blob: 8a83d32d047b290634ac86139d99a400945b97d0
1 | /* |
2 | * |
3 | * Copyright (c) 2007-2008 Jean-Pierre Andre |
4 | * |
5 | */ |
6 | |
7 | /* |
8 | * This program is free software; you can redistribute it and/or modify |
9 | * it under the terms of the GNU General Public License as published by |
10 | * the Free Software Foundation; either version 2 of the License, or |
11 | * (at your option) any later version. |
12 | * |
13 | * This program is distributed in the hope that it will be useful, |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | * GNU General Public License for more details. |
17 | * |
18 | * You should have received a copy of the GNU General Public License |
19 | * along with this program (in the main directory of the NTFS-3G |
20 | * distribution in the file COPYING); if not, write to the Free Software |
21 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
22 | */ |
23 | |
24 | #ifndef ACLS_H |
25 | #define ACLS_H |
26 | |
27 | /* |
28 | * JPA configuration modes for security.c / acls.c |
29 | * should be moved to some config file |
30 | */ |
31 | |
32 | #define BUFSZ 1024 /* buffer size to read mapping file */ |
33 | #define MAPPINGFILE ".NTFS-3G/UserMapping" /* default mapping file */ |
34 | #define LINESZ 120 /* maximum useful size of a mapping line */ |
35 | #define CACHE_PERMISSIONS_BITS 6 /* log2 of unitary allocation of permissions */ |
36 | #define CACHE_PERMISSIONS_SIZE 262144 /* max cacheable permissions */ |
37 | |
38 | /* |
39 | * JPA The following must be in some library... |
40 | * but did not found out where |
41 | */ |
42 | |
43 | #define endian_rev16(x) (((x >> 8) & 255) | ((x & 255) << 8)) |
44 | #define endian_rev32(x) (((x >> 24) & 255) | ((x >> 8) & 0xff00) \ |
45 | | ((x & 0xff00) << 8) | ((x & 255) << 24)) |
46 | |
47 | #define cpu_to_be16(x) endian_rev16(cpu_to_le16(x)) |
48 | #define cpu_to_be32(x) endian_rev32(cpu_to_le32(x)) |
49 | |
50 | /* |
51 | * Macro definitions needed to share code with secaudit |
52 | */ |
53 | |
54 | #define NTFS_FIND_USID(map,uid,buf) ntfs_find_usid(map,uid,buf) |
55 | #define NTFS_FIND_GSID(map,gid,buf) ntfs_find_gsid(map,gid,buf) |
56 | #define NTFS_FIND_USER(map,usid) ntfs_find_user(map,usid) |
57 | #define NTFS_FIND_GROUP(map,gsid) ntfs_find_group(map,gsid) |
58 | |
59 | |
60 | /* |
61 | * Matching of ntfs permissions to Linux permissions |
62 | * these constants are adapted to endianness |
63 | * when setting, set them all |
64 | * when checking, check one is present |
65 | */ |
66 | |
67 | /* flags which are set to mean exec, write or read */ |
68 | |
69 | #define FILE_READ (FILE_READ_DATA) |
70 | #define FILE_WRITE (FILE_WRITE_DATA | FILE_APPEND_DATA \ |
71 | | READ_CONTROL | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA) |
72 | #define FILE_EXEC (FILE_EXECUTE) |
73 | #define DIR_READ FILE_LIST_DIRECTORY |
74 | #define DIR_WRITE (FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY | FILE_DELETE_CHILD \ |
75 | | READ_CONTROL | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA) |
76 | #define DIR_EXEC (FILE_TRAVERSE) |
77 | |
78 | /* flags tested for meaning exec, write or read */ |
79 | /* tests for write allow for interpretation of a sticky bit */ |
80 | |
81 | #define FILE_GREAD (FILE_READ_DATA | GENERIC_READ) |
82 | #define FILE_GWRITE (FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_WRITE) |
83 | #define FILE_GEXEC (FILE_EXECUTE | GENERIC_EXECUTE) |
84 | #define DIR_GREAD (FILE_LIST_DIRECTORY | GENERIC_READ) |
85 | #define DIR_GWRITE (FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY | GENERIC_WRITE) |
86 | #define DIR_GEXEC (FILE_TRAVERSE | GENERIC_EXECUTE) |
87 | |
88 | /* standard owner (and administrator) rights */ |
89 | |
90 | #define OWNER_RIGHTS (DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER \ |
91 | | SYNCHRONIZE \ |
92 | | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES \ |
93 | | FILE_READ_EA | FILE_WRITE_EA) |
94 | |
95 | /* standard world rights */ |
96 | |
97 | #define WORLD_RIGHTS (READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_READ_EA \ |
98 | | SYNCHRONIZE) |
99 | |
100 | /* inheritance flags for files and directories */ |
101 | |
102 | #define FILE_INHERITANCE NO_PROPAGATE_INHERIT_ACE |
103 | #define DIR_INHERITANCE (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE) |
104 | |
105 | /* |
106 | * To identify NTFS ACL meaning Posix ACL granted to root |
107 | * we use rights always granted to anybody, so they have no impact |
108 | * either on Windows or on Linux. |
109 | */ |
110 | |
111 | #define ROOT_OWNER_UNMARK SYNCHRONIZE /* ACL granted to root as owner */ |
112 | #define ROOT_GROUP_UNMARK FILE_READ_EA /* ACL granted to root as group */ |
113 | |
114 | /* |
115 | * A type large enough to hold any SID |
116 | */ |
117 | |
118 | typedef char BIGSID[40]; |
119 | |
120 | /* |
121 | * Struct to hold the input mapping file |
122 | * (private to this module) |
123 | */ |
124 | |
125 | struct MAPLIST { |
126 | struct MAPLIST *next; |
127 | char *uidstr; /* uid text from the same record */ |
128 | char *gidstr; /* gid text from the same record */ |
129 | char *sidstr; /* sid text from the same record */ |
130 | char maptext[LINESZ + 1]; |
131 | }; |
132 | |
133 | typedef int (*FILEREADER)(void *fileid, char *buf, size_t size, off_t pos); |
134 | |
135 | /* |
136 | * Constants defined in acls.c |
137 | */ |
138 | |
139 | extern const SID *adminsid; |
140 | extern const SID *worldsid; |
141 | |
142 | /* |
143 | * Functions defined in acls.c |
144 | */ |
145 | |
146 | BOOL ntfs_valid_descr(const char *securattr, unsigned int attrsz); |
147 | BOOL ntfs_valid_pattern(const SID *sid); |
148 | BOOL ntfs_valid_sid(const SID *sid); |
149 | BOOL ntfs_same_sid(const SID *first, const SID *second); |
150 | |
151 | BOOL ntfs_is_user_sid(const SID *usid); |
152 | |
153 | |
154 | int ntfs_sid_size(const SID * sid); |
155 | unsigned int ntfs_attr_size(const char *attr); |
156 | |
157 | const SID *ntfs_find_usid(const struct MAPPING *usermapping, |
158 | uid_t uid, SID *pdefsid); |
159 | const SID *ntfs_find_gsid(const struct MAPPING *groupmapping, |
160 | gid_t gid, SID *pdefsid); |
161 | uid_t ntfs_find_user(const struct MAPPING *usermapping, const SID *usid); |
162 | gid_t ntfs_find_group(const struct MAPPING *groupmapping, const SID * gsid); |
163 | const SID *ntfs_acl_owner(const char *secattr); |
164 | |
165 | #if POSIXACLS |
166 | |
167 | BOOL ntfs_valid_posix(const struct POSIX_SECURITY *pxdesc); |
168 | void ntfs_sort_posix(struct POSIX_SECURITY *pxdesc); |
169 | int ntfs_merge_mode_posix(struct POSIX_SECURITY *pxdesc, mode_t mode); |
170 | struct POSIX_SECURITY *ntfs_build_inherited_posix( |
171 | const struct POSIX_SECURITY *pxdesc, mode_t mode, |
172 | mode_t umask, BOOL isdir); |
173 | struct POSIX_SECURITY *ntfs_replace_acl(const struct POSIX_SECURITY *oldpxdesc, |
174 | const struct POSIX_ACL *newacl, int count, BOOL deflt); |
175 | struct POSIX_SECURITY *ntfs_build_permissions_posix( |
176 | struct MAPPING* const mapping[], |
177 | const char *securattr, |
178 | const SID *usid, const SID *gsid, BOOL isdir); |
179 | struct POSIX_SECURITY *ntfs_merge_descr_posix(const struct POSIX_SECURITY *first, |
180 | const struct POSIX_SECURITY *second); |
181 | char *ntfs_build_descr_posix(struct MAPPING* const mapping[], |
182 | struct POSIX_SECURITY *pxdesc, |
183 | int isdir, const SID *usid, const SID *gsid); |
184 | |
185 | #endif /* POSIXACLS */ |
186 | |
187 | int ntfs_inherit_acl(const ACL *oldacl, ACL *newacl, |
188 | const SID *usid, const SID *gsid, BOOL fordir); |
189 | int ntfs_build_permissions(const char *securattr, |
190 | const SID *usid, const SID *gsid, BOOL isdir); |
191 | char *ntfs_build_descr(mode_t mode, |
192 | int isdir, const SID * usid, const SID * gsid); |
193 | struct MAPLIST *ntfs_read_mapping(FILEREADER reader, void *fileid); |
194 | struct MAPPING *ntfs_do_user_mapping(struct MAPLIST *firstitem); |
195 | struct MAPPING *ntfs_do_group_mapping(struct MAPLIST *firstitem); |
196 | void ntfs_free_mapping(struct MAPPING *mapping[]); |
197 | |
198 | #endif /* ACLS_H */ |
199 | |
200 |