1/*
2 * security.h - Exports for handling security/ACLs in NTFS.
3 *              Originated from the Linux-NTFS project.
4 *
5 * Copyright (c) 2004      Anton Altaparmakov
6 * Copyright (c) 2005-2006 Szabolcs Szakacsits
7 * Copyright (c) 2007-2010 Jean-Pierre Andre
8 *
9 * This program/include file is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as published
11 * by the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program/include file is distributed in the hope that it will be
15 * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
16 * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program (in the main directory of the NTFS-3G
21 * distribution in the file COPYING); if not, write to the Free Software
22 * Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
23 */
24
25#ifndef _NTFS_SECURITY_H
26#define _NTFS_SECURITY_H
27
28#include "types.h"
29#include "layout.h"
30#include "inode.h"
31#include "dir.h"
32#include "endians.h"
33
34#ifndef POSIXACLS
35#define POSIXACLS 0
36#endif
37
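/*
 *		Item in the user/group mapping list
 *
 *	Each item pairs one Linux id with one Windows SID. Items are
 *	chained through "next".
 *	NOTE(review): who allocates and frees "sid" and "groups" is not
 *	visible in this header - confirm against the implementation.
 */

struct MAPPING {
	struct MAPPING *next;	/* next item in the mapping list */
	int xid;		/* linux id : uid or gid */
	SID *sid;		/* Windows id : usid or gsid */
	int grcnt;		/* group count (for users only) */
	/* presumably holds grcnt entries - confirm before indexing */
	gid_t *groups;		/* groups which the user is member of */
};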
49
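/*
 *		Entry in the permissions cache
 *	Note : this cache is not organized as a generic cache
 *
 *	"mode" is a 12-bit field and "valid" a single bit : a wider value
 *	is truncated on assignment.
 *	NOTE(review): inh_fileid / inh_dirid look like the security ids
 *	inherited by files and by directories (see ntfs_inherited_id()) -
 *	confirm against the implementation.
 */

struct CACHED_PERMISSIONS {
	uid_t uid;
	gid_t gid;
	le32 inh_fileid;
	le32 inh_dirid;
#if POSIXACLS
	struct POSIX_SECURITY *pxdesc;
	/* only 16 bits : a size above 65535 cannot be recorded here */
	unsigned int pxdescsize:16;
#endif
	unsigned int mode:12;
	unsigned int valid:1;
} ;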
67
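/*
 *	Entry in the permissions cache for directories with no security_id
 *
 *	The leading fields, up to and including "payload", must match
 *	"struct CACHED_GENERIC". "payload" is a zero-length array (a
 *	compiler extension) which is not the last member : it only marks
 *	where the entry-specific fields begin, and it cannot be turned
 *	into a C99 flexible array member.
 */

struct CACHED_PERMISSIONS_LEGACY {
	struct CACHED_PERMISSIONS_LEGACY *next;
	struct CACHED_PERMISSIONS_LEGACY *previous;
	void *variable;
	size_t varsize;
	union ALIGNMENT payload[0];
		/* above fields must match "struct CACHED_GENERIC" */
	/* presumably the MFT record number used as lookup key - confirm */
	u64 mft_no;
	struct CACHED_PERMISSIONS perm;
} ;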
82
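/*
 *	Entry in the securid cache
 *
 *	The leading fields, up to and including "payload", must match
 *	"struct CACHED_GENERIC" ; the fields after "payload" are specific
 *	to this cache.
 *	NOTE(review): uid, gid and dmode look like the lookup key and
 *	securid like the cached result - confirm against the implementation.
 */

struct CACHED_SECURID {
	struct CACHED_SECURID *next;
	struct CACHED_SECURID *previous;
	void *variable;
	size_t varsize;
	union ALIGNMENT payload[0];
		/* above fields must match "struct CACHED_GENERIC" */
	uid_t uid;
	gid_t gid;
	unsigned int dmode;
	le32 securid;		/* little-endian (le32) security id */
} ;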
99
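/*
 *	Header of the security cache
 *	(has no cache structure by itself)
 *
 *	NOTE(review): "last" is presumably the highest usable index of
 *	cachetable in struct PERMISSIONS_CACHE - confirm before relying
 *	on it as a bound.
 */

struct CACHED_PERMISSIONS_HEADER {
	unsigned int last;
			/* statistics for permissions */
	unsigned long p_writes;
	unsigned long p_reads;
	unsigned long p_hits;
} ;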
112
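/*
 *	The whole permissions cache
 *
 *	"cachetable" is declared with a single element but is meant as an
 *	array of variable size : slots past the first one exist only when
 *	the cache was allocated larger than sizeof(struct PERMISSIONS_CACHE).
 *	NOTE(review): the allocation size and the index bound (presumably
 *	head.last) are not visible in this header - any index into
 *	cachetable should be checked against the allocated count.
 */

struct PERMISSIONS_CACHE {
	struct CACHED_PERMISSIONS_HEADER head;
	struct CACHED_PERMISSIONS *cachetable[1]; /* array of variable size */
} ;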
121
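/*
 *	Security flags values
 *
 *	The enumerators take the consecutive values 0 to 5.
 *	NOTE(review): whether they are used as bit numbers or as plain
 *	values is not visible in this header - confirm before combining
 *	or comparing them.
 */

enum {
	SECURITY_DEFAULT,	/* rely on fuse for permissions checking */
	SECURITY_RAW,		/* force same ownership/permissions on files */
	SECURITY_ACL,		/* enable Posix ACLs (when compiled in) */
	SECURITY_ADDSECURIDS,	/* upgrade old security descriptors */
	SECURITY_STATICGRPS,	/* use static groups for access control */
	SECURITY_WANTED		/* a security related option was present */
} ;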
134
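/*
 *	Security context, needed by most security functions
 *
 *	uid, gid, tid and umask describe the requester, not the process
 *	which mounted the volume.
 *	NOTE(review): they are presumably refreshed for each request
 *	before a permission check relies on them - confirm in the callers.
 */

/* indexes into SECURITY_CONTEXT.mapping ; MAPCOUNT is the array size */
enum { MAPUSERS, MAPGROUPS, MAPCOUNT } ;

struct SECURITY_CONTEXT {
	ntfs_volume *vol;
	struct MAPPING *mapping[MAPCOUNT];
	/* pointer to a cache pointer held elsewhere, not the cache itself */
	struct PERMISSIONS_CACHE **pseccache;
	uid_t uid; /* uid of user requesting (not the mounter) */
	gid_t gid; /* gid of user requesting (not the mounter) */
	pid_t tid; /* thread id of thread requesting */
	mode_t umask; /* umask of requesting thread */
	} ;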
150
151#if POSIXACLS
152
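/*
 *		       Posix ACL structures
 */

/*
 *	A single Posix ACL entry, declared packed.
 *	NOTE(review): tag and perms presumably hold the POSIX_ACL_* and
 *	POSIX_PERM_* values defined in this header, and id the uid or gid
 *	the entry applies to - confirm against the implementation.
 */
struct POSIX_ACE {
	u16 tag;
	u16 perms;
	s32 id;
} __attribute__((__packed__));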
162
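/*
 *	Header of a Posix ACL, declared packed, followed by its entries.
 *	"ace" is a zero-length trailing array : the entries lie past the
 *	end of the structure and sizeof(struct POSIX_ACL) does not count
 *	them. The number of entries is not stored in this structure, so
 *	it has to be known from elsewhere before ace[] is indexed.
 */
struct POSIX_ACL {
	u8 version;
	u8 flags;
	u16 filler;
	struct POSIX_ACE ace[0];
} __attribute__((__packed__));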
169
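/*
 *	Posix security description : a mode plus an ACL.
 *	"acl" is the last member and ends with a zero-length array, so the
 *	ACL entries follow the structure in the same allocation.
 *	NOTE(review): acccnt, defcnt and firstdef presumably give the
 *	number of access entries, the number of default entries and the
 *	index of the first default entry in acl.ace. They are signed, so
 *	a descriptor built from external data should have them checked
 *	for negative values and against the allocated size - confirm where
 *	this is done.
 */
struct POSIX_SECURITY {
	mode_t mode;
	int acccnt;
	int defcnt;
	int firstdef;
	u16 tagsset;
	u16 filler;
	struct POSIX_ACL acl;
} ;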
179
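/*
 *		Posix tags, cpu-endian 16 bits
 *
 *	Each tag is a distinct single bit, so several tags can be combined
 *	into one mask, as POSIX_ACL_EXTENSIONS does below.
 */

enum {
	POSIX_ACL_USER_OBJ =	1,
	POSIX_ACL_USER =	2,
	POSIX_ACL_GROUP_OBJ =	4,
	POSIX_ACL_GROUP =	8,
	POSIX_ACL_MASK =	16,
	POSIX_ACL_OTHER =	32,
	POSIX_ACL_SPECIAL =	64  /* internal use only */
} ;

/* mask of the tags USER, GROUP and MASK */
#define POSIX_ACL_EXTENSIONS (POSIX_ACL_USER | POSIX_ACL_GROUP | POSIX_ACL_MASK)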
195
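/*
 *		Posix permissions, cpu-endian 16 bits
 *
 *	X, W and R use the same bit values as one rwx triplet of a
 *	Unix mode (1, 2, 4).
 */

enum {
	POSIX_PERM_X =		1,
	POSIX_PERM_W =		2,
	POSIX_PERM_R =		4,
	POSIX_PERM_DENIAL =	64 /* internal use only */
} ;

/* NOTE(review): presumably the value expected in POSIX_ACL.version */
#define POSIX_VERSION 2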
208
209#endif
210
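/*
 *		GUID, SID and security descriptor helpers
 *
 *	ntfs_guid_to_mbs() takes no buffer size : the caller has to supply
 *	a guid_str buffer big enough for the text form.
 *	NOTE(review): the required size, and what happens when guid_str
 *	is NULL, are not visible in this header - check the implementation.
 *	ntfs_sid_to_mbs() does take the buffer size ; ntfs_sid_to_mbs_size()
 *	presumably returns the size to reserve for it - confirm.
 *	ntfs_security_hash() is given the descriptor length by the caller ;
 *	len should not exceed the memory actually backing sd.
 */
extern BOOL ntfs_guid_is_zero(const GUID *guid);
extern char *ntfs_guid_to_mbs(const GUID *guid, char *guid_str);

extern int ntfs_sid_to_mbs_size(const SID *sid);
extern char *ntfs_sid_to_mbs(const SID *sid, char *sid_str,
		size_t sid_str_size);
extern void ntfs_generate_guid(GUID *guid);
extern int ntfs_sd_add_everyone(ntfs_inode *ni);

extern le32 ntfs_security_hash(const SECURITY_DESCRIPTOR_RELATIVE *sd,
			       const u32 len);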
222
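/*
 *		User mapping and access checks
 *
 *	All of these take the security context, whose uid and gid identify
 *	the requesting user (not the mounter).
 *	NOTE(review): the return conventions (int against BOOL, and which
 *	value means "denied") are not visible in this header - check each
 *	one in the implementation before testing a result.
 */
int ntfs_build_mapping(struct SECURITY_CONTEXT *scx, const char *usermap_path,
		BOOL allowdef);
int ntfs_get_owner_mode(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, struct stat *stbuf);
int ntfs_set_mode(struct SECURITY_CONTEXT *scx, ntfs_inode *ni, mode_t mode);
BOOL ntfs_allowed_as_owner(struct SECURITY_CONTEXT *scx, ntfs_inode *ni);
int ntfs_allowed_access(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, int accesstype);
int ntfs_allowed_create(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, gid_t *pgid, mode_t *pdsetgid);
BOOL old_ntfs_allowed_dir_access(struct SECURITY_CONTEXT *scx,
		const char *path, int accesstype);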
235
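/*
 *		Ownership, mode and security id management
 *
 *	ntfs_alloc_securid() and ntfs_set_owner_mode() have a different
 *	parameter list depending on POSIXACLS : every file calling them
 *	has to be compiled with the same POSIXACLS value as the library,
 *	otherwise the arguments do not line up with the definition.
 */
#if POSIXACLS
le32 ntfs_alloc_securid(struct SECURITY_CONTEXT *scx,
		uid_t uid, gid_t gid, ntfs_inode *dir_ni,
		mode_t mode, BOOL isdir);
#else
le32 ntfs_alloc_securid(struct SECURITY_CONTEXT *scx,
		uid_t uid, gid_t gid, mode_t mode, BOOL isdir);
#endif
int ntfs_set_owner(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		uid_t uid, gid_t gid);
int ntfs_set_ownmod(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, uid_t uid, gid_t gid, mode_t mode);
#if POSIXACLS
int ntfs_set_owner_mode(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, uid_t uid, gid_t gid,
		mode_t mode, struct POSIX_SECURITY *pxdesc);
#else
int ntfs_set_owner_mode(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, uid_t uid, gid_t gid, mode_t mode);
#endif
le32 ntfs_inherited_id(struct SECURITY_CONTEXT *scx,
		ntfs_inode *dir_ni, BOOL fordir);
int ntfs_open_secure(ntfs_volume *vol);
int ntfs_close_secure(ntfs_volume *vol);

void ntfs_destroy_security_context(struct SECURITY_CONTEXT *scx);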
262
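#if POSIXACLS

/*
 *		Posix ACL access (only when compiled with POSIXACLS)
 *
 *	The get/set functions exchange the ACL through a caller buffer
 *	"value" of "size" bytes.
 *	NOTE(review): the data given to ntfs_set_posix_acl() comes from
 *	the caller ; where its length and entry counts are validated
 *	against "size" is not visible in this header - confirm in the
 *	implementation. The meaning of "name" and of the return values
 *	is not visible here either.
 */
int ntfs_set_inherited_posix(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, uid_t uid, gid_t gid,
		ntfs_inode *dir_ni, mode_t mode);
int ntfs_get_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
			const char *name, char *value, size_t size);
int ntfs_set_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
			const char *name, const char *value, size_t size,
			int flags);
int ntfs_remove_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
			const char *name);
#endif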
276
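/*
 *		Raw NTFS ACL and NTFS attribute access
 *
 *	Both pairs exchange their data through a caller buffer "value" of
 *	"size" bytes. The two attrib functions take no security context,
 *	so any permission check has to be done by the caller.
 *	NOTE(review): what the getters return when "size" is too small,
 *	and how the setters validate "value", are not visible in this
 *	header - confirm in the implementation.
 */
int ntfs_get_ntfs_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
			char *value, size_t size);
int ntfs_set_ntfs_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
			const char *value, size_t size, int flags);

int ntfs_get_ntfs_attrib(ntfs_inode *ni, char *value, size_t size);
int ntfs_set_ntfs_attrib(ntfs_inode *ni,
			const char *value, size_t size,	int flags);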
285
286
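/*
 *		Security API for direct access to security descriptors
 *	based on Win32 API
 *
 *	struct SECURITY_API is the handle returned by
 *	ntfs_initialize_file_security() and passed to the functions below.
 *	NOTE(review): "magic" is presumably set to MAGIC_API and checked
 *	by each entry point to reject a pointer which is not a live
 *	handle - confirm in the implementation.
 */

#define MAGIC_API 0x09042009

struct SECURITY_API {
	u32 magic;
	struct SECURITY_CONTEXT security;
	struct PERMISSIONS_CACHE *seccache;
} ;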
299
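/*
 *  The following constants are used in interfacing external programs.
 *  They are not to be stored on disk and must be defined in their
 *  native cpu representation.
 *  When disk representation (le) is needed, use SE_DACL_PRESENT, etc.
 *
 *  Each constant is a distinct single bit.
 *  NOTE(review): the "selection" argument of ntfs_get_file_security()
 *  and ntfs_set_file_security() is presumably a bitwise OR of them -
 *  confirm in the implementation.
 */
enum {	OWNER_SECURITY_INFORMATION = 1,
	GROUP_SECURITY_INFORMATION = 2,
	DACL_SECURITY_INFORMATION = 4,
	SACL_SECURITY_INFORMATION = 8
} ;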
311
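/*
 *		Entry points of the security API
 *
 *	ntfs_initialize_file_security() returns the handle which every
 *	other function takes as first argument, and
 *	ntfs_leave_file_security() takes that same handle back.
 *
 *	Buffer handling, as far as the prototypes show :
 *	- ntfs_get_file_security() and ntfs_read_sds() receive the buffer
 *	  size (buflen, size) along with the buffer ;
 *	- ntfs_get_usid() and ntfs_get_gsid() receive no size : the caller
 *	  has to supply a buf big enough for the SID written to it.
 *	NOTE(review): the size needed by ntfs_get_usid()/ntfs_get_gsid(),
 *	the value stored through psize and the return conventions are not
 *	visible in this header - confirm in the implementation.
 */
int ntfs_get_file_security(struct SECURITY_API *scapi,
		const char *path, u32 selection,
		char *buf, u32 buflen, u32 *psize);
int ntfs_set_file_security(struct SECURITY_API *scapi,
		const char *path, u32 selection, const char *attr);
int ntfs_get_file_attributes(struct SECURITY_API *scapi,
		const char *path);
BOOL ntfs_set_file_attributes(struct SECURITY_API *scapi,
		const char *path, s32 attrib);
BOOL ntfs_read_directory(struct SECURITY_API *scapi,
		const char *path, ntfs_filldir_t callback, void *context);
int ntfs_read_sds(struct SECURITY_API *scapi,
		char *buf, u32 size, u32 offset);
INDEX_ENTRY *ntfs_read_sii(struct SECURITY_API *scapi,
		INDEX_ENTRY *entry);
INDEX_ENTRY *ntfs_read_sdh(struct SECURITY_API *scapi,
		INDEX_ENTRY *entry);
struct SECURITY_API *ntfs_initialize_file_security(const char *device,
		unsigned long flags);
BOOL ntfs_leave_file_security(struct SECURITY_API *scx);

int ntfs_get_usid(struct SECURITY_API *scapi, uid_t uid, char *buf);
int ntfs_get_gsid(struct SECURITY_API *scapi, gid_t gid, char *buf);
int ntfs_get_user(struct SECURITY_API *scapi, const SID *usid);
int ntfs_get_group(struct SECURITY_API *scapi, const SID *gsid);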
337
338#endif /* defined _NTFS_SECURITY_H */
339