src/secaudit.h

/*
 *		General declarations for secaudit
 *
 *	These declarations are organized to enable code sharing with ntfs-3g
 *	library, but should only be used to build tools runnable both
 *	on Linux (dynamic linking) and Windows (static linking)
 *
 * Copyright (c) 2007-2009 Jean-Pierre Andre
 *
 */

/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program (in the main directory of the NTFS-3G
 * distribution in the file COPYING); if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/*
 *		General parameters which may have to be adapted to needs
 */

#define SELFTESTS 1 /* include code for self-testing */
#define POSIXACLS 0 /* include code for processing Posix ACLs */
#define NOREVBOM 0 /* temporary */

#define OWNERFROMACL 1 /* must match option in security.c */

#define MAXATTRSZ 65536 /* Max sec attr size (16448 met for WinXP) */
#define MAXSECURID 262144
#define SECBLKSZ 8
#define MAXFILENAME 4096
#define FORCEMASK 0 /* Special (dangerous) option -m to force a mask */
#define MAXLINE 80 /* maximum processed size of a line */
#define BUFSZ 1024		/* buffer size to read mapping file */
#define LINESZ 120              /* maximum useful size of a mapping line */

/*
 *		     Definitions for Linux
 *	Use explicit or implicit dynamic linking
 */

#ifdef HAVE_CONFIG_H
#undef POSIXACLS   /* override default by configure option */
#define USESTUBS 1 /* API stubs generated at link time */
#else
#define USESTUBS 0 /* direct calls to API, based on following definitions */
#define ENVNTFS3G "NTFS3G"
#if defined(__SVR4)
#define LIBFILE64 "/usr/lib/amd64/libntfs-3g.so"
#define LIBFILE "/usr/lib/libntfs-3g.so"
#else
#define LIBFILE64 "/lib64/libntfs-3g.so"
#define LIBFILE "/lib/libntfs-3g.so"
#endif
#endif

#define MAPDIR ".NTFS-3G"
#define MAPFILE "UserMapping"
#define MAGIC_API 0x09042009

#ifndef _NTFS_ENDIANS_H

typedef char s8;
typedef short s16;
typedef long long s64;
typedef unsigned char u8;
typedef unsigned short le16, be16, u16;
typedef unsigned long long u64;
#ifdef STSC
typedef long s32;
typedef unsigned long le32, be32, u32;
#else
typedef int s32;
typedef unsigned int le32, be32, u32;
#endif

#ifdef STSC
#define endian_rev16(x) ((((x) & 255L) << 8) + (((x) >> 8) & 255L))
#define endian_rev32(x) ((((x) & 255L) << 24) + (((x) & 0xff00L) << 8) \
		       + (((x) >> 8) & 0xff00L) + (((x) >> 24) & 255L))
#else
#define endian_rev16(x) ((((x) & 255) << 8) + (((x) >> 8) & 255))
#define endian_rev32(x) ((((x) & 255) << 24) + (((x) & 0xff00) << 8) \
		       + (((x) >> 8) & 0xff00) + (((x) >> 24) & 255))
#endif
#define endian_rev64(x) ((((x) & 255LL) << 56) + (((x) & 0xff00LL) << 40) \
		       + (((x) & 0xff0000LL) << 24) + (((x) & 0xff000000LL) << 8) \
		       + (((x) >> 8) & 0xff000000LL) + (((x) >> 24) & 0xff0000LL) \
		       + (((x) >> 40) & 0xff00LL) + (((x) >> 56) & 255LL))

#if __BYTE_ORDER == __LITTLE_ENDIAN

#define cpu_to_be16(x) endian_rev16(x)
#define cpu_to_be32(x) endian_rev32(x)
#define cpu_to_le16(x) (x)
#define cpu_to_le32(x) (x)
#define cpu_to_le64(x) (x)
#define le16_to_cpu(x) (x)
#define le32_to_cpu(x) (x)
#define le64_to_cpu(x) (x)

#else

#define cpu_to_be16(x) (x)
#define cpu_to_be32(x) (x)
#define cpu_to_le16(x) endian_rev16(x)
#define cpu_to_le32(x) endian_rev32(x)
#define cpu_to_le64(x) endian_rev64(x)
#define le16_to_cpu(x) endian_rev16(x)
#define le32_to_cpu(x) endian_rev32(x)
#define le64_to_cpu(x) endian_rev64(x)

#endif

#define const_le16_to_cpu(x) le16_to_cpu(x)
#define const_cpu_to_le16(x) cpu_to_le16(x)
#define const_cpu_to_le32(x) cpu_to_le32(x)
#define const_cpu_to_be16(x) cpu_to_be16(x)
#define const_cpu_to_be32(x) cpu_to_be32(x)

#endif /* _NTFS_ENDIANS_H */

#ifndef FALSE
enum { FALSE, TRUE } ;
#endif /* FALSE */

#ifdef WIN32

typedef unsigned short uid_t;
typedef unsigned short gid_t;

#define UNICODE(c) ((unsigned short)(c))

#define __attribute__(x)

#else

#ifndef BOOL
typedef int BOOL;   /* Already defined in windows.h */
#endif /* BOOL */

#ifdef STSC

#define ENOTSUP 95

#endif /* STSC */

typedef u32 DWORD; /* must be 32 bits whatever the platform */
typedef DWORD *LPDWORD;

#define NTFS_MNT_NONE 0    /* no flag for mounting the device */
#define NTFS_MNT_RDONLY 1  /* flag for mounting the device read-only */

#endif /* WIN32 */

#if defined(WIN32) | defined(STSC)

/*
 *	On non-Linux computers, there is no mount and the user mapping
 *	if fetched from a real file (or a dummy one for self tests)
 */

#define NTFS_FIND_USID(map,uid,buf) ntfs_find_usid(map,uid,buf)
#define NTFS_FIND_GSID(map,gid,buf) ntfs_find_gsid(map,gid,buf)
#define NTFS_FIND_USER(map,usid) ntfs_find_user(map,usid)
#define NTFS_FIND_GROUP(map,gsid) ntfs_find_group(map,gsid)

#else

/*
 *	On Linux computers, there is a mount and the user mapping
 *	if either obtained through the mount process or fetched
 *	from a dummy file for self-tests
 */

#define NTFS_FIND_USID(map,uid,buf) (mappingtype != MAPEXTERN ? \
		ntfs_find_usid(map,uid,buf) : relay_find_usid(map,uid,buf))
#define NTFS_FIND_GSID(map,gid,buf) (mappingtype != MAPEXTERN ? \
		ntfs_find_gsid(map,gid,buf) : relay_find_gsid(map,gid,buf))
#define NTFS_FIND_USER(map,usid) (mappingtype != MAPEXTERN ? \
		ntfs_find_user(map,usid) : relay_find_user(map,usid))
#define NTFS_FIND_GROUP(map,gsid) (mappingtype != MAPEXTERN ? \
		ntfs_find_group(map,gsid) : relay_find_group(map,gsid))

#endif

/*
 *		A few name hijackings or definitions
 *	needed for using code from ntfs-3g
 */

#ifdef WIN32
#define ACL MY_ACL
#define SID MY_SID
#define ACCESS_ALLOWED_ACE MY_ACCESS_ALLOWED_ACE
#define ACCESS_DENIED_ACE MY_ACCESS_DENIED_ACE
#define FILE_ATTRIBUTE_REPARSE_POINT 0x400
#define IO_REPARSE_TAG_MOUNT_POINT 0xa0000003
#define IO_REPARSE_TAG_SYMLINK     0xa000000c
#else
#define SE_OWNER_DEFAULTED  const_cpu_to_le16(1)
#define SE_GROUP_DEFAULTED  const_cpu_to_le16(2)
#define SE_DACL_PRESENT     const_cpu_to_le16(4)
#define SE_SACL_PRESENT     const_cpu_to_le16(0x10)
#define SE_DACL_DEFAULTED   const_cpu_to_le16(8)
#define SE_SELF_RELATIVE    const_cpu_to_le16(0x8000)
#define SID_REVISION 1
#endif /* WIN32 */
#define SE_DACL_PROTECTED   const_cpu_to_le16(0x1000)
#define SE_SACL_PROTECTED   const_cpu_to_le16(0x2000)
#define SE_DACL_AUTO_INHERITED   const_cpu_to_le16(0x400)
#define SE_SACL_AUTO_INHERITED   const_cpu_to_le16(0x800)
#define SE_DACL_AUTO_INHERIT_REQ   const_cpu_to_le16(0x100)
#define SE_SACL_AUTO_INHERIT_REQ   const_cpu_to_le16(0x200)

typedef le16 ntfschar;

#define ntfs_log_error(args...) do { printf("** " args); if (!isatty(1)) fprintf(stderr,args); } while(0)

/*
 *		Struct to hold the input mapping file
 *	(private to this module)
 */

struct MAPLIST {
	struct MAPLIST *next;
	char *uidstr;		/* uid text from the same record */
	char *gidstr;		/* gid text from the same record */
	char *sidstr;		/* sid text from the same record */
	char maptext[LINESZ + 1];
};

/*
 *		A few dummy declarations needed for using code from security.c
 */

#define MFT_RECORD_IS_DIRECTORY const_cpu_to_le16(1)

struct SECURITY_DATA {
	u64 offset;
	char *attr;
	u32 hash;
	u32 length;
	unsigned int filecount:16;
	unsigned int mode:12;
	unsigned int flags:4;
} ;

		/* default security sub-authorities */
enum {
	DEFSECAUTH1 = -1153374643, /* 3141592653 */
	DEFSECAUTH2 = 589793238,
	DEFSECAUTH3 = 462843383,
	DEFSECBASE = 10000
};

#define OWNERID 1016
#define GROUPID 513


#define INSDS1 1
#define INSDS2 2
#define INSII 4
#define INSDH 8

#ifdef WIN32

typedef enum { RECSHOW, RECSET, RECSETPOSIX } RECURSE; 

#endif

/*
 *		A type large enough to hold any SID
 */

typedef char BIGSID[40];

/*
 *		Declarations for memory allocation checks
 */

struct CHKALLOC
   {
   struct CHKALLOC *next;
   void *alloc;
   const char *file;
   int line;
   size_t size;
   } ;

#if defined(WIN32) | defined(STSC)

#define S_ISVTX 01000
#define S_ISGID 02000
#define S_ISUID 04000
#define S_IXUSR 0100
#define S_IWUSR 0200
#define S_IRUSR 0400
#define S_IXGRP 010
#define S_IWGRP 020
#define S_IRGRP 040
#define S_IXOTH 001
#define S_IWOTH 002
#define S_IROTH 004

#endif

#ifdef WIN32
#else
/*
 *
 *   See http://msdn2.microsoft.com/en-us/library/aa379649.aspx
 */

typedef enum {
	DACL_SECURITY_INFORMATION = 4, // The DACL of the object is being referenced.
	SACL_SECURITY_INFORMATION = 8, // The SACL of the object is being referenced.
	LABEL_SECURITY_INFORMATION = 8, // The mandatory integrity label is being referenced.
	GROUP_SECURITY_INFORMATION = 2, // The primary group identifier of the object is being referenced.
	OWNER_SECURITY_INFORMATION = 1, // The owner identifier of the object is being referenced.
} SECURITY_INFORMATION;

#define STANDARD_RIGHTS_READ	  const_cpu_to_le32(0x20000)
#define STANDARD_RIGHTS_WRITE	  const_cpu_to_le32(0x20000)
#define STANDARD_RIGHTS_EXECUTE   const_cpu_to_le32(0x20000)
#define STANDARD_RIGHTS_REQUIRED  const_cpu_to_le32(0xf0000)

#endif

typedef struct SECHEAD {
	s8 revision;
	s8 alignment;
	le16 control;
	le32 owner;
	le32 group;
	le32 sacl;
	le32 dacl;
} SECURITY_DESCRIPTOR_RELATIVE;

typedef struct ACL {
	s8 revision;
	s8 alignment1;
	le16 size;
	le16 ace_count;
	le16 alignment2;
} ACL;

typedef struct {
	union {
		struct {
			unsigned char revision;
			unsigned char sub_authority_count;
		} ;
		struct {
			/* evade an alignment problem when a 4 byte field  */
			/* in a struct implies alignment of the struct */
			le16 dummy;
			be16 high_part;
			be32 low_part;
		} identifier_authority;
	} ;
	le32 sub_authority[1];
} SID;

typedef u8 ACE_FLAGS;

typedef struct ACE {
	u8 type;
	u8 flags;
	le16 size;
	le32 mask;
	SID sid;
} ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE;


/*
 *          item in the mapping list
 */

struct MAPPING {
	struct MAPPING *next;
	int xid;		/* linux id : uid or gid */
	SID *sid;		/* Windows id : usid or gsid */
	int grcnt;		/* group count (for users only) */
	gid_t *groups;		/* groups which the user is member of */
};

/*
 *		       Posix ACL structures
 */

struct POSIX_ACE {
	u16 tag;
	u16 perms;
	s32 id;
} ;

struct POSIX_ACL {
	u8 version;
	u8 flags;
	u16 filler;
	struct POSIX_ACE ace[0];
} ;

struct POSIX_SECURITY {
	mode_t mode;
	int acccnt;
	int defcnt;
	int firstdef;
	u16 tagsset;
	struct POSIX_ACL acl;
} ;

/*
 *		Posix tags, cpu-endian 16 bits
 */

enum {
	POSIX_ACL_USER_OBJ =	1,
	POSIX_ACL_USER =	2,
	POSIX_ACL_GROUP_OBJ =	4,
	POSIX_ACL_GROUP =	8,
	POSIX_ACL_MASK =	16,
	POSIX_ACL_OTHER =	32,
	POSIX_ACL_SPECIAL =	64  /* internal use only */
} ;

/*
 *		Posix permissions, cpu-endian 16 bits
 */

enum {
	POSIX_PERM_X =		1,
	POSIX_PERM_W =		2,
	POSIX_PERM_R =		4,
	POSIX_PERM_DENIAL =	64 /* internal use only */
} ;

#define POSIX_VERSION 2

/*
 *		 A few definitions adapted from winnt.h
 *	    (Windows version uses actual definitions from winnt.h, which are
 *	     not compatible with code from security.c on a big-endian computer)
 */

#ifndef WIN32

#define DELETE				 const_cpu_to_le32(0x00010000L)
#define READ_CONTROL			 const_cpu_to_le32(0x00020000L)
#define WRITE_DAC			 const_cpu_to_le32(0x00040000L)
#define WRITE_OWNER			 const_cpu_to_le32(0x00080000L)
#define SYNCHRONIZE			 const_cpu_to_le32(0x00100000L)


#define FILE_READ_DATA		  const_cpu_to_le32(0x0001) // file & pipe
#define FILE_LIST_DIRECTORY	  const_cpu_to_le32(0x0001) // directory

#define FILE_WRITE_DATA 	  const_cpu_to_le32(0x0002) // file & pipe
#define FILE_ADD_FILE		  const_cpu_to_le32(0x0002) // directory

#define FILE_APPEND_DATA	  const_cpu_to_le32(0x0004) // file
#define FILE_ADD_SUBDIRECTORY	  const_cpu_to_le32(0x0004) // directory
#define FILE_CREATE_PIPE_INSTANCE const_cpu_to_le32(0x0004) // named pipe


#define FILE_READ_EA		  const_cpu_to_le32(0x0008) // file & directory

#define FILE_WRITE_EA		  const_cpu_to_le32(0x0010) // file & directory

#define FILE_EXECUTE		  const_cpu_to_le32(0x0020) // file
#define FILE_TRAVERSE		  const_cpu_to_le32(0x0020) // directory

#define FILE_DELETE_CHILD	  const_cpu_to_le32(0x0040) // directory

#define FILE_READ_ATTRIBUTES	  const_cpu_to_le32(0x0080) // all

#define FILE_WRITE_ATTRIBUTES	  const_cpu_to_le32(0x0100) // all

#define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
				 const_cpu_to_le32(0x1FF))

#define FILE_GENERIC_READ	  (STANDARD_RIGHTS_READ     |\
				   FILE_READ_DATA	    |\
				   FILE_READ_ATTRIBUTES     |\
				   FILE_READ_EA 	    |\
				   SYNCHRONIZE)


#define FILE_GENERIC_WRITE	  (STANDARD_RIGHTS_WRITE    |\
				   FILE_WRITE_DATA	    |\
				   FILE_WRITE_ATTRIBUTES    |\
				   FILE_WRITE_EA	    |\
				   FILE_APPEND_DATA	    |\
				   SYNCHRONIZE)


#define FILE_GENERIC_EXECUTE	  (STANDARD_RIGHTS_EXECUTE  |\
				   FILE_READ_ATTRIBUTES     |\
				   FILE_EXECUTE 	    |\
				   SYNCHRONIZE)

#define GENERIC_READ			 const_cpu_to_le32(0x80000000L)
#define GENERIC_WRITE			 const_cpu_to_le32(0x40000000L)
#define GENERIC_EXECUTE 		 const_cpu_to_le32(0x20000000L)
#define GENERIC_ALL	 		 const_cpu_to_le32(0x10000000L)


#define OBJECT_INHERIT_ACE		  (0x1)
#define CONTAINER_INHERIT_ACE		  (0x2)
#define NO_PROPAGATE_INHERIT_ACE	  (0x4)
#define INHERIT_ONLY_ACE		  (0x8)
#define INHERITED_ACE			  (0x10)
#define VALID_INHERIT_FLAGS		  (0x1F)

/*
 *	     Other useful definitions
 */

#define ACL_REVISION 2
#define ACCESS_ALLOWED_ACE_TYPE 0
#define ACCESS_DENIED_ACE_TYPE 1
#define SECURITY_DESCRIPTOR_REVISION 1

#endif /* !WIN32 */

#ifndef ACL_REVISION_DS	/* not always defined in <windows.h> */
#define ACL_REVISION_DS 4
#endif

#ifndef INHERITED_ACE /* not always defined in <windows.h> */
#define INHERITED_ACE			  (0x10)
#undef VALID_INHERIT_FLAGS
#define VALID_INHERIT_FLAGS		  (0x1F)
#endif

/*
 *		Matching of ntfs permissions to Linux permissions
 *	these constants are adapted to endianness
 *	when setting, set them all
 *	when checking, check one is present
 */

          /* flags which are set to mean exec, write or read */

#define FILE_READ (FILE_READ_DATA)
#define FILE_WRITE (FILE_WRITE_DATA | FILE_APPEND_DATA \
		| READ_CONTROL | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA)
#define FILE_EXEC (FILE_EXECUTE)
#define DIR_READ FILE_LIST_DIRECTORY
#define DIR_WRITE (FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY | FILE_DELETE_CHILD \
	 	| READ_CONTROL | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA)
#define DIR_EXEC (FILE_TRAVERSE)

          /* flags tested for meaning exec, write or read */
	  /* tests for write allow for interpretation of a sticky bit */

#define FILE_GREAD (FILE_READ_DATA | GENERIC_READ | GENERIC_ALL)
#define FILE_GWRITE (FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_WRITE \
			| GENERIC_ALL)
#define FILE_GEXEC (FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL)
#define DIR_GREAD (FILE_LIST_DIRECTORY | GENERIC_READ | GENERIC_ALL)
#define DIR_GWRITE (FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY | GENERIC_WRITE \
			| GENERIC_ALL)
#define DIR_GEXEC (FILE_TRAVERSE | GENERIC_EXECUTE | GENERIC_ALL)

	/* standard owner (and administrator) rights */

#define OWNER_RIGHTS (DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER \
			| SYNCHRONIZE \
			| FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES \
			| FILE_READ_EA | FILE_WRITE_EA)

	/* standard world rights */

#define WORLD_RIGHTS (READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_READ_EA \
			| SYNCHRONIZE)

          /* inheritance flags for files and directories */

#define FILE_INHERITANCE NO_PROPAGATE_INHERIT_ACE
#define DIR_INHERITANCE (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)

/*
 *		To identify NTFS ACL meaning Posix ACL granted to root
 *	we use rights always granted to anybody, so they have no impact
 *	either on Windows or on Linux.
 */

#define ROOT_OWNER_UNMARK SYNCHRONIZE	/* ACL granted to root as owner */
#define ROOT_GROUP_UNMARK FILE_READ_EA	/* ACL granted to root as group */


struct SII {		/* this is an image of an $SII index entry */
	le16 offs;
	le16 size;
	le32 fill1;
	le16 indexsz;
	le16 indexksz;
	le16 flags;
	le16 fill2;
	le32 keysecurid;

	/* did not find official description for the following */
	le32 hash;
	le32 securid;
	le32 dataoffsl;	/* documented as badly aligned */
	le32 dataoffsh;
	le32 datasize;
} ;

struct SDH {		/* this is an image of an $SDH index entry */
	le16 offs;
	le16 size;
	le32 fill1;
	le16 indexsz;
	le16 indexksz;
	le16 flags;
	le16 fill2;
	le32 keyhash;
	le32 keysecurid;

	/* did not find official description for the following */
	le32 hash;
	le32 securid;
	le32 dataoffsl;
	le32 dataoffsh;
	le32 datasize;
	le32 fill3;
	} ;

#ifndef INVALID_FILE_ATTRIBUTES     /* not defined in old windows.h */
#define INVALID_FILE_ATTRIBUTES (-1)
#endif

enum { MAPUSERS, MAPGROUPS, MAPCOUNT } ;

struct SECURITY_CONTEXT {
	struct MAPPING *mapping[MAPCOUNT];
} ;

typedef enum { MAPNONE, MAPEXTERN, MAPLOCAL, MAPDUMMY } MAPTYPE;



struct passwd {
	uid_t pw_uid;
} ;

struct group {
	gid_t gr_gid;
} ;

typedef int (*FILEREADER)(void *fileid, char *buf, size_t size, off_t pos);

/*
 *		Data defined in secaudit.c
 */

extern MAPTYPE mappingtype;

/*
 *		Functions defined in acls.c
 */

BOOL ntfs_valid_descr(const char *securattr, unsigned int attrsz);
BOOL ntfs_valid_posix(const struct POSIX_SECURITY *pxdesc);
BOOL ntfs_valid_pattern(const SID *sid);
BOOL ntfs_same_sid(const SID *first, const SID *second);


int ntfs_sid_size(const SID * sid);
unsigned int ntfs_attr_size(const char *attr);

const SID *ntfs_find_usid(const struct MAPPING *usermapping,
			uid_t uid, SID *pdefsid);
const SID *ntfs_find_gsid(const struct MAPPING *groupmapping,
			gid_t gid, SID *pdefsid);
uid_t ntfs_find_user(const struct MAPPING *usermapping, const SID *usid);
gid_t ntfs_find_group(const struct MAPPING *groupmapping, const SID * gsid);
const SID *ntfs_acl_owner(const char *secattr);

void ntfs_sort_posix(struct POSIX_SECURITY *pxdesc);
int ntfs_merge_mode_posix(struct POSIX_SECURITY *pxdesc, mode_t mode);


struct POSIX_SECURITY *ntfs_build_permissions_posix(
			struct MAPPING* const mapping[],
			const char *securattr,
			const SID *usid, const SID *gsid, BOOL isdir);
int ntfs_build_permissions(const char *securattr,
			const SID *usid, const SID *gsid, BOOL isdir);
struct MAPLIST *ntfs_read_mapping(FILEREADER reader, void *fileid);
struct MAPPING *ntfs_do_user_mapping(struct MAPLIST *firstitem);
struct MAPPING *ntfs_do_group_mapping(struct MAPLIST *firstitem);
void ntfs_free_mapping(struct MAPPING *mapping[]);

struct POSIX_SECURITY *ntfs_merge_descr_posix(const struct POSIX_SECURITY *first,
			const struct POSIX_SECURITY *second);
char *ntfs_build_descr_posix(struct MAPPING* const mapping[],
			struct POSIX_SECURITY *pxdesc,
			int isdir, const SID *usid, const SID *gsid);
char *ntfs_build_descr(mode_t mode,
			int isdir, const SID * usid, const SID * gsid);

/*
 *		Functions defined in secaudit.c
 */

void *chkmalloc(size_t, const char*, int);
void *chkcalloc(size_t, size_t, const char *, int);
void chkfree(void*, const char*, int);
BOOL chkisalloc(void*, const char*, int);
void dumpalloc(const char*);

#define malloc(sz) chkmalloc(sz, __FILE__, __LINE__)
#define calloc(cnt,sz) chkcalloc(cnt, sz, __FILE__, __LINE__)
#define free(ptr) chkfree(ptr, __FILE__, __LINE__)
#define isalloc(ptr) chkisalloc(ptr, __FILE__, __LINE__)
#define ntfs_malloc(sz) chkmalloc(sz, __FILE__, __LINE__)

struct passwd *getpwnam(const char *user);
struct group *getgrnam(const char *group);

const SID *relay_find_usid(const struct MAPPING *usermapping,
			uid_t uid, SID *pdefsid);
const SID *relay_find_gsid(const struct MAPPING *groupmapping,
			gid_t gid, SID *pdefsid);
uid_t relay_find_user(const struct MAPPING *usermapping, const SID *usid);
gid_t relay_find_group(const struct MAPPING *groupmapping, const SID * gsid);