bybrooklyn/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-04-18 06:44:00 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
cdd4dc3aebeab43a72ce0bc2b5bab6f0a80b97a5
linux/fs/ntfs/layout.h
Namjae Jeon 4079605199 ntfs: update in-memory, on-disk structures and headers 
Update the NTFS filesystem driver's in-memory and on-disk structures:

  - Introduce the  infrastructure and initial support for reparse
    points and EA attribute.
  - Refactor the core ntfs_inode and ntfs_volume structures to support
    new features such as iomap.
  - Remove the unnecessary types.h and endian.h headers.
  - Reorganize the comments in headers for better readability, including
    fixing warnings from checkpatch.pl.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Acked-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
2026-02-19 21:48:06 +09:00

2347 lines
96 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* All NTFS associated on-disk structures.
*
* Copyright (c) 2001-2005 Anton Altaparmakov
* Copyright (c) 2002 Richard Russon
*/
#ifndef _LINUX_NTFS_LAYOUT_H
#define _LINUX_NTFS_LAYOUT_H
#include <linux/types.h>
#include <linux/bitops.h>
#include <linux/list.h>
#include <asm/byteorder.h>
/* The NTFS oem_id "NTFS " */
#define magicNTFS cpu_to_le64(0x202020205346544eULL)
/*
* Location of bootsector on partition:
* The standard NTFS_BOOT_SECTOR is on sector 0 of the partition.
* On NT4 and above there is one backup copy of the boot sector to
* be found on the last sector of the partition (not normally accessible
* from within Windows as the bootsector contained number of sectors
* value is one less than the actual value!).
* On versions of NT 3.51 and earlier, the backup copy was located at
* number of sectors/2 (integer divide), i.e. in the middle of the volume.
*/
/*
* BIOS parameter block (bpb) structure.
*
* @bytes_per_sector: Size of a sector in bytes (usually 512).
* Matches the logical sector size of the underlying device.
* @sectors_per_cluster: Size of a cluster in sectors (NTFS cluster size / sector size).
* @reserved_sectors: Number of reserved sectors at the beginning of the volume.
* Always set to 0 in NTFS.
* @fats: Number of FAT tables.
* Always 0 in NTFS (no FAT tables exist).
* @root_entries: Number of entries in the root directory.
* Always 0 in NTFS.
* @sectors: Total number of sectors on the volume.
* Always 0 in NTFS (use @large_sectors instead).
* @media_type: Media descriptor byte.
* 0xF8 for hard disk (fixed media) in NTFS.
* @sectors_per_fat: Number of sectors per FAT table.
* Always 0 in NTFS.
* @sectors_per_track: Number of sectors per track.
* Irrelevant for NTFS.
* @heads: Number of heads (CHS geometry).
* Irrelevant for NTFS.
* @hidden_sectors: Number of hidden sectors before the start of the partition.
* Always 0 in NTFS boot sector.
* @large_sectors: Total number of sectors on the volume.
*/
struct bios_parameter_block {
__le16 bytes_per_sector;
u8 sectors_per_cluster;
__le16 reserved_sectors;
u8 fats;
__le16 root_entries;
__le16 sectors;
u8 media_type;
__le16 sectors_per_fat;
__le16 sectors_per_track;
__le16 heads;
__le32 hidden_sectors;
__le32 large_sectors;
} __packed;
/*
* NTFS boot sector structure.
*
* @jump: 3-byte jump instruction to boot code (irrelevant for NTFS).
* Typically 0xEB 0x52 0x90 or similar.
* @oem_id: OEM identifier string (8 bytes).
* Always "NTFS " (with trailing spaces) in NTFS volumes.
* @bpb: Legacy BIOS Parameter Block (see struct bios_parameter_block).
* Mostly zeroed or set to fixed values for NTFS compatibility.
* @unused: 4 bytes, reserved/unused.
* NTFS disk editors show it as:
* - physical_drive (0x80 for fixed disk)
* - current_head (0)
* - extended_boot_signature (0x80 or 0x28)
* - unused (0)
* Always zero in practice for NTFS.
* @number_of_sectors: Number of sectors in volume. Gives maximum volume
* size of 2^63 sectors. Assuming standard sector
* size of 512 bytes, the maximum byte size is
* approx. 4.7x10^21 bytes. (-;
* @mft_lcn: Logical cluster number (LCN) of the $MFT data attribute.
* Location of the Master File Table.
* @mftmirr_lcn: LCN of the $MFTMirr (first 3-4 MFT records copy).
* Mirror for boot-time recovery.
* @clusters_per_mft_record:
* Size of each MFT record in clusters.
* @reserved0: 3 bytes, reserved/zero.
* @clusters_per_index_record:
* Size of each index block/record in clusters.
* @reserved1: 3 bytes, reserved/zero.
* @volume_serial_number:
* 64-bit volume serial number.
* Used for identification (irrelevant for NTFS operation).
* @checksum: 32-bit checksum of the boot sector (excluding this field).
* Used to detect boot sector corruption.
* @bootstrap: 426 bytes of bootstrap code.
* Irrelevant for NTFS (contains x86 boot loader stub).
* @end_of_sector_marker:
* 2-byte end-of-sector signature.
* Always 0xAA55 (little-endian magic number).
*/
struct ntfs_boot_sector {
u8 jump[3];
__le64 oem_id;
struct bios_parameter_block bpb;
u8 unused[4];
__le64 number_of_sectors;
__le64 mft_lcn;
__le64 mftmirr_lcn;
s8 clusters_per_mft_record;
u8 reserved0[3];
s8 clusters_per_index_record;
u8 reserved1[3];
__le64 volume_serial_number;
__le32 checksum;
u8 bootstrap[426];
__le16 end_of_sector_marker;
} __packed;
static_assert(sizeof(struct ntfs_boot_sector) == 512);
/*
* Magic identifiers present at the beginning of all ntfs record containing
* records (like mft records for example).
*
* magic_FILE: MFT entry header ("FILE" in ASCII).
* Used in $MFT/$DATA for all master file table records.
* magic_INDX: Index buffer header ("INDX" in ASCII).
* Used in $INDEX_ALLOCATION attributes (directories, $I30 indexes).
* magic_HOLE: Hole marker ("HOLE" in ASCII).
* Introduced in NTFS 3.0+, used for sparse/hole regions in some contexts.
* magic_RSTR: Restart page header ("RSTR" in ASCII).
* Used in LogFile for restart pages (transaction log recovery).
* magic_RCRD: Log record page header ("RCRD" in ASCII).
* Used in LogFile for individual log record pages.
* magic_CHKD: Chkdsk modified marker ("CHKD" in ASCII).
* Set by chkdsk when it modifies a record; indicates repair was done.
* magic_BAAD: Bad record marker ("BAAD" in ASCII).
* Indicates a multi-sector transfer failure was detected.
* The record is corrupted/unusable; often set during I/O errors.
* magic_empty: Empty/uninitialized page marker (0xffffffff).
* Used in LogFile when a page is filled with 0xff bytes
* and has not yet been initialized. Must be formatted before use.
*/
enum {
magic_FILE = cpu_to_le32(0x454c4946),
magic_INDX = cpu_to_le32(0x58444e49),
magic_HOLE = cpu_to_le32(0x454c4f48),
magic_RSTR = cpu_to_le32(0x52545352),
magic_RCRD = cpu_to_le32(0x44524352),
magic_CHKD = cpu_to_le32(0x444b4843),
magic_BAAD = cpu_to_le32(0x44414142),
magic_empty = cpu_to_le32(0xffffffff)
};
/*
* Generic magic comparison macros. Finally found a use for the ## preprocessor
* operator! (-8
*/
static inline bool __ntfs_is_magic(__le32 x, __le32 r)
{
return (x == r);
}
#define ntfs_is_magic(x, m) __ntfs_is_magic(x, magic_##m)
static inline bool __ntfs_is_magicp(__le32 *p, __le32 r)
{
return (*p == r);
}
#define ntfs_is_magicp(p, m) __ntfs_is_magicp(p, magic_##m)
/*
* Specialised magic comparison macros for the NTFS_RECORD_TYPEs defined above.
*/
#define ntfs_is_file_record(x) (ntfs_is_magic(x, FILE))
#define ntfs_is_file_recordp(p) (ntfs_is_magicp(p, FILE))
#define ntfs_is_mft_record(x) (ntfs_is_file_record(x))
#define ntfs_is_mft_recordp(p) (ntfs_is_file_recordp(p))
#define ntfs_is_indx_record(x) (ntfs_is_magic(x, INDX))
#define ntfs_is_indx_recordp(p) (ntfs_is_magicp(p, INDX))
#define ntfs_is_hole_record(x) (ntfs_is_magic(x, HOLE))
#define ntfs_is_hole_recordp(p) (ntfs_is_magicp(p, HOLE))
#define ntfs_is_rstr_record(x) (ntfs_is_magic(x, RSTR))
#define ntfs_is_rstr_recordp(p) (ntfs_is_magicp(p, RSTR))
#define ntfs_is_rcrd_record(x) (ntfs_is_magic(x, RCRD))
#define ntfs_is_rcrd_recordp(p) (ntfs_is_magicp(p, RCRD))
#define ntfs_is_chkd_record(x) (ntfs_is_magic(x, CHKD))
#define ntfs_is_chkd_recordp(p) (ntfs_is_magicp(p, CHKD))
#define ntfs_is_baad_record(x) (ntfs_is_magic(x, BAAD))
#define ntfs_is_baad_recordp(p) (ntfs_is_magicp(p, BAAD))
#define ntfs_is_empty_record(x) (ntfs_is_magic(x, empty))
#define ntfs_is_empty_recordp(p) (ntfs_is_magicp(p, empty))
/*
* struct ntfs_record - Common header for all multi-sector protected NTFS records
*
* @magic: 4-byte magic identifier for the record type and/or status.
* Common values are defined in the magic_* enum (FILE, INDX, RSTR,
* RCRD, CHKD, BAAD, HOLE, empty).
* - "FILE" = MFT record
* - "INDX" = Index allocation block
* - "BAAD" = Record corrupted (multi-sector fixup failed)
* - 0xffffffff = Uninitialized/empty page
* @usa_ofs: Offset (in bytes) from the start of this record to the Update
* Sequence Array (USA).
* The USA is located at record + usa_ofs.
* @usa_count: Number of 16-bit entries in the USA array (including the Update
* Sequence Number itself).
* - Number of fixup locations = usa_count - 1
* - Each fixup location is a 16-bit value in the record that needs
* protection against torn writes.
*
* The Update Sequence Array (usa) is an array of the __le16 values which belong
* to the end of each sector protected by the update sequence record in which
* this array is contained. Note that the first entry is the Update Sequence
* Number (usn), a cyclic counter of how many times the protected record has
* been written to disk. The values 0 and -1 (ie. 0xffff) are not used. All
* last le16's of each sector have to be equal to the usn (during reading) or
* are set to it (during writing). If they are not, an incomplete multi sector
* transfer has occurred when the data was written.
* The maximum size for the update sequence array is fixed to:
* maximum size = usa_ofs + (usa_count * 2) = 510 bytes
* The 510 bytes comes from the fact that the last __le16 in the array has to
* (obviously) finish before the last __le16 of the first 512-byte sector.
* This formula can be used as a consistency check in that usa_ofs +
* (usa_count * 2) has to be less than or equal to 510.
*/
struct ntfs_record {
__le32 magic;
__le16 usa_ofs;
__le16 usa_count;
} __packed;
/*
* System files mft record numbers. All these files are always marked as used
* in the bitmap attribute of the mft; presumably in order to avoid accidental
* allocation for random other mft records. Also, the sequence number for each
* of the system files is always equal to their mft record number and it is
* never modified.
*
* FILE_MFT: Master File Table (MFT) itself.
* Data attribute contains all MFT entries;
* Bitmap attribute tracks which records are in use (bit==1).
* FILE_MFTMirr: MFT mirror: copy of the first four (or more) MFT records
* in its data attribute.
* If cluster size > 4 KiB, copies first N records where
* N = cluster_size / mft_record_size.
* FILE_LogFile: Journaling log (LogFile) in data attribute.
* Used for transaction logging and recovery.
* FILE_Volume: Volume information and name.
* Contains $VolumeName (label) and $VolumeInformation
* (flags, NTFS version). Windows calls this the volume DASD.
* FILE_AttrDef: Attribute definitions array in data attribute.
* Defines all possible attribute types and their properties.
* FILE_root: Root directory ($Root).
* The top-level directory of the filesystem.
* FILE_Bitmap: Cluster allocation bitmap ($Bitmap) in data attribute.
* Tracks free/used clusters (LCNs) on the volume.
* FILE_Boot: Boot sector ($Boot) in data attribute.
* Always located at cluster 0; contains BPB and NTFS parameters.
* FILE_BadClus: Bad cluster list ($BadClus) in non-resident data attribute.
* Marks all known bad clusters.
* FILE_Secure: Security descriptors ($Secure).
* Contains shared $SDS (security descriptors) and two indexes
* ($SDH, $SII). Introduced in Windows 2000.
* Before that, it was called $Quota but was unused.
* FILE_UpCase: Uppercase table ($UpCase) in data attribute.
* Maps all 65536 Unicode characters to their uppercase forms.
* FILE_Extend: System directory ($Extend).
* Contains additional system files ($ObjId, $Quota, $Reparse,
* $UsnJrnl, etc.). Introduced in NTFS 3.0 (Windows 2000).
* FILE_reserved12: Reserved for future use (MFT records 1215).
* FILE_reserved13: Reserved.
* FILE_reserved14: Reserved.
* FILE_reserved15: Reserved.
* FILE_first_user: First possible user-created file MFT record number.
* Used as a boundary to distinguish system files from user files.
*/
enum {
FILE_MFT = 0,
FILE_MFTMirr = 1,
FILE_LogFile = 2,
FILE_Volume = 3,
FILE_AttrDef = 4,
FILE_root = 5,
FILE_Bitmap = 6,
FILE_Boot = 7,
FILE_BadClus = 8,
FILE_Secure = 9,
FILE_UpCase = 10,
FILE_Extend = 11,
FILE_reserved12 = 12,
FILE_reserved13 = 13,
FILE_reserved14 = 14,
FILE_reserved15 = 15,
FILE_first_user = 16,
};
/*
* enum - Flags for MFT record header
*
* These are the so far known MFT_RECORD_* flags (16-bit) which contain
* information about the mft record in which they are present.
*
* MFT_RECORD_IN_USE: This MFT record is allocated and in use.
* (bit set = record is valid/used; clear = free)
* MFT_RECORD_IS_DIRECTORY: This MFT record represents a directory.
* (Used to quickly distinguish files from directories)
* MFT_RECORD_IS_4: Indicates the record is a special "record 4" type.
* (Rarely used; related to NTFS internal special cases,
* often for $AttrDef or early system files)
* MFT_RECORD_IS_VIEW_INDEX: This MFT record is used as a view index.
* (Specific to NTFS indexed views or object ID indexes)
* MFT_REC_SPACE_FILLER: Dummy value to force the enum to be 16-bit wide.
* (Not a real flag; just a sentinel to ensure the type
* is __le16 and no higher bits are accidentally used)
*/
enum {
MFT_RECORD_IN_USE = cpu_to_le16(0x0001),
MFT_RECORD_IS_DIRECTORY = cpu_to_le16(0x0002),
MFT_RECORD_IS_4 = cpu_to_le16(0x0004),
MFT_RECORD_IS_VIEW_INDEX = cpu_to_le16(0x0008),
MFT_REC_SPACE_FILLER = cpu_to_le16(0xffff), /*Just to make flags 16-bit.*/
} __packed;
/*
* mft references (aka file references or file record segment references) are
* used whenever a structure needs to refer to a record in the mft.
*
* A reference consists of a 48-bit index into the mft and a 16-bit sequence
* number used to detect stale references.
*
* For error reporting purposes we treat the 48-bit index as a signed quantity.
*
* The sequence number is a circular counter (skipping 0) describing how many
* times the referenced mft record has been (re)used. This has to match the
* sequence number of the mft record being referenced, otherwise the reference
* is considered stale and removed.
*
* If the sequence number is zero it is assumed that no sequence number
* consistency checking should be performed.
*/
/*
* Define two unpacking macros to get to the reference (MREF) and
* sequence number (MSEQNO) respectively.
* The _LE versions are to be applied on little endian MFT_REFs.
* Note: The _LE versions will return a CPU endian formatted value!
*/
#define MFT_REF_MASK_CPU 0x0000ffffffffffffULL
#define MFT_REF_MASK_LE cpu_to_le64(MFT_REF_MASK_CPU)
#define MK_MREF(m, s) ((u64)(((u64)(s) << 48) | \
((u64)(m) & MFT_REF_MASK_CPU)))
#define MK_LE_MREF(m, s) cpu_to_le64(MK_MREF(m, s))
#define MREF(x) ((unsigned long)((x) & MFT_REF_MASK_CPU))
#define MSEQNO(x) ((u16)(((x) >> 48) & 0xffff))
#define MREF_LE(x) ((unsigned long)(le64_to_cpu(x) & MFT_REF_MASK_CPU))
#define MREF_INO(x) ((unsigned long)MREF_LE(x))
#define MSEQNO_LE(x) ((u16)((le64_to_cpu(x) >> 48) & 0xffff))
#define IS_ERR_MREF(x) (((x) & 0x0000800000000000ULL) ? true : false)
#define ERR_MREF(x) ((u64)((s64)(x)))
#define MREF_ERR(x) ((int)((s64)(x)))
/*
* struct mft_record - NTFS Master File Table (MFT) record header
*
* The mft record header present at the beginning of every record in the mft.
* This is followed by a sequence of variable length attribute records which
* is terminated by an attribute of type AT_END which is a truncated attribute
* in that it only consists of the attribute type code AT_END and none of the
* other members of the attribute structure are present.
*
* magic: Record magic ("FILE" for valid MFT entries).
* See ntfs_record magic enum for other values.
* usa_ofs: Offset to Update Sequence Array (see ntfs_record).
* usa_count: Number of entries in USA (see ntfs_record).
* lsn: Log sequence number (LSN) from LogFile.
* Incremented on every modification to this record.
* sequence_number: Reuse count of this MFT record slot.
* Incremented (skipping zero) when the file is deleted.
* Zero means never reused or special case.
* Part of MFT reference (together with record number).
* link_count: Number of hard links (directory entries) to this file.
* Only meaningful in base MFT records.
* When deleting a directory entry:
* - If link_count == 1, delete the whole file
* - Else remove only the $FILE_NAME attribute and decrement
* attrs_offset: Byte offset from start of MFT record to first attribute.
* Must be 8-byte aligned.
* flags: Bit array of MFT_RECORD_* flags (see MFT_RECORD_IN_USE enum).
* MFT_RECORD_IN_USE cleared when record is freed/deleted.
* bytes_in_use: Number of bytes actually used in this MFT record.
* Must be 8-byte aligned.
* Includes header + all attributes + padding.
* bytes_allocated: Total allocated size of this MFT record.
* Usually equal to MFT record size (1024 bytes or cluster size).
* base_mft_record: MFT reference to the base record.
* 0 for base records.
* Non-zero for extension records → points to base record
* containing the $ATTRIBUTE_LIST that describes this extension.
* next_attr_instance: Next attribute instance number to assign.
* Incremented after each use.
* Reset to 0 when MFT record is reused.
* First instance is always 0.
* reserved: Reserved for alignment (NTFS 3.1+).
* mft_record_number: This MFT record's number (index in $MFT).
* Only present in NTFS 3.1+ (Windows XP and above).
*/
struct mft_record {
__le32 magic;
__le16 usa_ofs;
__le16 usa_count;
__le64 lsn;
__le16 sequence_number;
__le16 link_count;
__le16 attrs_offset;
__le16 flags;
__le32 bytes_in_use;
__le32 bytes_allocated;
__le64 base_mft_record;
__le16 next_attr_instance;
__le16 reserved;
__le32 mft_record_number;
} __packed;
static_assert(sizeof(struct mft_record) == 48);
/**x
* struct mft_record_old - Old NTFS MFT record header (pre-NTFS 3.1 / Windows XP)
*
* This is the older version of the MFT record header used in NTFS versions
* prior to 3.1 (Windows XP and later). It lacks the additional fields
* @reserved and @mft_record_number that were added in NTFS 3.1+.
*
* @magic: Record magic ("FILE" for valid MFT entries).
* See ntfs_record magic enum for other values.
* @usa_ofs: Offset to Update Sequence Array (see ntfs_record).
* @usa_count: Number of entries in USA (see ntfs_record).
* @lsn: Log sequence number (LSN) from LogFile.
* Incremented on every modification to this record.
* @sequence_number: Reuse count of this MFT record slot.
* Incremented (skipping zero) when the file is deleted.
* Zero means never reused or special case.
* Part of MFT reference (together with record number).
* @link_count: Number of hard links (directory entries) to this file.
* Only meaningful in base MFT records.
* When deleting a directory entry:
* - If link_count == 1, delete the whole file
* - Else remove only the $FILE_NAME attribute and decrement
* @attrs_offset: Byte offset from start of MFT record to first attribute.
* Must be 8-byte aligned.
* @flags: Bit array of MFT_RECORD_* flags (see MFT_RECORD_IN_USE enum).
* MFT_RECORD_IN_USE cleared when record is freed/deleted.
* @bytes_in_use: Number of bytes actually used in this MFT record.
* Must be 8-byte aligned.
* Includes header + all attributes + padding.
* @bytes_allocated: Total allocated size of this MFT record.
* Usually equal to MFT record size (1024 bytes or cluster size).
* @base_mft_record: MFT reference to the base record.
* 0 for base records.
* Non-zero for extension records → points to base record
* containing the $ATTRIBUTE_LIST that describes this extension.
* @next_attr_instance: Next attribute instance number to assign.
* Incremented after each use.
* Reset to 0 when MFT record is reused.
* First instance is always 0.
*/
struct mft_record_old {
__le32 magic;
__le16 usa_ofs;
__le16 usa_count;
__le64 lsn;
__le16 sequence_number;
__le16 link_count;
__le16 attrs_offset;
__le16 flags;
__le32 bytes_in_use;
__le32 bytes_allocated;
__le64 base_mft_record;
__le16 next_attr_instance;
} __packed;
static_assert(sizeof(struct mft_record_old) == 42);
/*
* System defined attributes (32-bit). Each attribute type has a corresponding
* attribute name (Unicode string of maximum 64 character length) as described
* by the attribute definitions present in the data attribute of the $AttrDef
* system file. On NTFS 3.0 volumes the names are just as the types are named
* in the below defines exchanging AT_ for the dollar sign ($). If that is not
* a revealing choice of symbol I do not know what is... (-;
*/
enum {
AT_UNUSED = cpu_to_le32(0),
AT_STANDARD_INFORMATION = cpu_to_le32(0x10),
AT_ATTRIBUTE_LIST = cpu_to_le32(0x20),
AT_FILE_NAME = cpu_to_le32(0x30),
AT_OBJECT_ID = cpu_to_le32(0x40),
AT_SECURITY_DESCRIPTOR = cpu_to_le32(0x50),
AT_VOLUME_NAME = cpu_to_le32(0x60),
AT_VOLUME_INFORMATION = cpu_to_le32(0x70),
AT_DATA = cpu_to_le32(0x80),
AT_INDEX_ROOT = cpu_to_le32(0x90),
AT_INDEX_ALLOCATION = cpu_to_le32(0xa0),
AT_BITMAP = cpu_to_le32(0xb0),
AT_REPARSE_POINT = cpu_to_le32(0xc0),
AT_EA_INFORMATION = cpu_to_le32(0xd0),
AT_EA = cpu_to_le32(0xe0),
AT_PROPERTY_SET = cpu_to_le32(0xf0),
AT_LOGGED_UTILITY_STREAM = cpu_to_le32(0x100),
AT_FIRST_USER_DEFINED_ATTRIBUTE = cpu_to_le32(0x1000),
AT_END = cpu_to_le32(0xffffffff)
};
/*
* The collation rules for sorting views/indexes/etc (32-bit).
*
* COLLATION_BINARY - Collate by binary compare where the first byte is most
* significant.
* COLLATION_UNICODE_STRING - Collate Unicode strings by comparing their binary
* Unicode values, except that when a character can be uppercased, the
* upper case value collates before the lower case one.
* COLLATION_FILE_NAME - Collate file names as Unicode strings. The collation
* is done very much like COLLATION_UNICODE_STRING. In fact I have no idea
* what the difference is. Perhaps the difference is that file names
* would treat some special characters in an odd way (see
* unistr.c::ntfs_collate_names() and unistr.c::legal_ansi_char_array[]
* for what I mean but COLLATION_UNICODE_STRING would not give any special
* treatment to any characters at all, but this is speculation.
* COLLATION_NTOFS_ULONG - Sorting is done according to ascending __le32 key
* values. E.g. used for $SII index in FILE_Secure, which sorts by
* security_id (le32).
* COLLATION_NTOFS_SID - Sorting is done according to ascending SID values.
* E.g. used for $O index in FILE_Extend/$Quota.
* COLLATION_NTOFS_SECURITY_HASH - Sorting is done first by ascending hash
* values and second by ascending security_id values. E.g. used for $SDH
* index in FILE_Secure.
* COLLATION_NTOFS_ULONGS - Sorting is done according to a sequence of ascending
* __le32 key values. E.g. used for $O index in FILE_Extend/$ObjId, which
* sorts by object_id (16-byte), by splitting up the object_id in four
* __le32 values and using them as individual keys. E.g. take the following
* two security_ids, stored as follows on disk:
* 1st: a1 61 65 b7 65 7b d4 11 9e 3d 00 e0 81 10 42 59
* 2nd: 38 14 37 d2 d2 f3 d4 11 a5 21 c8 6b 79 b1 97 45
* To compare them, they are split into four __le32 values each, like so:
* 1st: 0xb76561a1 0x11d47b65 0xe0003d9e 0x59421081
* 2nd: 0xd2371438 0x11d4f3d2 0x6bc821a5 0x4597b179
* Now, it is apparent why the 2nd object_id collates after the 1st: the
* first __le32 value of the 1st object_id is less than the first __le32 of
* the 2nd object_id. If the first __le32 values of both object_ids were
* equal then the second __le32 values would be compared, etc.
*/
enum {
COLLATION_BINARY = cpu_to_le32(0x00),
COLLATION_FILE_NAME = cpu_to_le32(0x01),
COLLATION_UNICODE_STRING = cpu_to_le32(0x02),
COLLATION_NTOFS_ULONG = cpu_to_le32(0x10),
COLLATION_NTOFS_SID = cpu_to_le32(0x11),
COLLATION_NTOFS_SECURITY_HASH = cpu_to_le32(0x12),
COLLATION_NTOFS_ULONGS = cpu_to_le32(0x13),
};
/*
* enum - Attribute definition flags
*
* The flags (32-bit) describing attribute properties in the attribute
* definition structure.
* The INDEXABLE flag is fairly certainly correct as only the file
* name attribute has this flag set and this is the only attribute indexed in
* NT4.
*
* ATTR_DEF_INDEXABLE: Attribute can be indexed.
* (Used for creating indexes like $I30, $SDH, etc.)
* ATTR_DEF_MULTIPLE: Attribute type can be present multiple times
* in the MFT record of an inode.
* (e.g., multiple $FILE_NAME, $DATA streams)
* ATTR_DEF_NOT_ZERO: Attribute value must contain at least one non-zero byte.
* (Prevents empty or all-zero values)
* ATTR_DEF_INDEXED_UNIQUE: Attribute must be indexed and the value must be unique
* for this attribute type across all MFT records of an inode.
* (e.g., security descriptor IDs in $Secure)
* ATTR_DEF_NAMED_UNIQUE: Attribute must be named and the name must be unique
* for this attribute type across all MFT records of an inode.
* (e.g., named $DATA streams or alternate data streams)
* ATTR_DEF_RESIDENT: Attribute must be resident (stored in MFT record).
* (Cannot be non-resident/sparse/compressed)
* ATTR_DEF_ALWAYS_LOG: Always log modifications to this attribute in LogFile,
* regardless of whether it is resident or non-resident.
* Without this flag, modifications are logged only if resident.
* (Used for critical metadata attributes)
*/
enum {
ATTR_DEF_INDEXABLE = cpu_to_le32(0x02),
ATTR_DEF_MULTIPLE = cpu_to_le32(0x04),
ATTR_DEF_NOT_ZERO = cpu_to_le32(0x08),
ATTR_DEF_INDEXED_UNIQUE = cpu_to_le32(0x10),
ATTR_DEF_NAMED_UNIQUE = cpu_to_le32(0x20),
ATTR_DEF_RESIDENT = cpu_to_le32(0x40),
ATTR_DEF_ALWAYS_LOG = cpu_to_le32(0x80),
};
/*
* struct attr_def - Attribute definition entry ($AttrDef array)
*
* The data attribute of FILE_AttrDef contains a sequence of attribute
* definitions for the NTFS volume. With this, it is supposed to be safe for an
* older NTFS driver to mount a volume containing a newer NTFS version without
* damaging it (that's the theory. In practice it's: not damaging it too much).
* Entries are sorted by attribute type. The flags describe whether the
* attribute can be resident/non-resident and possibly other things, but the
* actual bits are unknown.
*
* @name: Unicode (UTF-16LE) name of the attribute (e.g. "$DATA", "$FILE_NAME").
* Zero-terminated string, maximum 0x40 characters (128 bytes).
* Used for human-readable display and debugging.
* @type: Attribute type code (ATTR_TYPE_* constants).
* Defines which attribute this entry describes.
* @display_rule: Default display rule (usually 0; rarely used in modern NTFS).
* Controls how the attribute is displayed in tools (legacy).
* @collation_rule: Default collation rule for indexing this attribute.
* Determines sort order when indexed (e.g. CASE_SENSITIVE, UNICODE).
* Used in $I30, $SDH, $SII, etc.
* @flags: Bit array of attribute constraints (ATTR_DEF_* flags).
* See ATTR_DEF_INDEXABLE, ATTR_DEF_MULTIPLE, etc.
* Defines whether the attribute can be indexed, multiple, resident-only, etc.
* @min_size: Optional minimum size of the attribute value (in bytes).
* 0 means no minimum enforced.
* @max_size: Maximum allowed size of the attribute value (in bytes).
*/
struct attr_def {
__le16 name[0x40];
__le32 type;
__le32 display_rule;
__le32 collation_rule;
__le32 flags;
__le64 min_size;
__le64 max_size;
} __packed;
static_assert(sizeof(struct attr_def) == 160);
/*
* enum - Attribute flags (16-bit) for non-resident attributes
*
* ATTR_IS_COMPRESSED: Attribute is compressed.
* If set, data is compressed using the method in
* ATTR_COMPRESSION_MASK.
* ATTR_COMPRESSION_MASK: Mask for compression method.
* Valid values are defined in NTFS compression types
* (e.g., 0x02 = LZNT1, etc.).
* Also serves as the first illegal value for method.
* ATTR_IS_ENCRYPTED: Attribute is encrypted.
* Data is encrypted using EFS (Encrypting File System).
* ATTR_IS_SPARSE: Attribute is sparse.
* Contains holes (unallocated regions) that read as zeros.
*/
enum {
ATTR_IS_COMPRESSED = cpu_to_le16(0x0001),
ATTR_COMPRESSION_MASK = cpu_to_le16(0x00ff),
ATTR_IS_ENCRYPTED = cpu_to_le16(0x4000),
ATTR_IS_SPARSE = cpu_to_le16(0x8000),
} __packed;
/*
* Attribute compression.
*
* Only the data attribute is ever compressed in the current ntfs driver in
* Windows. Further, compression is only applied when the data attribute is
* non-resident. Finally, to use compression, the maximum allowed cluster size
* on a volume is 4kib.
*
* The compression method is based on independently compressing blocks of X
* clusters, where X is determined from the compression_unit value found in the
* non-resident attribute record header (more precisely: X = 2^compression_unit
* clusters). On Windows NT/2k, X always is 16 clusters (compression_unit = 4).
*
* There are three different cases of how a compression block of X clusters
* can be stored:
*
* 1) The data in the block is all zero (a sparse block):
* This is stored as a sparse block in the runlist, i.e. the runlist
* entry has length = X and lcn = -1. The mapping pairs array actually
* uses a delta_lcn value length of 0, i.e. delta_lcn is not present at
* all, which is then interpreted by the driver as lcn = -1.
* NOTE: Even uncompressed files can be sparse on NTFS 3.0 volumes, then
* the same principles apply as above, except that the length is not
* restricted to being any particular value.
*
* 2) The data in the block is not compressed:
* This happens when compression doesn't reduce the size of the block
* in clusters. I.e. if compression has a small effect so that the
* compressed data still occupies X clusters, then the uncompressed data
* is stored in the block.
* This case is recognised by the fact that the runlist entry has
* length = X and lcn >= 0. The mapping pairs array stores this as
* normal with a run length of X and some specific delta_lcn, i.e.
* delta_lcn has to be present.
*
* 3) The data in the block is compressed:
* The common case. This case is recognised by the fact that the run
* list entry has length L < X and lcn >= 0. The mapping pairs array
* stores this as normal with a run length of X and some specific
* delta_lcn, i.e. delta_lcn has to be present. This runlist entry is
* immediately followed by a sparse entry with length = X - L and
* lcn = -1. The latter entry is to make up the vcn counting to the
* full compression block size X.
*
* In fact, life is more complicated because adjacent entries of the same type
* can be coalesced. This means that one has to keep track of the number of
* clusters handled and work on a basis of X clusters at a time being one
* block. An example: if length L > X this means that this particular runlist
* entry contains a block of length X and part of one or more blocks of length
* L - X. Another example: if length L < X, this does not necessarily mean that
* the block is compressed as it might be that the lcn changes inside the block
* and hence the following runlist entry describes the continuation of the
* potentially compressed block. The block would be compressed if the
* following runlist entry describes at least X - L sparse clusters, thus
* making up the compression block length as described in point 3 above. (Of
* course, there can be several runlist entries with small lengths so that the
* sparse entry does not follow the first data containing entry with
* length < X.)
*
* NOTE: At the end of the compressed attribute value, there most likely is not
* just the right amount of data to make up a compression block, thus this data
* is not even attempted to be compressed. It is just stored as is, unless
* the number of clusters it occupies is reduced when compressed in which case
* it is stored as a compressed compression block, complete with sparse
* clusters at the end.
*/
/*
* enum - Flags for resident attributes (8-bit)
*
* RESIDENT_ATTR_IS_INDEXED: Attribute is referenced in an index.
* (e.g., part of an index key or entry)
* Has implications for deletion and modification:
* - Cannot be freely removed if indexed
* - Index must be updated when value changes
* - Used for attributes like $FILE_NAME in directories
*/
enum {
RESIDENT_ATTR_IS_INDEXED = 0x01,
} __packed;
/*
* struct attr_record - NTFS attribute record header
*
* Common header for both resident and non-resident attributes.
* Always aligned to an 8-byte boundary on disk.
* Located at attrs_offset in the MFT record (see struct mft_record).
*
* @type: 32-bit attribute type (ATTR_TYPE_* constants).
* Identifies the attribute
* (e.g. 0x10 = $STANDARD_INFORMATION).
* @length: Total byte size of this attribute record (resident).
* 8-byte aligned; used to locate the next attribute.
* @non_resident: 0 = resident attribute
* 1 = non-resident attribute
* @name_length: Number of Unicode characters in the attribute name.
* 0 if unnamed (most system attributes are unnamed).
* @name_offset: Byte offset from start of attribute record to the name.
* 8-byte aligned; when creating, place at end of header.
* @flags: Attribute flags (see ATTR_IS_COMPRESSED,
* ATTR_IS_ENCRYPTED, etc.).
* For resident: see RESIDENT_ATTR_* flags.
* @instance: Unique instance number within this MFT record.
* Incremented via next_attr_instance; unique per record.
*
* Resident attributes (when @non_resident == 0):
* @data.resident.value_length: Byte size of the attribute value.
* @data.resident.value_offset: Byte offset from start of attribute
* record to the value data.
* 8-byte aligned if name present.
* @data.resident.flags: Resident-specific flags
* @data.resident.reserved: Reserved/alignment to 8 bytes.
*
* Non-resident attributes (when @non_resident == 1):
* @data.non_resident.lowest_vcn: Lowest valid VCN in this extent.
* Usually 0 unless attribute list is used.
* @data.non_resident.highest_vcn: Highest valid VCN in this extent.
* -1 for zero-length, 0 for single extent.
* @data.non_resident.mapping_pairs_offset:
* Byte offset to mapping pairs array
* (VCN → LCN mappings).
* 8-byte aligned when creating.
* @data.non_resident.compression_unit:
* Log2 of clusters per compression unit.
* 0 = not compressed.
* WinNT4 used 4; sparse files use 0
* on XP SP2+.
* @data.non_resident.reserved: 5 bytes for 8-byte alignment.
* @data.non_resident.allocated_size:
* Allocated disk space in bytes.
* For compressed: logical allocated size.
* @data.non_resident.data_size: Logical attribute value size in bytes.
* Can be larger than allocated_size if
* compressed/sparse.
* @data.non_resident.initialized_size:
* Initialized portion size in bytes.
* Usually equals data_size.
* @data.non_resident.compressed_size:
* Compressed on-disk size in bytes.
* Only present when compressed or sparse.
* Actual disk usage.
*/
struct attr_record {
__le32 type;
__le32 length;
u8 non_resident;
u8 name_length;
__le16 name_offset;
__le16 flags;
__le16 instance;
union {
struct {
__le32 value_length;
__le16 value_offset;
u8 flags;
s8 reserved;
} __packed resident;
struct {
__le64 lowest_vcn;
__le64 highest_vcn;
__le16 mapping_pairs_offset;
u8 compression_unit;
u8 reserved[5];
__le64 allocated_size;
__le64 data_size;
__le64 initialized_size;
__le64 compressed_size;
} __packed non_resident;
} __packed data;
} __packed;
/*
* enum - NTFS file attribute flags (32-bit)
*
* File attribute flags (32-bit) appearing in the file_attributes fields of the
* STANDARD_INFORMATION attribute of MFT_RECORDs and the FILENAME_ATTR
* attributes of MFT_RECORDs and directory index entries.
*
* All of the below flags appear in the directory index entries but only some
* appear in the STANDARD_INFORMATION attribute whilst only some others appear
* in the FILENAME_ATTR attribute of MFT_RECORDs. Unless otherwise stated the
* flags appear in all of the above.
*
* FILE_ATTR_READONLY: File is read-only.
* FILE_ATTR_HIDDEN: File is hidden (not shown by default).
* FILE_ATTR_SYSTEM: System file (protected by OS).
* FILE_ATTR_DIRECTORY: Directory flag (reserved in NT; use MFT flag instead).
* FILE_ATTR_ARCHIVE: File needs archiving (backup flag).
* FILE_ATTR_DEVICE: Device file (rarely used).
* FILE_ATTR_NORMAL: Normal file (no special attributes).
* FILE_ATTR_TEMPORARY: Temporary file (delete on close).
* FILE_ATTR_SPARSE_FILE: Sparse file (contains holes).
* FILE_ATTR_REPARSE_POINT: Reparse point (junction, symlink, mount point).
* FILE_ATTR_COMPRESSED: File is compressed.
* FILE_ATTR_OFFLINE: File data is offline (not locally available).
* FILE_ATTR_NOT_CONTENT_INDEXED:
* File is excluded from content indexing.
* FILE_ATTR_ENCRYPTED: File is encrypted (EFS).
* FILE_ATTR_VALID_FLAGS: Mask of all valid flags for reading.
* FILE_ATTR_VALID_SET_FLAGS: Mask of flags that can be set by user.
* FILE_ATTRIBUTE_RECALL_ON_OPEN:
* Recall data on open (cloud/HSM related).
* FILE_ATTR_DUP_FILE_NAME_INDEX_PRESENT:
* $FILE_NAME has duplicate index entry.
* FILE_ATTR_DUP_VIEW_INDEX_PRESENT:
* Duplicate view index present (object ID, quota, etc.).
*/
enum {
FILE_ATTR_READONLY = cpu_to_le32(0x00000001),
FILE_ATTR_HIDDEN = cpu_to_le32(0x00000002),
FILE_ATTR_SYSTEM = cpu_to_le32(0x00000004),
/* Old DOS volid. Unused in NT. = cpu_to_le32(0x00000008), */
FILE_ATTR_DIRECTORY = cpu_to_le32(0x00000010),
FILE_ATTR_ARCHIVE = cpu_to_le32(0x00000020),
FILE_ATTR_DEVICE = cpu_to_le32(0x00000040),
FILE_ATTR_NORMAL = cpu_to_le32(0x00000080),
FILE_ATTR_TEMPORARY = cpu_to_le32(0x00000100),
FILE_ATTR_SPARSE_FILE = cpu_to_le32(0x00000200),
FILE_ATTR_REPARSE_POINT = cpu_to_le32(0x00000400),
FILE_ATTR_COMPRESSED = cpu_to_le32(0x00000800),
FILE_ATTR_OFFLINE = cpu_to_le32(0x00001000),
FILE_ATTR_NOT_CONTENT_INDEXED = cpu_to_le32(0x00002000),
FILE_ATTR_ENCRYPTED = cpu_to_le32(0x00004000),
FILE_ATTR_VALID_FLAGS = cpu_to_le32(0x00007fb7),
FILE_ATTR_VALID_SET_FLAGS = cpu_to_le32(0x000031a7),
FILE_ATTRIBUTE_RECALL_ON_OPEN = cpu_to_le32(0x00040000),
FILE_ATTR_DUP_FILE_NAME_INDEX_PRESENT = cpu_to_le32(0x10000000),
FILE_ATTR_DUP_VIEW_INDEX_PRESENT = cpu_to_le32(0x20000000),
};
/*
* NOTE on times in NTFS: All times are in MS standard time format, i.e. they
* are the number of 100-nanosecond intervals since 1st January 1601, 00:00:00
* universal coordinated time (UTC). (In Linux time starts 1st January 1970,
* 00:00:00 UTC and is stored as the number of 1-second intervals since then.)
*/
/*
* struct standard_information - $STANDARD_INFORMATION attribute content
*
* NOTE: Always resident.
* NOTE: Present in all base file records on a volume.
* NOTE: There is conflicting information about the meaning of each of the time
* fields but the meaning as defined below has been verified to be
* correct by practical experimentation on Windows NT4 SP6a and is hence
* assumed to be the one and only correct interpretation.
*
* @creation_time: File creation time (NTFS timestamp).
* Updated on filename change(?).
* @last_data_change_time: Last modification time of data streams.
* @last_mft_change_time: Last modification time of this MFT record.
* @last_access_time: Last access time (approximate).
* Not updated on read-only volumes; can be disabled.
* @file_attributes: File attribute flags (FILE_ATTR_* bits).
*
* Union (version-specific fields):
* @ver.v1.reserved12: 12 bytes reserved/alignment (NTFS 1.2 only).
*
* @ver.v3 (NTFS 3.x / Windows 2000+):
* @maximum_versions: Max allowed file versions (0 = disabled).
* @version_number: Current version number (0 if disabled).
* @class_id: Class ID (from bidirectional index?).
* @owner_id: Owner ID (maps to $Quota via $Q index).
* @security_id: Security ID (maps to $Secure $SII/$SDS).
* @quota_charged: Quota charge in bytes (0 if quotas disabled).
* @usn: Last USN from $UsnJrnl (0 if disabled).
*/
struct standard_information {
__le64 creation_time;
__le64 last_data_change_time;
__le64 last_mft_change_time;
__le64 last_access_time;
__le32 file_attributes;
union {
struct {
u8 reserved12[12];
} __packed v1;
struct {
__le32 maximum_versions;
__le32 version_number;
__le32 class_id;
__le32 owner_id;
__le32 security_id;
__le64 quota_charged;
__le64 usn;
} __packed v3;
} __packed ver;
} __packed;
/*
* struct attr_list_entry - Entry in $ATTRIBUTE_LIST attribute.
*
* @type: Attribute type code (ATTR_TYPE_*).
* @length: Byte size of this entry (8-byte aligned).
* @name_length: Unicode char count of attribute name (0 if unnamed).
* @name_offset: Byte offset from start of entry to name (always set).
* @lowest_vcn: Lowest VCN of this attribute extent (usually 0).
* Signed value; non-zero when attribute spans extents.
* @mft_reference: MFT record reference holding this attribute extent.
* @instance: Attribute instance number (if lowest_vcn == 0); else 0.
* @name: Variable Unicode name (use @name_offset when reading).
*
* - Can be either resident or non-resident.
* - Value consists of a sequence of variable length, 8-byte aligned,
* ATTR_LIST_ENTRY records.
* - The list is not terminated by anything at all! The only way to know when
* the end is reached is to keep track of the current offset and compare it to
* the attribute value size.
* - The attribute list attribute contains one entry for each attribute of
* the file in which the list is located, except for the list attribute
* itself. The list is sorted: first by attribute type, second by attribute
* name (if present), third by instance number. The extents of one
* non-resident attribute (if present) immediately follow after the initial
* extent. They are ordered by lowest_vcn and have their instance set to zero.
* It is not allowed to have two attributes with all sorting keys equal.
* - Further restrictions:
* - If not resident, the vcn to lcn mapping array has to fit inside the
* base mft record.
* - The attribute list attribute value has a maximum size of 256kb. This
* is imposed by the Windows cache manager.
* - Attribute lists are only used when the attributes of mft record do not
* fit inside the mft record despite all attributes (that can be made
* non-resident) having been made non-resident. This can happen e.g. when:
* - File has a large number of hard links (lots of file name
* attributes present).
* - The mapping pairs array of some non-resident attribute becomes so
* large due to fragmentation that it overflows the mft record.
* - The security descriptor is very complex (not applicable to
* NTFS 3.0 volumes).
* - There are many named streams.
*/
struct attr_list_entry {
__le32 type;
__le16 length;
u8 name_length;
u8 name_offset;
__le64 lowest_vcn;
__le64 mft_reference;
__le16 instance;
__le16 name[];
} __packed;
/*
* The maximum allowed length for a file name.
*/
#define MAXIMUM_FILE_NAME_LENGTH 255
/*
* enum - Possible namespaces for filenames in ntfs (8-bit).
*
* FILE_NAME_POSIX POSIX namespace (case sensitive, most permissive).
* Allows all Unicode except '\0' and '/'.
* WinNT/2k/2003 default utilities ignore case
* differences. SFU (Services For Unix) enables true
* case sensitivity.
* SFU restricts some chars: '"', '/', '<', '>', '\'.
* FILE_NAME_WIN32 Standard WinNT/2k long filename namespace
* (case insensitive).
* Disallows '\0', '"', '*', '/', ':', '<', '>', '?',
* '\', '|'. Names cannot end with '.' or space.
* FILE_NAME_DOS DOS 8.3 namespace (uppercase only).
* Allows 8-bit chars > space except '"', '*', '+',
* ',', '/', ':', ';', '<', '=', '>', '?', '\'.
* FILE_NAME_WIN32_AND_DOS
* Win32 and DOS names are identical (single record).
* Value 0x03 indicates both are stored in one entry.
*/
enum {
FILE_NAME_POSIX = 0x00,
FILE_NAME_WIN32 = 0x01,
FILE_NAME_DOS = 0x02,
FILE_NAME_WIN32_AND_DOS = 0x03,
} __packed;
/*
* struct file_name_attr - $FILE_NAME attribute content
*
* NOTE: Always resident.
* NOTE: All fields, except the parent_directory, are only updated when the
* filename is changed. Until then, they just become out of sync with
* reality and the more up to date values are present in the standard
* information attribute.
* NOTE: There is conflicting information about the meaning of each of the time
* fields but the meaning as defined below has been verified to be
* correct by practical experimentation on Windows NT4 SP6a and is hence
* assumed to be the one and only correct interpretation.
*
* @parent_directory: MFT reference to parent directory.
* @creation_time: File creation time (NTFS timestamp).
* @last_data_change_time:
* Last data modification time.
* @last_mft_change_time:
* Last MFT record modification time.
* @last_access_time: Last access time (approximate; may not
* update always).
* @allocated_size: On-disk allocated size for unnamed $DATA.
* Equals compressed_size if compressed/sparse.
* 0 for directories or no $DATA.
* Multiple of cluster size.
* @data_size: Logical size of unnamed $DATA.
* 0 for directories or no $DATA.
* @file_attributes: File attribute flags (FILE_ATTR_* bits).
* @type.ea.packed_ea_size:
* Size needed to pack EAs (if present).
* @type.ea.reserved: Alignment padding.
* @type.rp.reparse_point_tag:
* Reparse point type (if reparse point, no EAs).
* @file_name_length: Length of filename in Unicode characters.
* @file_name_type: Namespace (FILE_NAME_POSIX, WIN32, DOS, etc.).
* @file_name: Variable-length Unicode filename.
*/
struct file_name_attr {
__le64 parent_directory;
__le64 creation_time;
__le64 last_data_change_time;
__le64 last_mft_change_time;
__le64 last_access_time;
__le64 allocated_size;
__le64 data_size;
__le32 file_attributes;
union {
struct {
__le16 packed_ea_size;
__le16 reserved;
} __packed ea;
struct {
__le32 reparse_point_tag;
} __packed rp;
} __packed type;
u8 file_name_length;
u8 file_name_type;
__le16 file_name[];
} __packed;
/*
* struct guid - Globally Unique Identifier (GUID) structure
*
* GUID structures store globally unique identifiers (GUID). A GUID is a
* 128-bit value consisting of one group of eight hexadecimal digits, followed
* by three groups of four hexadecimal digits each, followed by one group of
* twelve hexadecimal digits. GUIDs are Microsoft's implementation of the
* distributed computing environment (DCE) universally unique identifier (UUID).
* Example of a GUID:
* 1F010768-5A73-BC91-0010A52216A7
*
* @data1: First 32 bits (first 8 hex digits).
* @data2: Next 16 bits (first group of 4 hex digits).
* @data3: Next 16 bits (second group of 4 hex digits).
* @data4: Final 64 bits (third group of 4 + last 12 hex digits).
* data4[0-1]: third group; data4[2-7]: remaining part.
*/
struct guid {
__le32 data1;
__le16 data2;
__le16 data3;
u8 data4[8];
} __packed;
/*
* struct object_id_attr - $OBJECT_ID attribute content (NTFS 3.0+)
*
* NOTE: Always resident.
*
* @object_id: Unique 128-bit GUID assigned to the file.
* Core identifier; always present.
*
* Optional extended info (union; total value size 1664 bytes):
* @extended_info.birth_volume_id:
* Birth volume GUID (where file was first created).
* @extended_info.birth_object_id:
* Birth object GUID (original ID before copy/move).
* @extended_info.domain_id:
* Domain GUID (usually zero; reserved).
*/
struct object_id_attr {
struct guid object_id;
union {
struct {
struct guid birth_volume_id;
struct guid birth_object_id;
struct guid domain_id;
} __packed;
u8 extended_info[48];
} __packed;
} __packed;
/*
* enum - RIDs (Relative Identifiers) in Windows/NTFS security
*
* These relative identifiers (RIDs) are used with the above identifier
* authorities to make up universal well-known SIDs.
*
* SECURITY_NULL_RID S-1-0 (Null authority)
* SECURITY_WORLD_RID S-1-1 (World/Everyone)
* SECURITY_LOCAL_RID S-1-2 (Local)
* SECURITY_CREATOR_OWNER_RID S-1-3-0 (Creator Owner)
* SECURITY_CREATOR_GROUP_RID S-1-3-1 (Creator Group)
* SECURITY_CREATOR_OWNER_SERVER_RID S-1-3-2 (Server Creator Owner)
* SECURITY_CREATOR_GROUP_SERVER_RID S-1-3-3 (Server Creator Group)
* SECURITY_DIALUP_RID S-1-5-1 (Dialup)
* SECURITY_NETWORK_RID S-1-5-2 (Network)
* SECURITY_BATCH_RID S-1-5-3 (Batch)
* SECURITY_INTERACTIVE_RID S-1-5-4 (Interactive)
* SECURITY_SERVICE_RID S-1-5-6 (Service)
* SECURITY_ANONYMOUS_LOGON_RID S-1-5-7 (Anonymous Logon)
* SECURITY_PROXY_RID S-1-5-8 (Proxy)
* SECURITY_ENTERPRISE_CONTROLLERS_RID S-1-5-9 (Enterprise DCs)
* SECURITY_SERVER_LOGON_RID S-1-5-9 (Server Logon alias)
* SECURITY_PRINCIPAL_SELF_RID S-1-5-10 (Self/PrincipalSelf)
* SECURITY_AUTHENTICATED_USER_RID S-1-5-11 (Authenticated Users)
* SECURITY_RESTRICTED_CODE_RID S-1-5-12 (Restricted Code)
* SECURITY_TERMINAL_SERVER_RID S-1-5-13 (Terminal Server)
* SECURITY_LOGON_IDS_RID S-1-5-5 (Logon session IDs base)
* SECURITY_LOCAL_SYSTEM_RID S-1-5-18 (Local System)
* SECURITY_NT_NON_UNIQUE S-1-5-21 (NT non-unique authority)
* SECURITY_BUILTIN_DOMAIN_RID S-1-5-32 (Built-in domain)
*
* Built-in domain relative RIDs (S-1-5-32-...):
* Users:
* DOMAIN_USER_RID_ADMIN Administrator
* DOMAIN_USER_RID_GUEST Guest
* DOMAIN_USER_RID_KRBTGT krbtgt (Kerberos ticket-granting)
*
* Groups:
* DOMAIN_GROUP_RID_ADMINS Administrators
* DOMAIN_GROUP_RID_USERS Users
* DOMAIN_GROUP_RID_GUESTS Guests
* DOMAIN_GROUP_RID_COMPUTERS Computers
* DOMAIN_GROUP_RID_CONTROLLERS Domain Controllers
* DOMAIN_GROUP_RID_CERT_ADMINS Cert Publishers
* DOMAIN_GROUP_RID_SCHEMA_ADMINS Schema Admins
* DOMAIN_GROUP_RID_ENTERPRISE_ADMINS Enterprise Admins
* DOMAIN_GROUP_RID_POLICY_ADMINS Policy Admins (if present)
*
* Aliases:
* DOMAIN_ALIAS_RID_ADMINS Administrators alias
* DOMAIN_ALIAS_RID_USERS Users alias
* DOMAIN_ALIAS_RID_GUESTS Guests alias
* DOMAIN_ALIAS_RID_POWER_USERS Power Users
* DOMAIN_ALIAS_RID_ACCOUNT_OPS Account Operators
* DOMAIN_ALIAS_RID_SYSTEM_OPS Server Operators
* DOMAIN_ALIAS_RID_PRINT_OPS Print Operators
* DOMAIN_ALIAS_RID_BACKUP_OPS Backup Operators
* DOMAIN_ALIAS_RID_REPLICATOR Replicator
* DOMAIN_ALIAS_RID_RAS_SERVERS RAS Servers
* DOMAIN_ALIAS_RID_PREW2KCOMPACCESS Pre-Windows 2000 Compatible Access
*
* Note: The relative identifier (RID) refers to the portion of a SID, which
* identifies a user or group in relation to the authority that issued the SID.
* For example, the universal well-known SID Creator Owner ID (S-1-3-0) is
* made up of the identifier authority SECURITY_CREATOR_SID_AUTHORITY (3) and
* the relative identifier SECURITY_CREATOR_OWNER_RID (0).
*/
enum { /* Identifier authority. */
SECURITY_NULL_RID = 0, /* S-1-0 */
SECURITY_WORLD_RID = 0, /* S-1-1 */
SECURITY_LOCAL_RID = 0, /* S-1-2 */
SECURITY_CREATOR_OWNER_RID = 0, /* S-1-3 */
SECURITY_CREATOR_GROUP_RID = 1, /* S-1-3 */
SECURITY_CREATOR_OWNER_SERVER_RID = 2, /* S-1-3 */
SECURITY_CREATOR_GROUP_SERVER_RID = 3, /* S-1-3 */
SECURITY_DIALUP_RID = 1,
SECURITY_NETWORK_RID = 2,
SECURITY_BATCH_RID = 3,
SECURITY_INTERACTIVE_RID = 4,
SECURITY_SERVICE_RID = 6,
SECURITY_ANONYMOUS_LOGON_RID = 7,
SECURITY_PROXY_RID = 8,
SECURITY_ENTERPRISE_CONTROLLERS_RID = 9,
SECURITY_SERVER_LOGON_RID = 9,
SECURITY_PRINCIPAL_SELF_RID = 0xa,
SECURITY_AUTHENTICATED_USER_RID = 0xb,
SECURITY_RESTRICTED_CODE_RID = 0xc,
SECURITY_TERMINAL_SERVER_RID = 0xd,
SECURITY_LOGON_IDS_RID = 5,
SECURITY_LOGON_IDS_RID_COUNT = 3,
SECURITY_LOCAL_SYSTEM_RID = 0x12,
SECURITY_NT_NON_UNIQUE = 0x15,
SECURITY_BUILTIN_DOMAIN_RID = 0x20,
/*
* Well-known domain relative sub-authority values (RIDs).
*/
/* Users. */
DOMAIN_USER_RID_ADMIN = 0x1f4,
DOMAIN_USER_RID_GUEST = 0x1f5,
DOMAIN_USER_RID_KRBTGT = 0x1f6,
/* Groups. */
DOMAIN_GROUP_RID_ADMINS = 0x200,
DOMAIN_GROUP_RID_USERS = 0x201,
DOMAIN_GROUP_RID_GUESTS = 0x202,
DOMAIN_GROUP_RID_COMPUTERS = 0x203,
DOMAIN_GROUP_RID_CONTROLLERS = 0x204,
DOMAIN_GROUP_RID_CERT_ADMINS = 0x205,
DOMAIN_GROUP_RID_SCHEMA_ADMINS = 0x206,
DOMAIN_GROUP_RID_ENTERPRISE_ADMINS = 0x207,
DOMAIN_GROUP_RID_POLICY_ADMINS = 0x208,
/* Aliases. */
DOMAIN_ALIAS_RID_ADMINS = 0x220,
DOMAIN_ALIAS_RID_USERS = 0x221,
DOMAIN_ALIAS_RID_GUESTS = 0x222,
DOMAIN_ALIAS_RID_POWER_USERS = 0x223,
DOMAIN_ALIAS_RID_ACCOUNT_OPS = 0x224,
DOMAIN_ALIAS_RID_SYSTEM_OPS = 0x225,
DOMAIN_ALIAS_RID_PRINT_OPS = 0x226,
DOMAIN_ALIAS_RID_BACKUP_OPS = 0x227,
DOMAIN_ALIAS_RID_REPLICATOR = 0x228,
DOMAIN_ALIAS_RID_RAS_SERVERS = 0x229,
DOMAIN_ALIAS_RID_PREW2KCOMPACCESS = 0x22a,
};
/*
* The universal well-known SIDs:
*
* NULL_SID S-1-0-0
* WORLD_SID S-1-1-0
* LOCAL_SID S-1-2-0
* CREATOR_OWNER_SID S-1-3-0
* CREATOR_GROUP_SID S-1-3-1
* CREATOR_OWNER_SERVER_SID S-1-3-2
* CREATOR_GROUP_SERVER_SID S-1-3-3
*
* (Non-unique IDs) S-1-4
*
* NT well-known SIDs:
*
* NT_AUTHORITY_SID S-1-5
* DIALUP_SID S-1-5-1
*
* NETWORD_SID S-1-5-2
* BATCH_SID S-1-5-3
* INTERACTIVE_SID S-1-5-4
* SERVICE_SID S-1-5-6
* ANONYMOUS_LOGON_SID S-1-5-7 (aka null logon session)
* PROXY_SID S-1-5-8
* SERVER_LOGON_SID S-1-5-9 (aka domain controller account)
* SELF_SID S-1-5-10 (self RID)
* AUTHENTICATED_USER_SID S-1-5-11
* RESTRICTED_CODE_SID S-1-5-12 (running restricted code)
* TERMINAL_SERVER_SID S-1-5-13 (running on terminal server)
*
* (Logon IDs) S-1-5-5-X-Y
*
* (NT non-unique IDs) S-1-5-0x15-...
*
* (Built-in domain) S-1-5-0x20
*/
/*
* struct ntfs_sid - Security Identifier (SID) structure
*
* @revision: SID revision level (usually 1).
* @sub_authority_count: Number of sub-authorities (1 or more).
* @identifier_authority:
* 48-bit identifier authority (S-1-x-...).
* @parts.high_part: high 16 bits.
* @parts.low_part: low 32 bits.
* @value: raw 6-byte array.
* @sub_authority: Variable array of 32-bit RIDs.
* At least one; defines the SID relative to authority.
*
* The SID structure is a variable-length structure used to uniquely identify
* users or groups. SID stands for security identifier.
*
* The standard textual representation of the SID is of the form:
* S-R-I-S-S...
* Where:
* - The first "S" is the literal character 'S' identifying the following
* digits as a SID.
* - R is the revision level of the SID expressed as a sequence of digits
* either in decimal or hexadecimal (if the later, prefixed by "0x").
* - I is the 48-bit identifier_authority, expressed as digits as R above.
* - S... is one or more sub_authority values, expressed as digits as above.
*
* Example SID; the domain-relative SID of the local Administrators group on
* Windows NT/2k:
* S-1-5-32-544
* This translates to a SID with:
* revision = 1,
* sub_authority_count = 2,
* identifier_authority = {0,0,0,0,0,5}, // SECURITY_NT_AUTHORITY
* sub_authority[0] = 32, // SECURITY_BUILTIN_DOMAIN_RID
* sub_authority[1] = 544 // DOMAIN_ALIAS_RID_ADMINS
*/
struct ntfs_sid {
u8 revision;
u8 sub_authority_count;
union {
struct {
u16 high_part;
u32 low_part;
} __packed parts;
u8 value[6];
} identifier_authority;
__le32 sub_authority[];
} __packed;
/*
* enum - Predefined ACE types (8-bit) for NTFS security descriptors
*
* ACCESS_MIN_MS_ACE_TYPE: Minimum MS ACE type (0).
* ACCESS_ALLOWED_ACE_TYPE: Allow access (standard ACE).
* ACCESS_DENIED_ACE_TYPE: Deny access (standard ACE).
* SYSTEM_AUDIT_ACE_TYPE: Audit successful/failed access.
* SYSTEM_ALARM_ACE_TYPE: Alarm on access (not in Win2k+).
* ACCESS_MAX_MS_V2_ACE_TYPE: Max for V2 ACE types.
* ACCESS_ALLOWED_COMPOUND_ACE_TYPE:
* Compound ACE (legacy).
* ACCESS_MAX_MS_V3_ACE_TYPE: Max for V3 ACE types.
* ACCESS_MIN_MS_OBJECT_ACE_TYPE: Min for object ACE types (Win2k+).
* ACCESS_ALLOWED_OBJECT_ACE_TYPE: Allow with object-specific rights.
* ACCESS_DENIED_OBJECT_ACE_TYPE: Deny with object-specific rights.
* SYSTEM_AUDIT_OBJECT_ACE_TYPE: Audit with object-specific rights.
* SYSTEM_ALARM_OBJECT_ACE_TYPE: Alarm with object-specific rights.
* ACCESS_MAX_MS_OBJECT_ACE_TYPE: Max for object ACE types.
* ACCESS_MAX_MS_V4_ACE_TYPE: Max for V4 ACE types.
* ACCESS_MAX_MS_ACE_TYPE: Overall max ACE type (WinNT/2k).
*/
enum {
ACCESS_MIN_MS_ACE_TYPE = 0,
ACCESS_ALLOWED_ACE_TYPE = 0,
ACCESS_DENIED_ACE_TYPE = 1,
SYSTEM_AUDIT_ACE_TYPE = 2,
SYSTEM_ALARM_ACE_TYPE = 3,
ACCESS_MAX_MS_V2_ACE_TYPE = 3,
ACCESS_ALLOWED_COMPOUND_ACE_TYPE = 4,
ACCESS_MAX_MS_V3_ACE_TYPE = 4,
ACCESS_MIN_MS_OBJECT_ACE_TYPE = 5,
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 5,
ACCESS_DENIED_OBJECT_ACE_TYPE = 6,
SYSTEM_AUDIT_OBJECT_ACE_TYPE = 7,
SYSTEM_ALARM_OBJECT_ACE_TYPE = 8,
ACCESS_MAX_MS_OBJECT_ACE_TYPE = 8,
ACCESS_MAX_MS_V4_ACE_TYPE = 8,
ACCESS_MAX_MS_ACE_TYPE = 8,
} __packed;
/*
* enum - ACE inheritance and audit flags (8-bit)
*
* OBJECT_INHERIT_ACE: Object inherit (files inherit this ACE).
* CONTAINER_INHERIT_ACE: Container inherit (subdirectories inherit).
* NO_PROPAGATE_INHERIT_ACE: No propagation (stop inheritance after this level).
* INHERIT_ONLY_ACE: Inherit only (not applied to current object).
* INHERITED_ACE: ACE was inherited (Win2k+ only).
* VALID_INHERIT_FLAGS: Mask of all valid inheritance flags (0x1f).
* SUCCESSFUL_ACCESS_ACE_FLAG: Audit successful access (system audit ACE).
* FAILED_ACCESS_ACE_FLAG: Audit failed access (system audit ACE).
*
* SUCCESSFUL_ACCESS_ACE_FLAG is only used with system audit and alarm ACE
* types to indicate that a message is generated (in Windows!) for successful
* accesses.
*
* FAILED_ACCESS_ACE_FLAG is only used with system audit and alarm ACE types
* to indicate that a message is generated (in Windows!) for failed accesses.
*/
enum {
OBJECT_INHERIT_ACE = 0x01,
CONTAINER_INHERIT_ACE = 0x02,
NO_PROPAGATE_INHERIT_ACE = 0x04,
INHERIT_ONLY_ACE = 0x08,
INHERITED_ACE = 0x10,
VALID_INHERIT_FLAGS = 0x1f,
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40,
FAILED_ACCESS_ACE_FLAG = 0x80,
} __packed;
/*
* enum - NTFS access rights masks (32-bit)
*
* FILE_READ_DATA / FILE_LIST_DIRECTORY: Read file data / list dir contents.
* FILE_WRITE_DATA / FILE_ADD_FILE: Write file data / create file in dir.
* FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY: Append data / create subdir.
* FILE_READ_EA: Read extended attributes.
* FILE_WRITE_EA: Write extended attributes.
* FILE_EXECUTE / FILE_TRAVERSE: Execute file / traverse dir.
* FILE_DELETE_CHILD: Delete children in dir.
* FILE_READ_ATTRIBUTES: Read attributes.
* FILE_WRITE_ATTRIBUTES: Write attributes.
*
* Standard rights (object-independent):
* DELETE: Delete object.
* READ_CONTROL: Read security descriptor/owner.
* WRITE_DAC: Modify DACL.
* WRITE_OWNER: Change owner.
* SYNCHRONIZE: Wait on object signal state.
*
* Combinations:
* STANDARD_RIGHTS_READ / WRITE / EXECUTE: Aliases for READ_CONTROL.
* STANDARD_RIGHTS_REQUIRED: DELETE + READ_CONTROL +
* WRITE_DAC + WRITE_OWNER.
* STANDARD_RIGHTS_ALL: Above + SYNCHRONIZE.
*
* System/access types:
* ACCESS_SYSTEM_SECURITY: Access system ACL.
* MAXIMUM_ALLOWED: Maximum allowed access.
*
* Generic rights (high bits, map to specific/standard):
* GENERIC_ALL: Full access.
* GENERIC_EXECUTE: Execute/traverse.
* GENERIC_WRITE: Write (append, attrs, data, EA, etc.).
* GENERIC_READ: Read (attrs, data, EA, etc.).
*
* The specific rights (bits 0 to 15). These depend on the type of the object
* being secured by the ACE.
*/
enum {
FILE_READ_DATA = cpu_to_le32(0x00000001),
FILE_LIST_DIRECTORY = cpu_to_le32(0x00000001),
FILE_WRITE_DATA = cpu_to_le32(0x00000002),
FILE_ADD_FILE = cpu_to_le32(0x00000002),
FILE_APPEND_DATA = cpu_to_le32(0x00000004),
FILE_ADD_SUBDIRECTORY = cpu_to_le32(0x00000004),
FILE_READ_EA = cpu_to_le32(0x00000008),
FILE_WRITE_EA = cpu_to_le32(0x00000010),
FILE_EXECUTE = cpu_to_le32(0x00000020),
FILE_TRAVERSE = cpu_to_le32(0x00000020),
FILE_DELETE_CHILD = cpu_to_le32(0x00000040),
FILE_READ_ATTRIBUTES = cpu_to_le32(0x00000080),
FILE_WRITE_ATTRIBUTES = cpu_to_le32(0x00000100),
DELETE = cpu_to_le32(0x00010000),
READ_CONTROL = cpu_to_le32(0x00020000),
WRITE_DAC = cpu_to_le32(0x00040000),
WRITE_OWNER = cpu_to_le32(0x00080000),
SYNCHRONIZE = cpu_to_le32(0x00100000),
STANDARD_RIGHTS_READ = cpu_to_le32(0x00020000),
STANDARD_RIGHTS_WRITE = cpu_to_le32(0x00020000),
STANDARD_RIGHTS_EXECUTE = cpu_to_le32(0x00020000),
STANDARD_RIGHTS_REQUIRED = cpu_to_le32(0x000f0000),
STANDARD_RIGHTS_ALL = cpu_to_le32(0x001f0000),
ACCESS_SYSTEM_SECURITY = cpu_to_le32(0x01000000),
MAXIMUM_ALLOWED = cpu_to_le32(0x02000000),
GENERIC_ALL = cpu_to_le32(0x10000000),
GENERIC_EXECUTE = cpu_to_le32(0x20000000),
GENERIC_WRITE = cpu_to_le32(0x40000000),
GENERIC_READ = cpu_to_le32(0x80000000),
};
/*
* struct ntfs_ace - Access Control Entry (ACE) structure
*
* @type: ACE type (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, etc.).
* @flags: Inheritance and audit flags (OBJECT_INHERIT_ACE, etc.).
* @size: Total byte size of this ACE (header + SID + variable data).
* @mask: Access rights mask (FILE_READ_DATA, DELETE, GENERIC_ALL, etc.).
* @sid: Security Identifier (SID) this ACE applies to.
*/
struct ntfs_ace {
u8 type;
u8 flags;
__le16 size;
__le32 mask;
struct ntfs_sid sid;
} __packed;
/*
* The object ACE flags (32-bit).
*/
enum {
ACE_OBJECT_TYPE_PRESENT = cpu_to_le32(1),
ACE_INHERITED_OBJECT_TYPE_PRESENT = cpu_to_le32(2),
};
/*
* struct ntfs_acl - NTFS Access Control List (ACL) header
*
* An ACL is an access-control list (ACL).
* An ACL starts with an ACL header structure, which specifies the size of
* the ACL and the number of ACEs it contains. The ACL header is followed by
* zero or more access control entries (ACEs). The ACL as well as each ACE
* are aligned on 4-byte boundaries.
*
* @revision: ACL revision level (usually 2 or 4).
* @alignment1: Padding/alignment byte (zero).
* @size: Total allocated size in bytes (header + all ACEs +
* free space).
* @ace_count: Number of ACE entries following the header.
* @alignment2: Padding/alignment (zero).
*/
struct ntfs_acl {
u8 revision;
u8 alignment1;
__le16 size;
__le16 ace_count;
__le16 alignment2;
} __packed;
static_assert(sizeof(struct ntfs_acl) == 8);
/*
* The security descriptor control flags (16-bit).
*
* SE_OWNER_DEFAULTED - This boolean flag, when set, indicates that the SID
* pointed to by the Owner field was provided by a defaulting mechanism
* rather than explicitly provided by the original provider of the
* security descriptor. This may affect the treatment of the SID with
* respect to inheritance of an owner.
*
* SE_GROUP_DEFAULTED - This boolean flag, when set, indicates that the SID in
* the Group field was provided by a defaulting mechanism rather than
* explicitly provided by the original provider of the security
* descriptor. This may affect the treatment of the SID with respect to
* inheritance of a primary group.
*
* SE_DACL_PRESENT - This boolean flag, when set, indicates that the security
* descriptor contains a discretionary ACL. If this flag is set and the
* Dacl field of the SECURITY_DESCRIPTOR is null, then a null ACL is
* explicitly being specified.
*
* SE_DACL_DEFAULTED - This boolean flag, when set, indicates that the ACL
* pointed to by the Dacl field was provided by a defaulting mechanism
* rather than explicitly provided by the original provider of the
* security descriptor. This may affect the treatment of the ACL with
* respect to inheritance of an ACL. This flag is ignored if the
* DaclPresent flag is not set.
*
* SE_SACL_PRESENT - This boolean flag, when set, indicates that the security
* descriptor contains a system ACL pointed to by the Sacl field. If this
* flag is set and the Sacl field of the SECURITY_DESCRIPTOR is null, then
* an empty (but present) ACL is being specified.
*
* SE_SACL_DEFAULTED - This boolean flag, when set, indicates that the ACL
* pointed to by the Sacl field was provided by a defaulting mechanism
* rather than explicitly provided by the original provider of the
* security descriptor. This may affect the treatment of the ACL with
* respect to inheritance of an ACL. This flag is ignored if the
* SaclPresent flag is not set.
*
* SE_SELF_RELATIVE - This boolean flag, when set, indicates that the security
* descriptor is in self-relative form. In this form, all fields of the
* security descriptor are contiguous in memory and all pointer fields are
* expressed as offsets from the beginning of the security descriptor.
*/
enum {
SE_OWNER_DEFAULTED = cpu_to_le16(0x0001),
SE_GROUP_DEFAULTED = cpu_to_le16(0x0002),
SE_DACL_PRESENT = cpu_to_le16(0x0004),
SE_DACL_DEFAULTED = cpu_to_le16(0x0008),
SE_SACL_PRESENT = cpu_to_le16(0x0010),
SE_SACL_DEFAULTED = cpu_to_le16(0x0020),
SE_DACL_AUTO_INHERIT_REQ = cpu_to_le16(0x0100),
SE_SACL_AUTO_INHERIT_REQ = cpu_to_le16(0x0200),
SE_DACL_AUTO_INHERITED = cpu_to_le16(0x0400),
SE_SACL_AUTO_INHERITED = cpu_to_le16(0x0800),
SE_DACL_PROTECTED = cpu_to_le16(0x1000),
SE_SACL_PROTECTED = cpu_to_le16(0x2000),
SE_RM_CONTROL_VALID = cpu_to_le16(0x4000),
SE_SELF_RELATIVE = cpu_to_le16(0x8000)
} __packed;
/*
* struct security_descriptor_relative - Relative security descriptor
*
* Self-relative security descriptor. Contains the owner and group SIDs as well
* as the sacl and dacl ACLs inside the security descriptor itself.
*
* @revision: Security descriptor revision (usually 1).
* @alignment: Padding/alignment byte (zero).
* @control: Control flags (SE_OWNER_DEFAULTED, SE_DACL_PRESENT,
* SE_SACL_PRESENT, SE_SACL_AUTO_INHERITED, etc.).
* @owner: Byte offset to owner SID (from start of descriptor).
* 0 if no owner SID present.
* @group: Byte offset to primary group SID.
* 0 if no group SID present.
* @sacl: Byte offset to System ACL (SACL).
* Valid only if SE_SACL_PRESENT in @control.
* 0 means NULL SACL.
* @dacl: Byte offset to Discretionary ACL (DACL).
* Valid only if SE_DACL_PRESENT in @control.
* 0 means NULL DACL (full access granted).
*/
struct security_descriptor_relative {
u8 revision;
u8 alignment;
__le16 control;
__le32 owner;
__le32 group;
__le32 sacl;
__le32 dacl;
} __packed;
static_assert(sizeof(struct security_descriptor_relative) == 20);
/*
* On NTFS 3.0+, all security descriptors are stored in FILE_Secure. Only one
* referenced instance of each unique security descriptor is stored.
*
* FILE_Secure contains no unnamed data attribute, i.e. it has zero length. It
* does, however, contain two indexes ($SDH and $SII) as well as a named data
* stream ($SDS).
*
* Every unique security descriptor is assigned a unique security identifier
* (security_id, not to be confused with a SID). The security_id is unique for
* the NTFS volume and is used as an index into the $SII index, which maps
* security_ids to the security descriptor's storage location within the $SDS
* data attribute. The $SII index is sorted by ascending security_id.
*
* A simple hash is computed from each security descriptor. This hash is used
* as an index into the $SDH index, which maps security descriptor hashes to
* the security descriptor's storage location within the $SDS data attribute.
* The $SDH index is sorted by security descriptor hash and is stored in a B+
* tree. When searching $SDH (with the intent of determining whether or not a
* new security descriptor is already present in the $SDS data stream), if a
* matching hash is found, but the security descriptors do not match, the
* search in the $SDH index is continued, searching for a next matching hash.
*
* When a precise match is found, the security_id coresponding to the security
* descriptor in the $SDS attribute is read from the found $SDH index entry and
* is stored in the $STANDARD_INFORMATION attribute of the file/directory to
* which the security descriptor is being applied. The $STANDARD_INFORMATION
* attribute is present in all base mft records (i.e. in all files and
* directories).
*
* If a match is not found, the security descriptor is assigned a new unique
* security_id and is added to the $SDS data attribute. Then, entries
* referencing the this security descriptor in the $SDS data attribute are
* added to the $SDH and $SII indexes.
*
* Note: Entries are never deleted from FILE_Secure, even if nothing
* references an entry any more.
*/
/*
* struct sii_index_key - Key for $SII index in $Secure file
*
* The index entry key used in the $SII index. The collation type is
* COLLATION_NTOFS_ULONG.
*
* @security_id: 32-bit security identifier.
* Unique ID assigned to a security descriptor.
*/
struct sii_index_key {
__le32 security_id;
} __packed;
/*
* struct sdh_index_key - Key for $SDH index in $Secure file
*
* The index entry key used in the $SDH index. The keys are sorted first by
* hash and then by security_id. The collation rule is
* COLLATION_NTOFS_SECURITY_HASH.
*
* @hash: 32-bit hash of the security descriptor.
* Used for quick collision checks and indexing.
* @security_id: 32-bit security identifier.
* Unique ID assigned to the descriptor.
*/
struct sdh_index_key {
__le32 hash;
__le32 security_id;
} __packed;
/*
* enum - NTFS volume flags (16-bit)
*
* These flags are stored in $VolumeInformation attribute.
* They indicate volume state and required actions.
*
* VOLUME_IS_DIRTY: Volume is dirty (needs chkdsk).
* VOLUME_RESIZE_LOG_FILE: Resize LogFile on next mount.
* VOLUME_UPGRADE_ON_MOUNT: Upgrade volume on mount (old NTFS).
* VOLUME_MOUNTED_ON_NT4: Mounted on NT4 (compatibility flag).
* VOLUME_DELETE_USN_UNDERWAY: USN journal deletion in progress.
* VOLUME_REPAIR_OBJECT_ID: Repair $ObjId on next mount.
* VOLUME_CHKDSK_UNDERWAY: Chkdsk is running.
* VOLUME_MODIFIED_BY_CHKDSK: Modified by chkdsk.
* VOLUME_FLAGS_MASK: Mask of all valid flags (0xc03f).
* VOLUME_MUST_MOUNT_RO_MASK: Flags forcing read-only mount (0xc027).
* If any set, mount read-only.
*/
enum {
VOLUME_IS_DIRTY = cpu_to_le16(0x0001),
VOLUME_RESIZE_LOG_FILE = cpu_to_le16(0x0002),
VOLUME_UPGRADE_ON_MOUNT = cpu_to_le16(0x0004),
VOLUME_MOUNTED_ON_NT4 = cpu_to_le16(0x0008),
VOLUME_DELETE_USN_UNDERWAY = cpu_to_le16(0x0010),
VOLUME_REPAIR_OBJECT_ID = cpu_to_le16(0x0020),
VOLUME_CHKDSK_UNDERWAY = cpu_to_le16(0x4000),
VOLUME_MODIFIED_BY_CHKDSK = cpu_to_le16(0x8000),
VOLUME_FLAGS_MASK = cpu_to_le16(0xc03f),
VOLUME_MUST_MOUNT_RO_MASK = cpu_to_le16(0xc027),
} __packed;
/*
* struct volume_information - $VOLUME_INFORMATION (0x70)
*
* @reserved: Reserved 64-bit field (currently unused).
* @major_ver: Major NTFS version number (e.g., 3 for NTFS 3.1).
* @minor_ver: Minor NTFS version number (e.g., 1 for NTFS 3.1).
* @flags: Volume flags (VOLUME_IS_DIRTY, VOLUME_CHKDSK_UNDERWAY, etc.).
* See volume flags enum for details.
*
* NOTE: Always resident.
* NOTE: Present only in FILE_Volume.
* NOTE: Windows 2000 uses NTFS 3.0 while Windows NT4 service pack 6a uses
* NTFS 1.2. I haven't personally seen other values yet.
*/
struct volume_information {
__le64 reserved;
u8 major_ver;
u8 minor_ver;
__le16 flags;
} __packed;
/*
* enum - Index header flags
*
* These flags are stored in the index header (INDEX_HEADER.flags) for both
* index root ($INDEX_ROOT) and index allocation blocks ($INDEX_ALLOCATION).
*
* For index root ($INDEX_ROOT attribute):
* SMALL_INDEX: Index fits entirely in root attribute (no $INDEX_ALLOCATION).
* LARGE_INDEX: Index too large for root; $INDEX_ALLOCATION present.
*
* For index blocks ($INDEX_ALLOCATION):
* LEAF_NODE: Leaf node (no child nodes; contains actual entries).
* INDEX_NODE: Internal node (indexes other nodes; contains keys/pointers).
*
* NODE_MASK: Mask to extract node type bits (0x01).
*/
enum {
SMALL_INDEX = 0,
LARGE_INDEX = 1,
LEAF_NODE = 0,
INDEX_NODE = 1,
NODE_MASK = 1,
} __packed;
/*
* struct index_header - Common header for index root and index blocks
*
* entries_offset: Byte offset to first INDEX_ENTRY (8-byte aligned).
* index_length: Bytes used by index entries (8-byte aligned).
* From entries_offset to end of used data.
* allocated_size: Total allocated bytes for this index block.
* Fixed size in index allocation; dynamic in root.
* flags: Index flags (SMALL_INDEX, LARGE_INDEX, LEAF_NODE, etc.).
* See INDEX_HEADER_FLAGS enum.
* reserved: 3 bytes reserved/padding (zero, 8-byte aligned).
*
* This is the header for indexes, describing the INDEX_ENTRY records, which
* follow the index_header. Together the index header and the index entries
* make up a complete index.
*
* IMPORTANT NOTE: The offset, length and size structure members are counted
* relative to the start of the index header structure and not relative to the
* start of the index root or index allocation structures themselves.
*
* For the index root attribute, the above two numbers are always
* equal, as the attribute is resident and it is resized as needed. In
* the case of the index allocation attribute the attribute is not
* resident and hence the allocated_size is a fixed value and must
* equal the index_block_size specified by the INDEX_ROOT attribute
* corresponding to the INDEX_ALLOCATION attribute this INDEX_BLOCK
* belongs to.
*/
struct index_header {
__le32 entries_offset;
__le32 index_length;
__le32 allocated_size;
u8 flags;
u8 reserved[3];
} __packed;
/*
* struct index_root - $INDEX_ROOT attribute (0x90).
*
* @type: Indexed attribute type ($FILE_NAME for dirs,
* 0 for view indexes).
* @collation_rule: Collation rule for sorting entries
* (COLLATION_FILE_NAME for $FILE_NAME).
* @index_block_size: Size of each index block in bytes
* (in $INDEX_ALLOCATION).
* @clusters_per_index_block:
* Clusters per index block (or log2(bytes)
* if < cluster).
* Power of 2; used for encoding block size.
* @reserved: 3 bytes reserved/alignment (zero).
* @index: Index header for root entries (entries follow
* immediately).
*
* NOTE: Always resident.
*
* This is followed by a sequence of index entries (INDEX_ENTRY structures)
* as described by the index header.
*
* When a directory is small enough to fit inside the index root then this
* is the only attribute describing the directory. When the directory is too
* large to fit in the index root, on the other hand, two additional attributes
* are present: an index allocation attribute, containing sub-nodes of the B+
* directory tree (see below), and a bitmap attribute, describing which virtual
* cluster numbers (vcns) in the index allocation attribute are in use by an
* index block.
*
* NOTE: The root directory (FILE_root) contains an entry for itself. Other
* directories do not contain entries for themselves, though.
*/
struct index_root {
__le32 type;
__le32 collation_rule;
__le32 index_block_size;
u8 clusters_per_index_block;
u8 reserved[3];
struct index_header index;
} __packed;
/*
* struct index_block - Index allocation (0xa0).
*
* @magic: Magic value "INDX" (see magic_INDX).
* @usa_ofs: Offset to Update Sequence Array (see ntfs_record).
* @usa_count: Number of USA entries (see ntfs_record).
* @lsn: Log sequence number of last modification.
* @index_block_vcn: VCN of this index block.
* Units: clusters if cluster_size <= index_block_size;
* sectors otherwise.
* @index: Index header describing entries in this block.
*
* When creating the index block, we place the update sequence array at this
* offset, i.e. before we start with the index entries. This also makes sense,
* otherwise we could run into problems with the update sequence array
* containing in itself the last two bytes of a sector which would mean that
* multi sector transfer protection wouldn't work. As you can't protect data
* by overwriting it since you then can't get it back...
* When reading use the data from the ntfs record header.
*
* NOTE: Always non-resident (doesn't make sense to be resident anyway!).
*
* This is an array of index blocks. Each index block starts with an
* index_block structure containing an index header, followed by a sequence of
* index entries (INDEX_ENTRY structures), as described by the struct index_header.
*/
struct index_block {
__le32 magic;
__le16 usa_ofs;
__le16 usa_count;
__le64 lsn;
__le64 index_block_vcn;
struct index_header index;
} __packed;
static_assert(sizeof(struct index_block) == 40);
/*
* struct reparse_index_key - Key for $R reparse index in $Extend/$Reparse
*
* @reparse_tag: Reparse point type (including flags, REPARSE_TAG_*).
* @file_id: MFT record number of the file with $REPARSE_POINT
* attribute.
*
* The system file FILE_Extend/$Reparse contains an index named $R listing
* all reparse points on the volume. The index entry keys are as defined
* below. Note, that there is no index data associated with the index entries.
*
* The index entries are sorted by the index key file_id. The collation rule is
* COLLATION_NTOFS_ULONGS.
*/
struct reparse_index_key {
__le32 reparse_tag;
__le64 file_id;
} __packed;
/*
* enum - Quota entry flags (32-bit) in $Quota/$Q
*
* These flags are stored in quota control entries ($Quota file).
* They control quota tracking, limits, and state.
*
* User quota flags (mask 0x00000007):
* @QUOTA_FLAG_DEFAULT_LIMITS: Use default limits.
* @QUOTA_FLAG_LIMIT_REACHED: Quota limit reached.
* @QUOTA_FLAG_ID_DELETED: Quota ID deleted.
* @QUOTA_FLAG_USER_MASK: Mask for user quota flags (0x00000007).
*
* Default entry flags (owner_id = QUOTA_DEFAULTS_ID):
* @QUOTA_FLAG_TRACKING_ENABLED: Quota tracking enabled.
* @QUOTA_FLAG_ENFORCEMENT_ENABLED: Quota enforcement enabled.
* @QUOTA_FLAG_TRACKING_REQUESTED: Tracking requested (pending).
* @QUOTA_FLAG_LOG_THRESHOLD: Log when threshold reached.
* @QUOTA_FLAG_LOG_LIMIT: Log when limit reached.
* @QUOTA_FLAG_OUT_OF_DATE: Quota data out of date.
* @QUOTA_FLAG_CORRUPT: Quota entry corrupt.
* @QUOTA_FLAG_PENDING_DELETES: Pending quota deletes.
*
*/
enum {
QUOTA_FLAG_DEFAULT_LIMITS = cpu_to_le32(0x00000001),
QUOTA_FLAG_LIMIT_REACHED = cpu_to_le32(0x00000002),
QUOTA_FLAG_ID_DELETED = cpu_to_le32(0x00000004),
QUOTA_FLAG_USER_MASK = cpu_to_le32(0x00000007),
QUOTA_FLAG_TRACKING_ENABLED = cpu_to_le32(0x00000010),
QUOTA_FLAG_ENFORCEMENT_ENABLED = cpu_to_le32(0x00000020),
QUOTA_FLAG_TRACKING_REQUESTED = cpu_to_le32(0x00000040),
QUOTA_FLAG_LOG_THRESHOLD = cpu_to_le32(0x00000080),
QUOTA_FLAG_LOG_LIMIT = cpu_to_le32(0x00000100),
QUOTA_FLAG_OUT_OF_DATE = cpu_to_le32(0x00000200),
QUOTA_FLAG_CORRUPT = cpu_to_le32(0x00000400),
QUOTA_FLAG_PENDING_DELETES = cpu_to_le32(0x00000800),
};
/*
* struct quota_control_entry - Quota entry in $Quota/$Q
*
* @version: Currently 2.
* @flags: Quota flags (QUOTA_FLAG_* bits).
* @bytes_used: Current quota usage in bytes.
* @change_time: Last modification time (NTFS timestamp).
* @threshold: Soft quota limit (-1 = unlimited).
* @limit: Hard quota limit (-1 = unlimited).
* @exceeded_time: Time soft quota has been exceeded.
* @sid: SID of user/object (zero for defaults entry).
*
* The system file FILE_Extend/$Quota contains two indexes $O and $Q. Quotas
* are on a per volume and per user basis.
*
* The $Q index contains one entry for each existing user_id on the volume. The
* index key is the user_id of the user/group owning this quota control entry,
* i.e. the key is the owner_id. The user_id of the owner of a file, i.e. the
* owner_id, is found in the standard information attribute. The collation rule
* for $Q is COLLATION_NTOFS_ULONG.
*
* The $O index contains one entry for each user/group who has been assigned
* a quota on that volume. The index key holds the SID of the user_id the
* entry belongs to, i.e. the owner_id. The collation rule for $O is
* COLLATION_NTOFS_SID.
*
* The $O index entry data is the user_id of the user corresponding to the SID.
* This user_id is used as an index into $Q to find the quota control entry
* associated with the SID.
*
* The $Q index entry data is the quota control entry and is defined below.
*/
struct quota_control_entry {
__le32 version;
__le32 flags;
__le64 bytes_used;
__le64 change_time;
__le64 threshold;
__le64 limit;
__le64 exceeded_time;
struct ntfs_sid sid;
} __packed;
/*
* Predefined owner_id values (32-bit).
*/
enum {
QUOTA_INVALID_ID = cpu_to_le32(0x00000000),
QUOTA_DEFAULTS_ID = cpu_to_le32(0x00000001),
QUOTA_FIRST_USER_ID = cpu_to_le32(0x00000100),
};
/*
* Current constants for quota control entries.
*/
enum {
/* Current version. */
QUOTA_VERSION = 2,
};
/*
* enum - Index entry flags (16-bit)
*
* These flags are in INDEX_ENTRY.flags (after key data).
* They describe entry type and status in index blocks/root.
*
* @INDEX_ENTRY_NODE: Entry points to a sub-node (index block VCN).
* (Not a leaf entry; internal node reference.)
* i.e. a reference to an index block in form of
* a virtual cluster number
* @INDEX_ENTRY_END: Last entry in index block/root.
* Does not represent a real file; can point to sub-node.
* @INDEX_ENTRY_SPACE_FILLER:
* Dummy value to force enum to 16-bit width.
*/
enum {
INDEX_ENTRY_NODE = cpu_to_le16(1),
INDEX_ENTRY_END = cpu_to_le16(2),
INDEX_ENTRY_SPACE_FILLER = cpu_to_le16(0xffff),
} __packed;
/*
* struct index_entry_header - Common header for all NTFS index entries
*
* This is the fixed header at the start of every INDEX_ENTRY in index
* blocks or index root. It is followed by the variable key, data, and
* sub-node VCN.
*
* Union @data:
* - When INDEX_ENTRY_END is not set:
* @data.dir.indexed_file: MFT reference of the file described by
* this entry. Used in directory indexes ($I30).
* - When INDEX_ENTRY_END is set or for view indexes:
* @data.vi.data_offset: Byte offset from end of this header to
* entry data.
* @data.vi.data_length: Length of data in bytes.
* @data.vi.reservedV: Reserved (zero).
*
* @length: Total byte size of this index entry
* (multiple of 8 bytes).
* @key_length: Byte size of the key (not multiple of 8 bytes).
* Key follows the header immediately.
* @flags: Bit field of INDEX_ENTRY_* flags (INDEX_ENTRY_NODE, etc.).
* @reserved: Reserved/padding (zero; align to 8 bytes).
*/
struct index_entry_header {
union {
struct {
__le64 indexed_file;
} __packed dir;
struct {
__le16 data_offset;
__le16 data_length;
__le32 reservedV;
} __packed vi;
} __packed data;
__le16 length;
__le16 key_length;
__le16 flags;
__le16 reserved;
} __packed;
static_assert(sizeof(struct index_entry_header) == 16);
/*
* struct index_entry - NTFS index entry structure
*
* This is an index entry. A sequence of such entries follows each index_header
* structure. Together they make up a complete index. The index follows either
* an index root attribute or an index allocation attribute.
*
* Union @data (valid when INDEX_ENTRY_END not set):
* @data.dir.indexed_file: MFT ref of file (for directory indexes).
* @data.vi.data_offset: Offset to data after key.
* @data.vi.data_length: Length of data in bytes.
* @data.vi.reservedV: Reserved (zero).
*
* Fields:
* @length: Total byte size of entry (multiple of 8 bytes).
* @key_length: Byte size of key (not multiple of 8).
* @flags: INDEX_ENTRY_* flags (NODE, END, etc.).
* @reserved: Reserved/padding (zero).
*
* Union @key (valid when INDEX_ENTRY_END not set)
* The key of the indexed attribute. NOTE: Only present
* if INDEX_ENTRY_END bit in flags is not set. NOTE: On
* NTFS versions before 3.0 the only valid key is the
* struct file_name_attr. On NTFS 3.0+ the following
* additional index keys are defined:
* @key.file_name: $FILE_NAME attr (for $I30 directory indexes).
* @key.sii: $SII key (for $Secure $SII index).
* @key.sdh: $SDH key (for $Secure $SDH index).
* @key.object_id: GUID (for $ObjId $O index).
* @key.reparse: Reparse tag + file ID (for $Reparse $R).
* @key.sid: SID (for $Quota $O index).
* @key.owner_id: User ID (for $Quota $Q index).
*
* The (optional) index data is inserted here when creating.
* __le64 vcn; If INDEX_ENTRY_NODE bit in flags is set, the last
* eight bytes of this index entry contain the virtual
* cluster number of the index block that holds the
* entries immediately preceding the current entry (the
* vcn references the corresponding cluster in the data
* of the non-resident index allocation attribute). If
* the key_length is zero, then the vcn immediately
* follows the INDEX_ENTRY_HEADER. Regardless of
* key_length, the address of the 8-byte boundary
* aligned vcn of INDEX_ENTRY{_HEADER} *ie is given by
* (char*)ie + le16_to_cpu(ie*)->length) - sizeof(VCN),
* where sizeof(VCN) can be hardcoded as 8 if wanted.
*
* NOTE: Before NTFS 3.0 only filename attributes were indexed.
*/
struct index_entry {
union {
struct {
__le64 indexed_file;
} __packed dir;
struct {
__le16 data_offset;
__le16 data_length;
__le32 reservedV;
} __packed vi;
} __packed data;
__le16 length;
__le16 key_length;
__le16 flags;
__le16 reserved;
union {
struct file_name_attr file_name;
struct sii_index_key sii;
struct sdh_index_key sdh;
struct guid object_id;
struct reparse_index_key reparse;
struct ntfs_sid sid;
__le32 owner_id;
} __packed key;
} __packed;
/*
* The reparse point tag defines the type of the reparse point. It also
* includes several flags, which further describe the reparse point.
*
* The reparse point tag is an unsigned 32-bit value divided in three parts:
*
* 1. The least significant 16 bits (i.e. bits 0 to 15) specify the type of
* the reparse point.
* 2. The 12 bits after this (i.e. bits 16 to 27) are reserved for future use.
* 3. The most significant four bits are flags describing the reparse point.
* They are defined as follows:
* bit 28: Directory bit. If set, the directory is not a surrogate
* and can be used the usual way.
* bit 29: Name surrogate bit. If set, the filename is an alias for
* another object in the system.
* bit 30: High-latency bit. If set, accessing the first byte of data will
* be slow. (E.g. the data is stored on a tape drive.)
* bit 31: Microsoft bit. If set, the tag is owned by Microsoft. User
* defined tags have to use zero here.
* 4. Moreover, on Windows 10 :
* Some flags may be used in bits 12 to 15 to further describe the
* reparse point.
*/
enum {
IO_REPARSE_TAG_DIRECTORY = cpu_to_le32(0x10000000),
IO_REPARSE_TAG_IS_ALIAS = cpu_to_le32(0x20000000),
IO_REPARSE_TAG_IS_HIGH_LATENCY = cpu_to_le32(0x40000000),
IO_REPARSE_TAG_IS_MICROSOFT = cpu_to_le32(0x80000000),
IO_REPARSE_TAG_RESERVED_ZERO = cpu_to_le32(0x00000000),
IO_REPARSE_TAG_RESERVED_ONE = cpu_to_le32(0x00000001),
IO_REPARSE_TAG_RESERVED_RANGE = cpu_to_le32(0x00000001),
IO_REPARSE_TAG_CSV = cpu_to_le32(0x80000009),
IO_REPARSE_TAG_DEDUP = cpu_to_le32(0x80000013),
IO_REPARSE_TAG_DFS = cpu_to_le32(0x8000000A),
IO_REPARSE_TAG_DFSR = cpu_to_le32(0x80000012),
IO_REPARSE_TAG_HSM = cpu_to_le32(0xC0000004),
IO_REPARSE_TAG_HSM2 = cpu_to_le32(0x80000006),
IO_REPARSE_TAG_MOUNT_POINT = cpu_to_le32(0xA0000003),
IO_REPARSE_TAG_NFS = cpu_to_le32(0x80000014),
IO_REPARSE_TAG_SIS = cpu_to_le32(0x80000007),
IO_REPARSE_TAG_SYMLINK = cpu_to_le32(0xA000000C),
IO_REPARSE_TAG_WIM = cpu_to_le32(0x80000008),
IO_REPARSE_TAG_DFM = cpu_to_le32(0x80000016),
IO_REPARSE_TAG_WOF = cpu_to_le32(0x80000017),
IO_REPARSE_TAG_WCI = cpu_to_le32(0x80000018),
IO_REPARSE_TAG_CLOUD = cpu_to_le32(0x9000001A),
IO_REPARSE_TAG_APPEXECLINK = cpu_to_le32(0x8000001B),
IO_REPARSE_TAG_GVFS = cpu_to_le32(0x9000001C),
IO_REPARSE_TAG_LX_SYMLINK = cpu_to_le32(0xA000001D),
IO_REPARSE_TAG_AF_UNIX = cpu_to_le32(0x80000023),
IO_REPARSE_TAG_LX_FIFO = cpu_to_le32(0x80000024),
IO_REPARSE_TAG_LX_CHR = cpu_to_le32(0x80000025),
IO_REPARSE_TAG_LX_BLK = cpu_to_le32(0x80000026),
IO_REPARSE_TAG_VALID_VALUES = cpu_to_le32(0xf000ffff),
IO_REPARSE_PLUGIN_SELECT = cpu_to_le32(0xffff0fff),
};
/*
* struct reparse_point - $REPARSE_POINT attribute content (0xc0)\
*
* @reparse_tag: Reparse point type (with flags; REPARSE_TAG_*).
* @reparse_data_length: Byte size of @reparse_data.
* @reserved: Reserved/padding (zero; 8-byte alignment).
* @reparse_data: Variable reparse data (meaning depends on @reparse_tag).
* - Symbolic link/junction: struct reparse_symlink
* - Mount point: similar symlink structure
* - Other tags: vendor-specific or extended data
*
* NOTE: Can be resident or non-resident.
*/
struct reparse_point {
__le32 reparse_tag;
__le16 reparse_data_length;
__le16 reserved;
u8 reparse_data[];
} __packed;
/*
* struct ea_information - $EA_INFORMATION attribute content (0xd0)
*
* @ea_length: Byte size of packed EAs.
* @need_ea_count: Number of EAs with NEED_EA bit set.
* @ea_query_length: Byte size needed to unpack/query EAs via ZwQueryEaFile().
* (Unpacked format size.)
*
* NOTE: Always resident. (Is this true???)
*/
struct ea_information {
__le16 ea_length;
__le16 need_ea_count;
__le32 ea_query_length;
} __packed;
/*
* enum - Extended attribute flags (8-bit)
*
* These flags are stored in the EA header of each extended attribute
* (in $EA attribute, type 0xe0).
*
* @NEED_EA: If set, the file cannot be properly interpreted
* without understanding its associated EAs.
* (Critical EA; applications must process it.)
*/
enum {
NEED_EA = 0x80
} __packed;
/*
* struct ea_attr - Extended attribute (EA) entry (0xe0)
*
* @next_entry_offset: Byte offset to the next EA_ATTR entry.
* (From start of current entry.)
* @flags: EA flags (NEED_EA = 0x80 if critical).
* @ea_name_length: Length of @ea_name in bytes (excluding '\0').
* @ea_value_length: Byte size of the EA value.
* @ea_name: ASCII name of the EA (zero-terminated).
* Value immediately follows the name.
* u8 ea_value[]; The value of the EA. Immediately follows the name.
*
* This is one variable-length record in the $EA attribute value.
* The attribute can be resident or non-resident.
* Sequence of these entries forms the packed EA list.
*
* NOTE: Can be resident or non-resident.
*/
struct ea_attr {
__le32 next_entry_offset;
u8 flags;
u8 ea_name_length;
__le16 ea_value_length;
u8 ea_name[];
} __packed;
#endif /* _LINUX_NTFS_LAYOUT_H */
Reference in New Issue View Git Blame Copy Permalink