| 1 | /*
|
|---|
| 2 | Unix SMB/CIFS implementation.
|
|---|
| 3 |
|
|---|
| 4 | Copyright (C) Andrew Tridgell 2004
|
|---|
| 5 | Copyright (C) Gerald Carter 2005
|
|---|
| 6 | Copyright (C) Volker Lendecke 2007
|
|---|
| 7 | Copyright (C) Jeremy Allison 2008
|
|---|
| 8 | Copyright (C) Andrew Bartlett 2010
|
|---|
| 9 |
|
|---|
| 10 | This program is free software; you can redistribute it and/or modify
|
|---|
| 11 | it under the terms of the GNU General Public License as published by
|
|---|
| 12 | the Free Software Foundation; either version 3 of the License, or
|
|---|
| 13 | (at your option) any later version.
|
|---|
| 14 |
|
|---|
| 15 | This program is distributed in the hope that it will be useful,
|
|---|
| 16 | but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|---|
| 17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|---|
| 18 | GNU General Public License for more details.
|
|---|
| 19 |
|
|---|
| 20 | You should have received a copy of the GNU General Public License
|
|---|
| 21 | along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|---|
| 22 | */
|
|---|
| 23 | #ifndef _ACCESS_CHECK_H_
|
|---|
| 24 | #define _ACCESS_CHECK_H_
|
|---|
| 25 |
|
|---|
| 26 | #include "librpc/gen_ndr/security.h"
|
|---|
| 27 |
|
|---|
| 28 | /* Map generic access rights to object specific rights. This technique is
|
|---|
| 29 | used to give meaning to assigning read, write, execute and all access to
|
|---|
| 30 | objects. Each type of object has its own mapping of generic to object
|
|---|
| 31 | specific access rights. */
|
|---|
| 32 |
|
|---|
| 33 | void se_map_generic(uint32_t *access_mask, const struct generic_mapping *mapping);
|
|---|
| 34 |
|
|---|
| 35 | /* Map generic access rights to object specific rights for all the ACE's
|
|---|
| 36 | * in a security_acl.
|
|---|
| 37 | */
|
|---|
| 38 | void security_acl_map_generic(struct security_acl *sa,
|
|---|
| 39 | const struct generic_mapping *mapping);
|
|---|
| 40 |
|
|---|
| 41 | /* Map standard access rights to object specific rights. This technique is
|
|---|
| 42 | used to give meaning to assigning read, write, execute and all access to
|
|---|
| 43 | objects. Each type of object has its own mapping of standard to object
|
|---|
| 44 | specific access rights. */
|
|---|
| 45 | void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mapping);
|
|---|
| 46 |
|
|---|
| 47 | /*
|
|---|
| 48 | The main entry point for access checking. If returning ACCESS_DENIED
|
|---|
| 49 | this function returns the denied bits in the uint32_t pointed
|
|---|
| 50 | to by the access_granted pointer.
|
|---|
| 51 | */
|
|---|
| 52 | NTSTATUS se_access_check(const struct security_descriptor *sd,
|
|---|
| 53 | const struct security_token *token,
|
|---|
| 54 | uint32_t access_desired,
|
|---|
| 55 | uint32_t *access_granted);
|
|---|
| 56 |
|
|---|
| 57 | /* modified access check for the purposes of DS security
|
|---|
| 58 | * Lots of code duplication, it will ve united in just one
|
|---|
| 59 | * function eventually */
|
|---|
| 60 |
|
|---|
| 61 | NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
|
|---|
| 62 | const struct security_token *token,
|
|---|
| 63 | uint32_t access_desired,
|
|---|
| 64 | uint32_t *access_granted,
|
|---|
| 65 | struct object_tree *tree,
|
|---|
| 66 | struct dom_sid *replace_sid);
|
|---|
| 67 |
|
|---|
| 68 | bool insert_in_object_tree(TALLOC_CTX *mem_ctx,
|
|---|
| 69 | const struct GUID *guid,
|
|---|
| 70 | uint32_t init_access,
|
|---|
| 71 | struct object_tree **root,
|
|---|
| 72 | struct object_tree **new_node);
|
|---|
| 73 |
|
|---|
| 74 | /* search by GUID */
|
|---|
| 75 | struct object_tree *get_object_tree_by_GUID(struct object_tree *root,
|
|---|
| 76 | const struct GUID *guid);
|
|---|
| 77 |
|
|---|
| 78 | /* Change the granted access per each ACE */
|
|---|
| 79 | void object_tree_modify_access(struct object_tree *root,
|
|---|
| 80 | uint32_t access_mask);
|
|---|
| 81 | #endif
|
|---|
