From bb99cf1f729b789290202e573ea3dcedf2f253a0 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 10 Oct 2012 16:42:38 +1100
Subject: posixacls: Add IDL changes for vfs_acl_xattr using hash of the sys acl
This will isolate the hash of the ACL from any intermediate mapping that the POSIX -> NT mapping subsystem might need to do, and which might change if we need to correct that mapping.
Andrew Bartlett
---
 librpc/idl/smb_acl.idl | 20 +++++++++++++++++++-
 librpc/idl/xattr.idl | 13 +++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/librpc/idl/smb_acl.idl b/librpc/idl/smb_acl.idl
index f7332d9ac7..ffd1ee278f 100644
--- a/librpc/idl/smb_acl.idl
+++ b/librpc/idl/smb_acl.idl
@@ -19,7 +19,14 @@ */
-/* Allow the smb_acl interface to be pushed into an NDR blob and read/written in python */
+/*
+ * Allow the smb_acl interface to be pushed into an NDR blob and
+ * read/written in python.
+ *
+ * The exact layout of these stuctures is CRITICAL, as a SHA-256 hash is
+ * taken over these after they are pushed as NDR blobs, and stored in an
+ * xattr for ACL verification.
+ */
 [ pointer_default(unique) ]
@@ -75,4 +82,15 @@ interface smb_acl
 const int SMB_ACL_TYPE_ACCESS = 0;
 const int SMB_ACL_TYPE_DEFAULT = 1;
+
+ /* A wrapper of all the information required to reproduce an
+ * ACL, so we can hash it for the acl_xattr and acl_tdb
+ * modules */
+ [public] typedef struct {
+ smb_acl_t *access_acl;
+ smb_acl_t *default_acl; /* NULL on files */
+ uid_t owner;
+ gid_t group;
+ mode_t mode;
+ } smb_acl_wrapper;
 }
diff --git a/librpc/idl/xattr.idl b/librpc/idl/xattr.idl
index bc8c20c9ea..f7e698429b 100644
--- a/librpc/idl/xattr.idl
+++ b/librpc/idl/xattr.idl
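Review bot: `smb_acl_wrapper` has no layout warning at the struct itself, although the comment added in the first hunk says a SHA-256 over the NDR-pushed form is stored for ACL verification; anyone appending a field at line 82 would change the hash of every ACL, so hashes stored earlier would stop matching. The comment above the typedef could carry it, e.g. `Hashed as an NDR blob: never reorder, resize or add fields here; define a new wrapper instead`. `owner`, `group` and `mode` use `uid_t`/`gid_t`/`mode_t`, whose wire width is not visible in this file, so it is worth stating the width the hash relies on (presumably fixed by the NDR layer, but that should be confirmed). The comment in the first hunk also misspells "structures" as "stuctures".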
@@ -184,10 +184,23 @@ interface xattr
 uint8 hash[64]; /* 64 bytes hash. */
 } security_descriptor_hash_v3;
+ typedef [public] struct {
+ security_descriptor *sd;
+ uint16 hash_type;
+ uint8 hash[64]; /* 64 bytes hash. */
+ utf8string description; /* description of what created
+ * this hash (to allow
+ * foresnics later, if we have
+ * a bug in one codepath */
+ NTTIME time;
+ uint8 sys_acl_hash[64]; /* 64 bytes hash. */
+ } security_descriptor_hash_v4;
+
 typedef [switch_type(uint16)] union {
 [case(1)] security_descriptor *sd;
 [case(2)] security_descriptor_hash_v2 *sd_hs2;
 [case(3)] security_descriptor_hash_v3 *sd_hs3;
+ [case(4)] security_descriptor_hash_v4 *sd_hs4;
 } xattr_NTACL_Info;
 typedef [public] struct {
-- cgit
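Review bot: `sys_acl_hash` in `security_descriptor_hash_v4` has no algorithm field of its own, so a reader must assume it shares `hash_type` with `hash`; the field comment should say that, e.g. `/* hash of the NDR-pushed smb_acl_wrapper, algorithm per hash_type, unused tail zero-filled */`. Both arrays are 64 bytes while the comment added to smb_acl.idl names SHA-256, which fills 32, so whether the remaining bytes are zeroed and included in the comparison needs to be pinned down in the consuming code (not shown here). `description` is free text read back from an on-disk xattr and should be treated as untrusted by whatever logs or displays it. Its comment also misspells "forensics" and leaves the parenthesis open.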