1 /* SPDX-License-Identifier: LGPL-2.1 */
2 /*
3  *
4  *   Copyright (c) International Business Machines  Corp., 2007
5  *   Author(s): Steve French (sfrench@us.ibm.com)
6  *
7  */
8 
9 #ifndef _CIFSACL_H
10 #define _CIFSACL_H
11 
12 #include "../common/smbacl.h"
13 
14 #define READ_BIT        0x4
15 #define WRITE_BIT       0x2
16 #define EXEC_BIT        0x1
17 
18 #define ACL_OWNER_MASK 0700
19 #define ACL_GROUP_MASK 0070
20 #define ACL_EVERYONE_MASK 0007
21 
22 #define UBITSHIFT	6
23 #define GBITSHIFT	3
24 
25 /*
26  * Security Descriptor length containing DACL with 3 ACEs (one each for
27  * owner, group and world).
28  */
29 #define DEFAULT_SEC_DESC_LEN (sizeof(struct smb_ntsd) + \
30 			      sizeof(struct smb_acl) + \
31 			      (sizeof(struct smb_ace) * 4))
32 
33 /*
34  * The current SMB3 form of security descriptor is similar to what was used for
35  * cifs (see above) but some fields are split, and fields in the struct below
36  * matches names of fields to the spec, MS-DTYP (see sections 2.4.5 and
37  * 2.4.6). Note that "CamelCase" fields are used in this struct in order to
38  * match the MS-DTYP and MS-SMB2 specs which define the wire format.
39  */
40 struct smb3_sd {
41 	__u8 Revision; /* revision level, MUST be one */
42 	__u8 Sbz1; /* only meaningful if 'RM' flag set below */
43 	__le16 Control;
44 	__le32 OffsetOwner;
45 	__le32 OffsetGroup;
46 	__le32 OffsetSacl;
47 	__le32 OffsetDacl;
48 } __packed;
49 
50 /* Meaning of 'Control' field flags */
51 #define ACL_CONTROL_SR	0x8000	/* Self relative */
52 #define ACL_CONTROL_RM	0x4000	/* Resource manager control bits */
53 #define ACL_CONTROL_PS	0x2000	/* SACL protected from inherits */
54 #define ACL_CONTROL_PD	0x1000	/* DACL protected from inherits */
55 #define ACL_CONTROL_SI	0x0800	/* SACL Auto-Inherited */
56 #define ACL_CONTROL_DI	0x0400	/* DACL Auto-Inherited */
57 #define ACL_CONTROL_SC	0x0200	/* SACL computed through inheritance */
58 #define ACL_CONTROL_DC	0x0100	/* DACL computed through inheritance */
59 #define ACL_CONTROL_SS	0x0080	/* Create server ACL */
60 #define ACL_CONTROL_DT	0x0040	/* DACL provided by trusted source */
61 #define ACL_CONTROL_SD	0x0020	/* SACL defaulted */
62 #define ACL_CONTROL_SP	0x0010	/* SACL is present on object */
63 #define ACL_CONTROL_DD	0x0008	/* DACL defaulted */
64 #define ACL_CONTROL_DP	0x0004	/* DACL is present on object */
65 #define ACL_CONTROL_GD	0x0002	/* Group was defaulted */
66 #define ACL_CONTROL_OD	0x0001	/* User was defaulted */
67 
68 /* Meaning of AclRevision flags */
69 #define ACL_REVISION	0x02 /* See section 2.4.4.1 of MS-DTYP */
70 #define ACL_REVISION_DS	0x04 /* Additional AceTypes allowed */
71 
72 struct smb3_acl {
73 	u8 AclRevision; /* revision level */
74 	u8 Sbz1; /* MBZ */
75 	__le16 AclSize;
76 	__le16 AceCount;
77 	__le16 Sbz2; /* MBZ */
78 } __packed;
79 
80 /*
81  * Used to store the special 'NFS SIDs' used to persist the POSIX uid and gid
82  * See http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
83  */
84 struct owner_sid {
85 	u8 Revision;
86 	u8 NumAuth;
87 	u8 Authority[6];
88 	__le32 SubAuthorities[3];
89 } __packed;
90 
91 struct owner_group_sids {
92 	struct owner_sid owner;
93 	struct owner_sid group;
94 } __packed;
95 
96 /*
97  * Minimum security identifier can be one for system defined Users
98  * and Groups such as NULL SID and World or Built-in accounts such
99  * as Administrator and Guest and consists of
100  * Revision + Num (Sub)Auths + Authority + Domain (one Subauthority)
101  */
102 #define MIN_SID_LEN  (1 + 1 + 6 + 4) /* in bytes */
103 
104 /*
105  * Minimum security descriptor can be one without any SACL and DACL and can
106  * consist of revision, type, and two sids of minimum size for owner and group
107  */
108 #define MIN_SEC_DESC_LEN  (sizeof(struct smb_ntsd) + (2 * MIN_SID_LEN))
109 
110 #endif /* _CIFSACL_H */
111