/*
   Unix SMB/CIFS implementation.
   Copyright (C) Andrew Tridgell 2004
   Copyright (C) Gerald Carter 2005
   Copyright (C) Volker Lendecke 2007
   Copyright (C) Jeremy Allison 2008
   Copyright (C) Andrew Bartlett 2010

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
# ifndef _ACCESS_CHECK_H_
# define _ACCESS_CHECK_H_
# include "lib/util/data_blob.h"
# include "librpc/gen_ndr/security.h"
/* Map generic access rights to object-specific rights. This technique is
   used to give meaning to assigning read, write, execute and all access to
   objects. Each type of object has its own mapping of generic to
   object-specific access rights. */
void se_map_generic ( uint32_t * access_mask , const struct generic_mapping * mapping ) ;
/* Map generic access rights to object-specific rights for all the ACEs
 * in a security_acl.
 */
void security_acl_map_generic ( struct security_acl * sa ,
const struct generic_mapping * mapping ) ;
/* Map standard access rights to object-specific rights. This technique is
   used to give meaning to assigning read, write, execute and all access to
   objects. Each type of object has its own mapping of standard to
   object-specific access rights. */
void se_map_standard ( uint32_t * access_mask , const struct standard_mapping * mapping ) ;
/*
  The main entry point for access checking. If returning ACCESS_DENIED,
  this function returns the denied bits in the uint32_t pointed to by the
  access_granted pointer — i.e. on that status the variable holds the
  *denied* bits, not the granted ones.
*/
NTSTATUS se_access_check ( const struct security_descriptor * sd ,
const struct security_token * token ,
uint32_t access_desired ,
uint32_t * access_granted ) ;
/*
  The main entry point for access checking FOR THE FILE SERVER ONLY!
  If returning ACCESS_DENIED, this function returns the denied bits in
  the uint32_t pointed to by the access_granted pointer.
*/
NTSTATUS se_file_access_check ( const struct security_descriptor * sd ,
const struct security_token * token ,
bool priv_open_requested ,
uint32_t access_desired ,
uint32_t * access_granted ) ;
struct object_tree ;
NTSTATUS sec_access_check_ds_implicit_owner ( const struct security_descriptor * sd ,
const struct security_token * token ,
uint32_t access_desired ,
uint32_t * access_granted ,
struct object_tree * tree ,
const struct dom_sid * replace_sid ,
enum implicit_owner_rights implicit_owner_rights ) ;
/* Modified access check for the purposes of DS security.
 * Lots of code duplication; it will be united into just one
 * function eventually. */
NTSTATUS sec_access_check_ds ( const struct security_descriptor * sd ,
const struct security_token * token ,
uint32_t access_desired ,
uint32_t * access_granted ,
struct object_tree * tree ,
const struct dom_sid * replace_sid ) ;
bool insert_in_object_tree ( TALLOC_CTX * mem_ctx ,
const struct GUID * guid ,
uint32_t init_access ,
struct object_tree * root ,
struct object_tree * * new_node_out ) ;
/* Search the object tree by GUID. */
struct object_tree * get_object_tree_by_GUID ( struct object_tree * root ,
const struct GUID * guid ) ;
/* Change the granted access for each ACE. */
void object_tree_modify_access ( struct object_tree * root ,
uint32_t access_mask ) ;
# endif