Commit | Line | Data |
---|---|---|
bf820679 SF |
1 | /* |
2 | * fs/cifs/cifsacl.h | |
3 | * | |
bcb02034 | 4 | * Copyright (c) International Business Machines Corp., 2007 |
bf820679 SF |
5 | * Author(s): Steve French (sfrench@us.ibm.com) |
6 | * | |
7 | * This library is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU Lesser General Public License as published | |
9 | * by the Free Software Foundation; either version 2.1 of the License, or | |
10 | * (at your option) any later version. | |
11 | * | |
12 | * This library is distributed in the hope that it will be useful, | |
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See | |
15 | * the GNU Lesser General Public License for more details. | |
16 | * | |
17 | * You should have received a copy of the GNU Lesser General Public License | |
18 | * along with this library; if not, write to the Free Software | |
19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
20 | */ | |
21 | ||
22 | #ifndef _CIFSACL_H | |
23 | #define _CIFSACL_H | |
24 | ||
297647c2 | 25 | |
faa65f07 | 26 | #define NUM_AUTHS (6) /* number of authority fields */ |
30c9d6cc | 27 | #define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */ |
297647c2 | 28 | |
a750e77c SF |
29 | #define READ_BIT 0x4 |
30 | #define WRITE_BIT 0x2 | |
31 | #define EXEC_BIT 0x1 | |
32 | ||
33 | #define UBITSHIFT 6 | |
34 | #define GBITSHIFT 3 | |
35 | ||
63d2583f SF |
36 | #define ACCESS_ALLOWED 0 |
37 | #define ACCESS_DENIED 1 | |
38 | ||
9409ae58 SP |
39 | #define SIDOWNER 1 |
40 | #define SIDGROUP 2 | |
30c9d6cc | 41 | |
7ee0b4c6 JL |
42 | /* |
43 | * Security Descriptor length containing DACL with 3 ACEs (one each for | |
44 | * owner, group and world). | |
45 | */ | |
46 | #define DEFAULT_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + \ | |
47 | sizeof(struct cifs_acl) + \ | |
0892ba69 | 48 | (sizeof(struct cifs_ace) * 4)) |
7ee0b4c6 | 49 | |
30c9d6cc JL |
50 | /* |
51 | * Maximum size of a string representation of a SID: | |
52 | * | |
53 | * The fields are unsigned values in decimal. So: | |
54 | * | |
55 | * u8: max 3 bytes in decimal | |
56 | * u32: max 10 bytes in decimal | |
57 | * | |
193cdd8a JL |
58 | * "S-" + 3 bytes for version field + 15 for authority field + NULL terminator |
59 | * | |
60 | * For authority field, max is when all 6 values are non-zero and it must be | |
61 | * represented in hex. So "-0x" + 12 hex digits. | |
faa65f07 JL |
62 | * |
63 | * Add 11 bytes for each subauthority field (10 bytes each + 1 for '-') | |
30c9d6cc | 64 | */ |
193cdd8a | 65 | #define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1) |
faa65f07 | 66 | #define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */ |
9409ae58 | 67 | |
442aa310 | 68 | struct cifs_ntsd { |
af6f4612 SF |
69 | __le16 revision; /* revision level */ |
70 | __le16 type; | |
71 | __le32 osidoffset; | |
72 | __le32 gsidoffset; | |
73 | __le32 sacloffset; | |
74 | __le32 dacloffset; | |
442aa310 SF |
75 | } __attribute__((packed)); |
76 | ||
bf820679 SF |
77 | struct cifs_sid { |
78 | __u8 revision; /* revision level */ | |
4084973d | 79 | __u8 num_subauth; |
852e2295 | 80 | __u8 authority[NUM_AUTHS]; |
30c9d6cc | 81 | __le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */ |
442aa310 SF |
82 | } __attribute__((packed)); |
83 | ||
36f87ee7 JL |
84 | /* size of a struct cifs_sid, sans sub_auth array */ |
85 | #define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS) | |
86 | ||
442aa310 | 87 | struct cifs_acl { |
af6f4612 SF |
88 | __le16 revision; /* revision level */ |
89 | __le16 size; | |
90 | __le32 num_aces; | |
442aa310 SF |
91 | } __attribute__((packed)); |
92 | ||
ff3ee62a SF |
93 | /* ACE types - see MS-DTYP 2.4.4.1 */ |
94 | #define ACCESS_ALLOWED_ACE_TYPE 0x00 | |
95 | #define ACCESS_DENIED_ACE_TYPE 0x01 | |
96 | #define SYSTEM_AUDIT_ACE_TYPE 0x02 | |
97 | #define SYSTEM_ALARM_ACE_TYPE 0x03 | |
98 | #define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04 | |
99 | #define ACCESS_ALLOWED_OBJECT_ACE_TYPE 0x05 | |
100 | #define ACCESS_DENIED_OBJECT_ACE_TYPE 0x06 | |
101 | #define SYSTEM_AUDIT_OBJECT_ACE_TYPE 0x07 | |
102 | #define SYSTEM_ALARM_OBJECT_ACE_TYPE 0x08 | |
103 | #define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09 | |
104 | #define ACCESS_DENIED_CALLBACK_ACE_TYPE 0x0A | |
105 | #define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B | |
106 | #define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE 0x0C | |
107 | #define SYSTEM_AUDIT_CALLBACK_ACE_TYPE 0x0D | |
108 | #define SYSTEM_ALARM_CALLBACK_ACE_TYPE 0x0E /* Reserved */ | |
109 | #define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F | |
110 | #define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */ | |
111 | #define SYSTEM_MANDATORY_LABEL_ACE_TYPE 0x11 | |
112 | #define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12 | |
113 | #define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13 | |
114 | ||
115 | /* ACE flags */ | |
116 | #define OBJECT_INHERIT_ACE 0x01 | |
117 | #define CONTAINER_INHERIT_ACE 0x02 | |
118 | #define NO_PROPAGATE_INHERIT_ACE 0x04 | |
119 | #define INHERIT_ONLY_ACE 0x08 | |
120 | #define INHERITED_ACE 0x10 | |
121 | #define SUCCESSFUL_ACCESS_ACE_FLAG 0x40 | |
122 | #define FAILED_ACCESS_ACE_FLAG 0x80 | |
123 | ||
44093ca2 | 124 | struct cifs_ace { |
ff3ee62a | 125 | __u8 type; /* see above and MS-DTYP 2.4.4.1 */ |
442aa310 | 126 | __u8 flags; |
8f2376ad CG |
127 | __le16 size; |
128 | __le32 access_req; | |
44093ca2 | 129 | struct cifs_sid sid; /* ie UUID of user or group who gets these perms */ |
297647c2 SF |
130 | } __attribute__((packed)); |
131 | ||
ff3ee62a SF |
132 | /* |
133 | * The current SMB3 form of security descriptor is similar to what was used for | |
134 | * cifs (see above) but some fields are split, and fields in the struct below | |
135 | * matches names of fields to the the spec, MS-DTYP (see sections 2.4.5 and | |
136 | * 2.4.6). Note that "CamelCase" fields are used in this struct in order to | |
137 | * match the MS-DTYP and MS-SMB2 specs which define the wire format. | |
138 | */ | |
139 | struct smb3_sd { | |
140 | __u8 Revision; /* revision level, MUST be one */ | |
141 | __u8 Sbz1; /* only meaningful if 'RM' flag set below */ | |
142 | __le16 Control; | |
143 | __le32 OffsetOwner; | |
144 | __le32 OffsetGroup; | |
145 | __le32 OffsetSacl; | |
146 | __le32 OffsetDacl; | |
147 | } __packed; | |
148 | ||
149 | /* Meaning of 'Control' field flags */ | |
150 | #define ACL_CONTROL_SR 0x0001 /* Self relative */ | |
151 | #define ACL_CONTROL_RM 0x0002 /* Resource manager control bits */ | |
152 | #define ACL_CONTROL_PS 0x0004 /* SACL protected from inherits */ | |
153 | #define ACL_CONTROL_PD 0x0008 /* DACL protected from inherits */ | |
154 | #define ACL_CONTROL_SI 0x0010 /* SACL Auto-Inherited */ | |
155 | #define ACL_CONTROL_DI 0x0020 /* DACL Auto-Inherited */ | |
156 | #define ACL_CONTROL_SC 0x0040 /* SACL computed through inheritance */ | |
157 | #define ACL_CONTROL_DC 0x0080 /* DACL computed through inheritence */ | |
158 | #define ACL_CONTROL_SS 0x0100 /* Create server ACL */ | |
159 | #define ACL_CONTROL_DT 0x0200 /* DACL provided by trusteed source */ | |
160 | #define ACL_CONTROL_SD 0x0400 /* SACL defaulted */ | |
161 | #define ACL_CONTROL_SP 0x0800 /* SACL is present on object */ | |
162 | #define ACL_CONTROL_DD 0x1000 /* DACL defaulted */ | |
163 | #define ACL_CONTROL_DP 0x2000 /* DACL is present on object */ | |
164 | #define ACL_CONTROL_GD 0x4000 /* Group was defaulted */ | |
165 | #define ACL_CONTROL_OD 0x8000 /* User was defaulted */ | |
166 | ||
167 | /* Meaning of AclRevision flags */ | |
168 | #define ACL_REVISION 0x02 /* See section 2.4.4.1 of MS-DTYP */ | |
169 | #define ACL_REVISION_DS 0x04 /* Additional AceTypes allowed */ | |
170 | ||
171 | struct smb3_acl { | |
172 | u8 AclRevision; /* revision level */ | |
173 | u8 Sbz1; /* MBZ */ | |
174 | __le16 AclSize; | |
175 | __le16 AceCount; | |
176 | __le16 Sbz2; /* MBZ */ | |
177 | } __packed; | |
178 | ||
179 | ||
ee25c6dd SP |
180 | /* |
181 | * Minimum security identifier can be one for system defined Users | |
182 | * and Groups such as NULL SID and World or Built-in accounts such | |
183 | * as Administrator and Guest and consists of | |
184 | * Revision + Num (Sub)Auths + Authority + Domain (one Subauthority) | |
185 | */ | |
186 | #define MIN_SID_LEN (1 + 1 + 6 + 4) /* in bytes */ | |
187 | ||
188 | /* | |
189 | * Minimum security descriptor can be one without any SACL and DACL and can | |
190 | * consist of revision, type, and two sids of minimum size for owner and group | |
191 | */ | |
192 | #define MIN_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + (2 * MIN_SID_LEN)) | |
193 | ||
a6230af7 | 194 | #endif /* _CIFSACL_H */ |