From patchwork Tue Apr 1 07:11:51 2025
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 14034407
X-Mailing-List: linux-cifs@vger.kernel.org
From: Steve French
Date: Tue, 1 Apr 2025 02:11:51 -0500
Subject: Additional patches added to for-next
To: CIFS
Cc: Pali Rohár

Added seven additional patches from Pali's cifs branch to cifs-2.6.git for-next (six others from that branch have already been merged to mainline).

His branch with all 41 patches is https://git.kernel.org/pub/scm/linux/kernel/git/pali/linux.git

The seven that I have tentatively added to for-next are:

4236ac9fe5b8 cifs: Fix querying and creating MF symlinks over SMB1
6aa9f1c9cd09 cifs: Fix access_flags_to_smbopen_mode
e94e882a6d69 cifs: Fix negotiate retry functionality
665e18794804 cifs: Improve handling of NetBIOS packets
7d14dd683b1b cifs: Allow to disable or force initialization of NetBIOS session
b1a37df6ba2f cifs: Add a new xattr system.smb3_ntsd_owner for getting or setting owner
bf782ada459e cifs: Add a new xattr system.smb3_ntsd_sacl for getting or setting SACLs

See attached. If any objections, or if additional RB or Tested-By, let me know.

The other 28 in that branch are trickier to review/test since many require older SMB1 servers, and many of those are lower priority, but review feedback on those would still be appreciated especially if any

From f1f1ef811c90bad17c61cba369e7dbb7e40a5055 Mon Sep 17 00:00:00 2001
From: Pali Rohár
Date: Mon, 14 Oct 2024 13:51:21 +0200
Subject: [PATCH 14/41] cifs: Add a new xattr system.smb3_ntsd_sacl for getting or setting SACLs

Access to the SACL part of an SMB security descriptor is granted by the SACL privilege, which by default is accessible only to the local administrator. But it can be granted to any other user by local GPO or AD.

SACL access is not granted by DACL permissions, and therefore it is possible that some user would not have access to the DACLs of some file but would have access to the SACLs of all files. So it means that accessing SACLs (either getting or setting) in some cases requires not touching or asking for DACLs.

Currently the Linux SMB client does not allow getting or setting SACLs without touching DACLs, which means that a user without DACL access is not able to get or set SACLs even if it has access to SACLs.

Fix this problem by introducing a new xattr "system.smb3_ntsd_sacl" for accessing only the SACL part of the security descriptor (therefore without DACLs and OWNER/GROUP).

Signed-off-by: Pali Rohár
--- fs/smb/client/xattr.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/fs/smb/client/xattr.c b/fs/smb/client/xattr.c index 7d49f38f01f3..95b8269851f3 100644 --- a/fs/smb/client/xattr.c +++ b/fs/smb/client/xattr.c @@ -31,6 +31,7 @@ * secure, replaced by SMB2 (then even more highly secure SMB3) many years ago */ #define SMB3_XATTR_CIFS_ACL "system.smb3_acl" /* DACL only */ +#define SMB3_XATTR_CIFS_NTSD_SACL "system.smb3_ntsd_sacl" /* SACL only */ #define SMB3_XATTR_CIFS_NTSD "system.smb3_ntsd" /* owner plus DACL */ #define SMB3_XATTR_CIFS_NTSD_FULL "system.smb3_ntsd_full" /* owner/DACL/SACL */ #define SMB3_XATTR_ATTRIB "smb3.dosattrib" /* full name: user.smb3.dosattrib */
@@ -38,6 +39,7 @@ /* BB need to add server (Samba e.g) support for security and trusted prefix */ enum { XATTR_USER, XATTR_CIFS_ACL, XATTR_ACL_ACCESS, XATTR_ACL_DEFAULT, + XATTR_CIFS_NTSD_SACL, XATTR_CIFS_NTSD, XATTR_CIFS_NTSD_FULL }; static int cifs_attrib_set(unsigned int xid, struct cifs_tcon *pTcon, @@ -160,6 +162,7 @@ static int cifs_xattr_set(const struct xattr_handler *handler, break; case XATTR_CIFS_ACL: + case XATTR_CIFS_NTSD_SACL: case XATTR_CIFS_NTSD: case XATTR_CIFS_NTSD_FULL: { struct smb_ntsd *pacl; @@ -187,6 +190,9 @@ static int cifs_xattr_set(const struct xattr_handler *handler, CIFS_ACL_GROUP | CIFS_ACL_DACL); break; + case XATTR_CIFS_NTSD_SACL: + aclflags = CIFS_ACL_SACL; + break; case XATTR_CIFS_ACL: default: aclflags = CIFS_ACL_DACL; @@ -308,6 +314,7 @@ static int cifs_xattr_get(const struct xattr_handler *handler, break; case XATTR_CIFS_ACL: + case XATTR_CIFS_NTSD_SACL: case XATTR_CIFS_NTSD: case XATTR_CIFS_NTSD_FULL: { /* @@ -327,6 +334,9 @@ static int cifs_xattr_get(const struct xattr_handler *handler, case XATTR_CIFS_NTSD: extra_info = OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO; break; + case XATTR_CIFS_NTSD_SACL: + extra_info = SACL_SECINFO; + break; case XATTR_CIFS_ACL: default: extra_info = DACL_SECINFO; @@ -448,6 +458,13 @@ static const struct xattr_handler smb3_acl_xattr_handler = { .set = cifs_xattr_set, }; +static const struct xattr_handler smb3_ntsd_sacl_xattr_handler = { + .name = SMB3_XATTR_CIFS_NTSD_SACL, + .flags = XATTR_CIFS_NTSD_SACL, + .get = cifs_xattr_get, + .set = cifs_xattr_set, +}; + static const struct xattr_handler cifs_cifs_ntsd_xattr_handler = { .name = CIFS_XATTR_CIFS_NTSD, .flags = XATTR_CIFS_NTSD, 
@@ -493,6 +510,7 @@ const struct xattr_handler * const cifs_xattr_handlers[] = { &cifs_os2_xattr_handler, &cifs_cifs_acl_xattr_handler, &smb3_acl_xattr_handler, /* alias for above since avoiding "cifs" */ + &smb3_ntsd_sacl_xattr_handler, &cifs_cifs_ntsd_xattr_handler, &smb3_ntsd_xattr_handler, /* alias for above since avoiding "cifs" */ &cifs_cifs_ntsd_full_xattr_handler, -- 2.43.0
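Review bot: in the enum hunk (@@ -38,6 +39,7 @@), inserting XATTR_CIFS_NTSD_SACL between XATTR_ACL_DEFAULT and XATTR_CIFS_NTSD renumbers XATTR_CIFS_NTSD and XATTR_CIFS_NTSD_FULL. That is harmless as long as the values only travel through the handlers' .flags fields and the switch statements in this file, which is what the rest of the patch shows, but appending the new enumerator at the end would leave the existing values untouched and make the intent (a new kind, not a reordering) obvious to anyone bisecting later.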
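Review bot: in the set-path hunk (@@ -187,6 +190,9 @@), the new case maps the xattr to aclflags = CIFS_ACL_SACL, but nothing in the patch says what the caller's value must look like, and the blob goes through as a struct smb_ntsd as-is. The commit message should state that the value is a self-relative security descriptor of which only the SACL portion is applied, and what happens when the supplied descriptor carries no SACL at all (sacloffset of zero): whether the set is rejected client-side or the request reaches the server with the SACL flagged but empty. That is the one case where a SACL-only write could silently change audit policy in the wrong direction.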
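Review bot: in the get-path hunk (@@ -327,6 +334,9 @@), extra_info = SACL_SECINFO alone is the correct SECINFO for a SACL-only query and is what makes the commit message's scenario possible, since no DACL is requested and a user who cannot read the DACL is no longer blocked by it. What the hunk does not show is the desired access used when the file is opened for this query; for the scenario to work, that open must ask for SYSTEM_SECURITY (the right that backs the SACL privilege) and must not also insist on READ_CONTROL when only SACL_SECINFO is requested. A one-line comment next to the new case, or a sentence in the commit message, confirming this would make the change reviewable without reading the open helpers.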
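Review bot: in the handler hunks (@@ -448,6 +458,13 @@ and @@ -493,6 +510,7 @@), the new xattr is registered only under the smb3_ name, while every other security descriptor xattr in the array comes as a cifs_/smb3_ pair marked "alias for above since avoiding cifs". That matches the stated direction of moving away from the cifs prefix and looks intentional, but a short comment on the &smb3_ntsd_sacl_xattr_handler entry saying it deliberately has no cifs alias would stop the next reader from assuming one was forgotten.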
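The value that moves through the new system.smb3_ntsd_sacl xattr is a self-relative SMB security descriptor in which only the SACL is present. The added C program below (example code, not part of the patch or of the kernel's own sources) constructs such a blob with one audit ACE, then validates it the way a careful caller would before handing it to setxattr: every offset is bounds-checked, and the descriptor is rejected if it also carries an owner, group or DACL, since a SACL-only write should not smuggle other parts along. Field offsets follow the MS-DTYP layout for SECURITY_DESCRIPTOR, ACL and ACE (the same layout the kernel's struct smb_ntsd mirrors); the function names, the constructed sample SID and the optional setxattr call on a user-supplied path are this example's own.

```c
/*
 * Added example (not kernel code): build and validate a SACL-only
 * self-relative security descriptor of the shape carried by the
 * "system.smb3_ntsd_sacl" xattr. Layout per MS-DTYP 2.4.6 / 2.4.5 / 2.4.4.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

#define SE_DACL_PRESENT            0x0004
#define SE_SACL_PRESENT            0x0010
#define SE_SELF_RELATIVE           0x8000
#define SYSTEM_AUDIT_ACE_TYPE      0x02
#define FAILED_ACCESS_ACE_FLAG     0x80
#define GENERIC_ALL                0x10000000u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Constructed sample: SACL-only descriptor with one SYSTEM_AUDIT ACE that
 * audits failed GENERIC_ALL access by Everyone (S-1-1-0). Returns blob length,
 * 0 if the buffer is too small. Owner/group/DACL offsets stay 0 (absent). */
size_t build_sacl_only_sd(uint8_t *out, size_t cap)
{
    const uint8_t everyone[12] = {1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0}; /* S-1-1-0 */
    size_t sd_len = 20, acl_hdr = 8, ace_len = 8 + sizeof everyone;
    size_t total = sd_len + acl_hdr + ace_len;                          /* 48 bytes */
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 1;                                              /* Revision */
    wr16(out + 2, SE_SELF_RELATIVE | SE_SACL_PRESENT);      /* Control: SACL only */
    wr32(out + 12, (uint32_t)sd_len);                        /* OffsetSacl */
    uint8_t *acl = out + sd_len;
    acl[0] = 2;                                              /* ACL_REVISION */
    wr16(acl + 2, (uint16_t)(acl_hdr + ace_len));            /* AclSize */
    wr16(acl + 4, 1);                                        /* AceCount */
    uint8_t *ace = acl + acl_hdr;
    ace[0] = SYSTEM_AUDIT_ACE_TYPE;
    ace[1] = FAILED_ACCESS_ACE_FLAG;
    wr16(ace + 2, (uint16_t)ace_len);
    wr32(ace + 4, GENERIC_ALL);                              /* Mask */
    memcpy(ace + 8, everyone, sizeof everyone);              /* Sid */
    return total;
}

struct sacl_summary { int ok; unsigned ace_count; unsigned audit_aces; int has_dacl; int has_owner; };

/* Accept only a well-formed self-relative descriptor whose sole component is
 * a SACL. Every offset and size is checked against len before it is read. */
struct sacl_summary check_sacl_only(const uint8_t *sd, size_t len)
{
    struct sacl_summary s = {0};
    if (len < 20 || sd[0] != 1) return s;
    uint16_t ctrl = rd16(sd + 2);
    uint32_t off_owner = rd32(sd + 4), off_group = rd32(sd + 8);
    uint32_t off_sacl = rd32(sd + 12), off_dacl = rd32(sd + 16);
    s.has_owner = (off_owner != 0 || off_group != 0);
    s.has_dacl = ((ctrl & SE_DACL_PRESENT) != 0 || off_dacl != 0); /* a NULL DACL still counts */
    if (!(ctrl & SE_SELF_RELATIVE) || !(ctrl & SE_SACL_PRESENT) || off_sacl == 0) return s;
    if (s.has_owner || s.has_dacl) return s;            /* SACL-only means nothing else */
    if (off_sacl > len - 8) return s;                   /* room for the ACL header */
    const uint8_t *acl = sd + off_sacl;
    uint16_t acl_size = rd16(acl + 2), n = rd16(acl + 4);
    if (acl_size < 8 || off_sacl + acl_size > len) return s;
    size_t pos = 8;
    for (unsigned i = 0; i < n; i++) {                  /* walk ACEs inside AclSize */
        if (pos + 4 > acl_size) return s;
        uint16_t ace_size = rd16(acl + pos + 2);
        if (ace_size < 4 || pos + ace_size > acl_size) return s;
        if (acl[pos] == SYSTEM_AUDIT_ACE_TYPE) s.audit_aces++;
        pos += ace_size;
    }
    s.ace_count = n;
    s.ok = 1;
    return s;
}

int main(int argc, char **argv)
{
    uint8_t blob[64];
    size_t n = build_sacl_only_sd(blob, sizeof blob);
    struct sacl_summary s = check_sacl_only(blob, n);
    printf("len=%zu ok=%d aces=%u audit=%u\n", n, s.ok, s.ace_count, s.audit_aces);
#ifdef __linux__
    /* Optional: apply it on a cifs-mounted path given as argv[1] via the xattr the patch adds. */
    if (argc > 1 && s.ok && setxattr(argv[1], "system.smb3_ntsd_sacl", blob, n, 0) != 0)
        perror("setxattr system.smb3_ntsd_sacl");
#endif
    return 0;
}
```

Run without arguments it only builds and checks the constructed blob; with a path on a cifs mount it attempts the SACL-only write, which is exactly the case the patch enables for a user who holds the SACL privilege but has no DACL access.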