author | Dan McDonald <danmcd@mnx.io> | 2022-10-14 14:24:51 -0400 |
---|---|---|
committer | Dan McDonald <danmcd@mnx.io> | 2022-10-14 14:24:51 -0400 |
commit | f1e5b922ed8766e68b9264a57a94dd9a28cddd69 (patch) | |
tree | baf3cb572d2f85a6f5da8d5b14e6ba80ead1c872 | |
parent | 3f653c6a7986f96d0481d47988b138c6c75aeaff (diff) | |
parent | 5e1bbccc35c7d7d0b6abd200b510d8d5b99ae31c (diff) | |
download | illumos-joyent-f1e5b922ed8766e68b9264a57a94dd9a28cddd69.tar.gz |
[illumos-gate merge]
commit 5e1bbccc35c7d7d0b6abd200b510d8d5b99ae31c
15064 vmm: unused variable 'iommu_initted'
commit d9be5d44a919e9dbfe9d1e3e7a5557d9208b1de7
15050 SMB server mishandles some SIDs
commit 5cfb18f0d1f59686e64a1bf142efa2bf653d86a0
15032 SMB: Can't create a file with a NULL DACL
commit 34b17f87fc4c121059d3ab4102a276cbe7ed609a
15059 Update AMD microcode to 20220930
commit fab57d1b740f6df905ebda23c9345ef88a7a046a
15027 The ls command should show SIDs instead of ephemeral IDs
commit 3cdfcc971afcfbc67664057ef3e59e02fb78871d
15063 vmm: cast to smaller integer type 'boolean_t' from 'void *'
commit 13a19b244f4bf70feb407e14979f084b7cb47270
15077 ficl: make sure the loader emulator does set console
-rw-r--r-- | exception_lists/check_rtime | 2 | ||||
-rw-r--r-- | usr/src/cmd/ls/ls.c | 129 | ||||
-rw-r--r-- | usr/src/common/ficl/emu/loader_emu.c | 1 | ||||
-rw-r--r-- | usr/src/common/smbsrv/smb_sid.c | 77 | ||||
-rw-r--r-- | usr/src/data/ucode/amd/A010-00 | bin | 5568 -> 5568 bytes | |||
-rw-r--r-- | usr/src/data/ucode/amd/A011-00 | bin | 5568 -> 5568 bytes | |||
-rw-r--r-- | usr/src/data/ucode/amd/A012-00 | bin | 5568 -> 5568 bytes | |||
-rw-r--r-- | usr/src/data/ucode/amd/THIRDPARTYLICENSE | 2 | ||||
-rw-r--r-- | usr/src/lib/libsec/common/acltext.c | 49 | ||||
-rw-r--r-- | usr/src/lib/libsec/common/aclutils.h | 3 | ||||
-rw-r--r-- | usr/src/lib/libsec/common/mapfile-vers | 3 | ||||
-rw-r--r-- | usr/src/man/man1/ls.1 | 15 | ||||
-rw-r--r-- | usr/src/pkg/manifests/system-microcode-amd.p5m | 2 | ||||
-rw-r--r-- | usr/src/pkg/manifests/system-test-smbsrvtest.p5m | 5 | ||||
-rw-r--r-- | usr/src/test/smbsrv-tests/cmd/smbsrvtests.ksh | 4 | ||||
-rw-r--r-- | usr/src/test/smbsrv-tests/tests/smb_sid/Makefile | 66 | ||||
-rw-r--r-- | usr/src/test/smbsrv-tests/tests/smb_sid/large_sids.c | 104 | ||||
-rw-r--r-- | usr/src/uts/common/fs/smbsrv/smb_sd.c | 7 | ||||
-rw-r--r-- | usr/src/uts/intel/io/vmm/io/iommu.c | 4 |
19 files changed, 408 insertions, 65 deletions
diff --git a/exception_lists/check_rtime b/exception_lists/check_rtime index ad7d80eae1..2d8fa710e8 100644 --- a/exception_lists/check_rtime +++ b/exception_lists/check_rtime @@ -28,6 +28,7 @@ # Copyright 2018 Joyent, Inc. # Copyright 2020 Oxide Computer Company # Copyright 2022 Garrett D'Amore <garrett@damore.org> +# Copyright 2022 Tintri by DDN, Inc. All rights reserved. # # This file provides exceptions to the usual rules applied to ELF objects by @@ -233,6 +234,7 @@ FORBIDDEN_DEP usr/lib/netsvc/yp/ypxfrd # C++ # libfakekernel is a test environment, not intended for general use FORBIDDEN libfakekernel\.so +FORBIDDEN_DEP opt/smbsrv-tests/tests/smb_sid/large_sids_kern FORBIDDEN_DEP usr/MACH(lib)/libzpool.so.1 FORBIDDEN_DEP usr/bin/ztest FORBIDDEN_DEP usr/bin/raidz_test diff --git a/usr/src/cmd/ls/ls.c b/usr/src/cmd/ls/ls.c index 0479e6a46c..bdcf162522 100644 --- a/usr/src/cmd/ls/ls.c +++ b/usr/src/cmd/ls/ls.c @@ -23,6 +23,7 @@ * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2012, Joyent, Inc. All rights reserved. * Copyright 2015 Gary Mills + * Copyright 2016 Nexenta Systems, Inc. All rights reserved. * Copyright 2020 Peter Tribble */ @@ -233,6 +234,8 @@ static struct lbuf **flist; /* ptr to list of lbuf pointers */ static struct lbuf *gstat(char *, int, struct ditem *); static char *getname(uid_t); static char *getgroup(gid_t); +static char *getusid(uid_t); +static char *getgsid(gid_t); static char *makename(char *, char *); static void pentry(struct lbuf *); static void column(void); 
@@ -1279,20 +1282,36 @@ pentry(struct lbuf *ap)
 (void) putchar(p->acl);
 curcol++;
+ /*
+ * When handling owner/group options (-o -g) note -n:
+ * With no -n options, getname/getroup converts any
+ * ephemeral IDs to a winname (if possible) or a SID.
+ * With just one -n option, convert ephemeral IDs to SIDs
+ * With two or more -n options, show the ephemeral ID
+ * (which is a lot less helpful than the SID).
+ */
 curcol += printf("%3lu ", (ulong_t)p->lnl);
 if (oflg) {
- if (!nflg) {
+ if (nflg == 0) {
 cp = getname(p->luid);
 curcol += printf("%-8s ", cp);
- } else
+ } else if (nflg == 1 && p->luid > MAXUID) {
+ cp = getusid(p->luid);
+ curcol += printf("%-8s ", cp);
+ } else {
 curcol += printf("%-8lu ", (ulong_t)p->luid);
+ }
 }
 if (gflg) {
- if (!nflg) {
+ if (nflg == 0) {
 cp = getgroup(p->lgid);
 curcol += printf("%-8s ", cp);
- } else
+ } else if (nflg == 1 && p->lgid > MAXUID) {
+ cp = getgsid(p->lgid);
+ curcol += printf("%-8s ", cp);
+ } else {
 curcol += printf("%-8lu ", (ulong_t)p->lgid);
+ }
 }
 if (p->ltype == 'b' || p->ltype == 'c') {
 curcol += printf("%3u, %2u",
@@ -1427,7 +1446,16 @@ pentry(struct lbuf *ap)
 if (vflg) {
 new_line();
 if (p->aclp) {
- acl_printacl(p->aclp, num_cols, Vflg);
+ int pa_flags = 0;
+
+ if (Vflg)
+ pa_flags |= ACL_COMPACT_FMT;
+ if (nflg)
+ pa_flags |= ACL_NORESOLVE;
+ if (nflg < 2)
+ pa_flags |= ACL_SID_FMT;
+
+ acl_printacl2(p->aclp, num_cols, pa_flags);
 }
 }
 /* Free extended system attribute lists */
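Review bot: The new block comment in the first pentry hunk misspells `getgroup` as `getroup` and sits above the link-count `printf` rather than the `if (oflg)` / `if (gflg)` blocks it describes. I would move it directly above `if (oflg) {` and correct the name, e.g. `With no -n options, getname/getgroup converts any`. It is also worth stating there that a single `-n` only changes the output for IDs above MAXUID; ordinary IDs still take the numeric branch. pentry's body starts and ends outside both hunks.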
@@ -2162,25 +2190,18 @@ makename(char *dir, char *file)
 return (dfile);
 }
-
-#include <pwd.h>
-#include <grp.h>
-#include <utmpx.h>
-
-struct utmpx utmp;
-
-#define NMAX (sizeof (utmp.ut_name))
-#define SCPYN(a, b) (void) strncpy(a, b, NMAX)
-
+#define NMAX 256 /* The maximum size of a SID in string format */
+#define SCPYN(a, b) (void) strlcpy(a, b, NMAX)
 struct cachenode { /* this struct must be zeroed before using */
 struct cachenode *lesschild; /* subtree whose entries < val */
 struct cachenode *grtrchild; /* subtree whose entries > val */
 long val; /* the uid or gid of this entry */
 int initted; /* name has been filled in */
- char name[NMAX+1]; /* the string that val maps to */
+ char name[NMAX]; /* the string that val maps to */
 };
 static struct cachenode *names, *groups;
+static struct cachenode *user_sids, *group_sids;
 static struct cachenode *
 findincache(struct cachenode **head, long val)
@@ -2215,19 +2236,28 @@ findincache(struct cachenode **head, long val)
 /*
 * get name from cache, or passwd file for a given uid;
 * lastuid is set to uid.
+ *
+ * If an ephemeral UID (> MAXUID) try to convert to either a
+ * name or a sid.
 */
 static char *
 getname(uid_t uid)
 {
 struct passwd *pwent;
 struct cachenode *c;
+ char *sid;
 if ((uid == lastuid) && lastuname)
 return (lastuname);
 c = findincache(&names, uid);
 if (c->initted == 0) {
- if ((pwent = getpwuid(uid)) != NULL) {
+ sid = NULL;
+ if (uid > MAXUID &&
+ sid_string_by_id(uid, B_TRUE, &sid, 0) == 0) {
+ SCPYN(&c->name[0], sid);
+ free(sid);
+ } else if ((pwent = getpwuid(uid)) != NULL) {
 SCPYN(&c->name[0], pwent->pw_name);
 } else {
 (void) sprintf(&c->name[0], "%-8u", (int)uid);
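Review bot: `NMAX` is documented as the maximum SID string size, but the cache `name` buffer it sizes also receives the resolved Windows name that getname obtains from `sid_string_by_id(uid, B_TRUE, &sid, 0)` as well as passwd names, and `SCPYN` (now `strlcpy`) truncates silently. A comment that states the real contract would be more accurate, e.g. `#define NMAX 256 /* cache entry size; longer names or SIDs are truncated */`. The getgroup hunk at -2242 follows the same pattern. Separately, the first hunk drops the mid-file `#include <pwd.h>` and `#include <grp.h>` while getname still calls `getpwuid`; presumably both headers are already included at the top of ls.c, which is outside this diff, and that is worth confirming.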
@@ -2242,19 +2272,28 @@ getname(uid_t uid)
 /*
 * get name from cache, or group file for a given gid;
 * lastgid is set to gid.
+ *
+ * If an ephemeral GID (> MAXUID) try to convert to either a
+ * name or a sid.
 */
 static char *
 getgroup(gid_t gid)
 {
 struct group *grent;
 struct cachenode *c;
+ char *sid;
 if ((gid == lastgid) && lastgname)
 return (lastgname);
 c = findincache(&groups, gid);
 if (c->initted == 0) {
- if ((grent = getgrgid(gid)) != NULL) {
+ sid = NULL;
+ if (gid > MAXUID &&
+ sid_string_by_id(gid, B_FALSE, &sid, 0) == 0) {
+ SCPYN(&c->name[0], sid);
+ free(sid);
+ } else if ((grent = getgrgid(gid)) != NULL) {
 SCPYN(&c->name[0], grent->gr_name);
 } else {
 (void) sprintf(&c->name[0], "%-8u", (int)gid);
@@ -2266,6 +2305,60 @@ getgroup(gid_t gid)
 return (lastgname);
 }
+/*
+ * get SID from cache, or from idmap for a given (ephemeral) uid;
+ *
+ * Always an ephemeral UID (> MAXUID) here.
+ * Just convert to a SID (no winname lookup)
+ */
+static char *
+getusid(uid_t uid)
+{
+ struct cachenode *c;
+ char *sid;
+
+ c = findincache(&user_sids, uid);
+ if (c->initted == 0) {
+ sid = NULL;
+ if (sid_string_by_id(uid, B_TRUE, &sid, ACL_NORESOLVE) == 0) {
+ SCPYN(&c->name[0], sid);
+ free(sid);
+ } else {
+ (void) sprintf(&c->name[0], "%-8u", (int)uid);
+ }
+ c->initted = 1;
+ }
+
+ return (&c->name[0]);
+}
+
+/*
+ * get SID from cache, or from idmap for a given (ephemeral) gid;
+ *
+ * If an ephemeral UID (> MAXUID) try to convert to a SID
+ * (no winname lookup here)
+ */
+static char *
+getgsid(gid_t gid)
+{
+ struct cachenode *c;
+ char *sid;
+
+ c = findincache(&group_sids, gid);
+ if (c->initted == 0) {
+ sid = NULL;
+ if (sid_string_by_id(gid, B_FALSE, &sid, ACL_NORESOLVE) == 0) {
+ SCPYN(&c->name[0], sid);
+ free(sid);
+ } else {
+ (void) sprintf(&c->name[0], "%-8u", (int)gid);
+ }
+ c->initted = 1;
+ }
+
+ return (&c->name[0]);
+}
+
 /* return >0 if item pointed by pp2 should appear first */
 static int
 compar(struct lbuf **pp1, struct lbuf **pp2)
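Review bot: getusid and getgsid pass the flag constant `ACL_NORESOLVE` as the fourth argument of `sid_string_by_id`, which this same commit declares in aclutils.h as `boolean_t noresolve`. That only works as long as the callee tests the value for non-zero; `sid_string_by_id(uid, B_TRUE, &sid, B_TRUE)` (and `sid_string_by_id(gid, B_FALSE, &sid, B_TRUE)`) says what is meant and pairs with the `0` that getname and getgroup pass. The getgsid header comment also says "ephemeral UID" where it means GID, and says "If" where getusid says the ID is always ephemeral. In the new fallback branches `"%-8u"` is given an `(int)` argument; a `(uint_t)` cast would match the conversion.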
diff --git a/usr/src/common/ficl/emu/loader_emu.c b/usr/src/common/ficl/emu/loader_emu.c
index 8c4b376cfd..e3a48f29da 100644
--- a/usr/src/common/ficl/emu/loader_emu.c
+++ b/usr/src/common/ficl/emu/loader_emu.c
@@ -720,6 +720,7 @@ bf_init(const char *rc, ficlOutputFunction out)
 buf = get_currdev();
 (void) setenv("currdev", buf, 1);
 free(buf);
+ (void) setenv("console", "text", 1);
 /* Put all private definitions in a "builtins" vocabulary */
 rv = ficlVmEvaluate(bf_vm,
diff --git a/usr/src/common/smbsrv/smb_sid.c b/usr/src/common/smbsrv/smb_sid.c
index 9d4dc978ae..c5700b0d87 100644
--- a/usr/src/common/smbsrv/smb_sid.c
+++ b/usr/src/common/smbsrv/smb_sid.c
@@ -20,7 +20,7 @@
 */
 /*
 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2022 Tintri by DDN, Inc. All rights reserved.
 */
 #if !defined(_KERNEL) && !defined(_FAKE_KERNEL)
@@ -29,6 +29,7 @@
 #include <stdlib.h>
 #include <syslog.h>
 #else /* !_KERNEL && !_FAKE_KERNEL */
+#include <sys/int_limits.h> /* Needed for _FAKE_KERNEL */
 #include <sys/types.h>
 #include <sys/systm.h>
 #include <sys/sunddi.h>
@@ -50,7 +51,7 @@ smb_sid_isvalid(smb_sid_t *sid)
 return (B_FALSE);
 return ((sid->sid_revision == NT_SID_REVISION) &&
- (sid->sid_subauthcnt < NT_SID_SUBAUTH_MAX));
+ (sid->sid_subauthcnt <= NT_SID_SUBAUTH_MAX));
 }
 /*
@@ -317,7 +318,7 @@ smb_sid_t *
 smb_sid_fromstr(const char *sidstr)
 {
 smb_sid_t *sid;
- smb_sid_t *retsid;
+ smb_sid_t *retsid = NULL;
 const char *p;
 int size;
 uint8_t i;
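Review bot: With `sid_subauthcnt <= NT_SID_SUBAUTH_MAX` in smb_sid_isvalid, a SID carrying exactly NT_SID_SUBAUTH_MAX sub-authorities now passes validation, so every consumer that sizes a buffer or bounds a loop on the strength of this check has to hold that many entries. smb_sid_fromstr in this file allocates `sizeof (smb_sid_t) + (NT_SID_SUBAUTH_MAX * sizeof (uint32_t))`, which is sufficient; the other callers of smb_sid_isvalid are outside this diff and should be checked for an off-by-one at the new upper bound. A comment on the comparison would record the intent, e.g. `/* a SID may carry exactly NT_SID_SUBAUTH_MAX sub-authorities */`. The function starts above the hunk.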
@@ -329,35 +330,47 @@ smb_sid_fromstr(const char *sidstr) if (strncmp(sidstr, "S-1-", 4) != 0) return (NULL); + sua = 0; + (void) ddi_strtoul(&sidstr[4], (char **)&p, 10, &sua); + + /* + * If ddi_strtoul() did the right thing, *p will point at the first '-' + * after the identifier authority. + * The IdentifierAuthority can be up to 2^48, but all known ones + * currently fit into a uint8_t. + * TODO: support IdentifierAuthorities > 255 (those over UINT32_MAX are + * hex-formatted). + */ + if (sua > UINT8_MAX || (*p != '-' && *p != '\0')) + return (NULL); + size = sizeof (smb_sid_t) + (NT_SID_SUBAUTH_MAX * sizeof (uint32_t)); sid = kmem_zalloc(size, KM_SLEEP); - sid->sid_revision = NT_SID_REVISION; - sua = 0; - (void) ddi_strtoul(&sidstr[4], 0, 10, &sua); sid->sid_authority[5] = (uint8_t)sua; - for (i = 0, p = &sidstr[5]; i < NT_SID_SUBAUTH_MAX && *p; ++i) { - while (*p && *p == '-') + for (i = 0; i < NT_SID_SUBAUTH_MAX && *p; ++i) { + while (*p == '-') ++p; - if (*p < '0' || *p > '9') { - kmem_free(sid, size); - return (NULL); - } + if (*p < '0' || *p > '9') + goto out; sua = 0; - (void) ddi_strtoul(p, 0, 10, &sua); + (void) ddi_strtoul(p, (char **)&p, 10, &sua); + if (sua > UINT32_MAX) + goto out; sid->sid_subauth[i] = (uint32_t)sua; - while (*p && *p != '-') - ++p; + if (*p != '\0' && *p != '-') + goto out; } sid->sid_subauthcnt = i; retsid = smb_sid_dup(sid); - kmem_free(sid, size); +out: + kmem_free(sid, size); return (retsid); } #else /* _KERNEL */ @@ -368,6 +381,7 @@ smb_sid_fromstr(const char *sidstr) const char *p; int size; uint8_t i; + unsigned long sua; if (sidstr == NULL) return (NULL); 
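Review bot: The sub-authority loop in the kernel smb_sid_fromstr stops when `i` reaches NT_SID_SUBAUTH_MAX even if `*p` has not reached the terminator, so a string with more sub-authorities than the limit is returned as a valid SID built from its first NT_SID_SUBAUTH_MAX components instead of being rejected. Where the parsed SID later feeds an identity or ACL decision, that silently names a different principal; adding `if (*p != '\0') goto out;` before `sid->sid_subauthcnt = i;` closes it. The identifier authority is also accepted without a digit check and the `ddi_strtoul` return value is discarded, so `S-1-` on its own appears to parse as authority 0; `if (sidstr[4] < '0' || sidstr[4] > '9') return (NULL);` ahead of the conversion would match what the loop already does for sub-authorities. The userland copy in the following hunks has the same two gaps.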
@@ -375,17 +389,29 @@ smb_sid_fromstr(const char *sidstr) if (strncmp(sidstr, "S-1-", 4) != 0) return (NULL); + sua = strtoul(&sidstr[4], (char **)&p, 10); + + /* + * If strtoul() did the right thing, *p will point at the first '-' + * after the identifier authority. + * The IdentifierAuthority can be up to 2^48, but all known ones + * currently fit into a uint8_t. + * TODO: support IdentifierAuthorities > 255 (those over UINT32_MAX are + * hex-formatted). + */ + if (sua > UINT8_MAX || (*p != '-' && *p != '\0')) + return (NULL); + size = sizeof (smb_sid_t) + (NT_SID_SUBAUTH_MAX * sizeof (uint32_t)); - if ((sid = malloc(size)) == NULL) + if ((sid = calloc(size, 1)) == NULL) return (NULL); - bzero(sid, size); sid->sid_revision = NT_SID_REVISION; - sid->sid_authority[5] = atoi(&sidstr[4]); + sid->sid_authority[5] = (uint8_t)sua; - for (i = 0, p = &sidstr[5]; i < NT_SID_SUBAUTH_MAX && *p; ++i) { - while (*p && *p == '-') + for (i = 0; i < NT_SID_SUBAUTH_MAX && *p; ++i) { + while (*p == '-') ++p; if (*p < '0' || *p > '9') { @@ -393,10 +419,11 @@ smb_sid_fromstr(const char *sidstr) return (NULL); } - sid->sid_subauth[i] = strtoul(p, NULL, 10); - - while (*p && *p != '-') - ++p; + sid->sid_subauth[i] = strtoul(p, (char **)&p, 10); + if (*p != '\0' && *p != '-') { + free(sid); + return (NULL); + } } sid->sid_subauthcnt = i; diff --git a/usr/src/data/ucode/amd/A010-00 b/usr/src/data/ucode/amd/A010-00 Binary files differindex 48149467de..c1f2f3a162 100644 --- a/usr/src/data/ucode/amd/A010-00 +++ b/usr/src/data/ucode/amd/A010-00 diff --git a/usr/src/data/ucode/amd/A011-00 b/usr/src/data/ucode/amd/A011-00 Binary files differindex 2bcf1d5a65..a35b92982b 100644 --- a/usr/src/data/ucode/amd/A011-00 +++ b/usr/src/data/ucode/amd/A011-00 diff --git a/usr/src/data/ucode/amd/A012-00 b/usr/src/data/ucode/amd/A012-00 Binary files differindex 4536829bb5..1361159596 100644 --- a/usr/src/data/ucode/amd/A012-00 +++ b/usr/src/data/ucode/amd/A012-00 
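Review bot: The userland smb_sid_fromstr stores the `strtoul` result straight into `sid->sid_subauth[i]`, so a sub-authority above UINT32_MAX is truncated (or saturated on overflow) instead of rejected, while the kernel copy in the previous hunk gained an explicit `sua > UINT32_MAX` check. The two copies should agree: convert into `sua`, range-check it together with the terminator test, and only then assign. Where `unsigned long` is 32 bits the comparison can never be true, so that build needs the ERANGE test as well (and `<errno.h>`, if the file does not already include it). `calloc(size, 1)` works but reads more naturally as `calloc(1, size)`.
```c
	for (i = 0; i < NT_SID_SUBAUTH_MAX && *p; ++i) {
		/* … unchanged: skip '-' separators, reject a non-digit … */
		errno = 0;
		sua = strtoul(p, (char **)&p, 10);
		if (errno == ERANGE || sua > UINT32_MAX ||
		    (*p != '\0' && *p != '-')) {
			free(sid);
			return (NULL);
		}
		sid->sid_subauth[i] = (uint32_t)sua;
```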
diff --git a/usr/src/data/ucode/amd/THIRDPARTYLICENSE b/usr/src/data/ucode/amd/THIRDPARTYLICENSE index de5b29c4e4..ea47c577c7 100644 --- a/usr/src/data/ucode/amd/THIRDPARTYLICENSE +++ b/usr/src/data/ucode/amd/THIRDPARTYLICENSE @@ -1,4 +1,4 @@ -Copyright (C) 2010-2018 Advanced Micro Devices, Inc., All rights reserved. +Copyright (C) 2010-2022 Advanced Micro Devices, Inc., All rights reserved. Permission is hereby granted by Advanced Micro Devices, Inc. ("AMD"), free of any license fees, to any person obtaining a copy of this diff --git a/usr/src/lib/libsec/common/acltext.c b/usr/src/lib/libsec/common/acltext.c index 42a31ad995..9c9953c896 100644 --- a/usr/src/lib/libsec/common/acltext.c +++ b/usr/src/lib/libsec/common/acltext.c @@ -20,7 +20,7 @@ */ /* * Copyright (c) 1993, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2014 Nexenta Systems, Inc. All rights reserved. + * Copyright 2016 Nexenta Systems, Inc. All rights reserved. */ /*LINTLIBRARY*/ @@ -172,6 +172,15 @@ getsidname(uid_t who, boolean_t user, char **sidp, boolean_t noresolve) return (*sidp ? 0 : 1); } +/* + * sid_string_by_id() is an exposed interface via -lsec + */ +int +sid_string_by_id(uid_t who, boolean_t user, char **sidp, boolean_t noresolve) +{ + return (getsidname(who, user, sidp, noresolve)); +} + static void aclent_printacl(acl_t *aclp) { @@ -729,10 +738,10 @@ ace_inherit_txt(dynaclstr_t *dstr, uint32_t iflags, int flags) char * aclent_acltotext(aclent_t *aclp, int aclcnt, int flags) { - dynaclstr_t *dstr; + dynaclstr_t *dstr; char *aclexport = NULL; int i; - int error = 0; + int error = 0; if (aclp == NULL) return (NULL); @@ -884,7 +893,7 @@ ace_acltotext(acl_t *aceaclp, int flags) int i; int error = 0; int isdir = (aceaclp->acl_flags & ACL_IS_DIR); - dynaclstr_t *dstr; + dynaclstr_t *dstr; char *aclexport = NULL; char *rawsidp = NULL; 
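Review bot: sid_string_by_id becomes an exported libsec symbol in the acltext.c hunk at -172, but its comment does not state the contract callers depend on. From the visible code, getsidname returns `*sidp ? 0 : 1` and the new ls callers `free()` the string they get back, so the comment should say that 0 means success, that `*sidp` is then a string the caller must free (presumably heap-allocated; confirm in getsidname), and what a non-zero `noresolve` suppresses. Something like `Returns 0 and stores a caller-freed string in *sidp; returns non-zero and leaves *sidp NULL on failure.` would do. getsidname's body is outside the hunk.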
@@ -1028,7 +1037,7 @@ acl_parse(const char *acltextp, acl_t **aclp)
 }
 static void
-ace_compact_printacl(acl_t *aclp)
+ace_compact_printacl(acl_t *aclp, int flgs)
 {
 int cnt;
 ace_t *acep;
@@ -1050,7 +1059,7 @@ ace_compact_printacl(acl_t *aclp)
 dstr->d_aclexport[0] = '\0';
 dstr->d_pos = 0;
- if (ace_type_txt(dstr, acep, 0))
+ if (ace_type_txt(dstr, acep, flgs))
 break;
 len = strlen(&dstr->d_aclexport[0]);
 if (ace_perm_txt(dstr, acep->a_access_mask, acep->a_flags,
@@ -1070,18 +1079,18 @@ ace_compact_printacl(acl_t *aclp)
 }
 static void
-ace_printacl(acl_t *aclp, int cols, int compact)
+ace_printacl(acl_t *aclp, int cols, int flgs)
 {
 int slot = 0;
 char *token;
 char *acltext;
- if (compact) {
- ace_compact_printacl(aclp);
+ if (flgs & ACL_COMPACT_FMT) {
+ ace_compact_printacl(aclp, flgs);
 return;
 }
- acltext = acl_totext(aclp, 0);
+ acltext = acl_totext(aclp, flgs);
 if (acltext == NULL)
 return;
@@ -1111,15 +1120,33 @@ ace_printacl(acl_t *aclp, int cols, int compact)
 * print a "slot" number.
 */
 void
+acl_printacl2(acl_t *aclp, int cols, int flgs)
+{
+
+ switch (aclp->acl_type) {
+ case ACLENT_T:
+ aclent_printacl(aclp);
+ break;
+ case ACE_T:
+ ace_printacl(aclp, cols, flgs);
+ break;
+ }
+}
+
+/*
+ * Historical, compatibility version of the above.
+ */
+void
 acl_printacl(acl_t *aclp, int cols, int compact)
 {
+ int flgs = compact ? ACL_COMPACT_FMT : 0;
 switch (aclp->acl_type) {
 case ACLENT_T:
 aclent_printacl(aclp);
 break;
 case ACE_T:
- ace_printacl(aclp, cols, compact);
+ ace_printacl(aclp, cols, flgs);
 break;
 }
 }
diff --git a/usr/src/lib/libsec/common/aclutils.h b/usr/src/lib/libsec/common/aclutils.h
index e3e6d130f6..706d880e4b 100644
--- a/usr/src/lib/libsec/common/aclutils.h
+++ b/usr/src/lib/libsec/common/aclutils.h
@@ -22,6 +22,7 @@
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 *
+ * Copyright 2016 Nexenta Systems, Inc. All rights reserved.
 * Copyright 2022 RackTop Systems, Inc.
 */
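Review bot: In the hunk at -1111, acl_printacl2 and the retained acl_printacl carry the same `switch (aclp->acl_type)` body, which invites the two drifting apart. The compatibility entry point can be reduced to `acl_printacl2(aclp, cols, compact ? ACL_COMPACT_FMT : 0);`. The pre-existing header comment about the "slot" number now sits above acl_printacl2, and it should gain a line naming the flag bits the function honours; the ls caller in this commit passes ACL_COMPACT_FMT, ACL_NORESOLVE and ACL_SID_FMT.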
@@ -130,6 +131,7 @@ extern int acl_addentries(acl_t *, acl_t *, int); extern int acl_removeentries(acl_t *, acl_t *, int, int); extern int acl_modifyentries(acl_t *, acl_t *, int); extern void acl_printacl(acl_t *, int, int); +extern void acl_printacl2(acl_t *, int, int); extern char *acl_strerror(int); extern acl_t *acl_dup(acl_t *); extern int acl_type(acl_t *); @@ -142,6 +144,7 @@ extern int yyparse(void); extern void yyreset(void); extern void yycleanup(void); extern acl_t *acl_to_aclp(enum acl_type, void *, int); +extern int sid_string_by_id(uid_t, boolean_t, char **, boolean_t); extern int sid_to_id(char *, boolean_t, uid_t *); extern int sid_to_xid(char *, int *, uid_t *); diff --git a/usr/src/lib/libsec/common/mapfile-vers b/usr/src/lib/libsec/common/mapfile-vers index 87e9ea6019..3fb8b52e25 100644 --- a/usr/src/lib/libsec/common/mapfile-vers +++ b/usr/src/lib/libsec/common/mapfile-vers @@ -20,6 +20,7 @@ # # # Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright 2016 Nexenta Systems, Inc. All rights reserved. # # @@ -83,10 +84,12 @@ SYMBOL_VERSION SUNWprivate_1.1 { acl_modifyentries; acl_parse; acl_printacl; + acl_printacl2; acl_removeentries; acl_strerror; acl_to_aclp; acl_type; + sid_string_by_id; sid_to_id; local: *; diff --git a/usr/src/man/man1/ls.1 b/usr/src/man/man1/ls.1 index 952b65c845..bbd98e7556 100644 --- a/usr/src/man/man1/ls.1 +++ b/usr/src/man/man1/ls.1 @@ -43,7 +43,7 @@ .\" Copyright 1989 AT&T .\" Portions Copyright (c) 1992, X/Open Company Limited All Rights Reserved .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved -.\" Copyright 2014 Nexenta Systems, Inc. All Rights Reserved. +.\" Copyright 2016 Nexenta Systems, Inc. All Rights Reserved. .\" .TH LS 1 "Apr 25, 2020" .SH NAME 
@@ -1183,7 +1183,12 @@ Streams output format. Files are listed across the page, separated by commas. .sp .6 .RS 4n The same as \fB-l\fR, except that the owner's \fBUID\fR and group's \fBGID\fR -numbers are printed, rather than the associated character strings. +numbers are printed, rather than the associated character strings. For files +which owner and/or group is a Windows Security Identifier (\fBSID\fR), \fB-n\fR +suppresses any lookups for the Windows Name string and prints only the raw SID. +Moreover, a second instance of this flag (\fB-nn\fR) can be used to further +suppress \fBidmapd\fR(1M) lookups of the file's owner and/or group SID, thus +forcing \fBls\fR into printing the raw ephemeral numeric identifiers. .RE .sp @@ -2829,3 +2834,9 @@ overridden by the \fBLC_COLLATE\fR environment variable. For example, if beginning with upper-case letters, then followed by names beginning with lower-case letters. But if \fBLC_COLLATE\fR equals \fBen_US.ISO8859-1\fR, then leading dots as well as case are ignored in determining the sort order. +.sp +.LP +For additional information regarding Windows Security Identifiers, consult +Microsoft support document, \fIWell-known security identifiers in Windows +operating systems\fR, which can be found at Microsoft's support site: +https://support.microsoft.com/en-us/kb/243330/. diff --git a/usr/src/pkg/manifests/system-microcode-amd.p5m b/usr/src/pkg/manifests/system-microcode-amd.p5m index a79641cbc4..77e52a2946 100644 --- a/usr/src/pkg/manifests/system-microcode-amd.p5m +++ b/usr/src/pkg/manifests/system-microcode-amd.p5m 
@@ -35,7 +35,7 @@ # <include global_zone_only_component> set name=pkg.fmri \ - value=pkg:/system/microcode/amd@20220408,$(PKGVERS_BUILTON)-$(PKGVERS_BRANCH) + value=pkg:/system/microcode/amd@20220930,$(PKGVERS_BUILTON)-$(PKGVERS_BRANCH) set name=pkg.summary value="Microcode for AMD CPUs" set name=pkg.description value="Microcode for AMD CPUs" set name=info.classification value=org.opensolaris.category.2008:System/Core diff --git a/usr/src/pkg/manifests/system-test-smbsrvtest.p5m b/usr/src/pkg/manifests/system-test-smbsrvtest.p5m index 109cb6ccb9..96025785e0 100644 --- a/usr/src/pkg/manifests/system-test-smbsrvtest.p5m +++ b/usr/src/pkg/manifests/system-test-smbsrvtest.p5m @@ -9,7 +9,7 @@ # http://www.illumos.org/license/CDDL. # -# Copyright 2021 Tintri by DDN, Inc. All rights reserved. +# Copyright 2022 Tintri by DDN, Inc. All rights reserved. set name=pkg.fmri value=pkg:/system/test/smbsrvtest@$(PKGVERS) set name=pkg.summary value="SMB Server Functional Tests" @@ -27,6 +27,9 @@ file path=opt/smbsrv-tests/include/default.cfg mode=0444 file path=opt/smbsrv-tests/include/smbtor-excl-rpc.txt mode=0444 file path=opt/smbsrv-tests/include/smbtor-excl-smb2.txt mode=0444 dir path=opt/smbsrv-tests/tests +dir path=opt/smbsrv-tests/tests/smb_sid +file path=opt/smbsrv-tests/tests/smb_sid/large_sids_kern mode=0555 +file path=opt/smbsrv-tests/tests/smb_sid/large_sids_lib mode=0555 dir path=opt/smbsrv-tests/tests/smbtorture file path=opt/smbsrv-tests/tests/smbtorture/runst-rpc mode=0555 file path=opt/smbsrv-tests/tests/smbtorture/runst-smb2 mode=0555 diff --git a/usr/src/test/smbsrv-tests/cmd/smbsrvtests.ksh b/usr/src/test/smbsrv-tests/cmd/smbsrvtests.ksh index aab3ad0c8f..dd2053bc01 100644 --- a/usr/src/test/smbsrv-tests/cmd/smbsrvtests.ksh +++ b/usr/src/test/smbsrv-tests/cmd/smbsrvtests.ksh @@ -12,7 +12,7 @@ # # -# Copyright 2021 Tintri by DDN, Inc. All rights reserved. +# Copyright 2022 Tintri by DDN, Inc. All rights reserved. # # Run all the smbsrv-tests 
@@ -49,3 +49,5 @@ set -x $SMBSRV_TESTS/tests/smbtorture/runst-smb2 $SMBSRV_TESTS/tests/smbtorture/runst-rpc +$SMBSRV_TESTS/tests/smb_sid/large_sids_lib +$SMBSRV_TESTS/tests/smb_sid/large_sids_kern diff --git a/usr/src/test/smbsrv-tests/tests/smb_sid/Makefile b/usr/src/test/smbsrv-tests/tests/smb_sid/Makefile new file mode 100644 index 0000000000..d3e11c6ef5 --- /dev/null +++ b/usr/src/test/smbsrv-tests/tests/smb_sid/Makefile @@ -0,0 +1,66 @@ +# +# This file and its contents are supplied under the terms of the +# Common Development and Distribution License ("CDDL"), version 1.0. +# You may only use this file in accordance with the terms of version +# 1.0 of the CDDL. +# +# A full copy of the text of the CDDL should have accompanied this +# source. A copy of the CDDL is also available via the Internet at +# http://www.illumos.org/license/CDDL. +# + +# +# Copyright (c) 2012, 2016 by Delphix. All rights reserved. +# Copyright 2022 Tintri by DDN, Inc. All rights reserved. +# +include $(SRC)/cmd/Makefile.cmd +include $(SRC)/test/Makefile.com + +PROG = large_sids_lib large_sids_kern +KERN_OBJS = smb_sid.o + +large_sids_lib := LDLIBS += -L$(ROOT)/usr/lib/smbsrv -lsmb +large_sids_lib := LDFLAGS += -R/usr/lib/smbsrv +large_sids_kern := LDLIBS64 += -lfakekernel + +smb_sid.o := CPPFLAGS.first += -I $(SRC)/lib/libfakekernel/common -D_FAKE_KERNEL + +ROOTOPTPKG = $(ROOT)/opt/smbsrv-tests +TESTDIR = $(ROOTOPTPKG)/tests/smb_sid + +CMDS = $(PROG:%=$(TESTDIR)/%) +$(CMDS) := FILEMODE = 0555 + +CSTD = $(CSTD_GNU99) + +all: $(PROG) + +$(TESTDIR): + $(INS.dir) + +$(TESTDIR)/%: % + $(INS.file) + +%_lib: %.c + $(LINK.c) -o $@ $< $(LDLIBS) + $(POST_PROCESS) + +%_kern: %.c $(KERN_OBJS) + $(LINK64.c) -o $@ $^ $(LDLIBS64) + $(POST_PROCESS) + +smb_sid.c: $(SRC)/common/smbsrv/smb_sid.c + $(CP) $^ $@ + +%.o: %.c + $(COMPILE64.c) $< + +install: all $(CMDS) + +clobber: clean + -$(RM) $(PROG) + +clean: + -$(RM) $(KERN_OBJS) + +$(CMDS): $(TESTDIR) $(PROG) 
diff --git a/usr/src/test/smbsrv-tests/tests/smb_sid/large_sids.c b/usr/src/test/smbsrv-tests/tests/smb_sid/large_sids.c
new file mode 100644
index 0000000000..267fdd734c
--- /dev/null
+++ b/usr/src/test/smbsrv-tests/tests/smb_sid/large_sids.c
@@ -0,0 +1,104 @@
+/*
+ * This file and its contents are supplied under the terms of the
+ * Common Development and Distribution License ("CDDL"), version 1.0.
+ * You may only use this file in accordance with the terms of version
+ * 1.0 of the CDDL.
+ *
+ * A full copy of the text of the CDDL should have accompanied this
+ * source. A copy of the CDDL is also available via the Internet at
+ * http://www.illumos.org/license/CDDL.
+ */
+
+/*
+ * Copyright 2022 Tintri by DDN, Inc. All rights reserved.
+ */
+
+/*
+ * Test usr/src/common/smbsrv/smb_sid.c with large SIDs
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <smbsrv/smb_sid.h>
+#include <limits.h>
+
+void
+test_sid(const char *sidstr, uint8_t idauth, const uint32_t *subauths,
+ size_t subauth_cnt)
+{
+ char newstr[1024];
+ smb_sid_t *sid;
+ int i;
+
+ sid = smb_sid_fromstr(sidstr);
+ if (!smb_sid_isvalid(sid)) {
+ fprintf(stderr, "SID %s not valid: %p\n", sidstr, sid);
+ exit(1);
+ }
+
+ smb_sid_tostr(sid, newstr);
+
+ if (strncmp(sidstr, newstr, sizeof (newstr)) != 0) {
+ fprintf(stderr, "SID %s did not match decoded SID %s\n",
+ sidstr, newstr);
+ exit(5);
+ }
+
+ if (subauths == NULL) {
+ smb_sid_free(sid);
+ return;
+ }
+
+ if (sid->sid_authority[5] != idauth) {
+ fprintf(stderr, "Wrong SID authority %u (expected %u): %s\n",
+ sid->sid_authority, idauth, sidstr);
+ exit(2);
+ }
+
+ if (sid->sid_subauthcnt != subauth_cnt) {
+ fprintf(stderr, "Wrong subauthcnt %u (expected %u): %s\n",
+ sid->sid_subauthcnt, subauth_cnt, sidstr);
+ exit(3);
+ }
+
+ for (i = 0; i < subauth_cnt; i++) {
+ if (sid->sid_subauth[i] != subauths[i]) {
+ fprintf(stderr,
+ "Wrong subauthcnt %u (expected %u): %s\n",
+ sid->sid_subauthcnt, subauth_cnt, sidstr);
+ exit(4);
+ }
+ }
+
+ smb_sid_free(sid);
+}
+
+int
+main(int argc, char *argv[])
+{
+ char sid[1024];
+ uint32_t subauths[NT_SID_SUBAUTH_MAX];
+ size_t len = sizeof (sid);
+ int off = 0;
+ int i, idauth;
+
+ if (argc > 1) {
+ test_sid(argv[1], 0, NULL, 0);
+ goto out;
+ }
+
+ for (idauth = 2; idauth <= UINT8_MAX; idauth += 11) {
+ off = snprintf(&sid[0], len, "S-1-%u", idauth);
+ for (i = 0; i < NT_SID_SUBAUTH_MAX; i++) {
+ subauths[i] = arc4random();
+ off += snprintf(&sid[off], len - off,
+ "-%u", subauths[i]);
+ }
+ test_sid(sid, idauth, subauths, NT_SID_SUBAUTH_MAX);
+ }
+
+out:
+ printf("success!\n");
+ return (0);
+}
diff --git a/usr/src/uts/common/fs/smbsrv/smb_sd.c b/usr/src/uts/common/fs/smbsrv/smb_sd.c
index 946503fa8f..b5dc88db58 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_sd.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_sd.c
@@ -89,6 +89,9 @@ smb_sd_len(smb_sd_t *sd, uint32_t secinfo)
 *
 * Return the security information mask for the specified security
 * descriptor.
+ *
+ * Note: This is used for 'create-with-sd'. 'set-security-info' provides the
+ * secinfo as part of the request, but create does not, so we must infer it.
 */
 uint32_t
 smb_sd_get_secinfo(smb_sd_t *sd)
@@ -104,10 +107,10 @@ smb_sd_get_secinfo(smb_sd_t *sd)
 if (sd->sd_group)
 sec_info |= SMB_GROUP_SECINFO;
- if (sd->sd_dacl)
+ if ((sd->sd_control & SE_DACL_PRESENT) != 0)
 sec_info |= SMB_DACL_SECINFO;
- if (sd->sd_sacl)
+ if ((sd->sd_control & SE_SACL_PRESENT) != 0)
 sec_info |= SMB_SACL_SECINFO;
 return (sec_info);
diff --git a/usr/src/uts/intel/io/vmm/io/iommu.c b/usr/src/uts/intel/io/vmm/io/iommu.c
index 8374a6da58..8d22c4901e 100644
--- a/usr/src/uts/intel/io/vmm/io/iommu.c
+++ b/usr/src/uts/intel/io/vmm/io/iommu.c
@@ -70,12 +70,10 @@ ddi_modhandle_t iommu_modhdl;
 static const struct iommu_ops *ops;
 static void *host_domain;
-static volatile uint_t iommu_initted;
-
 static int
 iommu_find_device(dev_info_t *dip, void *arg)
 {
- boolean_t add = (boolean_t)arg;
+ boolean_t add = (boolean_t)(uintptr_t)arg;
 if (pcie_is_pci_device(dip)) {
 if (add) |
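Review bot: The new test in large_sids.c only feeds well-formed, maximum-length SIDs, so none of the rejection paths this commit adds to smb_sid_fromstr (identifier authority above UINT8_MAX, sub-authority above UINT32_MAX, a non-digit after a number) is exercised, nor is a string with more than NT_SID_SUBAUTH_MAX sub-authorities. A small table of strings that must make smb_sid_fromstr return NULL, run against both the lib and kern builds, would cover them. In test_sid the authority failure message passes the array `sid->sid_authority` to `%u` where `sid->sid_authority[5]` is meant, the `size_t subauth_cnt` is printed with `%u` rather than `%zu`, and the per-element mismatch message reports the counts instead of `sid->sid_subauth[i]` and `subauths[i]`. Because the inputs come from `arc4random()`, printing the index and both values on failure is what makes a failing run diagnosable.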
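Review bot: smb_sd_get_secinfo now derives SMB_DACL_SECINFO and SMB_SACL_SECINFO from the `SE_DACL_PRESENT` / `SE_SACL_PRESENT` control bits, so the returned mask can include the DACL bit while `sd->sd_dacl` is NULL. That is the NULL-DACL case the commit title targets, but a NULL DACL places no restriction on access, so the code consuming this mask (outside this diff) has to tolerate a NULL `sd_dacl` pointer and apply that outcome deliberately rather than by accident. The reverse also changes: a non-NULL `sd_dacl` with the control bit clear is no longer reported. I would extend the new comment with a line such as `A present-but-NULL DACL or SACL is reported here; callers must handle a NULL pointer.` The function body starts between the two smb_sd.c hunks and is only partly visible.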