0x00000002
69 #define SMB_ACE4_NO_PROPAGATE_INHERIT_ACE     0x00000004
70 #define SMB_ACE4_INHERIT_ONLY_ACE             0x00000008
71 #define SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG   0x00000010
72 #define SMB_ACE4_FAILED_ACCESS_ACE_FLAG       0x00000020
73 #define SMB_ACE4_IDENTIFIER_GROUP             0x00000040
74 #define SMB_ACE4_INHERITED_ACE                0x00000080
75 #define SMB_ACE4_ALL_FLAGS	( SMB_ACE4_FILE_INHERIT_ACE | SMB_ACE4_DIRECTORY_INHERIT_ACE \
76 | SMB_ACE4_NO_PROPAGATE_INHERIT_ACE | SMB_ACE4_INHERIT_ONLY_ACE | SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG \
77 | SMB_ACE4_FAILED_ACCESS_ACE_FLAG | SMB_ACE4_IDENTIFIER_GROUP | SMB_ACE4_INHERITED_ACE)
78 
79 	uint32_t aceMask;	/* Access rights */
80 /*The bitmask constants used for the access mask field are as follows: */
81 #define SMB_ACE4_READ_DATA            0x00000001
82 #define SMB_ACE4_LIST_DIRECTORY       0x00000001
83 #define SMB_ACE4_WRITE_DATA           0x00000002
84 #define SMB_ACE4_ADD_FILE             0x00000002
85 #define SMB_ACE4_APPEND_DATA          0x00000004
86 #define SMB_ACE4_ADD_SUBDIRECTORY     0x00000004
87 #define SMB_ACE4_READ_NAMED_ATTRS     0x00000008
88 #define SMB_ACE4_WRITE_NAMED_ATTRS    0x00000010
89 #define SMB_ACE4_EXECUTE              0x00000020
90 #define SMB_ACE4_DELETE_CHILD         0x00000040
91 #define SMB_ACE4_READ_ATTRIBUTES      0x00000080
92 #define SMB_ACE4_WRITE_ATTRIBUTES     0x00000100
93 #define SMB_ACE4_DELETE               0x00010000
94 #define SMB_ACE4_READ_ACL             0x00020000
95 #define SMB_ACE4_WRITE_ACL            0x00040000
96 #define SMB_ACE4_WRITE_OWNER          0x00080000
97 #define SMB_ACE4_SYNCHRONIZE          0x00100000
98 #define SMB_ACE4_ALL_MASKS	( SMB_ACE4_READ_DATA | SMB_ACE4_LIST_DIRECTORY \
99 | SMB_ACE4_WRITE_DATA | SMB_ACE4_ADD_FILE | SMB_ACE4_APPEND_DATA | SMB_ACE4_ADD_SUBDIRECTORY \
100 | SMB_ACE4_READ_NAMED_ATTRS | SMB_ACE4_WRITE_NAMED_ATTRS | SMB_ACE4_EXECUTE | SMB_ACE4_DELETE_CHILD \
101 | SMB_ACE4_READ_ATTRIBUTES | SMB_ACE4_WRITE_ATTRIBUTES | SMB_ACE4_DELETE | SMB_ACE4_READ_ACL \
102 | SMB_ACE4_WRITE_ACL | SMB_ACE4_WRITE_OWNER | SMB_ACE4_SYNCHRONIZE )
103 } SMB_ACE4PROP_T;
104 
105 struct SMB4ACL_T;
106 struct SMB4ACE_T;
107 
108 enum smbacl4_mode_enum {e_simple=0, e_special=1};
109 enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3};
110 
111 struct smbacl4_vfs_params {
112 	enum smbacl4_mode_enum mode;
113 	bool do_chown;
114 	enum smbacl4_acedup_enum acedup;
115 	bool map_full_control;
116 };
117 
118 int smbacl4_get_vfs_params(struct connection_struct *conn,
119 			   struct smbacl4_vfs_params *params);
120 
121 struct SMB4ACL_T *smb_create_smb4acl(TALLOC_CTX *mem_ctx);
122 
123 /* prop's contents are copied */
124 /* it doesn't change the order, appends */
125 struct SMB4ACE_T *smb_add_ace4(struct SMB4ACL_T *theacl, SMB_ACE4PROP_T *prop);
126 
127 SMB_ACE4PROP_T *smb_get_ace4(struct SMB4ACE_T *ace);
128 
129 /* Returns NULL if none - or error */
130 struct SMB4ACE_T *smb_first_ace4(struct SMB4ACL_T *theacl);
131 
132 /* Returns NULL in the end - or error */
133 struct SMB4ACE_T *smb_next_ace4(struct SMB4ACE_T *ace);
134 
135 uint32_t smb_get_naces(struct SMB4ACL_T *theacl);
136 
137 uint16_t smbacl4_get_controlflags(struct SMB4ACL_T *theacl);
138 
139 bool smbacl4_set_controlflags(struct SMB4ACL_T *theacl, uint16_t controlflags);
140 
141 bool nfs_ace_is_inherit(SMB_ACE4PROP_T *ace);
142 
143 NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
144 	const struct smbacl4_vfs_params *pparams,
145 	uint32_t security_info,
146 	TALLOC_CTX *mem_ctx,
147 	struct security_descriptor **ppdesc, struct SMB4ACL_T *theacl);
148 
149 NTSTATUS smb_get_nt_acl_nfs4(connection_struct *conn,
150 	const struct smb_filename *smb_fname,
151 	const struct smbacl4_vfs_params *pparams,
152 	uint32_t security_info,
153 	TALLOC_CTX *mem_ctx,
154 	struct security_descriptor **ppdesc, struct SMB4ACL_T *theacl);
155 
156 /* Callback function needed to set the native acl
157  * when applicable */
158 typedef bool (*set_nfs4acl_native_fn_t)(vfs_handle_struct *handle,
159 					files_struct *,
160 					struct SMB4ACL_T *);
161 
162 NTSTATUS smb_set_nt_acl_nfs4(vfs_handle_struct *handle, files_struct *fsp,
163 	const struct smbacl4_vfs_params *pparams,
164 	uint32_t security_info_sent,
165 	const struct security_descriptor *psd,
166 	set_nfs4acl_native_fn_t set_nfs4_native);
167 
168 #endif /* __NFS4_ACLS_H__ */
169