Line data Source code
1 : /*
2 : * Convert NFSv4 acls stored per http://www.suse.de/~agruen/nfs4acl/ to NT acls and vice versa.
3 : *
4 : * Copyright (C) Jiri Sasek, 2007
5 : * based on the foobar.c module which is copyrighted by Volker Lendecke
6 : * based on pvfs_acl_nfs4.c Copyright (C) Andrew Tridgell 2006
7 : *
8 : * based on vfs_fake_acls:
9 : * Copyright (C) Tim Potter, 1999-2000
10 : * Copyright (C) Alexander Bokovoy, 2002
11 : * Copyright (C) Andrew Bartlett, 2002,2012
12 : * Copyright (C) Ralph Boehme 2017
13 : *
14 : * This program is free software; you can redistribute it and/or modify
15 : * it under the terms of the GNU General Public License as published by
16 : * the Free Software Foundation; either version 3 of the License, or
17 : * (at your option) any later version.
18 : *
19 : * This program is distributed in the hope that it will be useful,
20 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 : * GNU General Public License for more details.
23 : *
24 : * You should have received a copy of the GNU General Public License
25 : * along with this program; if not, see <http://www.gnu.org/licenses/>.
26 : *
27 : */
28 :
29 : #include "includes.h"
30 : #include "system/filesys.h"
31 : #include "smbd/smbd.h"
32 : #include "nfs4_acls.h"
33 : #include "librpc/gen_ndr/ndr_nfs4acl.h"
34 : #include "nfs4acl_xattr.h"
35 : #include "nfs4acl_xattr_ndr.h"
36 :
37 : #undef DBGC_CLASS
38 : #define DBGC_CLASS DBGC_VFS
39 :
40 0 : static struct nfs4acl *nfs4acl_blob2acl(DATA_BLOB *blob, TALLOC_CTX *mem_ctx)
41 : {
42 : enum ndr_err_code ndr_err;
43 0 : struct nfs4acl *acl = talloc_zero(mem_ctx, struct nfs4acl);
44 :
45 0 : if (acl == NULL) {
46 0 : errno = ENOMEM;
47 0 : return NULL;
48 : }
49 :
50 0 : ndr_err = ndr_pull_struct_blob(blob, acl, acl,
51 : (ndr_pull_flags_fn_t)ndr_pull_nfs4acl);
52 :
53 0 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
54 0 : DBG_ERR("ndr_pull_acl_t failed: %s\n", ndr_errstr(ndr_err));
55 0 : TALLOC_FREE(acl);
56 0 : return NULL;
57 : }
58 0 : return acl;
59 : }
60 :
61 0 : static DATA_BLOB nfs4acl_acl2blob(TALLOC_CTX *mem_ctx, struct nfs4acl *acl)
62 : {
63 : enum ndr_err_code ndr_err;
64 : DATA_BLOB blob;
65 :
66 0 : ndr_err = ndr_push_struct_blob(&blob, mem_ctx, acl,
67 : (ndr_push_flags_fn_t)ndr_push_nfs4acl);
68 :
69 0 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
70 0 : DBG_ERR("ndr_push_acl_t failed: %s\n", ndr_errstr(ndr_err));
71 0 : return data_blob_null;
72 : }
73 0 : return blob;
74 : }
75 :
76 0 : static uint16_t nfs4acl_to_smb4acl_flags(uint8_t nfs4acl_flags)
77 : {
78 0 : uint16_t smb4acl_flags = SEC_DESC_SELF_RELATIVE;
79 :
80 0 : if (nfs4acl_flags & ACL4_AUTO_INHERIT) {
81 0 : smb4acl_flags |= SEC_DESC_DACL_AUTO_INHERITED;
82 : }
83 0 : if (nfs4acl_flags & ACL4_PROTECTED) {
84 0 : smb4acl_flags |= SEC_DESC_DACL_PROTECTED;
85 : }
86 0 : if (nfs4acl_flags & ACL4_DEFAULTED) {
87 0 : smb4acl_flags |= SEC_DESC_DACL_DEFAULTED;
88 : }
89 :
90 0 : return smb4acl_flags;
91 : }
92 :
93 0 : NTSTATUS nfs4acl_ndr_blob_to_smb4(struct vfs_handle_struct *handle,
94 : TALLOC_CTX *mem_ctx,
95 : DATA_BLOB *blob,
96 : struct SMB4ACL_T **_smb4acl)
97 : {
98 0 : struct nfs4acl *nfs4acl = NULL;
99 0 : struct SMB4ACL_T *smb4acl = NULL;
100 0 : TALLOC_CTX *frame = talloc_stackframe();
101 0 : struct nfs4acl_config *config = NULL;
102 : int i;
103 :
104 0 : SMB_VFS_HANDLE_GET_DATA(handle, config,
105 : struct nfs4acl_config,
106 : return NT_STATUS_INTERNAL_ERROR);
107 :
108 0 : nfs4acl = nfs4acl_blob2acl(blob, frame);
109 0 : if (nfs4acl == NULL) {
110 0 : TALLOC_FREE(frame);
111 0 : return NT_STATUS_INTERNAL_ERROR;
112 : }
113 :
114 0 : smb4acl = smb_create_smb4acl(mem_ctx);
115 0 : if (smb4acl == NULL) {
116 0 : TALLOC_FREE(frame);
117 0 : return NT_STATUS_NO_MEMORY;
118 : }
119 :
120 0 : if (config->nfs_version > ACL4_XATTR_VERSION_40 &&
121 0 : nfs4acl->a_version > ACL4_XATTR_VERSION_40)
122 : {
123 : uint16_t smb4acl_flags;
124 :
125 0 : smb4acl_flags = nfs4acl_to_smb4acl_flags(nfs4acl->a_flags);
126 0 : smbacl4_set_controlflags(smb4acl, smb4acl_flags);
127 : }
128 :
129 0 : for (i = 0; i < nfs4acl->a_count; i++) {
130 : SMB_ACE4PROP_T aceprop;
131 :
132 0 : aceprop.aceType = (uint32_t) nfs4acl->ace[i].e_type;
133 0 : aceprop.aceFlags = (uint32_t) nfs4acl->ace[i].e_flags;
134 0 : aceprop.aceMask = (uint32_t) nfs4acl->ace[i].e_mask;
135 0 : aceprop.who.id = (uint32_t) nfs4acl->ace[i].e_id;
136 :
137 0 : if (!strcmp(nfs4acl->ace[i].e_who,
138 : NFS4ACL_XATTR_OWNER_WHO)) {
139 0 : aceprop.flags = SMB_ACE4_ID_SPECIAL;
140 0 : aceprop.who.special_id = SMB_ACE4_WHO_OWNER;
141 0 : } else if (!strcmp(nfs4acl->ace[i].e_who,
142 : NFS4ACL_XATTR_GROUP_WHO)) {
143 0 : aceprop.flags = SMB_ACE4_ID_SPECIAL;
144 0 : aceprop.who.special_id = SMB_ACE4_WHO_GROUP;
145 0 : } else if (!strcmp(nfs4acl->ace[i].e_who,
146 : NFS4ACL_XATTR_EVERYONE_WHO)) {
147 0 : aceprop.flags = SMB_ACE4_ID_SPECIAL;
148 0 : aceprop.who.special_id = SMB_ACE4_WHO_EVERYONE;
149 : } else {
150 0 : aceprop.flags = 0;
151 : }
152 :
153 0 : if (smb_add_ace4(smb4acl, &aceprop) == NULL) {
154 0 : TALLOC_FREE(frame);
155 0 : return NT_STATUS_NO_MEMORY;
156 : }
157 : }
158 :
159 0 : *_smb4acl = smb4acl;
160 0 : TALLOC_FREE(frame);
161 0 : return NT_STATUS_OK;
162 : }
163 :
164 0 : static uint8_t smb4acl_to_nfs4acl_flags(uint16_t smb4acl_flags)
165 : {
166 0 : uint8_t flags = 0;
167 :
168 0 : if (smb4acl_flags & SEC_DESC_DACL_AUTO_INHERITED) {
169 0 : flags |= ACL4_AUTO_INHERIT;
170 : }
171 0 : if (smb4acl_flags & SEC_DESC_DACL_PROTECTED) {
172 0 : flags |= ACL4_PROTECTED;
173 : }
174 0 : if (smb4acl_flags & SEC_DESC_DACL_DEFAULTED) {
175 0 : flags |= ACL4_DEFAULTED;
176 : }
177 :
178 0 : return flags;
179 : }
180 :
181 0 : static bool nfs4acl_smb4acl2nfs4acl(vfs_handle_struct *handle,
182 : TALLOC_CTX *mem_ctx,
183 : struct SMB4ACL_T *smbacl,
184 : struct nfs4acl **_nfs4acl,
185 : bool denymissingspecial)
186 : {
187 0 : struct nfs4acl_config *config = NULL;
188 0 : struct nfs4acl *nfs4acl = NULL;
189 0 : struct SMB4ACE_T *smbace = NULL;
190 0 : bool have_special_id = false;
191 : int i;
192 :
193 0 : SMB_VFS_HANDLE_GET_DATA(handle, config,
194 : struct nfs4acl_config,
195 : return false);
196 :
197 0 : nfs4acl = talloc_zero(mem_ctx, struct nfs4acl);
198 0 : if (nfs4acl == NULL) {
199 0 : errno = ENOMEM;
200 0 : return false;
201 : }
202 :
203 0 : nfs4acl->a_count = smb_get_naces(smbacl);
204 :
205 0 : nfs4acl->ace = talloc_zero_array(nfs4acl, struct nfs4ace,
206 : nfs4acl->a_count);
207 0 : if (nfs4acl->ace == NULL) {
208 0 : TALLOC_FREE(nfs4acl);
209 0 : errno = ENOMEM;
210 0 : return false;
211 : }
212 :
213 0 : nfs4acl->a_version = config->nfs_version;
214 0 : if (nfs4acl->a_version > ACL4_XATTR_VERSION_40) {
215 : uint16_t smb4acl_flags;
216 : uint8_t flags;
217 :
218 0 : smb4acl_flags = smbacl4_get_controlflags(smbacl);
219 0 : flags = smb4acl_to_nfs4acl_flags(smb4acl_flags);
220 0 : nfs4acl->a_flags = flags;
221 : }
222 :
223 0 : for (smbace = smb_first_ace4(smbacl), i = 0;
224 : smbace != NULL;
225 0 : smbace = smb_next_ace4(smbace), i++)
226 : {
227 0 : SMB_ACE4PROP_T *aceprop = smb_get_ace4(smbace);
228 :
229 0 : nfs4acl->ace[i].e_type = aceprop->aceType;
230 0 : nfs4acl->ace[i].e_flags = aceprop->aceFlags;
231 0 : nfs4acl->ace[i].e_mask = aceprop->aceMask;
232 0 : nfs4acl->ace[i].e_id = aceprop->who.id;
233 0 : if(aceprop->flags & SMB_ACE4_ID_SPECIAL) {
234 0 : switch(aceprop->who.special_id) {
235 0 : case SMB_ACE4_WHO_EVERYONE:
236 0 : nfs4acl->ace[i].e_who =
237 : NFS4ACL_XATTR_EVERYONE_WHO;
238 0 : break;
239 0 : case SMB_ACE4_WHO_OWNER:
240 0 : nfs4acl->ace[i].e_who =
241 : NFS4ACL_XATTR_OWNER_WHO;
242 0 : break;
243 0 : case SMB_ACE4_WHO_GROUP:
244 0 : nfs4acl->ace[i].e_who =
245 : NFS4ACL_XATTR_GROUP_WHO;
246 0 : break;
247 0 : default:
248 0 : DBG_DEBUG("unsupported special_id %d\n",
249 : aceprop->who.special_id);
250 0 : continue; /* don't add it !!! */
251 : }
252 0 : have_special_id = true;
253 : } else {
254 0 : nfs4acl->ace[i].e_who = "";
255 : }
256 : }
257 :
258 0 : if (!have_special_id && denymissingspecial) {
259 0 : TALLOC_FREE(nfs4acl);
260 0 : errno = EACCES;
261 0 : return false;
262 : }
263 :
264 0 : SMB_ASSERT(i == nfs4acl->a_count);
265 :
266 0 : *_nfs4acl = nfs4acl;
267 0 : return true;
268 : }
269 :
270 0 : NTSTATUS nfs4acl_smb4acl_to_ndr_blob(vfs_handle_struct *handle,
271 : TALLOC_CTX *mem_ctx,
272 : struct SMB4ACL_T *smb4acl,
273 : DATA_BLOB *_blob)
274 : {
275 0 : struct nfs4acl *nfs4acl = NULL;
276 : DATA_BLOB blob;
277 : bool denymissingspecial;
278 : bool ok;
279 :
280 0 : denymissingspecial = lp_parm_bool(SNUM(handle->conn),
281 : "nfs4acl_xattr",
282 : "denymissingspecial", false);
283 :
284 0 : ok = nfs4acl_smb4acl2nfs4acl(handle, talloc_tos(), smb4acl, &nfs4acl,
285 : denymissingspecial);
286 0 : if (!ok) {
287 0 : DBG_ERR("Failed to convert smb ACL to nfs4 ACL.\n");
288 0 : return NT_STATUS_INTERNAL_ERROR;
289 : }
290 :
291 0 : blob = nfs4acl_acl2blob(mem_ctx, nfs4acl);
292 0 : TALLOC_FREE(nfs4acl);
293 0 : if (blob.data == NULL) {
294 0 : DBG_ERR("Failed to convert ACL to linear blob for xattr\n");
295 0 : return NT_STATUS_INTERNAL_ERROR;
296 : }
297 :
298 0 : *_blob = blob;
299 0 : return NT_STATUS_OK;
300 : }
|