xref: /openbmc/linux/fs/smb/client/cifsacl.h (revision 38c8a9a5) 
1*38c8a9a5SSteve French /* SPDX-License-Identifier: LGPL-2.1 */
2*38c8a9a5SSteve French /*
3*38c8a9a5SSteve French  *
4*38c8a9a5SSteve French  *   Copyright (c) International Business Machines  Corp., 2007
5*38c8a9a5SSteve French  *   Author(s): Steve French (sfrench@us.ibm.com)
6*38c8a9a5SSteve French  *
7*38c8a9a5SSteve French  */
8*38c8a9a5SSteve French 
9*38c8a9a5SSteve French #ifndef _CIFSACL_H
10*38c8a9a5SSteve French #define _CIFSACL_H
11*38c8a9a5SSteve French 
12*38c8a9a5SSteve French #define NUM_AUTHS (6)	/* number of authority fields */
13*38c8a9a5SSteve French #define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */
14*38c8a9a5SSteve French 
15*38c8a9a5SSteve French #define READ_BIT        0x4
16*38c8a9a5SSteve French #define WRITE_BIT       0x2
17*38c8a9a5SSteve French #define EXEC_BIT        0x1
18*38c8a9a5SSteve French 
19*38c8a9a5SSteve French #define ACL_OWNER_MASK 0700
20*38c8a9a5SSteve French #define ACL_GROUP_MASK 0070
21*38c8a9a5SSteve French #define ACL_EVERYONE_MASK 0007
22*38c8a9a5SSteve French 
23*38c8a9a5SSteve French #define UBITSHIFT	6
24*38c8a9a5SSteve French #define GBITSHIFT	3
25*38c8a9a5SSteve French 
26*38c8a9a5SSteve French #define ACCESS_ALLOWED	0
27*38c8a9a5SSteve French #define ACCESS_DENIED	1
28*38c8a9a5SSteve French 
29*38c8a9a5SSteve French #define SIDOWNER 1
30*38c8a9a5SSteve French #define SIDGROUP 2
31*38c8a9a5SSteve French 
32*38c8a9a5SSteve French /*
33*38c8a9a5SSteve French  * Security Descriptor length containing DACL with 3 ACEs (one each for
34*38c8a9a5SSteve French  * owner, group and world).
35*38c8a9a5SSteve French  */
36*38c8a9a5SSteve French #define DEFAULT_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + \
37*38c8a9a5SSteve French 			      sizeof(struct cifs_acl) + \
38*38c8a9a5SSteve French 			      (sizeof(struct cifs_ace) * 4))
39*38c8a9a5SSteve French 
40*38c8a9a5SSteve French /*
41*38c8a9a5SSteve French  * Maximum size of a string representation of a SID:
42*38c8a9a5SSteve French  *
43*38c8a9a5SSteve French  * The fields are unsigned values in decimal. So:
44*38c8a9a5SSteve French  *
45*38c8a9a5SSteve French  * u8:  max 3 bytes in decimal
46*38c8a9a5SSteve French  * u32: max 10 bytes in decimal
47*38c8a9a5SSteve French  *
48*38c8a9a5SSteve French  * "S-" + 3 bytes for version field + 15 for authority field + NULL terminator
49*38c8a9a5SSteve French  *
50*38c8a9a5SSteve French  * For authority field, max is when all 6 values are non-zero and it must be
51*38c8a9a5SSteve French  * represented in hex. So "-0x" + 12 hex digits.
52*38c8a9a5SSteve French  *
53*38c8a9a5SSteve French  * Add 11 bytes for each subauthority field (10 bytes each + 1 for '-')
54*38c8a9a5SSteve French  */
55*38c8a9a5SSteve French #define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1)
56*38c8a9a5SSteve French #define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */
57*38c8a9a5SSteve French 
58*38c8a9a5SSteve French struct cifs_ntsd {
59*38c8a9a5SSteve French 	__le16 revision; /* revision level */
60*38c8a9a5SSteve French 	__le16 type;
61*38c8a9a5SSteve French 	__le32 osidoffset;
62*38c8a9a5SSteve French 	__le32 gsidoffset;
63*38c8a9a5SSteve French 	__le32 sacloffset;
64*38c8a9a5SSteve French 	__le32 dacloffset;
65*38c8a9a5SSteve French } __attribute__((packed));
66*38c8a9a5SSteve French 
67*38c8a9a5SSteve French struct cifs_sid {
68*38c8a9a5SSteve French 	__u8 revision; /* revision level */
69*38c8a9a5SSteve French 	__u8 num_subauth;
70*38c8a9a5SSteve French 	__u8 authority[NUM_AUTHS];
71*38c8a9a5SSteve French 	__le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */
72*38c8a9a5SSteve French } __attribute__((packed));
73*38c8a9a5SSteve French 
74*38c8a9a5SSteve French /* size of a struct cifs_sid, sans sub_auth array */
75*38c8a9a5SSteve French #define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS)
76*38c8a9a5SSteve French 
77*38c8a9a5SSteve French struct cifs_acl {
78*38c8a9a5SSteve French 	__le16 revision; /* revision level */
79*38c8a9a5SSteve French 	__le16 size;
80*38c8a9a5SSteve French 	__le32 num_aces;
81*38c8a9a5SSteve French } __attribute__((packed));
82*38c8a9a5SSteve French 
83*38c8a9a5SSteve French /* ACE types - see MS-DTYP 2.4.4.1 */
84*38c8a9a5SSteve French #define ACCESS_ALLOWED_ACE_TYPE	0x00
85*38c8a9a5SSteve French #define ACCESS_DENIED_ACE_TYPE	0x01
86*38c8a9a5SSteve French #define SYSTEM_AUDIT_ACE_TYPE	0x02
87*38c8a9a5SSteve French #define SYSTEM_ALARM_ACE_TYPE	0x03
88*38c8a9a5SSteve French #define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04
89*38c8a9a5SSteve French #define ACCESS_ALLOWED_OBJECT_ACE_TYPE	0x05
90*38c8a9a5SSteve French #define ACCESS_DENIED_OBJECT_ACE_TYPE	0x06
91*38c8a9a5SSteve French #define SYSTEM_AUDIT_OBJECT_ACE_TYPE	0x07
92*38c8a9a5SSteve French #define SYSTEM_ALARM_OBJECT_ACE_TYPE	0x08
93*38c8a9a5SSteve French #define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09
94*38c8a9a5SSteve French #define ACCESS_DENIED_CALLBACK_ACE_TYPE	0x0A
95*38c8a9a5SSteve French #define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B
96*38c8a9a5SSteve French #define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE  0x0C
97*38c8a9a5SSteve French #define SYSTEM_AUDIT_CALLBACK_ACE_TYPE	0x0D
98*38c8a9a5SSteve French #define SYSTEM_ALARM_CALLBACK_ACE_TYPE	0x0E /* Reserved */
99*38c8a9a5SSteve French #define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F
100*38c8a9a5SSteve French #define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */
101*38c8a9a5SSteve French #define SYSTEM_MANDATORY_LABEL_ACE_TYPE	0x11
102*38c8a9a5SSteve French #define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12
103*38c8a9a5SSteve French #define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13
104*38c8a9a5SSteve French 
105*38c8a9a5SSteve French /* ACE flags */
106*38c8a9a5SSteve French #define OBJECT_INHERIT_ACE	0x01
107*38c8a9a5SSteve French #define CONTAINER_INHERIT_ACE	0x02
108*38c8a9a5SSteve French #define NO_PROPAGATE_INHERIT_ACE 0x04
109*38c8a9a5SSteve French #define INHERIT_ONLY_ACE	0x08
110*38c8a9a5SSteve French #define INHERITED_ACE		0x10
111*38c8a9a5SSteve French #define SUCCESSFUL_ACCESS_ACE_FLAG 0x40
112*38c8a9a5SSteve French #define FAILED_ACCESS_ACE_FLAG	0x80
113*38c8a9a5SSteve French 
114*38c8a9a5SSteve French struct cifs_ace {
115*38c8a9a5SSteve French 	__u8 type; /* see above and MS-DTYP 2.4.4.1 */
116*38c8a9a5SSteve French 	__u8 flags;
117*38c8a9a5SSteve French 	__le16 size;
118*38c8a9a5SSteve French 	__le32 access_req;
119*38c8a9a5SSteve French 	struct cifs_sid sid; /* ie UUID of user or group who gets these perms */
120*38c8a9a5SSteve French } __attribute__((packed));
121*38c8a9a5SSteve French 
122*38c8a9a5SSteve French /*
123*38c8a9a5SSteve French  * The current SMB3 form of security descriptor is similar to what was used for
124*38c8a9a5SSteve French  * cifs (see above) but some fields are split, and fields in the struct below
125*38c8a9a5SSteve French  * matches names of fields to the spec, MS-DTYP (see sections 2.4.5 and
126*38c8a9a5SSteve French  * 2.4.6). Note that "CamelCase" fields are used in this struct in order to
127*38c8a9a5SSteve French  * match the MS-DTYP and MS-SMB2 specs which define the wire format.
128*38c8a9a5SSteve French  */
129*38c8a9a5SSteve French struct smb3_sd {
130*38c8a9a5SSteve French 	__u8 Revision; /* revision level, MUST be one */
131*38c8a9a5SSteve French 	__u8 Sbz1; /* only meaningful if 'RM' flag set below */
132*38c8a9a5SSteve French 	__le16 Control;
133*38c8a9a5SSteve French 	__le32 OffsetOwner;
134*38c8a9a5SSteve French 	__le32 OffsetGroup;
135*38c8a9a5SSteve French 	__le32 OffsetSacl;
136*38c8a9a5SSteve French 	__le32 OffsetDacl;
137*38c8a9a5SSteve French } __packed;
138*38c8a9a5SSteve French 
139*38c8a9a5SSteve French /* Meaning of 'Control' field flags */
140*38c8a9a5SSteve French #define ACL_CONTROL_SR	0x8000	/* Self relative */
141*38c8a9a5SSteve French #define ACL_CONTROL_RM	0x4000	/* Resource manager control bits */
142*38c8a9a5SSteve French #define ACL_CONTROL_PS	0x2000	/* SACL protected from inherits */
143*38c8a9a5SSteve French #define ACL_CONTROL_PD	0x1000	/* DACL protected from inherits */
144*38c8a9a5SSteve French #define ACL_CONTROL_SI	0x0800	/* SACL Auto-Inherited */
145*38c8a9a5SSteve French #define ACL_CONTROL_DI	0x0400	/* DACL Auto-Inherited */
146*38c8a9a5SSteve French #define ACL_CONTROL_SC	0x0200	/* SACL computed through inheritance */
147*38c8a9a5SSteve French #define ACL_CONTROL_DC	0x0100	/* DACL computed through inheritence */
148*38c8a9a5SSteve French #define ACL_CONTROL_SS	0x0080	/* Create server ACL */
149*38c8a9a5SSteve French #define ACL_CONTROL_DT	0x0040	/* DACL provided by trusted source */
150*38c8a9a5SSteve French #define ACL_CONTROL_SD	0x0020	/* SACL defaulted */
151*38c8a9a5SSteve French #define ACL_CONTROL_SP	0x0010	/* SACL is present on object */
152*38c8a9a5SSteve French #define ACL_CONTROL_DD	0x0008	/* DACL defaulted */
153*38c8a9a5SSteve French #define ACL_CONTROL_DP	0x0004	/* DACL is present on object */
154*38c8a9a5SSteve French #define ACL_CONTROL_GD	0x0002	/* Group was defaulted */
155*38c8a9a5SSteve French #define ACL_CONTROL_OD	0x0001	/* User was defaulted */
156*38c8a9a5SSteve French 
157*38c8a9a5SSteve French /* Meaning of AclRevision flags */
158*38c8a9a5SSteve French #define ACL_REVISION	0x02 /* See section 2.4.4.1 of MS-DTYP */
159*38c8a9a5SSteve French #define ACL_REVISION_DS	0x04 /* Additional AceTypes allowed */
160*38c8a9a5SSteve French 
161*38c8a9a5SSteve French struct smb3_acl {
162*38c8a9a5SSteve French 	u8 AclRevision; /* revision level */
163*38c8a9a5SSteve French 	u8 Sbz1; /* MBZ */
164*38c8a9a5SSteve French 	__le16 AclSize;
165*38c8a9a5SSteve French 	__le16 AceCount;
166*38c8a9a5SSteve French 	__le16 Sbz2; /* MBZ */
167*38c8a9a5SSteve French } __packed;
168*38c8a9a5SSteve French 
169*38c8a9a5SSteve French /*
170*38c8a9a5SSteve French  * Used to store the special 'NFS SIDs' used to persist the POSIX uid and gid
171*38c8a9a5SSteve French  * See http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
172*38c8a9a5SSteve French  */
173*38c8a9a5SSteve French struct owner_sid {
174*38c8a9a5SSteve French 	u8 Revision;
175*38c8a9a5SSteve French 	u8 NumAuth;
176*38c8a9a5SSteve French 	u8 Authority[6];
177*38c8a9a5SSteve French 	__le32 SubAuthorities[3];
178*38c8a9a5SSteve French } __packed;
179*38c8a9a5SSteve French 
180*38c8a9a5SSteve French struct owner_group_sids {
181*38c8a9a5SSteve French 	struct owner_sid owner;
182*38c8a9a5SSteve French 	struct owner_sid group;
183*38c8a9a5SSteve French } __packed;
184*38c8a9a5SSteve French 
185*38c8a9a5SSteve French /*
186*38c8a9a5SSteve French  * Minimum security identifier can be one for system defined Users
187*38c8a9a5SSteve French  * and Groups such as NULL SID and World or Built-in accounts such
188*38c8a9a5SSteve French  * as Administrator and Guest and consists of
189*38c8a9a5SSteve French  * Revision + Num (Sub)Auths + Authority + Domain (one Subauthority)
190*38c8a9a5SSteve French  */
191*38c8a9a5SSteve French #define MIN_SID_LEN  (1 + 1 + 6 + 4) /* in bytes */
192*38c8a9a5SSteve French 
193*38c8a9a5SSteve French /*
194*38c8a9a5SSteve French  * Minimum security descriptor can be one without any SACL and DACL and can
195*38c8a9a5SSteve French  * consist of revision, type, and two sids of minimum size for owner and group
196*38c8a9a5SSteve French  */
197*38c8a9a5SSteve French #define MIN_SEC_DESC_LEN  (sizeof(struct cifs_ntsd) + (2 * MIN_SID_LEN))
198*38c8a9a5SSteve French 
199*38c8a9a5SSteve French #endif /* _CIFSACL_H */
200