1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. 24 * Copyright 2020 Tintri by DDN, Inc. All rights reserved. 25 * Copyright 2022 RackTop Systems, Inc. 26 */ 27 28 /* 29 * This module provides the common open functionality to the various 30 * open and create SMB interface functions. 31 */ 32 33 #include <sys/types.h> 34 #include <sys/cmn_err.h> 35 #include <sys/fcntl.h> 36 #include <sys/nbmlock.h> 37 #include <smbsrv/string.h> 38 #include <smbsrv/smb2_kproto.h> 39 #include <smbsrv/smb_fsops.h> 40 #include <smbsrv/smbinfo.h> 41 42 int smb_session_ofile_max = 32768; 43 44 extern uint32_t smb_is_executable(char *); 45 static void smb_delete_new_object(smb_request_t *); 46 static int smb_set_open_attributes(smb_request_t *, smb_ofile_t *); 47 48 /* 49 * smb_access_generic_to_file 50 * 51 * Search MSDN for IoCreateFile to see following mapping. 52 * 53 * GENERIC_READ STANDARD_RIGHTS_READ, FILE_READ_DATA, 54 * FILE_READ_ATTRIBUTES and FILE_READ_EA 55 * 56 * GENERIC_WRITE STANDARD_RIGHTS_WRITE, FILE_WRITE_DATA, 57 * FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, and FILE_APPEND_DATA 58 * 59 * GENERIC_EXECUTE STANDARD_RIGHTS_EXECUTE, SYNCHRONIZE, and FILE_EXECUTE. 60 */ 61 static uint32_t 62 smb_access_generic_to_file(uint32_t desired_access) 63 { 64 uint32_t access = 0; 65 66 if (desired_access & GENERIC_ALL) 67 return (FILE_ALL_ACCESS & ~SYNCHRONIZE); 68 69 if (desired_access & GENERIC_EXECUTE) { 70 desired_access &= ~GENERIC_EXECUTE; 71 access |= (STANDARD_RIGHTS_EXECUTE | 72 SYNCHRONIZE | FILE_EXECUTE); 73 } 74 75 if (desired_access & GENERIC_WRITE) { 76 desired_access &= ~GENERIC_WRITE; 77 access |= (FILE_GENERIC_WRITE & ~SYNCHRONIZE); 78 } 79 80 if (desired_access & GENERIC_READ) { 81 desired_access &= ~GENERIC_READ; 82 access |= FILE_GENERIC_READ; 83 } 84 85 return (access | desired_access); 86 } 87 88 /* 89 * smb_omode_to_amask 90 * 91 * This function converts open modes used by Open and Open AndX 92 * commands to desired access bits used by NT Create AndX command. 93 */ 94 uint32_t 95 smb_omode_to_amask(uint32_t desired_access) 96 { 97 switch (desired_access & SMB_DA_ACCESS_MASK) { 98 case SMB_DA_ACCESS_READ: 99 return (FILE_GENERIC_READ); 100 101 case SMB_DA_ACCESS_WRITE: 102 return (FILE_GENERIC_WRITE); 103 104 case SMB_DA_ACCESS_READ_WRITE: 105 return (FILE_GENERIC_READ | FILE_GENERIC_WRITE); 106 107 case SMB_DA_ACCESS_EXECUTE: 108 return (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE); 109 110 default: 111 return (FILE_GENERIC_ALL); 112 } 113 } 114 115 /* 116 * smb_denymode_to_sharemode 117 * 118 * This function converts deny modes used by Open and Open AndX 119 * commands to share access bits used by NT Create AndX command. 120 */ 121 uint32_t 122 smb_denymode_to_sharemode(uint32_t desired_access, char *fname) 123 { 124 switch (desired_access & SMB_DA_SHARE_MASK) { 125 case SMB_DA_SHARE_COMPATIBILITY: 126 if (smb_is_executable(fname)) 127 return (FILE_SHARE_READ | FILE_SHARE_WRITE); 128 129 return (FILE_SHARE_ALL); 130 131 case SMB_DA_SHARE_EXCLUSIVE: 132 return (FILE_SHARE_NONE); 133 134 case SMB_DA_SHARE_DENY_WRITE: 135 return (FILE_SHARE_READ); 136 137 case SMB_DA_SHARE_DENY_READ: 138 return (FILE_SHARE_WRITE); 139 140 case SMB_DA_SHARE_DENY_NONE: 141 default: 142 return (FILE_SHARE_READ | FILE_SHARE_WRITE); 143 } 144 } 145 146 /* 147 * smb_ofun_to_crdisposition 148 * 149 * This function converts open function values used by Open and Open AndX 150 * commands to create disposition values used by NT Create AndX command. 151 */ 152 uint32_t 153 smb_ofun_to_crdisposition(uint16_t ofun) 154 { 155 static int ofun_cr_map[3][2] = 156 { 157 { -1, FILE_CREATE }, 158 { FILE_OPEN, FILE_OPEN_IF }, 159 { FILE_OVERWRITE, FILE_OVERWRITE_IF } 160 }; 161 162 int row = ofun & SMB_OFUN_OPEN_MASK; 163 int col = (ofun & SMB_OFUN_CREATE_MASK) >> 4; 164 165 if (row == 3) 166 return (FILE_MAXIMUM_DISPOSITION + 1); 167 168 return (ofun_cr_map[row][col]); 169 } 170 171 /* 172 * smb_common_open 173 * 174 * Notes on write-through behaviour. It looks like pre-LM0.12 versions 175 * of the protocol specify the write-through mode when a file is opened, 176 * (SmbOpen, SmbOpenAndX) so the write calls (SmbWrite, SmbWriteAndClose, 177 * SmbWriteAndUnlock) don't need to contain a write-through flag. 178 * 179 * With LM0.12, the open calls (SmbCreateAndX, SmbNtTransactCreate) 180 * don't indicate which write-through mode to use. Instead the write 181 * calls (SmbWriteAndX, SmbWriteRaw) specify the mode on a per call 182 * basis. 183 * 184 * We don't care which open call was used to get us here, we just need 185 * to ensure that the write-through mode flag is copied from the open 186 * parameters to the node. We test the omode write-through flag in all 187 * write functions. 188 * 189 * This function returns NT status codes. 190 * 191 * The following rules apply when processing a file open request: 192 * 193 * - Oplocks must be broken prior to share checking as the break may 194 * cause other clients to close the file, which would affect sharing 195 * checks. 196 * 197 * - Share checks must take place prior to access checks for correct 198 * Windows semantics and to prevent unnecessary NFS delegation recalls. 199 * 200 * - Oplocks must be acquired after open to ensure the correct 201 * synchronization with NFS delegation and FEM installation. 202 * 203 * DOS readonly bit rules 204 * 205 * 1. The creator of a readonly file can write to/modify the size of the file 206 * using the original create fid, even though the file will appear as readonly 207 * to all other fids and via a CIFS getattr call. 208 * 209 * 2. A setinfo operation (using either an open fid or a path) to set/unset 210 * readonly will be successful regardless of whether a creator of a readonly 211 * file has an open fid. 212 * 213 * 3. The DOS readonly bit affects only data and some metadata. 214 * The following metadata can be changed regardless of the readonly bit: 215 * - security descriptors 216 * - DOS attributes 217 * - timestamps 218 * 219 * In the current implementation, the file size cannot be changed (except for 220 * the exceptions in #1 and #2, above). 221 * 222 * 223 * DOS attribute rules 224 * 225 * These rules are specific to creating / opening files and directories. 226 * How the attribute value (specifically ZERO or FILE_ATTRIBUTE_NORMAL) 227 * should be interpreted may differ in other requests. 228 * 229 * - An attribute value equal to ZERO or FILE_ATTRIBUTE_NORMAL means that the 230 * file's attributes should be cleared. 231 * - If FILE_ATTRIBUTE_NORMAL is specified with any other attributes, 232 * FILE_ATTRIBUTE_NORMAL is ignored. 233 * 234 * 1. Creating a new file 235 * - The request attributes + FILE_ATTRIBUTE_ARCHIVE are applied to the file. 236 * 237 * 2. Creating a new directory 238 * - The request attributes + FILE_ATTRIBUTE_DIRECTORY are applied to the file. 239 * - FILE_ATTRIBUTE_ARCHIVE does not get set. 240 * 241 * 3. Overwriting an existing file 242 * - the request attributes are used as search attributes. If the existing 243 * file does not meet the search criteria access is denied. 244 * - otherwise, applies attributes + FILE_ATTRIBUTE_ARCHIVE. 245 * 246 * 4. Opening an existing file or directory 247 * The request attributes are ignored. 248 */ 249 uint32_t 250 smb_common_open(smb_request_t *sr) 251 { 252 smb_server_t *sv = sr->sr_server; 253 smb_tree_t *tree = sr->tid_tree; 254 smb_node_t *fnode = NULL; 255 smb_node_t *dnode = NULL; 256 smb_node_t *cur_node = NULL; 257 smb_node_t *tmp_node = NULL; 258 smb_arg_open_t *op = &sr->sr_open; 259 smb_pathname_t *pn = &op->fqi.fq_path; 260 smb_ofile_t *of = NULL; 261 smb_attr_t new_attr; 262 hrtime_t shrlock_t0; 263 int max_requested = 0; 264 uint32_t max_allowed; 265 uint32_t status = NT_STATUS_SUCCESS; 266 int is_dir; 267 int rc; 268 boolean_t is_stream = B_FALSE; 269 int lookup_flags = SMB_FOLLOW_LINKS; 270 uint32_t uniq_fid = 0; 271 uint16_t tree_fid = 0; 272 boolean_t created = B_FALSE; 273 boolean_t last_comp_found = B_FALSE; 274 boolean_t stream_found = B_FALSE; 275 boolean_t opening_incr = B_FALSE; 276 boolean_t dnode_held = B_FALSE; 277 boolean_t dnode_wlock = B_FALSE; 278 boolean_t fnode_held = B_FALSE; 279 boolean_t fnode_wlock = B_FALSE; 280 boolean_t fnode_shrlk = B_FALSE; 281 boolean_t did_open = B_FALSE; 282 boolean_t did_break_handle = B_FALSE; 283 boolean_t did_cleanup_orphans = B_FALSE; 284 char *sname = NULL; 285 286 /* Get out now if we've been cancelled. */ 287 mutex_enter(&sr->sr_mutex); 288 if (sr->sr_state != SMB_REQ_STATE_ACTIVE) { 289 mutex_exit(&sr->sr_mutex); 290 return (NT_STATUS_CANCELLED); 291 } 292 mutex_exit(&sr->sr_mutex); 293 294 is_dir = (op->create_options & FILE_DIRECTORY_FILE) ? 1 : 0; 295 296 /* 297 * If the object being created or opened is a directory 298 * the Disposition parameter must be one of FILE_CREATE, 299 * FILE_OPEN, or FILE_OPEN_IF 300 */ 301 if (is_dir) { 302 if ((op->create_disposition != FILE_CREATE) && 303 (op->create_disposition != FILE_OPEN_IF) && 304 (op->create_disposition != FILE_OPEN)) { 305 return (NT_STATUS_INVALID_PARAMETER); 306 } 307 } 308 309 if (op->desired_access & MAXIMUM_ALLOWED) { 310 max_requested = 1; 311 op->desired_access &= ~MAXIMUM_ALLOWED; 312 } 313 op->desired_access = smb_access_generic_to_file(op->desired_access); 314 315 if (sr->session->s_file_cnt >= smb_session_ofile_max) { 316 ASSERT(sr->uid_user); 317 cmn_err(CE_NOTE, "smbsrv[%s\\%s]: TOO_MANY_OPENED_FILES", 318 sr->uid_user->u_domain, sr->uid_user->u_name); 319 return (NT_STATUS_TOO_MANY_OPENED_FILES); 320 } 321 322 if (smb_idpool_alloc(&tree->t_fid_pool, &tree_fid)) 323 return (NT_STATUS_TOO_MANY_OPENED_FILES); 324 325 /* This must be NULL at this point */ 326 sr->fid_ofile = NULL; 327 328 op->devstate = 0; 329 330 switch (sr->tid_tree->t_res_type & STYPE_MASK) { 331 case STYPE_DISKTREE: 332 case STYPE_PRINTQ: 333 break; 334 335 case STYPE_IPC: 336 /* 337 * Security descriptors for pipes are not implemented, 338 * so just setup a reasonable access mask. 339 */ 340 op->desired_access = (READ_CONTROL | SYNCHRONIZE | 341 FILE_READ_DATA | FILE_READ_ATTRIBUTES | 342 FILE_WRITE_DATA | FILE_APPEND_DATA); 343 344 /* 345 * Limit the number of open pipe instances. 346 */ 347 if ((rc = smb_threshold_enter(&sv->sv_opipe_ct)) != 0) { 348 status = RPC_NT_SERVER_TOO_BUSY; 349 goto errout; 350 } 351 352 /* 353 * Most of IPC open is handled in smb_opipe_open() 354 */ 355 op->create_options = 0; 356 of = smb_ofile_alloc(sr, op, NULL, SMB_FTYPE_MESG_PIPE, 357 tree_fid); 358 tree_fid = 0; // given to the ofile 359 status = smb_opipe_open(sr, of); 360 smb_threshold_exit(&sv->sv_opipe_ct); 361 if (status != NT_STATUS_SUCCESS) 362 goto errout; 363 return (NT_STATUS_SUCCESS); 364 365 default: 366 status = NT_STATUS_BAD_DEVICE_TYPE; 367 goto errout; 368 } 369 370 smb_pathname_init(sr, pn, pn->pn_path); 371 if (!smb_pathname_validate(sr, pn)) { 372 status = sr->smb_error.status; 373 goto errout; 374 } 375 376 if (strlen(pn->pn_path) >= SMB_MAXPATHLEN) { 377 status = NT_STATUS_OBJECT_PATH_INVALID; 378 goto errout; 379 } 380 381 if (is_dir) { 382 if (!smb_validate_dirname(sr, pn)) { 383 status = sr->smb_error.status; 384 goto errout; 385 } 386 } else { 387 if (!smb_validate_object_name(sr, pn)) { 388 status = sr->smb_error.status; 389 goto errout; 390 } 391 } 392 393 cur_node = op->fqi.fq_dnode ? 394 op->fqi.fq_dnode : sr->tid_tree->t_snode; 395 396 rc = smb_pathname_reduce(sr, sr->user_cr, pn->pn_path, 397 sr->tid_tree->t_snode, cur_node, &op->fqi.fq_dnode, 398 op->fqi.fq_last_comp); 399 if (rc != 0) { 400 status = smb_errno2status(rc); 401 goto errout; 402 } 403 dnode = op->fqi.fq_dnode; 404 dnode_held = B_TRUE; 405 406 /* 407 * Lock the parent dir node in case another create 408 * request to the same parent directory comes in. 409 * Drop this once either lookup succeeds, or we've 410 * created the object in this directory. 411 */ 412 smb_node_wrlock(dnode); 413 dnode_wlock = B_TRUE; 414 415 /* 416 * If the access mask has only DELETE set (ignore 417 * FILE_READ_ATTRIBUTES), then assume that this 418 * is a request to delete the link (if a link) 419 * and do not follow links. Otherwise, follow 420 * the link to the target. 421 */ 422 if ((op->desired_access & ~FILE_READ_ATTRIBUTES) == DELETE) 423 lookup_flags &= ~SMB_FOLLOW_LINKS; 424 425 /* 426 * Lookup *just* the file portion of the name. 427 * Returns stream name in sname, which this allocates 428 */ 429 rc = smb_fsop_lookup_file(sr, zone_kcred(), lookup_flags, 430 sr->tid_tree->t_snode, op->fqi.fq_dnode, op->fqi.fq_last_comp, 431 &sname, &op->fqi.fq_fnode); 432 433 if (rc == 0) { 434 last_comp_found = B_TRUE; 435 fnode = op->fqi.fq_fnode; 436 fnode_held = B_TRUE; 437 438 /* 439 * Need the DOS attributes below, where we 440 * check the search attributes (sattr). 441 * Also UID, for owner check below. 442 */ 443 op->fqi.fq_fattr.sa_mask = SMB_AT_DOSATTR | SMB_AT_UID; 444 rc = smb_node_getattr(sr, op->fqi.fq_fnode, zone_kcred(), 445 NULL, &op->fqi.fq_fattr); 446 if (rc != 0) { 447 status = NT_STATUS_INTERNAL_ERROR; 448 goto errout; 449 } 450 } else if (rc == ENOENT) { 451 last_comp_found = B_FALSE; 452 op->fqi.fq_fnode = NULL; 453 rc = 0; 454 } else { 455 status = smb_errno2status(rc); 456 goto errout; 457 } 458 459 if (last_comp_found) { 460 461 fnode = op->fqi.fq_fnode; 462 dnode = op->fqi.fq_dnode; 463 464 if (!smb_node_is_file(fnode) && 465 !smb_node_is_dir(fnode) && 466 !smb_node_is_symlink(fnode)) { 467 status = NT_STATUS_ACCESS_DENIED; 468 goto errout; 469 } 470 471 /* 472 * Reject this request if either: 473 * - the target IS a directory and the client requires that 474 * it must NOT be (required by Lotus Notes) 475 * - the target is NOT a directory and client requires that 476 * it MUST be. 477 * Streams are never directories. 478 */ 479 if (smb_node_is_dir(fnode) && sname == NULL) { 480 if (op->create_options & FILE_NON_DIRECTORY_FILE) { 481 status = NT_STATUS_FILE_IS_A_DIRECTORY; 482 goto errout; 483 } 484 } else { 485 if ((op->create_options & FILE_DIRECTORY_FILE) || 486 (op->nt_flags & NT_CREATE_FLAG_OPEN_TARGET_DIR)) { 487 status = NT_STATUS_NOT_A_DIRECTORY; 488 goto errout; 489 } 490 } 491 492 /* If we're given a stream name, look it up now */ 493 if (sname != NULL) { 494 tmp_node = fnode; 495 rc = smb_fsop_lookup_stream(sr, zone_kcred(), 496 lookup_flags, sr->tid_tree->t_snode, fnode, sname, 497 &fnode); 498 } else { 499 rc = 0; 500 } 501 502 if (rc == 0) { /* Stream Exists (including unnamed stream) */ 503 stream_found = B_TRUE; 504 smb_node_unlock(dnode); 505 dnode_wlock = B_FALSE; 506 507 if (tmp_node != NULL) 508 smb_node_release(tmp_node); 509 510 /* 511 * No more open should be accepted when 512 * "Delete on close" flag is set. 513 */ 514 if (fnode->flags & NODE_FLAGS_DELETE_ON_CLOSE) { 515 status = NT_STATUS_DELETE_PENDING; 516 goto errout; 517 } 518 519 /* 520 * Specified file already exists 521 * so the operation should fail. 522 */ 523 if (op->create_disposition == FILE_CREATE) { 524 status = NT_STATUS_OBJECT_NAME_COLLISION; 525 goto errout; 526 } 527 528 if ((op->create_disposition == FILE_SUPERSEDE) || 529 (op->create_disposition == FILE_OVERWRITE_IF) || 530 (op->create_disposition == FILE_OVERWRITE)) { 531 532 if (sname == NULL) { 533 if (!smb_sattr_check( 534 op->fqi.fq_fattr.sa_dosattr, 535 op->dattr)) { 536 status = 537 NT_STATUS_ACCESS_DENIED; 538 goto errout; 539 } 540 op->desired_access |= 541 FILE_WRITE_ATTRIBUTES; 542 } 543 544 if (smb_node_is_dir(fnode)) { 545 status = NT_STATUS_ACCESS_DENIED; 546 goto errout; 547 } 548 } 549 550 /* MS-FSA 2.1.5.1.2 */ 551 if (op->create_disposition == FILE_SUPERSEDE) 552 op->desired_access |= DELETE; 553 if ((op->create_disposition == FILE_OVERWRITE_IF) || 554 (op->create_disposition == FILE_OVERWRITE)) 555 op->desired_access |= FILE_WRITE_DATA; 556 } else if (rc == ENOENT) { /* File Exists, but Stream doesn't */ 557 if (op->create_disposition == FILE_OPEN || 558 op->create_disposition == FILE_OVERWRITE) { 559 status = NT_STATUS_OBJECT_NAME_NOT_FOUND; 560 goto errout; 561 } 562 563 op->desired_access |= FILE_WRITE_DATA; 564 } else { /* Error looking up stream */ 565 status = smb_errno2status(rc); 566 fnode = tmp_node; 567 goto errout; 568 } 569 570 /* 571 * Windows seems to check read-only access before file 572 * sharing check. 573 * 574 * Check to see if the file is currently readonly (regardless 575 * of whether this open will make it readonly). 576 * Readonly is ignored on directories. 577 */ 578 if (SMB_PATHFILE_IS_READONLY(sr, fnode) && 579 !smb_node_is_dir(fnode)) { 580 if (op->desired_access & 581 (FILE_WRITE_DATA | FILE_APPEND_DATA)) { 582 status = NT_STATUS_ACCESS_DENIED; 583 goto errout; 584 } 585 if (op->create_options & FILE_DELETE_ON_CLOSE) { 586 status = NT_STATUS_CANNOT_DELETE; 587 goto errout; 588 } 589 } 590 591 /* Dataset roots can't be deleted, so don't set DOC */ 592 if ((op->create_options & FILE_DELETE_ON_CLOSE) != 0 && 593 (fnode->flags & NODE_FLAGS_VFSROOT) != 0) { 594 status = NT_STATUS_CANNOT_DELETE; 595 goto errout; 596 } 597 598 status = smb_fsop_access(sr, sr->user_cr, fnode, 599 op->desired_access); 600 601 if (status != NT_STATUS_SUCCESS) 602 goto errout; 603 604 if (max_requested) { 605 smb_fsop_eaccess(sr, sr->user_cr, fnode, &max_allowed); 606 op->desired_access |= max_allowed; 607 } 608 609 /* 610 * File owner should always get read control + read attr. 611 */ 612 if (crgetuid(sr->user_cr) == op->fqi.fq_fattr.sa_vattr.va_uid) 613 op->desired_access |= 614 (READ_CONTROL | FILE_READ_ATTRIBUTES); 615 616 /* 617 * According to MS "dochelp" mail in Mar 2015, any handle 618 * on which read or write access is granted implicitly 619 * gets "read attributes", even if it was not requested. 620 */ 621 if ((op->desired_access & FILE_DATA_ALL) != 0) 622 op->desired_access |= FILE_READ_ATTRIBUTES; 623 624 /* If the stream didn't exist, create it now */ 625 if (!stream_found) { 626 smb_node_t *tmp_node = fnode; 627 628 bzero(&new_attr, sizeof (new_attr)); 629 new_attr.sa_vattr.va_type = VREG; 630 new_attr.sa_vattr.va_mode = S_IRUSR; 631 new_attr.sa_mask |= SMB_AT_TYPE | SMB_AT_MODE; 632 633 rc = smb_fsop_create_stream(sr, sr->user_cr, dnode, 634 fnode, sname, lookup_flags, &new_attr, &fnode); 635 smb_node_release(tmp_node); 636 637 if (rc != 0) { 638 status = smb_errno2status(rc); 639 fnode_held = B_FALSE; 640 goto errout; 641 } 642 op->action_taken = SMB_OACT_CREATED; 643 created = B_TRUE; 644 645 smb_node_unlock(dnode); 646 dnode_wlock = B_FALSE; 647 } 648 649 /* 650 * Oplock break is done prior to sharing checks as the break 651 * may cause other clients to close the file which would 652 * affect the sharing checks, and may delete the file due to 653 * DELETE_ON_CLOSE. This may block, so set the file opening 654 * count before oplock stuff. 655 * 656 * Need the "proposed" ofile (and its TargetOplockKey) for 657 * correct oplock break semantics. 658 */ 659 of = smb_ofile_alloc(sr, op, fnode, SMB_FTYPE_DISK, 660 tree_fid); 661 tree_fid = 0; // given to the ofile 662 uniq_fid = of->f_uniqid; 663 664 smb_node_inc_opening_count(fnode); 665 opening_incr = B_TRUE; 666 667 if (!stream_found) { 668 /* 669 * Stake our Share Access claim. 670 */ 671 smb_node_wrlock(fnode); 672 fnode_wlock = B_TRUE; 673 674 status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid, 675 op->desired_access, op->share_access); 676 if (status != 0) 677 goto errout; 678 679 fnode_shrlk = B_TRUE; 680 smb_node_unlock(fnode); 681 fnode_wlock = B_FALSE; 682 goto stream_created; 683 } 684 685 /* 686 * XXX Supposed to do share access checks next. 687 * [MS-FSA] describes that as part of access check: 688 * 2.1.5.1.2.1 Alg... Check Access to an Existing File 689 * 690 * If CreateDisposition is FILE_OPEN or FILE_OPEN_IF: 691 * If Open.Stream.Oplock is not empty and 692 * Open.Stream.Oplock.State contains BATCH_OPLOCK, 693 * the object store MUST check for an oplock 694 * break according to the algorithm in section 2.1.4.12, 695 * with input values as follows: 696 * Open equal to this operation's Open 697 * Oplock equal to Open.Stream.Oplock 698 * Operation equal to "OPEN" 699 * OpParams containing two members: 700 * DesiredAccess, CreateDisposition 701 * 702 * It's not clear how Windows would ask the FS layer if 703 * the file has a BATCH oplock. We'll use a call to the 704 * common oplock code, which calls smb_oplock_break_OPEN 705 * only if the oplock state contains BATCH_OPLOCK. 706 * See: smb_oplock_break_BATCH() 707 * 708 * Also note: There's a nearly identical section in the 709 * spec. at the start of the "else" part of the above 710 * "if (disposition is overwrite, overwrite_if)" so this 711 * section (oplock break, the share mode check, and the 712 * next oplock_break_HANDLE) are all factored out to be 713 * in all cases above that if/else from the spec. 714 */ 715 status = smb_oplock_break_BATCH(fnode, of, 716 op->desired_access, op->create_disposition); 717 if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) { 718 if (sr->session->dialect >= SMB_VERS_2_BASE) 719 (void) smb2sr_go_async(sr); 720 status = smb_oplock_wait_break(sr, fnode, 0); 721 } 722 if (status != NT_STATUS_SUCCESS) 723 goto errout; 724 725 /* 726 * Check for sharing violations, and if any, 727 * do oplock break of handle caching. 728 * 729 * Need node_wrlock during shrlock checks, 730 * and not locked during oplock breaks etc. 731 */ 732 shrlock_t0 = gethrtime(); 733 shrlock_again: 734 smb_node_wrlock(fnode); 735 fnode_wlock = B_TRUE; 736 status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid, 737 op->desired_access, op->share_access); 738 smb_node_unlock(fnode); 739 fnode_wlock = B_FALSE; 740 741 /* 742 * [MS-FSA] "OPEN_BREAK_H" 743 * If the (proposed) new open would violate sharing rules, 744 * indicate an oplock break with OPEN_BREAK_H (to break 745 * handle level caching rights) then try again. 746 */ 747 if (status == NT_STATUS_SHARING_VIOLATION && 748 did_break_handle == B_FALSE) { 749 did_break_handle = B_TRUE; 750 751 status = smb_oplock_break_HANDLE(fnode, of); 752 if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) { 753 if (sr->session->dialect >= SMB_VERS_2_BASE) 754 (void) smb2sr_go_async(sr); 755 status = smb_oplock_wait_break(sr, fnode, 0); 756 } else { 757 /* 758 * Even when the oplock layer does NOT 759 * give us the special status indicating 760 * we should wait, it may have scheduled 761 * taskq jobs that may close handles. 762 * Give those a chance to run before we 763 * check again for sharing violations. 764 */ 765 delay(MSEC_TO_TICK(10)); 766 } 767 if (status != NT_STATUS_SUCCESS) 768 goto errout; 769 770 goto shrlock_again; 771 } 772 773 /* 774 * If we still have orphaned durable handles on this file, 775 * let's assume the client has lost interest in those and 776 * close them so they don't cause sharing violations. 777 * See longer comment at smb2_dh_close_my_orphans(). 778 */ 779 if (status == NT_STATUS_SHARING_VIOLATION && 780 sr->session->dialect >= SMB_VERS_2_BASE && 781 did_cleanup_orphans == B_FALSE) { 782 783 did_cleanup_orphans = B_TRUE; 784 smb2_dh_close_my_orphans(sr, of); 785 786 goto shrlock_again; 787 } 788 789 /* 790 * SMB1 expects a 1 sec. delay before returning a 791 * sharing violation error. If breaking oplocks 792 * above took less than a sec, wait some more. 793 * See: smbtorture base.defer_open 794 */ 795 if (status == NT_STATUS_SHARING_VIOLATION && 796 sr->session->dialect < SMB_VERS_2_BASE) { 797 hrtime_t t1 = shrlock_t0 + NANOSEC; 798 hrtime_t now = gethrtime(); 799 if (now < t1) { 800 delay(NSEC_TO_TICK_ROUNDUP(t1 - now)); 801 } 802 } 803 804 if (status != NT_STATUS_SUCCESS) 805 goto errout; 806 fnode_shrlk = B_TRUE; 807 808 /* 809 * The [MS-FSA] spec. describes this oplock break as 810 * part of the sharing access checks. See: 811 * 2.1.5.1.2.2 Algorithm to Check Sharing Access... 812 * At the end of the share mode tests described there, 813 * if it has not returned "sharing violation", it 814 * specifies a call to the alg. in sec. 2.1.4.12, 815 * that boils down to: smb_oplock_break_OPEN() 816 */ 817 status = smb_oplock_break_OPEN(fnode, of, 818 op->desired_access, 819 op->create_disposition); 820 if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) { 821 if (sr->session->dialect >= SMB_VERS_2_BASE) 822 (void) smb2sr_go_async(sr); 823 status = smb_oplock_wait_break(sr, fnode, 0); 824 } 825 if (status != NT_STATUS_SUCCESS) 826 goto errout; 827 828 if ((fnode->flags & NODE_FLAGS_DELETE_COMMITTED) != 0) { 829 /* 830 * Breaking the oplock caused the file to be deleted, 831 * so let's bail and pretend the file wasn't found. 832 * Have to duplicate much of the logic found a the 833 * "errout" label here. 834 * 835 * This code path is exercised by smbtorture 836 * smb2.durable-open.delete_on_close1 837 */ 838 DTRACE_PROBE1(node_deleted, smb_node_t *, fnode); 839 tree_fid = of->f_fid; 840 of->f_fid = 0; 841 smb_ofile_free(of); 842 of = NULL; 843 last_comp_found = B_FALSE; 844 845 /* 846 * Get all the holds and locks into the state 847 * they would have if lookup had failed. 848 */ 849 fnode_shrlk = B_FALSE; 850 smb_fsop_unshrlock(sr->user_cr, fnode, uniq_fid); 851 852 opening_incr = B_FALSE; 853 smb_node_dec_opening_count(fnode); 854 855 fnode_held = B_FALSE; 856 smb_node_release(fnode); 857 858 dnode_wlock = B_TRUE; 859 smb_node_wrlock(dnode); 860 861 goto create; 862 } 863 864 /* 865 * Go ahead with modifications as necessary. 866 */ 867 switch (op->create_disposition) { 868 case FILE_SUPERSEDE: 869 case FILE_OVERWRITE_IF: 870 case FILE_OVERWRITE: 871 bzero(&new_attr, sizeof (new_attr)); 872 if (sname == NULL) { 873 op->dattr |= FILE_ATTRIBUTE_ARCHIVE; 874 /* 875 * Don't apply readonly until 876 * smb_set_open_attributes 877 */ 878 if (op->dattr & FILE_ATTRIBUTE_READONLY) { 879 op->dattr &= ~FILE_ATTRIBUTE_READONLY; 880 op->created_readonly = B_TRUE; 881 } 882 new_attr.sa_dosattr = op->dattr; 883 } else { 884 new_attr.sa_dosattr = FILE_ATTRIBUTE_ARCHIVE; 885 } 886 887 /* 888 * Truncate the file data here. 889 * We set alloc_size = op->dsize later, 890 * after we have an ofile. See: 891 * smb_set_open_attributes 892 */ 893 new_attr.sa_vattr.va_size = 0; 894 new_attr.sa_mask = SMB_AT_DOSATTR | SMB_AT_SIZE; 895 rc = smb_fsop_setattr(sr, sr->user_cr, fnode, 896 &new_attr); 897 if (rc != 0) { 898 status = smb_errno2status(rc); 899 goto errout; 900 } 901 902 /* 903 * If file is being replaced, remove existing streams 904 */ 905 if (SMB_IS_STREAM(fnode) == 0) { 906 status = smb_fsop_remove_streams(sr, 907 sr->user_cr, fnode); 908 if (status != 0) 909 goto errout; 910 } 911 912 op->action_taken = SMB_OACT_TRUNCATED; 913 break; 914 915 default: 916 /* 917 * FILE_OPEN or FILE_OPEN_IF. 918 */ 919 /* 920 * Ignore any user-specified alloc_size for 921 * existing files, to avoid truncation in 922 * smb_set_open_attributes 923 */ 924 op->dsize = 0L; 925 op->action_taken = SMB_OACT_OPENED; 926 break; 927 } 928 } else { 929 create: 930 /* Last component was not found. */ 931 dnode = op->fqi.fq_dnode; 932 933 if (is_dir == 0) 934 is_stream = smb_is_stream_name(pn->pn_path); 935 936 if ((op->create_disposition == FILE_OPEN) || 937 (op->create_disposition == FILE_OVERWRITE)) { 938 status = NT_STATUS_OBJECT_NAME_NOT_FOUND; 939 goto errout; 940 } 941 942 if (is_dir != 0 && 943 (op->dattr & FILE_ATTRIBUTE_TEMPORARY) != 0) { 944 status = NT_STATUS_INVALID_PARAMETER; 945 goto errout; 946 } 947 948 if ((op->dattr & FILE_ATTRIBUTE_READONLY) != 0 && 949 (op->create_options & FILE_DELETE_ON_CLOSE) != 0) { 950 status = NT_STATUS_CANNOT_DELETE; 951 goto errout; 952 } 953 954 if ((op->desired_access & ACCESS_SYSTEM_SECURITY) != 0 && 955 !smb_user_has_security_priv(sr->uid_user, sr->user_cr)) { 956 status = NT_STATUS_ACCESS_DENIED; 957 goto errout; 958 } 959 960 if (pn->pn_fname && smb_is_invalid_filename(pn->pn_fname)) { 961 status = NT_STATUS_OBJECT_NAME_INVALID; 962 goto errout; 963 } 964 965 /* 966 * Don't create in directories marked "Delete on close". 967 */ 968 if (dnode->flags & NODE_FLAGS_DELETE_ON_CLOSE) { 969 status = NT_STATUS_DELETE_PENDING; 970 goto errout; 971 } 972 973 /* 974 * Create always sets the DOS attributes, type, and mode 975 * in the if/else below (different for file vs directory). 976 * Don't set the readonly bit until smb_set_open_attributes 977 * or that would prevent this open. Note that op->dattr 978 * needs to be what smb_set_open_attributes will use, 979 * except for the readonly bit. 980 */ 981 bzero(&new_attr, sizeof (new_attr)); 982 new_attr.sa_mask = SMB_AT_DOSATTR | SMB_AT_TYPE | SMB_AT_MODE; 983 if (op->dattr & FILE_ATTRIBUTE_READONLY) { 984 op->dattr &= ~FILE_ATTRIBUTE_READONLY; 985 op->created_readonly = B_TRUE; 986 } 987 988 /* 989 * SMB create can specify the create time. 990 */ 991 if ((op->crtime.tv_sec != 0) && 992 (op->crtime.tv_sec != UINT_MAX)) { 993 new_attr.sa_mask |= SMB_AT_CRTIME; 994 new_attr.sa_crtime = op->crtime; 995 } 996 997 if (is_dir == 0) { 998 op->dattr |= FILE_ATTRIBUTE_ARCHIVE; 999 new_attr.sa_dosattr = op->dattr; 1000 new_attr.sa_vattr.va_type = VREG; 1001 if (is_stream) 1002 new_attr.sa_vattr.va_mode = S_IRUSR | S_IWUSR; 1003 else 1004 new_attr.sa_vattr.va_mode = 1005 S_IRUSR | S_IRGRP | S_IROTH | 1006 S_IWUSR | S_IWGRP | S_IWOTH; 1007 1008 /* 1009 * We set alloc_size = op->dsize later, 1010 * (in smb_set_open_attributes) after we 1011 * have an ofile on which to save that. 1012 * 1013 * Legacy Open&X sets size to alloc_size 1014 * when creating a new file. 1015 */ 1016 if (sr->smb_com == SMB_COM_OPEN_ANDX) { 1017 new_attr.sa_vattr.va_size = op->dsize; 1018 new_attr.sa_mask |= SMB_AT_SIZE; 1019 } 1020 1021 rc = smb_fsop_create(sr, sr->user_cr, dnode, 1022 op->fqi.fq_last_comp, &new_attr, &op->fqi.fq_fnode); 1023 } else { 1024 op->dattr |= FILE_ATTRIBUTE_DIRECTORY; 1025 new_attr.sa_dosattr = op->dattr; 1026 new_attr.sa_vattr.va_type = VDIR; 1027 new_attr.sa_vattr.va_mode = 0777; 1028 1029 rc = smb_fsop_mkdir(sr, sr->user_cr, dnode, 1030 op->fqi.fq_last_comp, &new_attr, &op->fqi.fq_fnode); 1031 } 1032 if (rc != 0) { 1033 status = smb_errno2status(rc); 1034 goto errout; 1035 } 1036 1037 /* Create done. */ 1038 smb_node_unlock(dnode); 1039 dnode_wlock = B_FALSE; 1040 1041 created = B_TRUE; 1042 op->action_taken = SMB_OACT_CREATED; 1043 1044 /* Note: hold from create */ 1045 fnode = op->fqi.fq_fnode; 1046 fnode_held = B_TRUE; 1047 1048 if (max_requested) { 1049 smb_fsop_eaccess(sr, sr->user_cr, fnode, &max_allowed); 1050 op->desired_access |= max_allowed; 1051 } 1052 /* 1053 * We created this object (we own it) so grant 1054 * read_control + read_attributes on this handle, 1055 * even if that was not requested. This avoids 1056 * unexpected access failures later. 1057 */ 1058 op->desired_access |= (READ_CONTROL | FILE_READ_ATTRIBUTES); 1059 1060 /* Allocate the ofile and fill in most of it. */ 1061 of = smb_ofile_alloc(sr, op, fnode, SMB_FTYPE_DISK, 1062 tree_fid); 1063 tree_fid = 0; // given to the ofile 1064 uniq_fid = of->f_uniqid; 1065 1066 smb_node_inc_opening_count(fnode); 1067 opening_incr = B_TRUE; 1068 1069 /* 1070 * Share access checks... 1071 */ 1072 smb_node_wrlock(fnode); 1073 fnode_wlock = B_TRUE; 1074 1075 status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid, 1076 op->desired_access, op->share_access); 1077 if (status != 0) 1078 goto errout; 1079 fnode_shrlk = B_TRUE; 1080 1081 /* 1082 * MS-FSA 2.1.5.1.1 1083 * If the Oplock member of the DirectoryStream in 1084 * Link.ParentFile.StreamList (ParentOplock) is 1085 * not empty ... oplock break on the parent... 1086 * (dnode is the parent directory) 1087 * 1088 * This compares of->ParentOplockKey with each 1089 * oplock of->TargetOplockKey and breaks... 1090 * so it's OK that we're passing an OF that's 1091 * NOT a member of dnode->n_ofile_list 1092 * 1093 * The break never blocks, so ignore the return. 1094 */ 1095 (void) smb_oplock_break_PARENT(dnode, of); 1096 } 1097 1098 stream_created: 1099 /* 1100 * We might have blocked in smb_oplock_break_OPEN long enough 1101 * so a tree disconnect might have happened. In that case, 1102 * we would be adding an ofile to a tree that's disconnecting, 1103 * which would interfere with tear-down. If so, error out. 1104 */ 1105 if (!smb_tree_is_connected(sr->tid_tree)) { 1106 status = NT_STATUS_INVALID_PARAMETER; 1107 goto errout; 1108 } 1109 1110 /* 1111 * Moved this up from smb_ofile_open() 1112 */ 1113 if ((rc = smb_fsop_open(fnode, of->f_mode, of->f_cr)) != 0) { 1114 status = smb_errno2status(rc); 1115 goto errout; 1116 } 1117 1118 /* 1119 * Complete this open (add to ofile lists) 1120 */ 1121 smb_ofile_open(sr, op, of); 1122 did_open = B_TRUE; 1123 1124 /* 1125 * This MUST be done after ofile creation, so that explicitly 1126 * set timestamps can be remembered on the ofile, and setting 1127 * the readonly flag won't affect access via this open. 1128 */ 1129 if ((rc = smb_set_open_attributes(sr, of)) != 0) { 1130 status = smb_errno2status(rc); 1131 goto errout; 1132 } 1133 1134 /* 1135 * We've already done access checks above, 1136 * and want this call to succeed even when 1137 * !(desired_access & FILE_READ_ATTRIBUTES), 1138 * so pass kcred here. 1139 */ 1140 op->fqi.fq_fattr.sa_mask = SMB_AT_ALL; 1141 (void) smb_node_getattr(sr, fnode, zone_kcred(), of, 1142 &op->fqi.fq_fattr); 1143 1144 /* 1145 * Propagate the write-through mode from the open params 1146 * to the node: see the notes in the function header. 1147 * XXX: write_through should be a flag on the ofile. 1148 */ 1149 if (sr->sr_cfg->skc_sync_enable || 1150 (op->create_options & FILE_WRITE_THROUGH)) 1151 fnode->flags |= NODE_FLAGS_WRITE_THROUGH; 1152 1153 /* 1154 * Set up the fileid and dosattr in open_param for response 1155 */ 1156 op->fileid = op->fqi.fq_fattr.sa_vattr.va_nodeid; 1157 op->dattr = op->fqi.fq_fattr.sa_dosattr; 1158 1159 /* 1160 * Set up the file type in open_param for the response 1161 */ 1162 op->ftype = SMB_FTYPE_DISK; 1163 sr->smb_fid = of->f_fid; 1164 sr->fid_ofile = of; 1165 1166 if (smb_node_is_file(fnode)) { 1167 op->dsize = op->fqi.fq_fattr.sa_vattr.va_size; 1168 } else { 1169 /* directory or symlink */ 1170 op->dsize = 0; 1171 } 1172 1173 /* 1174 * Note: oplock_acquire happens in callers, because 1175 * how that happens is protocol-specific. 1176 */ 1177 1178 if (sname != NULL) 1179 kmem_free(sname, MAXNAMELEN); 1180 if (fnode_wlock) 1181 smb_node_unlock(fnode); 1182 if (opening_incr) 1183 smb_node_dec_opening_count(fnode); 1184 if (fnode_held) 1185 smb_node_release(fnode); 1186 if (dnode_wlock) 1187 smb_node_unlock(dnode); 1188 if (dnode_held) 1189 smb_node_release(dnode); 1190 1191 return (NT_STATUS_SUCCESS); 1192 1193 errout: 1194 if (did_open) { 1195 smb_ofile_close(of, 0); 1196 /* rele via sr->fid_ofile */ 1197 } else if (of != NULL) { 1198 /* No other refs possible */ 1199 smb_ofile_free(of); 1200 } 1201 1202 if (fnode_shrlk) 1203 smb_fsop_unshrlock(sr->user_cr, fnode, uniq_fid); 1204 1205 if (created) { 1206 /* Try to roll-back create. */ 1207 smb_delete_new_object(sr); 1208 } 1209 1210 if (sname != NULL) 1211 kmem_free(sname, MAXNAMELEN); 1212 if (fnode_wlock) 1213 smb_node_unlock(fnode); 1214 if (opening_incr) 1215 smb_node_dec_opening_count(fnode); 1216 if (fnode_held) 1217 smb_node_release(fnode); 1218 if (dnode_wlock) 1219 smb_node_unlock(dnode); 1220 if (dnode_held) 1221 smb_node_release(dnode); 1222 1223 if (tree_fid != 0) 1224 smb_idpool_free(&tree->t_fid_pool, tree_fid); 1225 1226 return (status); 1227 } 1228 1229 /* 1230 * smb_set_open_attributes 1231 * 1232 * Last write time: 1233 * - If the last_write time specified in the open params is not 0 or -1, 1234 * use it as file's mtime. This will be considered an explicitly set 1235 * timestamps, not reset by subsequent writes. 1236 * 1237 * DOS attributes 1238 * - If we created_readonly, we now store the real DOS attributes 1239 * (including the readonly bit) so subsequent opens will see it. 1240 * 1241 * Returns: errno 1242 */ 1243 static int 1244 smb_set_open_attributes(smb_request_t *sr, smb_ofile_t *of) 1245 { 1246 smb_attr_t attr; 1247 smb_arg_open_t *op = &sr->sr_open; 1248 smb_node_t *node = of->f_node; 1249 int rc = 0; 1250 1251 bzero(&attr, sizeof (smb_attr_t)); 1252 1253 if (op->created_readonly) { 1254 attr.sa_dosattr = op->dattr | FILE_ATTRIBUTE_READONLY; 1255 attr.sa_mask |= SMB_AT_DOSATTR; 1256 } 1257 1258 if (op->dsize != 0) { 1259 attr.sa_allocsz = op->dsize; 1260 attr.sa_mask |= SMB_AT_ALLOCSZ; 1261 } 1262 1263 if ((op->mtime.tv_sec != 0) && (op->mtime.tv_sec != UINT_MAX)) { 1264 attr.sa_vattr.va_mtime = op->mtime; 1265 attr.sa_mask |= SMB_AT_MTIME; 1266 } 1267 1268 if (attr.sa_mask != 0) 1269 rc = smb_node_setattr(sr, node, of->f_cr, of, &attr); 1270 1271 return (rc); 1272 } 1273 1274 /* 1275 * This function is used to delete a newly created object (file or 1276 * directory) if an error occurs after creation of the object. 1277 */ 1278 static void 1279 smb_delete_new_object(smb_request_t *sr) 1280 { 1281 smb_arg_open_t *op = &sr->sr_open; 1282 smb_fqi_t *fqi = &(op->fqi); 1283 uint32_t flags = 0; 1284 1285 if (SMB_TREE_IS_CASEINSENSITIVE(sr)) 1286 flags |= SMB_IGNORE_CASE; 1287 if (SMB_TREE_SUPPORTS_CATIA(sr)) 1288 flags |= SMB_CATIA; 1289 1290 if (op->create_options & FILE_DIRECTORY_FILE) 1291 (void) smb_fsop_rmdir(sr, sr->user_cr, fqi->fq_dnode, 1292 fqi->fq_last_comp, flags); 1293 else 1294 (void) smb_fsop_remove(sr, sr->user_cr, fqi->fq_dnode, 1295 fqi->fq_last_comp, flags); 1296 } 1297