cifs: get mode bits from special sid on stat

When mounting with "modefromsid" retrieve mode bits from
special SID (S-1-5-88-3) on stat.  Subsequent patch will fix
setattr (chmod) to save mode bits in S-1-5-88-3-<mode>

Note that when an ACE matching S-1-5-88-3 is not found, we
default the mode to an approximation based on the owner, group
and everyone permissions (as with the "cifsacl" mount option).

See See e.g.
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh509017(v=ws.10)

Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
index 1d377b7f286055fa0b8c2117c89f843704fb9c3c..7fe4509e6c03cfaeb6b18466bb6dfba34cec1250 100644 (file)
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -701,10 +701,9 @@ static void dump_ace(struct cifs_ace *pace, char *end_of_acl)
 }
 #endif
 
-
 static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
                       struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
-                      struct cifs_fattr *fattr)
+                      struct cifs_fattr *fattr, bool mode_from_special_sid)
 {
        int i;
        int num_aces = 0;
@@ -757,22 +756,34 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
 #ifdef CONFIG_CIFS_DEBUG2
                        dump_ace(ppace[i], end_of_acl);
 #endif
-                       if (compare_sids(&(ppace[i]->sid), pownersid) == 0)
+                       if (mode_from_special_sid &&
+                           (compare_sids(&(ppace[i]->sid),
+                                         &sid_unix_NFS_mode) == 0)) {
+                               /*
+                                * Full permissions are:
+                                * 07777 = S_ISUID | S_ISGID | S_ISVTX |
+                                *         S_IRWXU | S_IRWXG | S_IRWXO
+                                */
+                               fattr->cf_mode &= ~07777;
+                               fattr->cf_mode |=
+                                       le32_to_cpu(ppace[i]->sid.sub_auth[2]);
+                               break;
+                       } else if (compare_sids(&(ppace[i]->sid), pownersid) == 0)
                                access_flags_to_mode(ppace[i]->access_req,
                                                     ppace[i]->type,
                                                     &fattr->cf_mode,
                                                     &user_mask);
-                       if (compare_sids(&(ppace[i]->sid), pgrpsid) == 0)
+                       else if (compare_sids(&(ppace[i]->sid), pgrpsid) == 0)
                                access_flags_to_mode(ppace[i]->access_req,
                                                     ppace[i]->type,
                                                     &fattr->cf_mode,
                                                     &group_mask);
-                       if (compare_sids(&(ppace[i]->sid), &sid_everyone) == 0)
+                       else if (compare_sids(&(ppace[i]->sid), &sid_everyone) == 0)
                                access_flags_to_mode(ppace[i]->access_req,
                                                     ppace[i]->type,
                                                     &fattr->cf_mode,
                                                     &other_mask);
-                       if (compare_sids(&(ppace[i]->sid), &sid_authusers) == 0)
+                       else if (compare_sids(&(ppace[i]->sid), &sid_authusers) == 0)
                                access_flags_to_mode(ppace[i]->access_req,
                                                     ppace[i]->type,
                                                     &fattr->cf_mode,
@@ -851,7 +862,8 @@ static int parse_sid(struct cifs_sid *psid, char *end_of_acl)
 
 /* Convert CIFS ACL to POSIX form */
 static int parse_sec_desc(struct cifs_sb_info *cifs_sb,
-               struct cifs_ntsd *pntsd, int acl_len, struct cifs_fattr *fattr)
+               struct cifs_ntsd *pntsd, int acl_len, struct cifs_fattr *fattr,
+               bool get_mode_from_special_sid)
 {
        int rc = 0;
        struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
@@ -900,7 +912,7 @@ static int parse_sec_desc(struct cifs_sb_info *cifs_sb,
 
        if (dacloffset)
                parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
-                          group_sid_ptr, fattr);
+                          group_sid_ptr, fattr, get_mode_from_special_sid);
        else
                cifs_dbg(FYI, "no ACL\n"); /* BB grant all or default perms? */
 
@@ -1128,8 +1140,8 @@ out:
 /* Translate the CIFS ACL (similar to NTFS ACL) for a file into mode bits */
 int
 cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr,
-                 struct inode *inode, const char *path,
-                 const struct cifs_fid *pfid)
+                 struct inode *inode, bool mode_from_special_sid,
+                 const char *path, const struct cifs_fid *pfid)
 {
        struct cifs_ntsd *pntsd = NULL;
        u32 acllen = 0;
@@ -1156,8 +1168,11 @@ cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr,
        if (IS_ERR(pntsd)) {
                rc = PTR_ERR(pntsd);
                cifs_dbg(VFS, "%s: error %d getting sec desc\n", __func__, rc);
+       } else if (mode_from_special_sid) {
+               rc = parse_sec_desc(cifs_sb, pntsd, acllen, fattr, true);
        } else {
-               rc = parse_sec_desc(cifs_sb, pntsd, acllen, fattr);
+               /* get approximated mode from ACL */
+               rc = parse_sec_desc(cifs_sb, pntsd, acllen, fattr, false);
                kfree(pntsd);
                if (rc)
                        cifs_dbg(VFS, "parse sec desc failed rc = %d\n", rc);

diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
index 592a6cea2b79f52df986bd9df7c1dcced837ccdd..dd75746e60cd2fe9d2cae59dc8ce9db4df3377db 100644 (file)
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -197,6 +197,7 @@ extern int cifs_rename_pending_delete(const char *full_path,
                                      const unsigned int xid);
 extern int cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb,
                              struct cifs_fattr *fattr, struct inode *inode,
+                             bool get_mode_from_special_sid,
                              const char *path, const struct cifs_fid *pfid);
 extern int id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64,
                                        kuid_t, kgid_t);

diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index 56ca4b8ccabac909abc312602506020363b52948..c1e620ebcf7c1898eebac1452f3d9ab7c4b2ed70 100644 (file)
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -893,8 +893,17 @@ cifs_get_inode_info(struct inode **inode, const char *full_path,
        }
 
        /* fill in 0777 bits from ACL */
-       if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_CIFS_ACL) {
-               rc = cifs_acl_to_fattr(cifs_sb, &fattr, *inode, full_path, fid);
+       if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MODE_FROM_SID) {
+               rc = cifs_acl_to_fattr(cifs_sb, &fattr, *inode, true,
+                                      full_path, fid);
+               if (rc) {
+                       cifs_dbg(FYI, "%s: Get mode from SID failed. rc=%d\n",
+                               __func__, rc);
+                       goto cgii_exit;
+               }
+       } else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_CIFS_ACL) {
+               rc = cifs_acl_to_fattr(cifs_sb, &fattr, *inode, false,
+                                      full_path, fid);
                if (rc) {
                        cifs_dbg(FYI, "%s: Getting ACL failed with error: %d\n",
                                 __func__, rc);