diff options
| author | Jerry Jelinek <jerry.jelinek@joyent.com> | 2019-11-15 12:25:21 +0000 |
|---|---|---|
| committer | Jerry Jelinek <jerry.jelinek@joyent.com> | 2019-11-15 12:25:21 +0000 |
| commit | 20413c4609984695499fa634908cd2e67fd9e2cc (patch) | |
| tree | 5e15a21fca775697c392e4a63e2b26d75cf7493d /usr/src | |
| parent | 5cb315633c04958c08cfb359a7fa032ce09bdbd1 (diff) | |
| parent | e89be50a407de17396dc2e87e7f9aa8160182fb6 (diff) | |
| download | illumos-joyent-20413c4609984695499fa634908cd2e67fd9e2cc.tar.gz | |
[illumos-gate merge]
commit e89be50a407de17396dc2e87e7f9aa8160182fb6
11961 add DDI UFM support to the nvme driver
commit f21abddf5629122d5dd1aa759e5ec0f27610c188
11963 Allow ptree(1) to wrap output
commit cb09bd3c63580aef9fe1999ae4e48a8a5b9cf55c
11935 loader: fix memory corruption bug in vdev_read
commit f67d64d998ff666158cc5231b7e80c11c3e922e0
11954 rpcmod: Possible memory leak in connmgr_get()
11955 clnt_cots: kmem_free(NULL, 0) is legal
commit f0c1c263e90642997cf3e76484abec617782ddb8
9601 Divide by zero in i40e_get_available_resources()
commit 67806cd738bddbbd117d50180c8f96050a49a8cc
11933 loader: we can not read log device but we need to know about
commit 4b6bffb4c4308c6219c095d4cf5bf96bb0970e04
11928 rpcmod's clnt_cots can do zero-length kmem allocations
commit 48f31329f53c9b7554a923cb617ff7eecb6137e1
11854 Domain Admins shouldn't always be Administrators
commit 3c1aa8841c55cae7b41cc9b045a71b2fffd4d0cb
11853 Administrators should have Backup and Restore privileges by default
commit 0292c176d853baa7e46c9ff8e4f16f63b8cbd6e5
11773 Need ways to override Domain Admins' full control
commit 06721c885c2d7becabe2cba874b84cdfba66eb47
11852 SMB should explicitly fail deletion of mountpoints
commit dafb549fce563c2f4123e8957dc8a1d921bf0fca
11039 All zfs/nfs/smb threads in door calls to idle idmap
commit 4ad35fa3117b4f36004f76885e267a46c738a794
11038 SMB2 server should require signed Validate Negotiate requests
Conflicts:
usr/src/uts/common/io/nvme/nvme_var.h
usr/src/uts/common/io/nvme/nvme.c
exception_lists/wscheck
Diffstat (limited to 'usr/src')
35 files changed, 549 insertions, 188 deletions
diff --git a/usr/src/boot/Makefile.version b/usr/src/boot/Makefile.version index a161b24487..46e00fbcea 100644 --- a/usr/src/boot/Makefile.version +++ b/usr/src/boot/Makefile.version @@ -33,4 +33,4 @@ LOADER_VERSION = 1.1 # Use date like formatting here, YYYY.MM.DD.XX, without leading zeroes. # The version is processed from left to right, the version number can only # be increased. -BOOT_VERSION = $(LOADER_VERSION)-2019.11.05.1 +BOOT_VERSION = $(LOADER_VERSION)-2019.11.06.1 diff --git a/usr/src/boot/lib/libstand/zfs/zfs.c b/usr/src/boot/lib/libstand/zfs/zfs.c index e76f1ada52..665d0b4a48 100644 --- a/usr/src/boot/lib/libstand/zfs/zfs.c +++ b/usr/src/boot/lib/libstand/zfs/zfs.c @@ -347,57 +347,107 @@ vdev_read(vdev_t *vdev __unused, void *priv, off_t offset, void *buf, size_t bytes) { int fd, ret; - size_t res, size, remainder, rb_size, blksz; - unsigned secsz; - off_t off; - char *bouncebuf, *rb_buf; + size_t res, head, tail, total_size, full_sec_size; + unsigned secsz, do_tail_read; + off_t start_sec; + char *outbuf, *bouncebuf; fd = (uintptr_t)priv; + outbuf = (char *)buf; bouncebuf = NULL; ret = ioctl(fd, DIOCGSECTORSIZE, &secsz); if (ret != 0) return (ret); - off = offset / secsz; - remainder = offset % secsz; - if (lseek(fd, off * secsz, SEEK_SET) == -1) - return (errno); - - rb_buf = buf; - rb_size = bytes; - size = roundup2(bytes + remainder, secsz); - blksz = size; - if (remainder != 0 || size != bytes) { - bouncebuf = zfs_alloc(secsz); + /* + * Handling reads of arbitrary offset and size - multi-sector case + * and single-sector case. + * + * Multi-sector Case + * (do_tail_read = true if tail > 0) + * + * |<----------------------total_size--------------------->| + * | | + * |<--head-->|<--------------bytes------------>|<--tail-->| + * | | | | + * | | |<~full_sec_size~>| | | + * +------------------+ +------------------+ + * | |0101010| . . . |0101011| | + * +------------------+ +------------------+ + * start_sec start_sec + n + * + * + * Single-sector Case + * (do_tail_read = false) + * + * |<------total_size = secsz----->| + * | | + * |<-head->|<---bytes--->|<-tail->| + * +-------------------------------+ + * | |0101010101010| | + * +-------------------------------+ + * start_sec + */ + start_sec = offset / secsz; + head = offset % secsz; + total_size = roundup2(head + bytes, secsz); + tail = total_size - (head + bytes); + do_tail_read = ((tail > 0) && (head + bytes > secsz)); + full_sec_size = total_size; + if (head > 0) + full_sec_size -= secsz; + if (do_tail_read) + full_sec_size -= secsz; + + /* Return of partial sector data requires a bounce buffer. */ + if ((head > 0) || do_tail_read) { + bouncebuf = malloc(secsz); if (bouncebuf == NULL) { printf("vdev_read: out of memory\n"); return (ENOMEM); } - rb_buf = bouncebuf; - blksz = rb_size - remainder; } - while (bytes > 0) { - res = read(fd, rb_buf, rb_size); - if (res != rb_size) { + if (lseek(fd, start_sec * secsz, SEEK_SET) == -1) { + ret = errno; + goto error; + } + + /* Partial data return from first sector */ + if (head > 0) { + res = read(fd, bouncebuf, secsz); + if (res != secsz) { + ret = EIO; + goto error; + } + memcpy(outbuf, bouncebuf + head, min(secsz - head, bytes)); + outbuf += min(secsz - head, bytes); + } + + /* Full data return from read sectors */ + if (full_sec_size > 0) { + res = read(fd, outbuf, full_sec_size); + if (res != full_sec_size) { + ret = EIO; + goto error; + } + outbuf += full_sec_size; + } + + /* Partial data return from last sector */ + if (do_tail_read) { + res = read(fd, bouncebuf, secsz); + if (res != secsz) { ret = EIO; goto error; } - if (bytes < blksz) - blksz = bytes; - if (bouncebuf != NULL) - memcpy(buf, rb_buf + remainder, blksz); - buf = (void *)((uintptr_t)buf + blksz); - bytes -= blksz; - remainder = 0; - blksz = rb_size; + memcpy(outbuf, bouncebuf, secsz - tail); } ret = 0; error: - if (bouncebuf != NULL) - zfs_free(bouncebuf, secsz); + free(bouncebuf); return (ret); } diff --git a/usr/src/boot/lib/libstand/zfs/zfsimpl.c b/usr/src/boot/lib/libstand/zfs/zfsimpl.c index fba9f1fc59..7d0d79b922 100644 --- a/usr/src/boot/lib/libstand/zfs/zfsimpl.c +++ b/usr/src/boot/lib/libstand/zfs/zfsimpl.c @@ -1106,6 +1106,7 @@ vdev_init_from_nvlist(const unsigned char *nvlist, vdev_t *pvdev, const unsigned char *kids; int nkids, i, is_new; uint64_t is_offline, is_faulted, is_degraded, is_removed, isnt_present; + uint64_t is_log; if (nvlist_find(nvlist, ZPOOL_CONFIG_GUID, DATA_TYPE_UINT64, NULL, &guid) || @@ -1129,6 +1130,7 @@ vdev_init_from_nvlist(const unsigned char *nvlist, vdev_t *pvdev, } is_offline = is_removed = is_faulted = is_degraded = isnt_present = 0; + is_log = 0; nvlist_find(nvlist, ZPOOL_CONFIG_OFFLINE, DATA_TYPE_UINT64, NULL, &is_offline); @@ -1140,6 +1142,8 @@ vdev_init_from_nvlist(const unsigned char *nvlist, vdev_t *pvdev, &is_degraded); nvlist_find(nvlist, ZPOOL_CONFIG_NOT_PRESENT, DATA_TYPE_UINT64, NULL, &isnt_present); + nvlist_find(nvlist, ZPOOL_CONFIG_IS_LOG, DATA_TYPE_UINT64, NULL, + &is_log); vdev = vdev_find(guid); if (!vdev) { @@ -1226,6 +1230,7 @@ vdev_init_from_nvlist(const unsigned char *nvlist, vdev_t *pvdev, return (ENOMEM); vdev->v_name = name; } + vdev->v_islog = is_log == 1; } else { is_new = 0; } @@ -1429,6 +1434,12 @@ vdev_status(vdev_t *vdev, int indent) { vdev_t *kid; int ret; + + if (vdev->v_islog) { + (void)pager_output(" logs\n"); + indent++; + } + ret = print_state(indent, vdev->v_name, vdev->v_state); if (ret != 0) return (ret); @@ -1759,12 +1770,6 @@ vdev_probe(vdev_phys_read_t *phys_read, void *read_priv, spa_t **spap) return (EIO); } - if (nvlist_find(nvlist, ZPOOL_CONFIG_IS_LOG, DATA_TYPE_UINT64, - NULL, &val) == 0 && val != 0) { - free(nvlist); - return (EIO); - } - /* * Create the pool if this is the first time we've seen it. */ @@ -1839,6 +1844,9 @@ vdev_probe(vdev_phys_read_t *phys_read, void *read_priv, spa_t **spap) return (EIO); } + if (vdev->v_islog) + spa->spa_with_log = vdev->v_islog; + /* Record boot vdev for spa. */ if (is_newer == 1) spa->spa_boot_vdev = vdev; diff --git a/usr/src/boot/sys/cddl/boot/zfs/zfsimpl.h b/usr/src/boot/sys/cddl/boot/zfs/zfsimpl.h index 8f45983761..6b629f8fe5 100644 --- a/usr/src/boot/sys/cddl/boot/zfs/zfsimpl.h +++ b/usr/src/boot/sys/cddl/boot/zfs/zfsimpl.h @@ -1770,6 +1770,7 @@ typedef struct vdev { vdev_phys_read_t *v_phys_read; /* read from raw leaf vdev */ vdev_read_t *v_read; /* read from vdev */ void *v_read_priv; /* private data for read function */ + boolean_t v_islog; struct spa *spa; /* link to spa */ /* * Values stored in the config for an indirect or removing vdev. @@ -1795,6 +1796,7 @@ typedef struct spa { void *spa_cksum_tmpls[ZIO_CHECKSUM_FUNCTIONS]; int spa_inited; /* initialized */ vdev_t *spa_boot_vdev; /* boot device for kernel */ + boolean_t spa_with_log; /* this pool has log */ } spa_t; /* IO related arguments. */ diff --git a/usr/src/cmd/idmap/idmapd/idmap_lsa.c b/usr/src/cmd/idmap/idmapd/idmap_lsa.c index 28c6c2755e..12296e822c 100644 --- a/usr/src/cmd/idmap/idmapd/idmap_lsa.c +++ b/usr/src/cmd/idmap/idmapd/idmap_lsa.c @@ -21,7 +21,7 @@ /* * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2014 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta Systems, Inc. All rights reserved. */ /* @@ -83,9 +83,9 @@ lookup_lsa_by_sid( (void) snprintf(sid, sizeof (sid), "%s-%u", sidprefix, rid); - rc = smb_lookup_sid(sid, &acct); + rc = smb_lookup_lsid(sid, &acct); if (rc != 0) { - idmapdlog(LOG_ERR, "Error: smb_lookup_sid failed."); + idmapdlog(LOG_ERR, "Error: SMB lookup SID failed."); idmapdlog(LOG_ERR, "Check SMB service (svc:/network/smb/server)."); idmapdlog(LOG_ERR, @@ -100,7 +100,7 @@ lookup_lsa_by_sid( } if (acct.a_status != NT_STATUS_SUCCESS) { idmapdlog(LOG_WARNING, - "Warning: smb_lookup_sid(%s) failed (0x%x)", + "Warning: SMB lookup SID(%s) failed (0x%x)", sid, acct.a_status); /* Fail soft */ ret = IDMAP_ERR_NOTFOUND; @@ -167,9 +167,9 @@ lookup_lsa_by_name( goto out; } - rc = smb_lookup_name(namedom, SidTypeUnknown, &acct); + rc = smb_lookup_lname(namedom, SidTypeUnknown, &acct); if (rc != 0) { - idmapdlog(LOG_ERR, "Error: smb_lookup_name failed."); + idmapdlog(LOG_ERR, "Error: SMB lookup name failed."); idmapdlog(LOG_ERR, "Check SMB service (svc:/network/smb/server)."); idmapdlog(LOG_ERR, @@ -183,7 +183,7 @@ lookup_lsa_by_name( } if (acct.a_status != NT_STATUS_SUCCESS) { idmapdlog(LOG_WARNING, - "Warning: smb_lookup_name(%s) failed (0x%x)", + "Warning: SMB lookup name(%s) failed (0x%x)", namedom, acct.a_status); /* Fail soft */ ret = IDMAP_ERR_NOTFOUND; diff --git a/usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c b/usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c index 4195a62149..7fc4ec3afc 100644 --- a/usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c +++ b/usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c @@ -21,7 +21,7 @@ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2017 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ #include <mdb/mdb_modapi.h> @@ -1409,6 +1409,12 @@ user_priv_bits[] = { { "CHANGE_NOTIFY", SMB_USER_PRIV_CHANGE_NOTIFY, SMB_USER_PRIV_CHANGE_NOTIFY }, + { "READ_FILE", + SMB_USER_PRIV_READ_FILE, + SMB_USER_PRIV_READ_FILE }, + { "WRITE_FILE", + SMB_USER_PRIV_WRITE_FILE, + SMB_USER_PRIV_WRITE_FILE }, { NULL, 0, 0 } }; diff --git a/usr/src/cmd/ptools/ptree/ptree.c b/usr/src/cmd/ptools/ptree/ptree.c index 83f9c3c7e1..82a32bf46c 100644 --- a/usr/src/cmd/ptools/ptree/ptree.c +++ b/usr/src/cmd/ptools/ptree/ptree.c @@ -90,6 +90,7 @@ static int aflag = 0; static int cflag = 0; static int gflag = 0; static int sflag = 0; +static int wflag = 0; static int zflag = 0; static zoneid_t zoneid; static char *match_svc; @@ -149,6 +150,8 @@ usage(void) (void) fprintf(stderr, " -s : print only processes with given service FMRI\n"); (void) fprintf(stderr, + " -w : allow lines to wrap instead of truncating\n"); + (void) fprintf(stderr, " -z : print only processes in given zone\n"); exit(2); } @@ -164,7 +167,7 @@ main(int argc, char **argv) ps_t *p; /* options */ - while ((opt = getopt(argc, argv, "acgs:z:")) != EOF) { + while ((opt = getopt(argc, argv, "acgs:wz:")) != EOF) { switch (opt) { case 'a': /* include children of process 0 */ aflag = 1; @@ -180,6 +183,9 @@ main(int argc, char **argv) sflag = 1; match_svc = parse_svc(optarg, &match_inst); break; + case 'w': + wflag = 1; + break; case 'z': /* only processes in given zone */ zflag = 1; zoneid = getzone(optarg); @@ -196,8 +202,10 @@ main(int argc, char **argv) if (errflg) usage(); - columns = get_termwidth(); - VERIFY3S(columns, >, 0); + if (!wflag) { + columns = get_termwidth(); + VERIFY3S(columns, >, 0); + } nps = 0; psize = 0; @@ -334,8 +342,14 @@ printone(ps_t *p, int level) if (p->done && !FAKEDPID0(p)) { indent = level * 2; - if ((n = columns - PIDWIDTH - indent - 2) < 0) - n = 0; + + if (wflag) { + n = strlen(p->psargs); + } else { + if ((n = columns - PIDWIDTH - indent - 2) < 0) + n = 0; + } + printlines(p, level); if (p->pid >= 0) { (void) printf("%-*d %.*s\n", PIDWIDTH, (int)p->pid, n, diff --git a/usr/src/cmd/smbsrv/smbadm/smbadm.c b/usr/src/cmd/smbsrv/smbadm/smbadm.c index d8509aecdf..4d06c00b36 100644 --- a/usr/src/cmd/smbsrv/smbadm/smbadm.c +++ b/usr/src/cmd/smbsrv/smbadm/smbadm.c @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2017 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ /* @@ -178,6 +178,10 @@ static smbadm_prop_handle_t *smbadm_prop_gethandle(char *pname); static boolean_t smbadm_chkprop_priv(smbadm_prop_t *prop); static int smbadm_setprop_tkowner(char *gname, smbadm_prop_t *prop); static int smbadm_getprop_tkowner(char *gname, smbadm_prop_t *prop); +static int smbadm_setprop_readfile(char *gname, smbadm_prop_t *prop); +static int smbadm_getprop_readfile(char *gname, smbadm_prop_t *prop); +static int smbadm_setprop_writefile(char *gname, smbadm_prop_t *prop); +static int smbadm_getprop_writefile(char *gname, smbadm_prop_t *prop); static int smbadm_setprop_backup(char *gname, smbadm_prop_t *prop); static int smbadm_getprop_backup(char *gname, smbadm_prop_t *prop); static int smbadm_setprop_restore(char *gname, smbadm_prop_t *prop); @@ -192,6 +196,10 @@ static smbadm_prop_handle_t smbadm_ptable[] = { smbadm_getprop_restore, smbadm_chkprop_priv }, {"take-ownership", "on|off", smbadm_setprop_tkowner, smbadm_getprop_tkowner, smbadm_chkprop_priv }, + {"bypass-read", "on|off", smbadm_setprop_readfile, + smbadm_getprop_readfile, smbadm_chkprop_priv }, + {"bypass-write", "on|off", smbadm_setprop_writefile, + smbadm_getprop_writefile, smbadm_chkprop_priv }, {"description", "<string>", smbadm_setprop_desc, smbadm_getprop_desc, NULL }, }; @@ -1807,6 +1815,30 @@ smbadm_getprop_tkowner(char *gname, smbadm_prop_t *prop) } static int +smbadm_setprop_readfile(char *gname, smbadm_prop_t *prop) +{ + return (smbadm_group_setpriv(gname, SE_READ_FILE_LUID, prop)); +} + +static int +smbadm_getprop_readfile(char *gname, smbadm_prop_t *prop) +{ + return (smbadm_group_getpriv(gname, SE_READ_FILE_LUID, prop)); +} + +static int +smbadm_setprop_writefile(char *gname, smbadm_prop_t *prop) +{ + return (smbadm_group_setpriv(gname, SE_WRITE_FILE_LUID, prop)); +} + +static int +smbadm_getprop_writefile(char *gname, smbadm_prop_t *prop) +{ + return (smbadm_group_getpriv(gname, SE_WRITE_FILE_LUID, prop)); +} + +static int smbadm_setprop_backup(char *gname, smbadm_prop_t *prop) { return (smbadm_group_setpriv(gname, SE_BACKUP_LUID, prop)); diff --git a/usr/src/cmd/smbsrv/smbd/smbd_doorsvc.c b/usr/src/cmd/smbsrv/smbd/smbd_doorsvc.c index e13f271e51..4434dc2b29 100644 --- a/usr/src/cmd/smbsrv/smbd/smbd_doorsvc.c +++ b/usr/src/cmd/smbsrv/smbd/smbd_doorsvc.c @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2014 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta Systems, Inc. All rights reserved. */ #include <sys/list.h> @@ -103,7 +103,9 @@ smbd_doorop_t smbd_doorops[] = { { SMB_DR_DFS_GET_REFERRALS, smbd_dop_dfs_get_referrals }, { SMB_DR_SHR_HOSTACCESS, smbd_dop_shr_hostaccess }, { SMB_DR_SHR_EXEC, smbd_dop_shr_exec }, - { SMB_DR_NOTIFY_DC_CHANGED, smbd_dop_notify_dc_changed } + { SMB_DR_NOTIFY_DC_CHANGED, smbd_dop_notify_dc_changed }, + { SMB_DR_LOOKUP_LSID, smbd_dop_lookup_sid }, + { SMB_DR_LOOKUP_LNAME, smbd_dop_lookup_name } }; static int smbd_ndoorop = (sizeof (smbd_doorops) / sizeof (smbd_doorops[0])); @@ -581,6 +583,10 @@ smbd_dop_user_auth_logon(smbd_arg_t *arg) return (SMB_DOP_EMPTYBUF); } +/* + * SMB_DR_LOOKUP_NAME, + * SMB_DR_LOOKUP_LNAME (local-only, for idmap) + */ static int smbd_dop_lookup_name(smbd_arg_t *arg) { @@ -604,7 +610,24 @@ smbd_dop_lookup_name(smbd_arg_t *arg) (void) snprintf(buf, MAXNAMELEN, "%s\\%s", acct.a_domain, acct.a_name); - acct.a_status = lsa_lookup_name(buf, acct.a_sidtype, &ainfo); + switch (arg->hdr.dh_op) { + case SMB_DR_LOOKUP_NAME: + acct.a_status = lsa_lookup_name(buf, acct.a_sidtype, &ainfo); + break; + + case SMB_DR_LOOKUP_LNAME: + /* + * Basically for idmap. Don't call out to AD. + */ + acct.a_status = lsa_lookup_lname(buf, acct.a_sidtype, &ainfo); + break; + + default: + assert(!"arg->hdr.dh_op"); + acct.a_status = NT_STATUS_INTERNAL_ERROR; + break; + } + if (acct.a_status == NT_STATUS_SUCCESS) { acct.a_sidtype = ainfo.a_type; smb_sid_tostr(ainfo.a_sid, acct.a_sid); @@ -626,6 +649,10 @@ smbd_dop_lookup_name(smbd_arg_t *arg) return (SMB_DOP_SUCCESS); } +/* + * SMB_DR_LOOKUP_SID, + * SMB_DR_LOOKUP_LSID (local-only, for idmap) + */ static int smbd_dop_lookup_sid(smbd_arg_t *arg) { @@ -641,7 +668,25 @@ smbd_dop_lookup_sid(smbd_arg_t *arg) return (SMB_DOP_DECODE_ERROR); sid = smb_sid_fromstr(acct.a_sid); - acct.a_status = lsa_lookup_sid(sid, &ainfo); + + switch (arg->hdr.dh_op) { + case SMB_DR_LOOKUP_SID: + acct.a_status = lsa_lookup_sid(sid, &ainfo); + break; + + case SMB_DR_LOOKUP_LSID: + /* + * Basically for idmap. Don't call out to AD. + */ + acct.a_status = lsa_lookup_lsid(sid, &ainfo); + break; + + default: + assert(!"arg->hdr.dh_op"); + acct.a_status = NT_STATUS_INTERNAL_ERROR; + break; + } + smb_sid_free(sid); if (acct.a_status == NT_STATUS_SUCCESS) { diff --git a/usr/src/lib/smbsrv/libmlsvc/common/libmlsvc.h b/usr/src/lib/smbsrv/libmlsvc/common/libmlsvc.h index 1992857bdc..14cbf858c4 100644 --- a/usr/src/lib/smbsrv/libmlsvc/common/libmlsvc.h +++ b/usr/src/lib/smbsrv/libmlsvc/common/libmlsvc.h @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2017 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta Systems, Inc. All rights reserved. */ #ifndef _LIBMLSVC_H @@ -65,7 +65,9 @@ extern "C" { #endif uint32_t lsa_lookup_name(char *, uint16_t, smb_account_t *); +uint32_t lsa_lookup_lname(char *, uint16_t, smb_account_t *); uint32_t lsa_lookup_sid(smb_sid_t *, smb_account_t *); +uint32_t lsa_lookup_lsid(smb_sid_t *, smb_account_t *); /* * SMB domain API to discover a domain controller and obtain domain diff --git a/usr/src/lib/smbsrv/libmlsvc/common/lsalib.c b/usr/src/lib/smbsrv/libmlsvc/common/lsalib.c index 47b9466fb4..49fb4d1e29 100644 --- a/usr/src/lib/smbsrv/libmlsvc/common/lsalib.c +++ b/usr/src/lib/smbsrv/libmlsvc/common/lsalib.c @@ -21,7 +21,7 @@ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2016 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta Systems, Inc. All rights reserved. */ /* @@ -38,6 +38,10 @@ #include <lsalib.h> +static uint32_t lsa_lookup_name_int(char *, uint16_t, smb_account_t *, + boolean_t); +static uint32_t lsa_lookup_sid_int(smb_sid_t *, smb_account_t *, boolean_t); + static uint32_t lsa_lookup_name_builtin(char *, char *, smb_account_t *); static uint32_t lsa_lookup_name_domain(char *, smb_account_t *); @@ -75,6 +79,20 @@ static uint32_t lsa_map_status(uint32_t); uint32_t lsa_lookup_name(char *account, uint16_t type, smb_account_t *info) { + return (lsa_lookup_name_int(account, type, info, B_TRUE)); +} + +/* Variant that avoids the call out to AD. */ +uint32_t +lsa_lookup_lname(char *account, uint16_t type, smb_account_t *info) +{ + return (lsa_lookup_name_int(account, type, info, B_FALSE)); +} + +uint32_t +lsa_lookup_name_int(char *account, uint16_t type, smb_account_t *info, + boolean_t try_ad) +{ char nambuf[SMB_USERNAME_MAXLEN]; char dombuf[SMB_PI_MAX_DOMAIN]; char *name, *domain; @@ -107,8 +125,10 @@ lsa_lookup_name(char *account, uint16_t type, smb_account_t *info) if (status == NT_STATUS_SUCCESS) return (status); - if ((domain == NULL) || (status == NT_STATUS_NOT_FOUND)) + if (try_ad && ((domain == NULL) || + (status == NT_STATUS_NOT_FOUND))) { status = lsa_lookup_name_domain(account, info); + } } return ((status == NT_STATUS_SUCCESS) ? status : NT_STATUS_NONE_MAPPED); @@ -117,6 +137,19 @@ lsa_lookup_name(char *account, uint16_t type, smb_account_t *info) uint32_t lsa_lookup_sid(smb_sid_t *sid, smb_account_t *info) { + return (lsa_lookup_sid_int(sid, info, B_TRUE)); +} + +/* Variant that avoids the call out to AD. */ +uint32_t +lsa_lookup_lsid(smb_sid_t *sid, smb_account_t *info) +{ + return (lsa_lookup_sid_int(sid, info, B_FALSE)); +} + +static uint32_t +lsa_lookup_sid_int(smb_sid_t *sid, smb_account_t *info, boolean_t try_ad) +{ uint32_t status; if (!smb_sid_isvalid(sid)) @@ -125,8 +158,9 @@ lsa_lookup_sid(smb_sid_t *sid, smb_account_t *info) status = lsa_lookup_sid_builtin(sid, info); if (status == NT_STATUS_NOT_FOUND) { status = smb_sam_lookup_sid(sid, info); - if (status == NT_STATUS_NOT_FOUND) + if (try_ad && status == NT_STATUS_NOT_FOUND) { status = lsa_lookup_sid_domain(sid, info); + } } return ((status == NT_STATUS_SUCCESS) ? status : NT_STATUS_NONE_MAPPED); diff --git a/usr/src/lib/smbsrv/libmlsvc/common/lsalib.h b/usr/src/lib/smbsrv/libmlsvc/common/lsalib.h index c26eab4a13..c3599849fc 100644 --- a/usr/src/lib/smbsrv/libmlsvc/common/lsalib.h +++ b/usr/src/lib/smbsrv/libmlsvc/common/lsalib.h @@ -52,8 +52,6 @@ typedef struct mslsa_sid lsa_sid_t; /* * lsalib.c */ -uint32_t lsa_lookup_name(char *, uint16_t, smb_account_t *); -uint32_t lsa_lookup_sid(smb_sid_t *, smb_account_t *); DWORD lsa_query_primary_domain_info(char *, char *, smb_domain_t *); DWORD lsa_query_account_domain_info(char *, char *, smb_domain_t *); DWORD lsa_query_dns_domain_info(char *, char *, smb_domain_t *); diff --git a/usr/src/lib/smbsrv/libmlsvc/common/mapfile-vers b/usr/src/lib/smbsrv/libmlsvc/common/mapfile-vers index 81005ae939..80317f002c 100644 --- a/usr/src/lib/smbsrv/libmlsvc/common/mapfile-vers +++ b/usr/src/lib/smbsrv/libmlsvc/common/mapfile-vers @@ -20,7 +20,7 @@ # # # Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. -# Copyright 2018 Nexenta Systems, Inc. All rights reserved. +# Copyright 2019 Nexenta Systems, Inc. All rights reserved. # # @@ -45,6 +45,8 @@ SYMBOL_VERSION SUNWprivate { dfs_info_free; dssetup_check_service; dssetup_clear_domain_info; + lsa_lookup_lname; + lsa_lookup_lsid; lsa_lookup_name; lsa_lookup_sid; mlsvc_disconnect; diff --git a/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c b/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c index af6ab58a1d..4e2cfc5518 100644 --- a/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c +++ b/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c @@ -21,7 +21,7 @@ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2018 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ /* @@ -56,7 +56,6 @@ static void netr_network_samlogon(ndr_heap_t *, netr_info_t *, smb_logon_t *, struct netr_logon_info2 *); static void netr_setup_identity(ndr_heap_t *, smb_logon_t *, netr_logon_id_t *); -static boolean_t netr_isadmin(struct netr_validation_info3 *); static uint32_t netr_setup_domain_groups(struct netr_validation_info3 *, smb_ids_t *); static uint32_t netr_setup_krb5res_groups(struct krb5_validation_info *, @@ -818,7 +817,7 @@ netr_setup_identity(ndr_heap_t *heap, smb_logon_t *user_info, * token. Called after domain groups have been added. */ static uint32_t -netr_setup_token_wingrps(struct netr_validation_info3 *info3, +netr_setup_token_wingrps(struct netr_validation_info3 *info3 __unused, smb_token_t *token) { uint32_t status; @@ -828,9 +827,6 @@ netr_setup_token_wingrps(struct netr_validation_info3 *info3, if (status != NT_STATUS_SUCCESS) return (status); - if (netr_isadmin(info3)) - token->tkn_flags |= SMB_ATF_ADMIN; - status = smb_wka_token_groups(token->tkn_flags, &token->tkn_win_grps); return (status); @@ -923,30 +919,3 @@ static uint32_t netr_setup_krb5res_groups(struct krb5_validation_info *info, return (0); } - -/* - * Determines if the given user is the domain Administrator or a - * member of Domain Admins - */ -static boolean_t -netr_isadmin(struct netr_validation_info3 *info3) -{ - smb_domain_t di; - int i; - - if (!smb_domain_lookup_sid((smb_sid_t *)info3->LogonDomainId, &di)) - return (B_FALSE); - - if (di.di_type != SMB_DOMAIN_PRIMARY) - return (B_FALSE); - - if ((info3->UserId == DOMAIN_USER_RID_ADMIN) || - (info3->PrimaryGroupId == DOMAIN_GROUP_RID_ADMINS)) - return (B_TRUE); - - for (i = 0; i < info3->GroupCount; i++) - if (info3->GroupIds[i].rid == DOMAIN_GROUP_RID_ADMINS) - return (B_TRUE); - - return (B_FALSE); -} diff --git a/usr/src/lib/smbsrv/libsmb/common/libsmb.h b/usr/src/lib/smbsrv/libsmb/common/libsmb.h index 11a764f0dc..dcfe696157 100644 --- a/usr/src/lib/smbsrv/libsmb/common/libsmb.h +++ b/usr/src/lib/smbsrv/libsmb/common/libsmb.h @@ -21,7 +21,7 @@ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2018 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta Systems, Inc. All rights reserved. */ #ifndef _LIBSMB_H @@ -722,7 +722,9 @@ boolean_t smb_lgrp_itererror(smb_giter_t *); int smb_lgrp_iterate(smb_giter_t *, smb_group_t *); int smb_lookup_sid(const char *, lsa_account_t *); +int smb_lookup_lsid(const char *, lsa_account_t *); int smb_lookup_name(const char *, sid_type_t, lsa_account_t *); +int smb_lookup_lname(const char *, sid_type_t, lsa_account_t *); #define SMB_LGRP_SUCCESS 0 #define SMB_LGRP_INVALID_ARG 1 diff --git a/usr/src/lib/smbsrv/libsmb/common/mapfile-vers b/usr/src/lib/smbsrv/libsmb/common/mapfile-vers index 507165ade8..c8c5f3c4e2 100644 --- a/usr/src/lib/smbsrv/libsmb/common/mapfile-vers +++ b/usr/src/lib/smbsrv/libsmb/common/mapfile-vers @@ -19,7 +19,7 @@ # # # Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. -# Copyright 2017 Nexenta Systems, Inc. All rights reserved. +# Copyright 2019 Nexenta Systems, Inc. All rights reserved. # # @@ -268,6 +268,8 @@ SYMBOL_VERSION SUNWprivate { smb_logon_decode; smb_logon_free; smb_logon_xdr; + smb_lookup_lname; + smb_lookup_lsid; smb_lookup_name; smb_lookup_sid; smb_match_netlogon_seqnum; diff --git a/usr/src/lib/smbsrv/libsmb/common/smb_doorclnt.c b/usr/src/lib/smbsrv/libsmb/common/smb_doorclnt.c index dfbbfd0483..96702e4c7d 100644 --- a/usr/src/lib/smbsrv/libsmb/common/smb_doorclnt.c +++ b/usr/src/lib/smbsrv/libsmb/common/smb_doorclnt.c @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2015 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta Systems, Inc. All rights reserved. */ #include <assert.h> @@ -44,6 +44,9 @@ static int smb_door_decode(smb_doorarg_t *); static void smb_door_sethdr(smb_doorhdr_t *, uint32_t, uint32_t); static boolean_t smb_door_chkhdr(smb_doorarg_t *, smb_doorhdr_t *); static void smb_door_free(door_arg_t *arg); +static int smb_lookup_name_int(const char *name, sid_type_t sidtype, + lsa_account_t *acct, int); +static int smb_lookup_sid_int(const char *sid, lsa_account_t *acct, int); /* * Given a SID, make a door call to get the associated name. @@ -57,6 +60,20 @@ static void smb_door_free(door_arg_t *arg); int smb_lookup_sid(const char *sid, lsa_account_t *acct) { + return (smb_lookup_sid_int(sid, acct, SMB_DR_LOOKUP_SID)); +} +/* + * Variant of smb_lookup_sid to do a "local-only" lookup. + */ +int +smb_lookup_lsid(const char *sid, lsa_account_t *acct) +{ + return (smb_lookup_sid_int(sid, acct, SMB_DR_LOOKUP_LSID)); +} + +static int +smb_lookup_sid_int(const char *sid, lsa_account_t *acct, int dop) +{ int rc; assert((sid != NULL) && (acct != NULL)); @@ -64,7 +81,7 @@ smb_lookup_sid(const char *sid, lsa_account_t *acct) bzero(acct, sizeof (lsa_account_t)); (void) strlcpy(acct->a_sid, sid, SMB_SID_STRSZ); - rc = smb_door_call(SMB_DR_LOOKUP_SID, acct, lsa_account_xdr, + rc = smb_door_call(dop, acct, lsa_account_xdr, acct, lsa_account_xdr); if (rc != 0) @@ -84,6 +101,19 @@ smb_lookup_sid(const char *sid, lsa_account_t *acct) int smb_lookup_name(const char *name, sid_type_t sidtype, lsa_account_t *acct) { + return (smb_lookup_name_int(name, sidtype, acct, SMB_DR_LOOKUP_NAME)); +} + +int +smb_lookup_lname(const char *name, sid_type_t sidtype, lsa_account_t *acct) +{ + return (smb_lookup_name_int(name, sidtype, acct, SMB_DR_LOOKUP_LNAME)); +} + +static int +smb_lookup_name_int(const char *name, sid_type_t sidtype, lsa_account_t *acct, + int dop) +{ char tmp[MAXNAMELEN]; char *dp = NULL; char *np = NULL; @@ -104,7 +134,7 @@ smb_lookup_name(const char *name, sid_type_t sidtype, lsa_account_t *acct) (void) strlcpy(acct->a_name, name, MAXNAMELEN); } - rc = smb_door_call(SMB_DR_LOOKUP_NAME, acct, lsa_account_xdr, + rc = smb_door_call(dop, acct, lsa_account_xdr, acct, lsa_account_xdr); if (rc != 0) diff --git a/usr/src/lib/smbsrv/libsmb/common/smb_lgrp.c b/usr/src/lib/smbsrv/libsmb/common/smb_lgrp.c index 4ff589bb7c..1fb0adc03c 100644 --- a/usr/src/lib/smbsrv/libsmb/common/smb_lgrp.c +++ b/usr/src/lib/smbsrv/libsmb/common/smb_lgrp.c @@ -22,7 +22,7 @@ /* * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013 RackTop Systems. - * Copyright 2016 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ #include <stdlib.h> @@ -2398,6 +2398,8 @@ smb_lgrp_set_default_privs(smb_group_t *grp) { if (smb_strcasecmp(grp->sg_name, "Administrators", 0) == 0) { smb_privset_enable(grp->sg_privs, SE_TAKE_OWNERSHIP_LUID); + smb_privset_enable(grp->sg_privs, SE_BACKUP_LUID); + smb_privset_enable(grp->sg_privs, SE_RESTORE_LUID); return; } diff --git a/usr/src/lib/smbsrv/libsmb/common/smb_privilege.c b/usr/src/lib/smbsrv/libsmb/common/smb_privilege.c index 2b60a8d549..2b319d53ee 100644 --- a/usr/src/lib/smbsrv/libsmb/common/smb_privilege.c +++ b/usr/src/lib/smbsrv/libsmb/common/smb_privilege.c @@ -21,6 +21,8 @@ /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ /* @@ -79,7 +81,11 @@ static smb_privinfo_t priv_table[] = { "Modify firmware environment values", 0 }, { 23, SE_CHANGE_NOTIFY_NAME, "Bypass traverse checking", 0 }, { 24, SE_REMOTE_SHUTDOWN_NAME, - "Force shutdown from a remote system", 0 } + "Force shutdown from a remote system", 0 }, + { 25, SE_READ_FILE_NAME, + "Bypass ACL for READ access", PF_PRESENTABLE }, + { 26, SE_WRITE_FILE_NAME, + "Bypass ACL for WRITE and DELETE access", PF_PRESENTABLE }, }; /* diff --git a/usr/src/man/man1/ptree.1 b/usr/src/man/man1/ptree.1 index d603584e4c..c812b38612 100644 --- a/usr/src/man/man1/ptree.1 +++ b/usr/src/man/man1/ptree.1 @@ -4,12 +4,12 @@ .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] -.TH PTREE 1 "Oct 30, 2019" +.TH PTREE 1 "Nov 13, 2019" .SH NAME ptree \- print process trees .SH SYNOPSIS .nf -\fB/usr/bin/ptree\fR [\fB-a\fR] [\fB-c\fR] [\fB-g\fR] [\fB-s\fR \fIsvc\fR] [\fB-z\fR \fIzone\fR] [\fIpid\fR | \fIuser\fR]... +\fB/usr/bin/ptree\fR [\fB-a\fR] [\fB-c\fR] [\fB-g\fR] [\fB-w\fR] [\fB-s\fR \fIsvc\fR] [\fB-z\fR \fIzone\fR] [\fIpid\fR | \fIuser\fR]... .fi .SH DESCRIPTION @@ -65,6 +65,16 @@ See \fBprocess\fR(4). .sp .ne 2 .na +\fB\fB-w\fR\fR +.ad +.RS 11n +Allow output lines to wrap. Normally output lines are truncated to the current +width of the terminal window. +.RE + +.sp +.ne 2 +.na \fB\fB-z\fR \fIzone\fR\fR .ad .RS 11n diff --git a/usr/src/man/man1m/smbadm.1m b/usr/src/man/man1m/smbadm.1m index bee77ccf28..10da14181f 100644 --- a/usr/src/man/man1m/smbadm.1m +++ b/usr/src/man/man1m/smbadm.1m @@ -16,9 +16,9 @@ .\" .\" .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved. -.\" Copyright 2017 Nexenta Systems, Inc. +.\" Copyright 2019 Nexenta by DDN, Inc. All rights reserved. .\" -.Dd November 18, 2017 +.Dd June 6, 2019 .Dt SMBADM 1M .Os .Sh NAME @@ -252,6 +252,10 @@ to restore file system objects. .It Cm take-ownership Ns = Ns Cm on Ns | Ns Cm off Specifies whether members of the SMB local group can take ownership of file system objects. +.It Cm bypass-read Ns = Ns Cm on Ns | Ns Cm off +Specifies whether members of the SMB local group can always bypass Read access controls. +.It Cm bypass-write Ns = Ns Cm on Ns | Ns Cm off +Specifies whether members of the SMB local group can always bypass Write and Delete access controls. .El .It Xo .Cm add-member diff --git a/usr/src/uts/common/fs/smbsrv/smb2_dispatch.c b/usr/src/uts/common/fs/smbsrv/smb2_dispatch.c index e562eb5200..9010e3a181 100644 --- a/usr/src/uts/common/fs/smbsrv/smb2_dispatch.c +++ b/usr/src/uts/common/fs/smbsrv/smb2_dispatch.c @@ -10,7 +10,7 @@ */ /* - * Copyright 2017 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta Systems, Inc. All rights reserved. * Copyright 2019 RackTop Systems. */ @@ -823,18 +823,21 @@ cmd_start: */ if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0 && !sr->encrypted && sr->uid_user != NULL && - (sr->uid_user->u_sign_flags & SMB_SIGNING_CHECK) != 0) { + (sr->uid_user->u_sign_flags & SMB_SIGNING_ENABLED) != 0) { /* - * This request type should be signed, and - * we're configured to require signatures. + * If the request is signed, check the signature. + * Otherwise, if signing is required, deny access. */ - if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) == 0) { - smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED); - goto cmd_done; - } - rc = smb2_sign_check_request(sr); - if (rc != 0) { - DTRACE_PROBE1(smb2__sign__check, smb_request_t *, sr); + if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) { + rc = smb2_sign_check_request(sr); + if (rc != 0) { + DTRACE_PROBE1(smb2__sign__check, + smb_request_t *, sr); + smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED); + goto cmd_done; + } + } else if ( + (sr->uid_user->u_sign_flags & SMB_SIGNING_CHECK) != 0) { smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED); goto cmd_done; } diff --git a/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c b/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c index e01edfaea3..e8d8419f93 100644 --- a/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c +++ b/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c @@ -10,7 +10,7 @@ */ /* - * Copyright 2018 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta Systems, Inc. All rights reserved. * Copyright 2019 RackTop Systems. */ @@ -472,8 +472,7 @@ smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl) /* * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here * and verify that the original negotiate was not modified. - * The only tampering we need worry about is secmode, and - * we're not taking that from the client, so don't bother. + * The request MUST be signed, and we MUST validate the signature. * * One interesting requirement here is that we MUST reply * with exactly the same information as we returned in our @@ -486,6 +485,9 @@ smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl) uint16_t secmode, num_dialects, dialects[8]; uint8_t clnt_guid[16]; + if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) == 0) + goto drop; + if (fsctl->InputCount < 24) goto drop; diff --git a/usr/src/uts/common/fs/smbsrv/smb_authenticate.c b/usr/src/uts/common/fs/smbsrv/smb_authenticate.c index af9f5d271f..64f26363a6 100644 --- a/usr/src/uts/common/fs/smbsrv/smb_authenticate.c +++ b/usr/src/uts/common/fs/smbsrv/smb_authenticate.c @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2018 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ /* @@ -544,6 +544,12 @@ smb_priv_xlate(smb_token_t *token) if (smb_token_query_privilege(token, SE_CHANGE_NOTIFY_LUID)) privileges |= SMB_USER_PRIV_CHANGE_NOTIFY; + if (smb_token_query_privilege(token, SE_READ_FILE_LUID)) + privileges |= SMB_USER_PRIV_READ_FILE; + + if (smb_token_query_privilege(token, SE_WRITE_FILE_LUID)) + privileges |= SMB_USER_PRIV_WRITE_FILE; + return (privileges); } diff --git a/usr/src/uts/common/fs/smbsrv/smb_common_open.c b/usr/src/uts/common/fs/smbsrv/smb_common_open.c index 0ef06a3c3e..8007463ba1 100644 --- a/usr/src/uts/common/fs/smbsrv/smb_common_open.c +++ b/usr/src/uts/common/fs/smbsrv/smb_common_open.c @@ -543,6 +543,13 @@ smb_common_open(smb_request_t *sr) (op->create_disposition == FILE_OVERWRITE)) op->desired_access |= FILE_WRITE_DATA; + /* Dataset roots can't be deleted, so don't set DOC */ + if ((op->create_options & FILE_DELETE_ON_CLOSE) != 0 && + (fnode->flags & NODE_FLAGS_VFSROOT) != 0) { + status = NT_STATUS_CANNOT_DELETE; + goto errout; + } + status = smb_fsop_access(sr, sr->user_cr, fnode, op->desired_access); if (status != NT_STATUS_SUCCESS) diff --git a/usr/src/uts/common/fs/smbsrv/smb_cred.c b/usr/src/uts/common/fs/smbsrv/smb_cred.c index 8431db4653..1acd5932cd 100644 --- a/usr/src/uts/common/fs/smbsrv/smb_cred.c +++ b/usr/src/uts/common/fs/smbsrv/smb_cred.c @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2017 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ /* @@ -97,35 +97,6 @@ smb_cred_create(smb_token_t *token) ksidlist = smb_cred_set_sidlist(&token->tkn_win_grps); crsetsidlist(cr, ksidlist); - /* - * In the AD world, "take ownership privilege" is very much - * like having Unix "root" privileges. It's normally given - * to members of the "Administrators" group, which normally - * includes the the local Administrator (like root) and when - * joined to a domain, "Domain Admins". - */ - if (smb_token_query_privilege(token, SE_TAKE_OWNERSHIP_LUID)) { - (void) crsetpriv(cr, - PRIV_FILE_CHOWN, - PRIV_FILE_DAC_READ, - PRIV_FILE_DAC_SEARCH, - PRIV_FILE_DAC_WRITE, - PRIV_FILE_OWNER, - NULL); - } - - /* - * See smb.4 bypass_traverse_checking - * - * For historical reasons, the Windows privilege is named - * SeChangeNotifyPrivilege, though the description is - * "Bypass traverse checking". - */ - if (smb_token_query_privilege(token, SE_CHANGE_NOTIFY_LUID)) { - (void) crsetpriv(cr, PRIV_FILE_DAC_SEARCH, NULL); - } - - return (cr); } diff --git a/usr/src/uts/common/fs/smbsrv/smb_node.c b/usr/src/uts/common/fs/smbsrv/smb_node.c index 4a932b2f0b..8ce3e70712 100644 --- a/usr/src/uts/common/fs/smbsrv/smb_node.c +++ b/usr/src/uts/common/fs/smbsrv/smb_node.c @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2018 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta Systems, Inc. All rights reserved. */ /* * SMB Node State Machine @@ -685,6 +685,11 @@ smb_node_set_delete_on_close(smb_node_t *node, cred_t *cr, uint32_t flags) } } + /* Dataset roots can't be deleted, so don't set DOC */ + if ((node->flags & NODE_FLAGS_VFSROOT) != 0) { + return (NT_STATUS_CANNOT_DELETE); + } + mutex_enter(&node->n_mutex); if (node->flags & NODE_FLAGS_DELETE_ON_CLOSE) { /* It was already marked. We're done. */ diff --git a/usr/src/uts/common/fs/smbsrv/smb_user.c b/usr/src/uts/common/fs/smbsrv/smb_user.c index 8c69e95a56..b46cad1b6f 100644 --- a/usr/src/uts/common/fs/smbsrv/smb_user.c +++ b/usr/src/uts/common/fs/smbsrv/smb_user.c @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2018 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. * Copyright (c) 2016 by Delphix. All rights reserved. */ @@ -755,6 +755,57 @@ smb_user_setcred(smb_user_t *user, cred_t *cr, uint32_t privileges) ASSERT(cr); crhold(cr); + /* + * See smb.4 bypass_traverse_checking + * + * For historical reasons, the Windows privilege is named + * SeChangeNotifyPrivilege, though the description is + * "Bypass traverse checking". + */ + if ((privileges & SMB_USER_PRIV_CHANGE_NOTIFY) != 0) { + (void) crsetpriv(cr, PRIV_FILE_DAC_SEARCH, NULL); + } + + /* + * Window's "take ownership privilege" is similar to our + * PRIV_FILE_CHOWN privilege. It's normally given to members of the + * "Administrators" group, which normally includes the the local + * Administrator (like root) and when joined to a domain, + * "Domain Admins". + */ + if ((privileges & SMB_USER_PRIV_TAKE_OWNERSHIP) != 0) { + (void) crsetpriv(cr, + PRIV_FILE_CHOWN, + PRIV_FILE_CHOWN_SELF, + NULL); + } + + /* + * Bypass ACL for READ accesses. + */ + if ((privileges & SMB_USER_PRIV_READ_FILE) != 0) { + (void) crsetpriv(cr, PRIV_FILE_DAC_READ, NULL); + } + + /* + * Bypass ACL for WRITE accesses. + * Include FILE_OWNER, as it covers WRITE_ACL and DELETE. + */ + if ((privileges & SMB_USER_PRIV_WRITE_FILE) != 0) { + (void) crsetpriv(cr, + PRIV_FILE_DAC_WRITE, + PRIV_FILE_OWNER, + NULL); + } + + /* + * These privileges are used only when a file is opened with + * 'backup intent'. These allow users to bypass certain access + * controls. Administrators typically have these privileges, + * and they are used during recursive take-ownership operations. + * Some commonly used tools use 'backup intent' to administrate + * files that do not grant explicit permissions to Administrators. + */ if (privileges & (SMB_USER_PRIV_BACKUP | SMB_USER_PRIV_RESTORE)) privcred = crdup(cr); diff --git a/usr/src/uts/common/io/i40e/core/README.illumos b/usr/src/uts/common/io/i40e/core/README.illumos new file mode 100644 index 0000000000..47cb1fdf2d --- /dev/null +++ b/usr/src/uts/common/io/i40e/core/README.illumos @@ -0,0 +1,91 @@ +# +# This file and its contents are supplied under the terms of the +# Common Development and Distribution License ("CDDL"), version 1.0. +# You may only use this file in accordance with the terms of version +# 1.0 of the CDDL. +# +# A full copy of the text of the CDDL should have accompanied this +# source. A copy of the CDDL is also available via the Internet at +# http://www.illumos.org/license/CDDL. +# + +This directory contains files extracted from the Intel ixl-1.6.10 driver for +FreeBSD with the following modifications/differences. The following two +changes each modified the common code. + +9805 i40e should read SFP data when firmware supports it +9601 Divide by zero in i40e_get_available_resources() + +The following diff was originally applied to add support for Studio and the +32-bit kernel: + +--- ixl-1.6.10/src/i40e_common.c ++++ illumos-gate/usr/src/uts/common/io/i40e/core/i40e_common.c +@@ -4037,8 +4037,8 @@ + + cmd->type = mib_type; + cmd->length = CPU_TO_LE16(buff_size); +- cmd->address_high = CPU_TO_LE32(I40E_HI_WORD((u64)buff)); +- cmd->address_low = CPU_TO_LE32(I40E_LO_DWORD((u64)buff)); ++ cmd->address_high = CPU_TO_LE32(I40E_HI_WORD((uintptr_t)buff)); ++ cmd->address_low = CPU_TO_LE32(I40E_LO_DWORD((uintptr_t)buff)); + + status = i40e_asq_send_command(hw, &desc, buff, buff_size, cmd_details); + return status; +@@ -6585,9 +6585,9 @@ + i40e_fill_default_direct_cmd_desc(&desc, i40e_aqc_opc_set_proxy_config); + + desc.params.external.addr_high = +- CPU_TO_LE32(I40E_HI_DWORD((u64)proxy_config)); ++ CPU_TO_LE32(I40E_HI_DWORD((uintptr_t)proxy_config)); + desc.params.external.addr_low = +- CPU_TO_LE32(I40E_LO_DWORD((u64)proxy_config)); ++ CPU_TO_LE32(I40E_LO_DWORD((uintptr_t)proxy_config)); + + status = i40e_asq_send_command(hw, &desc, proxy_config, + sizeof(struct i40e_aqc_arp_proxy_data), +@@ -6619,9 +6619,9 @@ + i40e_aqc_opc_set_ns_proxy_table_entry); + + desc.params.external.addr_high = +- CPU_TO_LE32(I40E_HI_DWORD((u64)ns_proxy_table_entry)); ++ CPU_TO_LE32(I40E_HI_DWORD((uintptr_t)ns_proxy_table_entry)); + desc.params.external.addr_low = +- CPU_TO_LE32(I40E_LO_DWORD((u64)ns_proxy_table_entry)); ++ CPU_TO_LE32(I40E_LO_DWORD((uintptr_t)ns_proxy_table_entry)); + + status = i40e_asq_send_command(hw, &desc, ns_proxy_table_entry, + sizeof(struct i40e_aqc_ns_proxy_data), +@@ -6681,8 +6681,8 @@ + valid_flags |= I40E_AQC_SET_WOL_FILTER_NO_TCO_ACTION_VALID; + cmd->valid_flags = CPU_TO_LE16(valid_flags); + +- cmd->address_high = CPU_TO_LE32(I40E_HI_DWORD((u64)filter)); +- cmd->address_low = CPU_TO_LE32(I40E_LO_DWORD((u64)filter)); ++ cmd->address_high = CPU_TO_LE32(I40E_HI_DWORD((uintptr_t)filter)); ++ cmd->address_low = CPU_TO_LE32(I40E_LO_DWORD((uintptr_t)filter)); + + status = i40e_asq_send_command(hw, &desc, filter, + buff_len, cmd_details); +--- ixl-1.6.10/src/i40e_register.h ++++ illumos-gate/usr/src/uts/common/io/i40e/core/i40e_register.h +@@ -113,7 +113,7 @@ + #define I40E_PF_ATQLEN_ATQCRIT_SHIFT 30 + #define I40E_PF_ATQLEN_ATQCRIT_MASK I40E_MASK(0x1, I40E_PF_ATQLEN_ATQCRIT_SHIFT) + #define I40E_PF_ATQLEN_ATQENABLE_SHIFT 31 +-#define I40E_PF_ATQLEN_ATQENABLE_MASK I40E_MASK(0x1, I40E_PF_ATQLEN_ATQENABLE_SHIFT) ++#define I40E_PF_ATQLEN_ATQENABLE_MASK I40E_MASK(0x1UL, I40E_PF_ATQLEN_ATQENABLE_SHIFT) + #define I40E_PF_ATQT 0x00080400 /* Reset: EMPR */ + #define I40E_PF_ATQT_ATQT_SHIFT 0 + #define I40E_PF_ATQT_ATQT_MASK I40E_MASK(0x3FF, I40E_PF_ATQT_ATQT_SHIFT) +--- ixl-1.6.10/src/i40e_type.h ++++ illumos-gate/usr/src/uts/common/io/i40e/core/i40e_type.h +@@ -49,7 +49,7 @@ + + #ifndef I40E_MASK + /* I40E_MASK is a macro used on 32 bit registers */ +-#define I40E_MASK(mask, shift) (mask << shift) ++#define I40E_MASK(mask, shift) (((uint32_t)(mask)) << ((uint32_t)(shift))) + #endif + + #define I40E_MAX_PF 16 diff --git a/usr/src/uts/common/io/i40e/core/i40e_common.c b/usr/src/uts/common/io/i40e/core/i40e_common.c index f4dd8da819..0e0dc285ae 100644 --- a/usr/src/uts/common/io/i40e/core/i40e_common.c +++ b/usr/src/uts/common/io/i40e/core/i40e_common.c @@ -3823,14 +3823,16 @@ static void i40e_parse_discover_capabilities(struct i40e_hw *hw, void *buff, /* count the enabled ports (aka the "not disabled" ports) */ hw->num_ports = 0; for (i = 0; i < 4; i++) { - u32 port_cfg_reg = I40E_PRTGEN_CNF + (4 * i); + enum i40e_status_code status; + u32 port_cfg_reg = I40E_PRTGEN_STATUS + (4 * i); u64 port_cfg = 0; /* use AQ read to get the physical register offset instead * of the port relative offset */ - i40e_aq_debug_read_register(hw, port_cfg_reg, &port_cfg, NULL); - if (!(port_cfg & I40E_PRTGEN_CNF_PORT_DIS_MASK)) + status = i40e_aq_debug_read_register(hw, port_cfg_reg, &port_cfg, NULL); + if ((status == I40E_SUCCESS) && + (port_cfg & I40E_PRTGEN_STATUS_PORT_VALID_MASK)) hw->num_ports++; } diff --git a/usr/src/uts/common/io/nvme/nvme.c b/usr/src/uts/common/io/nvme/nvme.c index 03fb31ae03..b5743a0c56 100644 --- a/usr/src/uts/common/io/nvme/nvme.c +++ b/usr/src/uts/common/io/nvme/nvme.c @@ -4794,9 +4794,7 @@ nvme_ufm_fill_slot(ddi_ufm_handle_t *ufmh, void *arg, uint_t imgno, if (slotno == (nvme->n_fwslot->fw_afi - 1)) attr |= DDI_UFM_ATTR_ACTIVE; - if (slotno == 0 && nvme->n_idctl->id_frmw.fw_readonly == 0) - attr |= DDI_UFM_ATTR_WRITEABLE; - else + if (slotno != 0 || nvme->n_idctl->id_frmw.fw_readonly == 0) attr |= DDI_UFM_ATTR_WRITEABLE; if (nvme->n_fwslot->fw_frs[slotno][0] == '\0') { diff --git a/usr/src/uts/common/rpc/clnt_cots.c b/usr/src/uts/common/rpc/clnt_cots.c index 2e64ab0922..d15710d467 100644 --- a/usr/src/uts/common/rpc/clnt_cots.c +++ b/usr/src/uts/common/rpc/clnt_cots.c @@ -22,6 +22,7 @@ /* * Copyright 2016 Nexenta Systems, Inc. All rights reserved. * Copyright (c) 2016 by Delphix. All rights reserved. + * Copyright 2019 Joyent, Inc. */ /* @@ -623,6 +624,7 @@ clnt_cots_kcreate(dev_t dev, struct netbuf *addr, int family, rpcprog_t prog, * The zalloc initialized the fields below. * p->cku_xid = 0; * p->cku_flags = 0; + * p->cku_srcaddr.buf = NULL; * p->cku_srcaddr.len = 0; * p->cku_srcaddr.maxlen = 0; */ @@ -1579,8 +1581,7 @@ clnt_cots_kinit(CLIENT *h, dev_t dev, int family, struct netbuf *addr, p->cku_cred = cred; if (p->cku_addr.maxlen < addr->len) { - if (p->cku_addr.maxlen != 0 && p->cku_addr.buf != NULL) - kmem_free(p->cku_addr.buf, p->cku_addr.maxlen); + kmem_free(p->cku_addr.buf, p->cku_addr.maxlen); p->cku_addr.buf = kmem_zalloc(addr->maxlen, KM_SLEEP); p->cku_addr.maxlen = addr->maxlen; } @@ -1933,10 +1934,9 @@ use_new_conn: * a later retry. */ if (srcaddr->len != lru_entry->x_src.len) { - if (srcaddr->len > 0) - kmem_free(srcaddr->buf, - srcaddr->maxlen); - srcaddr->buf = kmem_zalloc( + kmem_free(srcaddr->buf, srcaddr->maxlen); + ASSERT(lru_entry->x_src.len != 0); + srcaddr->buf = kmem_alloc( lru_entry->x_src.len, KM_SLEEP); srcaddr->maxlen = srcaddr->len = lru_entry->x_src.len; @@ -2091,7 +2091,7 @@ start_retry_loop: cm_entry = (struct cm_xprt *) kmem_zalloc(sizeof (struct cm_xprt), KM_SLEEP); - cm_entry->x_server.buf = kmem_zalloc(destaddr->len, KM_SLEEP); + cm_entry->x_server.buf = kmem_alloc(destaddr->len, KM_SLEEP); bcopy(destaddr->buf, cm_entry->x_server.buf, destaddr->len); cm_entry->x_server.len = cm_entry->x_server.maxlen = destaddr->len; @@ -2256,9 +2256,11 @@ start_retry_loop: /* * Set up a transport entry in the connection manager's list. */ - cm_entry->x_src.buf = kmem_zalloc(srcaddr->len, KM_SLEEP); - bcopy(srcaddr->buf, cm_entry->x_src.buf, srcaddr->len); - cm_entry->x_src.len = cm_entry->x_src.maxlen = srcaddr->len; + if (srcaddr->len > 0) { + cm_entry->x_src.buf = kmem_alloc(srcaddr->len, KM_SLEEP); + bcopy(srcaddr->buf, cm_entry->x_src.buf, srcaddr->len); + cm_entry->x_src.len = cm_entry->x_src.maxlen = srcaddr->len; + } /* Else kmem_zalloc() of cm_entry already sets its x_src to NULL. */ cm_entry->x_tiptr = tiptr; cm_entry->x_time = ddi_get_lbolt(); @@ -2438,12 +2440,11 @@ connmgr_wrapconnect( * in case of a later retry. */ if (srcaddr->len != cm_entry->x_src.len) { - if (srcaddr->maxlen > 0) - kmem_free(srcaddr->buf, srcaddr->maxlen); - srcaddr->buf = kmem_zalloc(cm_entry->x_src.len, + kmem_free(srcaddr->buf, srcaddr->maxlen); + ASSERT(cm_entry->x_src.len != 0); + srcaddr->buf = kmem_alloc(cm_entry->x_src.len, KM_SLEEP); - srcaddr->maxlen = srcaddr->len = - cm_entry->x_src.len; + srcaddr->maxlen = srcaddr->len = cm_entry->x_src.len; } bcopy(cm_entry->x_src.buf, srcaddr->buf, srcaddr->len); } @@ -2565,10 +2566,8 @@ connmgr_close(struct cm_xprt *cm_entry) cv_destroy(&cm_entry->x_conn_cv); cv_destroy(&cm_entry->x_dis_cv); - if (cm_entry->x_server.buf != NULL) - kmem_free(cm_entry->x_server.buf, cm_entry->x_server.maxlen); - if (cm_entry->x_src.buf != NULL) - kmem_free(cm_entry->x_src.buf, cm_entry->x_src.maxlen); + kmem_free(cm_entry->x_server.buf, cm_entry->x_server.maxlen); + kmem_free(cm_entry->x_src.buf, cm_entry->x_src.maxlen); kmem_free(cm_entry, sizeof (struct cm_xprt)); } @@ -2631,11 +2630,11 @@ connmgr_connect( queue_t *wq, struct netbuf *addr, int addrfmly, - calllist_t *e, - int *tidu_ptr, - bool_t reconnect, - const struct timeval *waitp, - bool_t nosignal, + calllist_t *e, + int *tidu_ptr, + bool_t reconnect, + const struct timeval *waitp, + bool_t nosignal, cred_t *cr) { mblk_t *mp; diff --git a/usr/src/uts/common/smbsrv/smb_door.h b/usr/src/uts/common/smbsrv/smb_door.h index a59040ecdf..0c8ad198b4 100644 --- a/usr/src/uts/common/smbsrv/smb_door.h +++ b/usr/src/uts/common/smbsrv/smb_door.h @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2014 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta Systems, Inc. All rights reserved. */ #ifndef _SMBSRV_SMB_DOOR_H @@ -70,7 +70,9 @@ typedef enum smb_dopcode { SMB_DR_DFS_GET_REFERRALS, SMB_DR_SHR_HOSTACCESS, SMB_DR_SHR_EXEC, - SMB_DR_NOTIFY_DC_CHANGED + SMB_DR_NOTIFY_DC_CHANGED, + SMB_DR_LOOKUP_LSID, + SMB_DR_LOOKUP_LNAME } smb_dopcode_t; struct smb_event; diff --git a/usr/src/uts/common/smbsrv/smb_ktypes.h b/usr/src/uts/common/smbsrv/smb_ktypes.h index 20d214a523..5bd83324c4 100644 --- a/usr/src/uts/common/smbsrv/smb_ktypes.h +++ b/usr/src/uts/common/smbsrv/smb_ktypes.h @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2018 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ /* @@ -1012,6 +1012,8 @@ typedef struct smb_session { #define SMB_USER_PRIV_BACKUP (1<<17) /* SE_BACKUP_LUID */ #define SMB_USER_PRIV_RESTORE (1<<18) /* SE_RESTORE_LUID */ #define SMB_USER_PRIV_CHANGE_NOTIFY (1<<23) /* SE_CHANGE_NOTIFY_LUID */ +#define SMB_USER_PRIV_READ_FILE (1<<25) /* SE_READ_FILE_LUID */ +#define SMB_USER_PRIV_WRITE_FILE (1<<26) /* SE_WRITE_FILE_LUID */ /* * See the long "User State Machine" comment in smb_user.c diff --git a/usr/src/uts/common/smbsrv/smb_privilege.h b/usr/src/uts/common/smbsrv/smb_privilege.h index cbca27107f..93e79d0689 100644 --- a/usr/src/uts/common/smbsrv/smb_privilege.h +++ b/usr/src/uts/common/smbsrv/smb_privilege.h @@ -22,7 +22,7 @@ * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * - * Copyright 2014 Nexenta Systems, Inc. All rights reserved. + * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. */ #ifndef _SMB_PRIVILEGE_H @@ -97,6 +97,8 @@ extern "C" { #define SE_SYSTEM_ENVIRONMENT_NAME "SeSystemEnvironmentPrivilege" #define SE_CHANGE_NOTIFY_NAME "SeChangeNotifyPrivilege" #define SE_REMOTE_SHUTDOWN_NAME "SeRemoteShutdownPrivilege" +#define SE_READ_FILE_NAME "BypassAclRead" +#define SE_WRITE_FILE_NAME "BypassAclWrite" #define SE_MIN_LUID 2 #define SE_CREATE_TOKEN_LUID 2 @@ -122,7 +124,9 @@ extern "C" { #define SE_SYSTEM_ENVIRONMENT_LUID 22 #define SE_CHANGE_NOTIFY_LUID 23 #define SE_REMOTE_SHUTDOWN_LUID 24 -#define SE_MAX_LUID 24 +#define SE_READ_FILE_LUID 25 +#define SE_WRITE_FILE_LUID 26 +#define SE_MAX_LUID 26 /* * Privilege attributes |