From c3f8e814f8b3339b3f9cc86333a72c4bd7621070 Mon Sep 17 00:00:00 2001 From: Boris Protopopov Date: Thu, 19 Nov 2020 21:40:42 +0000 Subject: Extend cifs acl utilities to handle SACLs Extend getcifsacl/setcifsacl utilities to handle System ACLs (SACLs) in addition to Discretionary ACLs (DACLs). The SACL extensions depend on CIFS client support for system.cifs_ntsd_full extended attribute. Signed-off-by: Boris Protopopov --- cifsacl.h | 57 ++++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 42 insertions(+), 15 deletions(-) (limited to 'cifsacl.h') diff --git a/cifsacl.h b/cifsacl.h index bd0c695..20309ef 100644 --- a/cifsacl.h +++ b/cifsacl.h @@ -25,13 +25,19 @@ #ifndef _CIFSACL_H #define _CIFSACL_H -#define BUFSIZE 1024 -#define ATTRNAME "system.cifs_acl" -#define ATTRNAME_ACL ATTRNAME -#define ATTRNAME_NTSD "system.cifs_ntsd" +#define BUFSIZE 1024 +#define ATTRNAME "system.cifs_acl" +#define ATTRNAME_ACL ATTRNAME +#define ATTRNAME_NTSD "system.cifs_ntsd" +#define ATTRNAME_NTSD_FULL "system.cifs_ntsd_full" #define MAX_NUM_AUTHS 6 +typedef enum { + ACE_KIND_DACL, + ACE_KIND_SACL +} ace_kinds; + /* File specific rights */ #define READ_DATA 0x00000001 /* R */ #define WRITE_DATA 0x00000002 /* W */ 
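Review bot: The new `ATTRNAME_NTSD_FULL` macro and the `ace_kinds` enum carry no comment, so a reader of the header cannot tell that the `_full` xattr is the one that also carries the SACL and that, per the commit message, it only exists when the CIFS client supports it. Suggest `/* like ATTRNAME_NTSD but also carries the SACL; needs CIFS client support for this xattr */` above `ATTRNAME_NTSD_FULL`, and `/* which ACL of the security descriptor an ACE belongs to */` above the typedef. As a point of style, the tag `ace_kinds` is plural while it names a single kind per value; `ace_kind` would match the `ACE_KIND_` constant prefix. The fallback behaviour when the xattr is missing is decided in code outside this hunk, so I cannot tell from here how the tools report it.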
@@ -82,17 +88,36 @@ /* WA | WEA | A | W */ #define ALL_WRITE_BITS 0x40000116 -#define OBJECT_INHERIT_FLAG 0x01 /* OI */ -#define CONTAINER_INHERIT_FLAG 0x02 /* CI */ -#define NO_PROPAGATE_INHERIT_FLAG 0x04 /* NP */ -#define INHERIT_ONLY_FLAG 0x08 /* IO */ -#define INHERITED_ACE_FLAG 0x10 /* I */ -#define VFLAGS (OBJECT_INHERIT_FLAG|CONTAINER_INHERIT_FLAG|NO_PROPAGATE_INHERIT_FLAG|INHERIT_ONLY_FLAG|INHERITED_ACE_FLAG) - -#define ACCESS_ALLOWED 0 /* ALLOWED */ -#define ACCESS_DENIED 1 /* DENIED */ -#define ACCESS_ALLOWED_OBJECT 5 /* OBJECT_ALLOWED */ -#define ACCESS_DENIED_OBJECT 6 /* OBJECT_DENIED */ +/* R | W | A | REA | WEA | E | DC | RA | EA | D | RC | P | O */ +#define ALL_ACCESS_BITS 0x000f01ff + +/* ace flags */ +#define OBJECT_INHERIT_FLAG 0x01 /* OI */ +#define CONTAINER_INHERIT_FLAG 0x02 /* CI */ +#define NO_PROPAGATE_INHERIT_FLAG 0x04 /* NP */ +#define INHERIT_ONLY_FLAG 0x08 /* IO */ +#define INHERITED_ACE_FLAG 0x10 /* I */ +#define DACL_VFLAGS (OBJECT_INHERIT_FLAG|CONTAINER_INHERIT_FLAG|NO_PROPAGATE_INHERIT_FLAG|INHERIT_ONLY_FLAG|INHERITED_ACE_FLAG) + +#define SUCCESSFUL_ACCESS 0x40 /* SA */ +#define FAILED_ACCESS 0x80 /* FA */ +#define SACL_VFLAGS (SUCCESSFUL_ACCESS | FAILED_ACCESS) + +/* ace types */ +#define ACCESS_ALLOWED 0 /* ALLOWED */ +#define ACCESS_DENIED 1 /* DENIED */ +#define SYSTEM_AUDIT 2 /* AUDIT */ +#define ACCESS_ALLOWED_OBJECT 5 /* OBJECT_ALLOWED */ +#define ACCESS_DENIED_OBJECT 6 /* OBJECT_DENIED */ +#define SYSTEM_AUDIT_OBJECT 7 /* AUDIT_OBJECT */ +#define SYSTEM_AUDIT_CALLBACK 13 /* AUDIT_CALLBACK */ +#define SYSTEM_AUDIT_CALLBACK_OBJECT 15 /* AUDIT_CALLBACK_OBJECT */ +#define SYSTEM_MANDATORY_LABEL 17 /* MANDATORY_LABEL */ +#define SYSTEM_RESOURCE_ATTRIBUTE 18 /* RESOURCE_ATTRIBUTE */ +#define SYSTEM_SCOPED_POLICY_ID 19 /* SCOPED_POLICY_ID */ + +#define DACL_VTYPES (ACCESS_ALLOWED | ACCESS_DENIED | ACCESS_ALLOWED_OBJECT | ACCESS_DENIED_OBJECT) +#define SACL_VTYPES (SYSTEM_AUDIT | SYSTEM_AUDIT_OBJECT | SYSTEM_AUDIT_CALLBACK | 
SYSTEM_AUDIT_CALLBACK_OBJECT | SYSTEM_MANDATORY_LABEL | SYSTEM_RESOURCE_ATTRIBUTE | SYSTEM_SCOPED_POLICY_ID) #define COMPSID 0x1 #define COMPTYPE 0x2 @@ -100,6 +125,8 @@ #define COMPMASK 0x8 #define COMPALL (COMPSID|COMPTYPE|COMPFLAG|COMPMASK) +#define DEFAULT_ACL_REVISION 0x2 + /* * While not indicated here, the structs below represent on-the-wire data * structures. Any multi-byte values are expected to be little-endian! -- cgit v1.2.3
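Review bot: `DACL_VTYPES` and `SACL_VTYPES` OR together ACE type codes that are small ordinals (0, 1, 5, 6 and 2, 7, 13, 15, 17, 18, 19), not single-bit flags, so they evaluate to 7 and 31 respectively; any membership test of the form `type & DACL_VTYPES` would accept unlisted types such as 3, 4 and 7 and reject `ACCESS_ALLOWED` (0), and the two sets also overlap with each other, so a SACL ACE could be mistaken for a DACL one or vice versa. The neighbouring `DACL_VFLAGS` and `SACL_VFLAGS` are fine because each flag is one bit, but the type sets are not. If the macros are meant as sets, express them as bit positions, e.g. `#define DACL_VTYPES ((1u << ACCESS_ALLOWED) | (1u << ACCESS_DENIED) | (1u << ACCESS_ALLOWED_OBJECT) | (1u << ACCESS_DENIED_OBJECT))` with the same shape for `SACL_VTYPES`, and test membership as `((t) < 32 && ((DACL_VTYPES >> (t)) & 1u))`; otherwise a `switch` over the type is the clearer form. The use sites are outside this hunk, so I cannot confirm which form the callers expect.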
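Review bot: `DEFAULT_ACL_REVISION 0x2` is an undocumented magic value; a one-line comment such as `/* ACL_REVISION: revision for ACLs that contain no object ACEs */` would say what it is. On Windows an ACL that carries object ACEs (the `*_OBJECT` types this patch defines) is expected to use `ACL_REVISION_DS` (4) instead; the code that writes the revision field is outside this hunk, so I cannot tell whether that case is handled.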