#include "librpc/gen_ndr/xattr.h"
#include "auth.h"
#include "vfs_acl_common.h"
+#include "lib/util/tevent_ntstatus.h"
+#include "lib/util/tevent_unix.h"
/* Pull in the common functions. */
#define ACL_MODULE_NAME "acl_xattr"
const char *service,
const char *user)
{
+ const char *security_acl_xattr_name = NULL;
int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
bool ok;
struct acl_common_config *config = NULL;
"yes");
}
+ security_acl_xattr_name = lp_parm_const_string(SNUM(handle->conn),
+ "acl_xattr",
+ "security_acl_name",
+ NULL);
+ if (security_acl_xattr_name != NULL) {
+ config->security_acl_xattr_name = talloc_strdup(config, security_acl_xattr_name);
+ if (config->security_acl_xattr_name == NULL) {
+ return -1;
+ }
+ }
+
return 0;
}
return status;
}
+struct acl_xattr_getxattrat_state {
+ struct vfs_aio_state aio_state;
+ ssize_t xattr_size;
+ uint8_t *xattr_value;
+};
+
+static void acl_xattr_getxattrat_done(struct tevent_req *subreq);
+
+static struct tevent_req *acl_xattr_getxattrat_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct vfs_handle_struct *handle,
+ files_struct *dirfsp,
+ const struct smb_filename *smb_fname,
+ const char *xattr_name,
+ size_t alloc_hint)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct acl_xattr_getxattrat_state *state = NULL;
+ struct acl_common_config *config = NULL;
+
+ SMB_VFS_HANDLE_GET_DATA(handle, config,
+ struct acl_common_config,
+ return NULL);
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct acl_xattr_getxattrat_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ if (strequal(xattr_name, config->security_acl_xattr_name)) {
+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return tevent_req_post(req, ev);
+ }
+ if (config->security_acl_xattr_name != NULL &&
+ strequal(xattr_name, XATTR_NTACL_NAME))
+ {
+ xattr_name = config->security_acl_xattr_name;
+ }
+
+ subreq = SMB_VFS_NEXT_GETXATTRAT_SEND(state,
+ ev,
+ handle,
+ dirfsp,
+ smb_fname,
+ xattr_name,
+ alloc_hint);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, acl_xattr_getxattrat_done, req);
+
+ return req;
+}
+
+static void acl_xattr_getxattrat_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct acl_xattr_getxattrat_state *state = tevent_req_data(
+ req, struct acl_xattr_getxattrat_state);
+
+ state->xattr_size = SMB_VFS_NEXT_GETXATTRAT_RECV(subreq,
+ &state->aio_state,
+ state,
+ &state->xattr_value);
+ TALLOC_FREE(subreq);
+ if (state->xattr_size == -1) {
+ tevent_req_error(req, state->aio_state.error);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static ssize_t acl_xattr_getxattrat_recv(struct tevent_req *req,
+ struct vfs_aio_state *aio_state,
+ TALLOC_CTX *mem_ctx,
+ uint8_t **xattr_value)
+{
+ struct acl_xattr_getxattrat_state *state = tevent_req_data(
+ req, struct acl_xattr_getxattrat_state);
+ ssize_t xattr_size;
+
+ if (tevent_req_is_unix_error(req, &aio_state->error)) {
+ tevent_req_received(req);
+ return -1;
+ }
+
+ *aio_state = state->aio_state;
+ xattr_size = state->xattr_size;
+ if (xattr_value != NULL) {
+ *xattr_value = talloc_move(mem_ctx, &state->xattr_value);
+ }
+
+ tevent_req_received(req);
+ return xattr_size;
+}
+
+static ssize_t acl_xattr_fgetxattr(struct vfs_handle_struct *handle,
+ struct files_struct *fsp,
+ const char *name,
+ void *value,
+ size_t size)
+{
+ struct acl_common_config *config = NULL;
+
+ SMB_VFS_HANDLE_GET_DATA(handle, config,
+ struct acl_common_config,
+ return -1);
+
+ if (strequal(name, config->security_acl_xattr_name)) {
+ errno = EACCES;
+ return -1;
+ }
+ if (config->security_acl_xattr_name != NULL &&
+ strequal(name, XATTR_NTACL_NAME))
+ {
+ name = config->security_acl_xattr_name;
+ }
+
+ return SMB_VFS_NEXT_FGETXATTR(handle, fsp, name, value, size);
+}
+
+static ssize_t acl_xattr_flistxattr(struct vfs_handle_struct *handle,
+ struct files_struct *fsp,
+ char *listbuf,
+ size_t bufsize)
+{
+ struct acl_common_config *config = NULL;
+ ssize_t size;
+ char *p = NULL;
+ size_t nlen, consumed;
+
+ SMB_VFS_HANDLE_GET_DATA(handle, config,
+ struct acl_common_config,
+ return -1);
+
+ size = SMB_VFS_NEXT_FLISTXATTR(handle, fsp, listbuf, bufsize);
+ if (size < 0) {
+ return -1;
+ }
+
+ p = listbuf;
+ while (p - listbuf < size) {
+ nlen = strlen(p) + 1;
+ if (strequal(p, config->security_acl_xattr_name)) {
+ break;
+ }
+ p += nlen;
+ }
+ if (p - listbuf >= size) {
+ /* No match */
+ return size;
+ }
+
+ /*
+ * The consumed helper variable just makes the math
+ * a bit more digestible.
+ */
+ consumed = p - listbuf;
+ if (consumed + nlen < size) {
+ /* If not the last name move, else just skip */
+ memmove(p, p + nlen, size - consumed - nlen);
+ }
+ size -= nlen;
+
+ return size;
+}
+
+static int acl_xattr_fremovexattr(struct vfs_handle_struct *handle,
+ struct files_struct *fsp,
+ const char *name)
+{
+ struct acl_common_config *config = NULL;
+
+ SMB_VFS_HANDLE_GET_DATA(handle, config,
+ struct acl_common_config,
+ return -1);
+
+ if (strequal(name, config->security_acl_xattr_name)) {
+ errno = EACCES;
+ return -1;
+ }
+ if (config->security_acl_xattr_name != NULL &&
+ strequal(name, XATTR_NTACL_NAME))
+ {
+ name = config->security_acl_xattr_name;
+ }
+
+ return SMB_VFS_NEXT_FREMOVEXATTR(handle, fsp, name);
+}
+
+static int acl_xattr_fsetxattr(struct vfs_handle_struct *handle,
+ struct files_struct *fsp,
+ const char *name,
+ const void *value,
+ size_t size,
+ int flags)
+{
+ struct acl_common_config *config = NULL;
+
+ SMB_VFS_HANDLE_GET_DATA(handle, config,
+ struct acl_common_config,
+ return -1);
+
+ if (strequal(name, config->security_acl_xattr_name)) {
+ errno = EACCES;
+ return -1;
+ }
+ if (config->security_acl_xattr_name != NULL &&
+ strequal(name, XATTR_NTACL_NAME))
+ {
+ name = config->security_acl_xattr_name;
+ }
+
+ return SMB_VFS_NEXT_FSETXATTR(handle, fsp, name, value, size, flags);
+}
+
static struct vfs_fn_pointers vfs_acl_xattr_fns = {
.connect_fn = connect_acl_xattr,
.unlinkat_fn = acl_xattr_unlinkat,
.fchmod_fn = fchmod_acl_module_common,
.fget_nt_acl_fn = acl_xattr_fget_nt_acl,
.fset_nt_acl_fn = acl_xattr_fset_nt_acl,
- .sys_acl_set_fd_fn = sys_acl_set_fd_xattr
+ .sys_acl_set_fd_fn = sys_acl_set_fd_xattr,
+ .getxattrat_send_fn = acl_xattr_getxattrat_send,
+ .getxattrat_recv_fn = acl_xattr_getxattrat_recv,
+ .fgetxattr_fn = acl_xattr_fgetxattr,
+ .flistxattr_fn = acl_xattr_flistxattr,
+ .fremovexattr_fn = acl_xattr_fremovexattr,
+ .fsetxattr_fn = acl_xattr_fsetxattr,
};
static_decl_vfs;
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ SMB2 EA tests
+
+ Copyright (C) Ralph Boehme 2022
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ntstatus_gen.h"
+#include "system/time.h"
+#include "libcli/smb2/smb2.h"
+#include "libcli/smb2/smb2_calls.h"
+#include "torture/torture.h"
+#include "torture/smb2/proto.h"
+
+#define BASEDIR "test_ea"
+
+static bool find_returned_ea(union smb_fileinfo *finfo2,
+ const char *eaname)
+{
+ unsigned int i;
+ unsigned int num_eas = finfo2->all_eas.out.num_eas;
+ struct ea_struct *eas = finfo2->all_eas.out.eas;
+
+ for (i = 0; i < num_eas; i++) {
+ if (eas[i].name.s == NULL) {
+ continue;
+ }
+ /* Windows capitalizes returned EA names. */
+ if (strequal(eas[i].name.s, eaname)) {
+ return true;
+ }
+ }
+ return false;
+}
+
+static bool torture_smb2_acl_xattr(struct torture_context *tctx,
+ struct smb2_tree *tree)
+{
+ const char *fname = BASEDIR "\\test_acl_xattr";
+ const char *xattr_name = NULL;
+ struct smb2_handle h1;
+ struct ea_struct ea;
+ union smb_fileinfo finfo;
+ union smb_setfileinfo sfinfo;
+ NTSTATUS status;
+ bool ret = true;
+
+ torture_comment(tctx, "Verify NTACL xattr can't be accessed\n");
+
+ xattr_name = torture_setting_string(tctx, "acl_xattr_name", NULL);
+ torture_assert_not_null(tctx, xattr_name, "Missing acl_xattr_name option\n");
+
+ smb2_deltree(tree, BASEDIR);
+
+ status = torture_smb2_testdir(tree, BASEDIR, &h1);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "torture_smb2_testdir\n");
+ smb2_util_close(tree, h1);
+
+ status = torture_smb2_testfile(tree, fname, &h1);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "torture_smb2_testfile failed\n");
+
+ /*
+ * 1. Set an EA, so we have somthing to list
+ */
+ ZERO_STRUCT(ea);
+ ea.name.s = "void";
+ ea.name.private_length = strlen("void") + 1;
+ ea.value = data_blob_string_const("testme");
+
+ ZERO_STRUCT(sfinfo);
+ sfinfo.generic.level = RAW_SFILEINFO_FULL_EA_INFORMATION;
+ sfinfo.generic.in.file.handle = h1;
+ sfinfo.full_ea_information.in.eas.num_eas = 1;
+ sfinfo.full_ea_information.in.eas.eas = &ea;
+
+ status = smb2_setinfo_file(tree, &sfinfo);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "Setting EA should faild\n");
+
+ /*
+ * 2. Verify NT ACL EA is not listed
+ */
+ ZERO_STRUCT(finfo);
+ finfo.generic.level = RAW_FILEINFO_SMB2_ALL_EAS;
+ finfo.generic.in.file.handle = h1;
+
+ status = smb2_getinfo_file(tree, tctx, &finfo);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "torture_smb2_testdir\n");
+
+ if (find_returned_ea(&finfo, xattr_name)) {
+ torture_result(tctx, TORTURE_FAIL,
+ "%s: NTACL EA leaked\n",
+ __location__);
+ ret = false;
+ goto done;
+ }
+
+ /*
+ * 3. Try to set EA, should fail
+ */
+ ZERO_STRUCT(ea);
+ ea.name.s = xattr_name;
+ ea.name.private_length = strlen(xattr_name) + 1;
+ ea.value = data_blob_string_const("testme");
+
+ ZERO_STRUCT(sfinfo);
+ sfinfo.generic.level = RAW_SFILEINFO_FULL_EA_INFORMATION;
+ sfinfo.generic.in.file.handle = h1;
+ sfinfo.full_ea_information.in.eas.num_eas = 1;
+ sfinfo.full_ea_information.in.eas.eas = &ea;
+
+ status = smb2_setinfo_file(tree, &sfinfo);
+ torture_assert_ntstatus_equal_goto(
+ tctx, status, NT_STATUS_ACCESS_DENIED,
+ ret, done, "Setting EA should fail\n");
+
+done:
+ if (!smb2_util_handle_empty(h1)) {
+ smb2_util_close(tree, h1);
+ }
+
+ smb2_deltree(tree, BASEDIR);
+
+ return ret;
+}
+
+struct torture_suite *torture_smb2_ea(TALLOC_CTX *ctx)
+{
+ struct torture_suite *suite = torture_suite_create(ctx, "ea");
+ suite->description = talloc_strdup(suite, "SMB2-EA tests");
+
+ torture_suite_add_1smb2_test(suite, "acl_xattr", torture_smb2_acl_xattr);
+
+ return suite;
+}
git.samba.org / samba.git / commitdiff