summaryrefslogtreecommitdiffstats
path: root/fs/cifs/cifsacl.h
Commit message (Collapse)AuthorAgeFilesLines
* cifs: remove pathname for file from SPDX headerSteve French2021-09-131-1/+0
| | | | | | | | | | | checkpatch complains about source files with filenames (e.g. in these cases just below the SPDX header in comments at the top of various files in fs/cifs). It also is helpful to change this now so will be less confusing when the parent directory is renamed e.g. from fs/cifs to fs/smb_client (or fs/smbfs) Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by: Steve French <stfrench@microsoft.com>
* cifs: use SPDX-Licence-IdentifierSteve French2021-06-201-14/+1
| | | | | | | | Add SPDX license identifier and replace license boilerplate. Corrects various checkpatch errors with the older format for noting the LGPL license. Signed-off-by: Steve French <stfrench@microsoft.com>
* cifs: Fix cifsacl ACE mask for group and others.Shyam Prasad N2021-02-221-2/+2
| | | | | | | | | A two line fix which I made while testing my prev fix with cifsacl mode conversions seem to have gone missing in the final fix that was submitted. This is that fix. Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: Steve French <stfrench@microsoft.com>
* cifs: Enable sticky bit with cifsacl mount option.Shyam Prasad N2020-12-131-0/+4
| | | | | | | | | | For the cifsacl mount option, we did not support sticky bits. With this patch, we do support it, by setting the DELETE_CHILD perm on the directory only for the owner user. When sticky bit is not enabled, allow DELETE_CHILD perm for everyone. Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: Steve French <stfrench@microsoft.com>
* cifs: delete duplicated words in header filesRandy Dunlap2020-08-021-2/+2
| | | | | | | | | | | Drop repeated words in multiple comments. (be, use, the, See) Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Cc: Steve French <sfrench@samba.org> Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Signed-off-by: Steve French <stfrench@microsoft.com>
* smb3: allow uid and gid owners to be set on create with idsfromsid mount optionSteve French2020-06-121-0/+15
| | | | | | | | | | Currently idsfromsid mount option allows querying owner information from the special sids used to represent POSIX uids and gids but needed changes to populate the security descriptor context with the owner information when idsfromsid mount option was used. Signed-off-by: Steve French <stfrench@microsoft.com> Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
* smb3: fix mode passed in on create for modetosid mount optionSteve French2019-12-061-16/+16
| | | | | | | | | | | | | | | | | | | | | When using the special SID to store the mode bits in an ACE (See http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx) which is enabled with mount parm "modefromsid" we were not passing in the mode via SMB3 create (although chmod was enabled). SMB3 create allows a security descriptor context to be passed in (which is more atomic and thus preferable to setting the mode bits after create via a setinfo). This patch enables setting the mode bits on create when using modefromsid mount option. In addition it fixes an endian error in the definition of the Control field flags in the SMB3 security descriptor. It also makes the ACE type of the special SID better match the documentation (and behavior of servers which use this to store mode bits in SMB3 ACLs). Signed-off-by: Steve French <stfrench@microsoft.com> Acked-by: Ronnie Sahlberg <lsahlber@redhat.com> Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
* smb3: missing ACL related flagsSteve French2019-09-261-1/+80
| | | | | | | | | | | Various SMB3 ACL related flags (for security descriptor and ACEs for example) were missing and some fields are different in SMB3 and CIFS. Update cifsacl.h definitions based on current MS-DTYP specification. Signed-off-by: Steve French <stfrench@microsoft.com> Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> Reviewed-by: Aurelien Aptel <aaptel@suse.com>
* cifs: modefromsid: make room for 4 ACEAurelien Aptel2019-09-161-1/+1
| | | | | | | | | when mounting with modefromsid, we end up writing 4 ACE in a security descriptor that only has room for 3, thus triggering an out-of-bounds write. fix this by changing the min size of a security descriptor. Signed-off-by: Aurelien Aptel <aaptel@suse.com> Signed-off-by: Steve French <stfrench@microsoft.com>
* cifs: For SMB2 security informaion query, check for minimum sized security ↵Shirish Pargaonkar2018-06-041-0/+14
| | | | | | | | | | | | | | | | descriptor instead of sizeof FileAllInformation class Validate_buf () function checks for an expected minimum sized response passed to query_info() function. For security information, the size of a security descriptor can be smaller (one subauthority, no ACEs) than the size of the structure that defines FileInfoClass of FileAllInformation. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199725 Cc: <stable@vger.kernel.org> Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Reviewed-by: Noah Morrison <noah.morrison@rubrik.com> Signed-off-by: Steve French <stfrench@microsoft.com>
* cifs: fix SID binary to string conversionJeff Layton2012-12-111-3/+5
| | | | | | | | | | | | The authority fields are supposed to be represented by a single 48-bit value. It's also supposed to represent the value as hex if it's equal to or greater than 2^32. This is documented in MS-DTYP, section 2.4.2.1. Also, fix up the max string length to account for this fix. Acked-by: Pavel Shilovsky <piastry@etersoft.ru> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <smfrench@gmail.com>
* cifs: fix hardcoded default security descriptor lengthJeff Layton2012-12-081-3/+8
| | | | | | | | | | | | It was hardcoded to 192 bytes, which was not enough when the max number of subauthorities went to 15. Redefine this constant in terms of sizeof the structs involved, and rename it for better clarity. While we're at it, remove a couple more unused constants from cifsacl.h. Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <smfrench@gmail.com>
* cifs: simplify id_to_sid and sid_to_id mapping codeJeff Layton2012-12-081-23/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The cifs.idmap handling code currently causes the kernel to cache the data from userspace twice. It first looks in a rbtree to see if there is a matching entry for the given id. If there isn't then it calls request_key which then checks its cache and then calls out to userland if it doesn't have one. If the userland program establishes a mapping and downcalls with that info, it then gets cached in the keyring and in this rbtree. Aside from the double memory usage and the performance penalty in doing all of these extra copies, there are some nasty bugs in here too. The code declares four rbtrees and spinlocks to protect them, but only seems to use two of them. The upshot is that the same tree is used to hold (eg) uid:sid and sid:uid mappings. The comparitors aren't equipped to deal with that. I think we'd be best off to remove a layer of caching in this code. If this was originally done for performance reasons, then that really seems like a premature optimization. This patch does that -- it removes the rbtrees and the locks that protect them and simply has the code do a request_key call on each call into sid_to_id and id_to_sid. This greatly simplifies this code and should roughly halve the memory utilization from using the idmapping code. Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <smfrench@gmail.com>
* cifs: remove uneeded __KERNEL__ block from cifsacl.hJeff Layton2012-12-051-5/+0
| | | | | | | | | ...and make those symbols static in cifsacl.c. Nothing outside of that file refers to them. Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <smfrench@gmail.com>
* cifs: redefine NUM_SUBAUTH constant from 5 to 15Jeff Layton2012-12-051-3/+16
| | | | | | | | | | | | | | | | | According to several places on the Internet and the samba winbind code, this is hard limited to 15 in windows, not 5. This does balloon out the allocation of each by 40 bytes, but I don't see any alternative. Also, rename it to SID_MAX_SUB_AUTHORITIES to match the alleged name of this constant in the windows header files Finally, rename SIDLEN to SID_STRING_MAX, fix the value to reflect the change to SID_MAX_SUB_AUTHORITIES and document how it was determined. Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <smfrench@gmail.com>
* cifs: make cifs_copy_sid handle a source sid with variable size subauth arraysJeff Layton2012-12-051-0/+3
| | | | | | | | | ...and lift the restriction in id_to_sid upcall that the size must be at least as big as a full cifs_sid. Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <smfrench@gmail.com>
* cifs: make compare_sids staticJeff Layton2012-12-051-2/+0
| | | | | | | | | ..nothing outside of cifsacl.c calls it. Also fix the incorrect comment on the function. It returns 0 when they match. Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <smfrench@gmail.com>
* cifs: use the NUM_AUTHS and NUM_SUBAUTHS constants in cifsacl codeJeff Layton2012-12-051-2/+2
| | | | | | | | ...instead of hardcoding in '5' and '6' all over the place. Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <smfrench@gmail.com>
* cifs: Change key name to cifs.idmap, misc. clean-upShirish Pargaonkar2011-05-191-1/+0
| | | | | | | | | | Change idmap key name from cifs.cifs_idmap to cifs.idmap. Removed unused structure wksidarr and function match_sid(). Handle errors correctly in function init_cifs(). Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* cifs: Invoke id mapping functions (try #17 repost)Shirish Pargaonkar2011-05-191-0/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | rb tree search and insertion routines. A SID which needs to be mapped, is looked up in one of the rb trees depending on whether SID is either owner or group SID. If found in the tree, a (mapped) id from that node is assigned to uid or gid as appropriate. If unmapped, an upcall is attempted to map the SID to an id. If upcall is successful, node is marked as mapped. If upcall fails, node stays marked as unmapped and a mapping is attempted again only after an arbitrary time period has passed. To map a SID, which can be either a Owner SID or a Group SID, key description starts with the string "os" or "gs" followed by SID converted to a string. Without "os" or "gs", cifs.upcall does not know whether SID needs to be mapped to either an uid or a gid. Nodes in rb tree have fields to prevent multiple upcalls for a SID. Searching, adding, and removing nodes is done within global locks. Whenever a node is either found or inserted in a tree, a reference is taken on that node. Shrinker routine prunes a node if it has expired but does not prune an expired node if its refcount is not zero (i.e. sid/id of that node is_being/will_be accessed). Thus a node, if its SID needs to be mapped by making an upcall, can safely stay and its fields accessed without shrinker pruning it. A reference (refcount) is put on the node without holding the spinlock but a reference is get on the node by holding the spinlock. Every time an existing mapped node is accessed or mapping is attempted, its timestamp is updated to prevent it from getting erased or a to prevent multiple unnecessary repeat mapping retries respectively. For now, cifs.upcall is only used to map a SID to an id (uid or gid) but it would be used to obtain an SID for an id. Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* cifs: fix use of CONFIG_CIFS_ACLJeff Layton2010-12-061-4/+0
| | | | | | | | | | | | | | Some of the code under CONFIG_CIFS_ACL is dependent upon code under CONFIG_CIFS_EXPERIMENTAL, but the Kconfig options don't reflect that dependency. Move more of the ACL code out from under CONFIG_CIFS_EXPERIMENTAL and under CONFIG_CIFS_ACL. Also move find_readable_file out from other any sort of Kconfig option and make it a function normally compiled in. Reported-and-Acked-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Fix acl length when very short ACL being modified by chmodSteve French2008-04-091-0/+1
| | | | | Signed-off-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Fix walking out end of cifs daclSteve French2007-11-051-0/+3
| | | | | Acked-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] acl support part 7Steve French2007-10-261-1/+1
| | | | | | Also fixes typo, build break Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] acl support part 6Steve French2007-10-231-9/+3
| | | | | CC: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] acl support part 4Steve French2007-10-171-0/+9
| | | | Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Fix some endianness problems in new acl codeSteve French2007-10-161-12/+11
| | | | Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Fix endian conversion problem in posix mkdirCyril Gorcunov2007-10-141-2/+2
| | | | | Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] CIFS ACL support part 3Steve French2007-10-121-6/+18
| | | | | Signed-off-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] CIFS ACL support (part 2)Shirish Pargaonkar2007-10-031-2/+2
| | | | | Signed-off-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] change misleading field nameSteve French2007-10-011-6/+4
| | | | | | num_auth is really num_subauth in ACL terminology Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] move cifs acl code to new file and fix build breakSteve French2007-09-251-1/+1
| | | | Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Support for CIFS ACLs (part 1)Steve French2007-09-241-2/+32
| | | | | | | | Add code to be able to dump CIFS ACL information when Query Posix ACL with cifsacl mount parm enabled. Signed-off-by: Shirish Pargoankar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Remove static and unused symbolsSteve French2006-09-281-2/+2
| | | | | | | | | Most cases of the ones found by Shaggy by "make namespacecheck" could be removed or made static Ack: Dave Kleikamp <shaggy@austin.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Fix CIFS to recognize share mode securitySteve French2006-01-131-3/+3
| | | | | | | | | Fix Samba bugzilla bug 3301 In share mode encrypted password must be sent on tree connection (in our case only the NTLM password is sent, not the older LANMAN one). Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Minor cleanup to new cifs acl header.Steve French2006-01-081-0/+2
| | | | Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Kerberos and CIFS ACL support part 1Steve French2005-12-011-0/+36
Signed-off-by: Steve French <sfrench@us.ibm.com>