/* SPDX-License-Identifier: GPL-2.0-or-later */ /* * All NTFS associated on-disk structures. * * Copyright (c) 2001-2005 Anton Altaparmakov * Copyright (c) 2002 Richard Russon */ #ifndef _LINUX_NTFS_LAYOUT_H #define _LINUX_NTFS_LAYOUT_H #include #include #include #include /* The NTFS oem_id "NTFS " */ #define magicNTFS cpu_to_le64(0x202020205346544eULL) /* * Location of bootsector on partition: * The standard NTFS_BOOT_SECTOR is on sector 0 of the partition. * On NT4 and above there is one backup copy of the boot sector to * be found on the last sector of the partition (not normally accessible * from within Windows as the bootsector contained number of sectors * value is one less than the actual value!). * On versions of NT 3.51 and earlier, the backup copy was located at * number of sectors/2 (integer divide), i.e. in the middle of the volume. */ /* * BIOS parameter block (bpb) structure. * * @bytes_per_sector: Size of a sector in bytes (usually 512). * Matches the logical sector size of the underlying device. * @sectors_per_cluster: Size of a cluster in sectors (NTFS cluster size / sector size). * @reserved_sectors: Number of reserved sectors at the beginning of the volume. * Always set to 0 in NTFS. * @fats: Number of FAT tables. * Always 0 in NTFS (no FAT tables exist). * @root_entries: Number of entries in the root directory. * Always 0 in NTFS. * @sectors: Total number of sectors on the volume. * Always 0 in NTFS (use @large_sectors instead). * @media_type: Media descriptor byte. * 0xF8 for hard disk (fixed media) in NTFS. * @sectors_per_fat: Number of sectors per FAT table. * Always 0 in NTFS. * @sectors_per_track: Number of sectors per track. * Irrelevant for NTFS. * @heads: Number of heads (CHS geometry). * Irrelevant for NTFS. * @hidden_sectors: Number of hidden sectors before the start of the partition. * Always 0 in NTFS boot sector. * @large_sectors: Total number of sectors on the volume. */ struct bios_parameter_block { __le16 bytes_per_sector; u8 sectors_per_cluster; __le16 reserved_sectors; u8 fats; __le16 root_entries; __le16 sectors; u8 media_type; __le16 sectors_per_fat; __le16 sectors_per_track; __le16 heads; __le32 hidden_sectors; __le32 large_sectors; } __packed; /* * NTFS boot sector structure. * * @jump: 3-byte jump instruction to boot code (irrelevant for NTFS). * Typically 0xEB 0x52 0x90 or similar. * @oem_id: OEM identifier string (8 bytes). * Always "NTFS " (with trailing spaces) in NTFS volumes. * @bpb: Legacy BIOS Parameter Block (see struct bios_parameter_block). * Mostly zeroed or set to fixed values for NTFS compatibility. * @unused: 4 bytes, reserved/unused. * NTFS disk editors show it as: * - physical_drive (0x80 for fixed disk) * - current_head (0) * - extended_boot_signature (0x80 or 0x28) * - unused (0) * Always zero in practice for NTFS. * @number_of_sectors: Number of sectors in volume. Gives maximum volume * size of 2^63 sectors. Assuming standard sector * size of 512 bytes, the maximum byte size is * approx. 4.7x10^21 bytes. (-; * @mft_lcn: Logical cluster number (LCN) of the $MFT data attribute. * Location of the Master File Table. * @mftmirr_lcn: LCN of the $MFTMirr (first 3-4 MFT records copy). * Mirror for boot-time recovery. * @clusters_per_mft_record: * Size of each MFT record in clusters. * @reserved0: 3 bytes, reserved/zero. * @clusters_per_index_record: * Size of each index block/record in clusters. * @reserved1: 3 bytes, reserved/zero. * @volume_serial_number: * 64-bit volume serial number. * Used for identification (irrelevant for NTFS operation). * @checksum: 32-bit checksum of the boot sector (excluding this field). * Used to detect boot sector corruption. * @bootstrap: 426 bytes of bootstrap code. * Irrelevant for NTFS (contains x86 boot loader stub). * @end_of_sector_marker: * 2-byte end-of-sector signature. * Always 0xAA55 (little-endian magic number). */ struct ntfs_boot_sector { u8 jump[3]; __le64 oem_id; struct bios_parameter_block bpb; u8 unused[4]; __le64 number_of_sectors; __le64 mft_lcn; __le64 mftmirr_lcn; s8 clusters_per_mft_record; u8 reserved0[3]; s8 clusters_per_index_record; u8 reserved1[3]; __le64 volume_serial_number; __le32 checksum; u8 bootstrap[426]; __le16 end_of_sector_marker; } __packed; static_assert(sizeof(struct ntfs_boot_sector) == 512); /* * Magic identifiers present at the beginning of all ntfs record containing * records (like mft records for example). * * magic_FILE: MFT entry header ("FILE" in ASCII). * Used in $MFT/$DATA for all master file table records. * magic_INDX: Index buffer header ("INDX" in ASCII). * Used in $INDEX_ALLOCATION attributes (directories, $I30 indexes). * magic_HOLE: Hole marker ("HOLE" in ASCII). * Introduced in NTFS 3.0+, used for sparse/hole regions in some contexts. * magic_RSTR: Restart page header ("RSTR" in ASCII). * Used in LogFile for restart pages (transaction log recovery). * magic_RCRD: Log record page header ("RCRD" in ASCII). * Used in LogFile for individual log record pages. * magic_CHKD: Chkdsk modified marker ("CHKD" in ASCII). * Set by chkdsk when it modifies a record; indicates repair was done. * magic_BAAD: Bad record marker ("BAAD" in ASCII). * Indicates a multi-sector transfer failure was detected. * The record is corrupted/unusable; often set during I/O errors. * magic_empty: Empty/uninitialized page marker (0xffffffff). * Used in LogFile when a page is filled with 0xff bytes * and has not yet been initialized. Must be formatted before use. */ enum { magic_FILE = cpu_to_le32(0x454c4946), magic_INDX = cpu_to_le32(0x58444e49), magic_HOLE = cpu_to_le32(0x454c4f48), magic_RSTR = cpu_to_le32(0x52545352), magic_RCRD = cpu_to_le32(0x44524352), magic_CHKD = cpu_to_le32(0x444b4843), magic_BAAD = cpu_to_le32(0x44414142), magic_empty = cpu_to_le32(0xffffffff) }; /* * Generic magic comparison macros. Finally found a use for the ## preprocessor * operator! (-8 */ static inline bool __ntfs_is_magic(__le32 x, __le32 r) { return (x == r); } #define ntfs_is_magic(x, m) __ntfs_is_magic(x, magic_##m) static inline bool __ntfs_is_magicp(__le32 *p, __le32 r) { return (*p == r); } #define ntfs_is_magicp(p, m) __ntfs_is_magicp(p, magic_##m) /* * Specialised magic comparison macros for the NTFS_RECORD_TYPEs defined above. */ #define ntfs_is_file_record(x) (ntfs_is_magic(x, FILE)) #define ntfs_is_file_recordp(p) (ntfs_is_magicp(p, FILE)) #define ntfs_is_mft_record(x) (ntfs_is_file_record(x)) #define ntfs_is_mft_recordp(p) (ntfs_is_file_recordp(p)) #define ntfs_is_indx_record(x) (ntfs_is_magic(x, INDX)) #define ntfs_is_indx_recordp(p) (ntfs_is_magicp(p, INDX)) #define ntfs_is_hole_record(x) (ntfs_is_magic(x, HOLE)) #define ntfs_is_hole_recordp(p) (ntfs_is_magicp(p, HOLE)) #define ntfs_is_rstr_record(x) (ntfs_is_magic(x, RSTR)) #define ntfs_is_rstr_recordp(p) (ntfs_is_magicp(p, RSTR)) #define ntfs_is_rcrd_record(x) (ntfs_is_magic(x, RCRD)) #define ntfs_is_rcrd_recordp(p) (ntfs_is_magicp(p, RCRD)) #define ntfs_is_chkd_record(x) (ntfs_is_magic(x, CHKD)) #define ntfs_is_chkd_recordp(p) (ntfs_is_magicp(p, CHKD)) #define ntfs_is_baad_record(x) (ntfs_is_magic(x, BAAD)) #define ntfs_is_baad_recordp(p) (ntfs_is_magicp(p, BAAD)) #define ntfs_is_empty_record(x) (ntfs_is_magic(x, empty)) #define ntfs_is_empty_recordp(p) (ntfs_is_magicp(p, empty)) /* * struct ntfs_record - Common header for all multi-sector protected NTFS records * * @magic: 4-byte magic identifier for the record type and/or status. * Common values are defined in the magic_* enum (FILE, INDX, RSTR, * RCRD, CHKD, BAAD, HOLE, empty). * - "FILE" = MFT record * - "INDX" = Index allocation block * - "BAAD" = Record corrupted (multi-sector fixup failed) * - 0xffffffff = Uninitialized/empty page * @usa_ofs: Offset (in bytes) from the start of this record to the Update * Sequence Array (USA). * The USA is located at record + usa_ofs. * @usa_count: Number of 16-bit entries in the USA array (including the Update * Sequence Number itself). * - Number of fixup locations = usa_count - 1 * - Each fixup location is a 16-bit value in the record that needs * protection against torn writes. * * The Update Sequence Array (usa) is an array of the __le16 values which belong * to the end of each sector protected by the update sequence record in which * this array is contained. Note that the first entry is the Update Sequence * Number (usn), a cyclic counter of how many times the protected record has * been written to disk. The values 0 and -1 (ie. 0xffff) are not used. All * last le16's of each sector have to be equal to the usn (during reading) or * are set to it (during writing). If they are not, an incomplete multi sector * transfer has occurred when the data was written. * The maximum size for the update sequence array is fixed to: * maximum size = usa_ofs + (usa_count * 2) = 510 bytes * The 510 bytes comes from the fact that the last __le16 in the array has to * (obviously) finish before the last __le16 of the first 512-byte sector. * This formula can be used as a consistency check in that usa_ofs + * (usa_count * 2) has to be less than or equal to 510. */ struct ntfs_record { __le32 magic; __le16 usa_ofs; __le16 usa_count; } __packed; /* * System files mft record numbers. All these files are always marked as used * in the bitmap attribute of the mft; presumably in order to avoid accidental * allocation for random other mft records. Also, the sequence number for each * of the system files is always equal to their mft record number and it is * never modified. * * FILE_MFT: Master File Table (MFT) itself. * Data attribute contains all MFT entries; * Bitmap attribute tracks which records are in use (bit==1). * FILE_MFTMirr: MFT mirror: copy of the first four (or more) MFT records * in its data attribute. * If cluster size > 4 KiB, copies first N records where * N = cluster_size / mft_record_size. * FILE_LogFile: Journaling log (LogFile) in data attribute. * Used for transaction logging and recovery. * FILE_Volume: Volume information and name. * Contains $VolumeName (label) and $VolumeInformation * (flags, NTFS version). Windows calls this the volume DASD. * FILE_AttrDef: Attribute definitions array in data attribute. * Defines all possible attribute types and their properties. * FILE_root: Root directory ($Root). * The top-level directory of the filesystem. * FILE_Bitmap: Cluster allocation bitmap ($Bitmap) in data attribute. * Tracks free/used clusters (LCNs) on the volume. * FILE_Boot: Boot sector ($Boot) in data attribute. * Always located at cluster 0; contains BPB and NTFS parameters. * FILE_BadClus: Bad cluster list ($BadClus) in non-resident data attribute. * Marks all known bad clusters. * FILE_Secure: Security descriptors ($Secure). * Contains shared $SDS (security descriptors) and two indexes * ($SDH, $SII). Introduced in Windows 2000. * Before that, it was called $Quota but was unused. * FILE_UpCase: Uppercase table ($UpCase) in data attribute. * Maps all 65536 Unicode characters to their uppercase forms. * FILE_Extend: System directory ($Extend). * Contains additional system files ($ObjId, $Quota, $Reparse, * $UsnJrnl, etc.). Introduced in NTFS 3.0 (Windows 2000). * FILE_reserved12: Reserved for future use (MFT records 12–15). * FILE_reserved13: Reserved. * FILE_reserved14: Reserved. * FILE_reserved15: Reserved. * FILE_first_user: First possible user-created file MFT record number. * Used as a boundary to distinguish system files from user files. */ enum { FILE_MFT = 0, FILE_MFTMirr = 1, FILE_LogFile = 2, FILE_Volume = 3, FILE_AttrDef = 4, FILE_root = 5, FILE_Bitmap = 6, FILE_Boot = 7, FILE_BadClus = 8, FILE_Secure = 9, FILE_UpCase = 10, FILE_Extend = 11, FILE_reserved12 = 12, FILE_reserved13 = 13, FILE_reserved14 = 14, FILE_reserved15 = 15, FILE_first_user = 16, }; /* * enum - Flags for MFT record header * * These are the so far known MFT_RECORD_* flags (16-bit) which contain * information about the mft record in which they are present. * * MFT_RECORD_IN_USE: This MFT record is allocated and in use. * (bit set = record is valid/used; clear = free) * MFT_RECORD_IS_DIRECTORY: This MFT record represents a directory. * (Used to quickly distinguish files from directories) * MFT_RECORD_IS_4: Indicates the record is a special "record 4" type. * (Rarely used; related to NTFS internal special cases, * often for $AttrDef or early system files) * MFT_RECORD_IS_VIEW_INDEX: This MFT record is used as a view index. * (Specific to NTFS indexed views or object ID indexes) * MFT_REC_SPACE_FILLER: Dummy value to force the enum to be 16-bit wide. * (Not a real flag; just a sentinel to ensure the type * is __le16 and no higher bits are accidentally used) */ enum { MFT_RECORD_IN_USE = cpu_to_le16(0x0001), MFT_RECORD_IS_DIRECTORY = cpu_to_le16(0x0002), MFT_RECORD_IS_4 = cpu_to_le16(0x0004), MFT_RECORD_IS_VIEW_INDEX = cpu_to_le16(0x0008), MFT_REC_SPACE_FILLER = cpu_to_le16(0xffff), /*Just to make flags 16-bit.*/ } __packed; /* * mft references (aka file references or file record segment references) are * used whenever a structure needs to refer to a record in the mft. * * A reference consists of a 48-bit index into the mft and a 16-bit sequence * number used to detect stale references. * * For error reporting purposes we treat the 48-bit index as a signed quantity. * * The sequence number is a circular counter (skipping 0) describing how many * times the referenced mft record has been (re)used. This has to match the * sequence number of the mft record being referenced, otherwise the reference * is considered stale and removed. * * If the sequence number is zero it is assumed that no sequence number * consistency checking should be performed. */ /* * Define two unpacking macros to get to the reference (MREF) and * sequence number (MSEQNO) respectively. * The _LE versions are to be applied on little endian MFT_REFs. * Note: The _LE versions will return a CPU endian formatted value! */ #define MFT_REF_MASK_CPU 0x0000ffffffffffffULL #define MFT_REF_MASK_LE cpu_to_le64(MFT_REF_MASK_CPU) #define MK_MREF(m, s) ((u64)(((u64)(s) << 48) | \ ((u64)(m) & MFT_REF_MASK_CPU))) #define MK_LE_MREF(m, s) cpu_to_le64(MK_MREF(m, s)) #define MREF(x) ((unsigned long)((x) & MFT_REF_MASK_CPU)) #define MSEQNO(x) ((u16)(((x) >> 48) & 0xffff)) #define MREF_LE(x) ((unsigned long)(le64_to_cpu(x) & MFT_REF_MASK_CPU)) #define MREF_INO(x) ((unsigned long)MREF_LE(x)) #define MSEQNO_LE(x) ((u16)((le64_to_cpu(x) >> 48) & 0xffff)) #define IS_ERR_MREF(x) (((x) & 0x0000800000000000ULL) ? true : false) #define ERR_MREF(x) ((u64)((s64)(x))) #define MREF_ERR(x) ((int)((s64)(x))) /* * struct mft_record - NTFS Master File Table (MFT) record header * * The mft record header present at the beginning of every record in the mft. * This is followed by a sequence of variable length attribute records which * is terminated by an attribute of type AT_END which is a truncated attribute * in that it only consists of the attribute type code AT_END and none of the * other members of the attribute structure are present. * * magic: Record magic ("FILE" for valid MFT entries). * See ntfs_record magic enum for other values. * usa_ofs: Offset to Update Sequence Array (see ntfs_record). * usa_count: Number of entries in USA (see ntfs_record). * lsn: Log sequence number (LSN) from LogFile. * Incremented on every modification to this record. * sequence_number: Reuse count of this MFT record slot. * Incremented (skipping zero) when the file is deleted. * Zero means never reused or special case. * Part of MFT reference (together with record number). * link_count: Number of hard links (directory entries) to this file. * Only meaningful in base MFT records. * When deleting a directory entry: * - If link_count == 1, delete the whole file * - Else remove only the $FILE_NAME attribute and decrement * attrs_offset: Byte offset from start of MFT record to first attribute. * Must be 8-byte aligned. * flags: Bit array of MFT_RECORD_* flags (see MFT_RECORD_IN_USE enum). * MFT_RECORD_IN_USE cleared when record is freed/deleted. * bytes_in_use: Number of bytes actually used in this MFT record. * Must be 8-byte aligned. * Includes header + all attributes + padding. * bytes_allocated: Total allocated size of this MFT record. * Usually equal to MFT record size (1024 bytes or cluster size). * base_mft_record: MFT reference to the base record. * 0 for base records. * Non-zero for extension records → points to base record * containing the $ATTRIBUTE_LIST that describes this extension. * next_attr_instance: Next attribute instance number to assign. * Incremented after each use. * Reset to 0 when MFT record is reused. * First instance is always 0. * reserved: Reserved for alignment (NTFS 3.1+). * mft_record_number: This MFT record's number (index in $MFT). * Only present in NTFS 3.1+ (Windows XP and above). */ struct mft_record { __le32 magic; __le16 usa_ofs; __le16 usa_count; __le64 lsn; __le16 sequence_number; __le16 link_count; __le16 attrs_offset; __le16 flags; __le32 bytes_in_use; __le32 bytes_allocated; __le64 base_mft_record; __le16 next_attr_instance; __le16 reserved; __le32 mft_record_number; } __packed; static_assert(sizeof(struct mft_record) == 48); /**x * struct mft_record_old - Old NTFS MFT record header (pre-NTFS 3.1 / Windows XP) * * This is the older version of the MFT record header used in NTFS versions * prior to 3.1 (Windows XP and later). It lacks the additional fields * @reserved and @mft_record_number that were added in NTFS 3.1+. * * @magic: Record magic ("FILE" for valid MFT entries). * See ntfs_record magic enum for other values. * @usa_ofs: Offset to Update Sequence Array (see ntfs_record). * @usa_count: Number of entries in USA (see ntfs_record). * @lsn: Log sequence number (LSN) from LogFile. * Incremented on every modification to this record. * @sequence_number: Reuse count of this MFT record slot. * Incremented (skipping zero) when the file is deleted. * Zero means never reused or special case. * Part of MFT reference (together with record number). * @link_count: Number of hard links (directory entries) to this file. * Only meaningful in base MFT records. * When deleting a directory entry: * - If link_count == 1, delete the whole file * - Else remove only the $FILE_NAME attribute and decrement * @attrs_offset: Byte offset from start of MFT record to first attribute. * Must be 8-byte aligned. * @flags: Bit array of MFT_RECORD_* flags (see MFT_RECORD_IN_USE enum). * MFT_RECORD_IN_USE cleared when record is freed/deleted. * @bytes_in_use: Number of bytes actually used in this MFT record. * Must be 8-byte aligned. * Includes header + all attributes + padding. * @bytes_allocated: Total allocated size of this MFT record. * Usually equal to MFT record size (1024 bytes or cluster size). * @base_mft_record: MFT reference to the base record. * 0 for base records. * Non-zero for extension records → points to base record * containing the $ATTRIBUTE_LIST that describes this extension. * @next_attr_instance: Next attribute instance number to assign. * Incremented after each use. * Reset to 0 when MFT record is reused. * First instance is always 0. */ struct mft_record_old { __le32 magic; __le16 usa_ofs; __le16 usa_count; __le64 lsn; __le16 sequence_number; __le16 link_count; __le16 attrs_offset; __le16 flags; __le32 bytes_in_use; __le32 bytes_allocated; __le64 base_mft_record; __le16 next_attr_instance; } __packed; static_assert(sizeof(struct mft_record_old) == 42); /* * System defined attributes (32-bit). Each attribute type has a corresponding * attribute name (Unicode string of maximum 64 character length) as described * by the attribute definitions present in the data attribute of the $AttrDef * system file. On NTFS 3.0 volumes the names are just as the types are named * in the below defines exchanging AT_ for the dollar sign ($). If that is not * a revealing choice of symbol I do not know what is... (-; */ enum { AT_UNUSED = cpu_to_le32(0), AT_STANDARD_INFORMATION = cpu_to_le32(0x10), AT_ATTRIBUTE_LIST = cpu_to_le32(0x20), AT_FILE_NAME = cpu_to_le32(0x30), AT_OBJECT_ID = cpu_to_le32(0x40), AT_SECURITY_DESCRIPTOR = cpu_to_le32(0x50), AT_VOLUME_NAME = cpu_to_le32(0x60), AT_VOLUME_INFORMATION = cpu_to_le32(0x70), AT_DATA = cpu_to_le32(0x80), AT_INDEX_ROOT = cpu_to_le32(0x90), AT_INDEX_ALLOCATION = cpu_to_le32(0xa0), AT_BITMAP = cpu_to_le32(0xb0), AT_REPARSE_POINT = cpu_to_le32(0xc0), AT_EA_INFORMATION = cpu_to_le32(0xd0), AT_EA = cpu_to_le32(0xe0), AT_PROPERTY_SET = cpu_to_le32(0xf0), AT_LOGGED_UTILITY_STREAM = cpu_to_le32(0x100), AT_FIRST_USER_DEFINED_ATTRIBUTE = cpu_to_le32(0x1000), AT_END = cpu_to_le32(0xffffffff) }; /* * The collation rules for sorting views/indexes/etc (32-bit). * * COLLATION_BINARY - Collate by binary compare where the first byte is most * significant. * COLLATION_UNICODE_STRING - Collate Unicode strings by comparing their binary * Unicode values, except that when a character can be uppercased, the * upper case value collates before the lower case one. * COLLATION_FILE_NAME - Collate file names as Unicode strings. The collation * is done very much like COLLATION_UNICODE_STRING. In fact I have no idea * what the difference is. Perhaps the difference is that file names * would treat some special characters in an odd way (see * unistr.c::ntfs_collate_names() and unistr.c::legal_ansi_char_array[] * for what I mean but COLLATION_UNICODE_STRING would not give any special * treatment to any characters at all, but this is speculation. * COLLATION_NTOFS_ULONG - Sorting is done according to ascending __le32 key * values. E.g. used for $SII index in FILE_Secure, which sorts by * security_id (le32). * COLLATION_NTOFS_SID - Sorting is done according to ascending SID values. * E.g. used for $O index in FILE_Extend/$Quota. * COLLATION_NTOFS_SECURITY_HASH - Sorting is done first by ascending hash * values and second by ascending security_id values. E.g. used for $SDH * index in FILE_Secure. * COLLATION_NTOFS_ULONGS - Sorting is done according to a sequence of ascending * __le32 key values. E.g. used for $O index in FILE_Extend/$ObjId, which * sorts by object_id (16-byte), by splitting up the object_id in four * __le32 values and using them as individual keys. E.g. take the following * two security_ids, stored as follows on disk: * 1st: a1 61 65 b7 65 7b d4 11 9e 3d 00 e0 81 10 42 59 * 2nd: 38 14 37 d2 d2 f3 d4 11 a5 21 c8 6b 79 b1 97 45 * To compare them, they are split into four __le32 values each, like so: * 1st: 0xb76561a1 0x11d47b65 0xe0003d9e 0x59421081 * 2nd: 0xd2371438 0x11d4f3d2 0x6bc821a5 0x4597b179 * Now, it is apparent why the 2nd object_id collates after the 1st: the * first __le32 value of the 1st object_id is less than the first __le32 of * the 2nd object_id. If the first __le32 values of both object_ids were * equal then the second __le32 values would be compared, etc. */ enum { COLLATION_BINARY = cpu_to_le32(0x00), COLLATION_FILE_NAME = cpu_to_le32(0x01), COLLATION_UNICODE_STRING = cpu_to_le32(0x02), COLLATION_NTOFS_ULONG = cpu_to_le32(0x10), COLLATION_NTOFS_SID = cpu_to_le32(0x11), COLLATION_NTOFS_SECURITY_HASH = cpu_to_le32(0x12), COLLATION_NTOFS_ULONGS = cpu_to_le32(0x13), }; /* * enum - Attribute definition flags * * The flags (32-bit) describing attribute properties in the attribute * definition structure. * The INDEXABLE flag is fairly certainly correct as only the file * name attribute has this flag set and this is the only attribute indexed in * NT4. * * ATTR_DEF_INDEXABLE: Attribute can be indexed. * (Used for creating indexes like $I30, $SDH, etc.) * ATTR_DEF_MULTIPLE: Attribute type can be present multiple times * in the MFT record of an inode. * (e.g., multiple $FILE_NAME, $DATA streams) * ATTR_DEF_NOT_ZERO: Attribute value must contain at least one non-zero byte. * (Prevents empty or all-zero values) * ATTR_DEF_INDEXED_UNIQUE: Attribute must be indexed and the value must be unique * for this attribute type across all MFT records of an inode. * (e.g., security descriptor IDs in $Secure) * ATTR_DEF_NAMED_UNIQUE: Attribute must be named and the name must be unique * for this attribute type across all MFT records of an inode. * (e.g., named $DATA streams or alternate data streams) * ATTR_DEF_RESIDENT: Attribute must be resident (stored in MFT record). * (Cannot be non-resident/sparse/compressed) * ATTR_DEF_ALWAYS_LOG: Always log modifications to this attribute in LogFile, * regardless of whether it is resident or non-resident. * Without this flag, modifications are logged only if resident. * (Used for critical metadata attributes) */ enum { ATTR_DEF_INDEXABLE = cpu_to_le32(0x02), ATTR_DEF_MULTIPLE = cpu_to_le32(0x04), ATTR_DEF_NOT_ZERO = cpu_to_le32(0x08), ATTR_DEF_INDEXED_UNIQUE = cpu_to_le32(0x10), ATTR_DEF_NAMED_UNIQUE = cpu_to_le32(0x20), ATTR_DEF_RESIDENT = cpu_to_le32(0x40), ATTR_DEF_ALWAYS_LOG = cpu_to_le32(0x80), }; /* * struct attr_def - Attribute definition entry ($AttrDef array) * * The data attribute of FILE_AttrDef contains a sequence of attribute * definitions for the NTFS volume. With this, it is supposed to be safe for an * older NTFS driver to mount a volume containing a newer NTFS version without * damaging it (that's the theory. In practice it's: not damaging it too much). * Entries are sorted by attribute type. The flags describe whether the * attribute can be resident/non-resident and possibly other things, but the * actual bits are unknown. * * @name: Unicode (UTF-16LE) name of the attribute (e.g. "$DATA", "$FILE_NAME"). * Zero-terminated string, maximum 0x40 characters (128 bytes). * Used for human-readable display and debugging. * @type: Attribute type code (ATTR_TYPE_* constants). * Defines which attribute this entry describes. * @display_rule: Default display rule (usually 0; rarely used in modern NTFS). * Controls how the attribute is displayed in tools (legacy). * @collation_rule: Default collation rule for indexing this attribute. * Determines sort order when indexed (e.g. CASE_SENSITIVE, UNICODE). * Used in $I30, $SDH, $SII, etc. * @flags: Bit array of attribute constraints (ATTR_DEF_* flags). * See ATTR_DEF_INDEXABLE, ATTR_DEF_MULTIPLE, etc. * Defines whether the attribute can be indexed, multiple, resident-only, etc. * @min_size: Optional minimum size of the attribute value (in bytes). * 0 means no minimum enforced. * @max_size: Maximum allowed size of the attribute value (in bytes). */ struct attr_def { __le16 name[0x40]; __le32 type; __le32 display_rule; __le32 collation_rule; __le32 flags; __le64 min_size; __le64 max_size; } __packed; static_assert(sizeof(struct attr_def) == 160); /* * enum - Attribute flags (16-bit) for non-resident attributes * * ATTR_IS_COMPRESSED: Attribute is compressed. * If set, data is compressed using the method in * ATTR_COMPRESSION_MASK. * ATTR_COMPRESSION_MASK: Mask for compression method. * Valid values are defined in NTFS compression types * (e.g., 0x02 = LZNT1, etc.). * Also serves as the first illegal value for method. * ATTR_IS_ENCRYPTED: Attribute is encrypted. * Data is encrypted using EFS (Encrypting File System). * ATTR_IS_SPARSE: Attribute is sparse. * Contains holes (unallocated regions) that read as zeros. */ enum { ATTR_IS_COMPRESSED = cpu_to_le16(0x0001), ATTR_COMPRESSION_MASK = cpu_to_le16(0x00ff), ATTR_IS_ENCRYPTED = cpu_to_le16(0x4000), ATTR_IS_SPARSE = cpu_to_le16(0x8000), } __packed; /* * Attribute compression. * * Only the data attribute is ever compressed in the current ntfs driver in * Windows. Further, compression is only applied when the data attribute is * non-resident. Finally, to use compression, the maximum allowed cluster size * on a volume is 4kib. * * The compression method is based on independently compressing blocks of X * clusters, where X is determined from the compression_unit value found in the * non-resident attribute record header (more precisely: X = 2^compression_unit * clusters). On Windows NT/2k, X always is 16 clusters (compression_unit = 4). * * There are three different cases of how a compression block of X clusters * can be stored: * * 1) The data in the block is all zero (a sparse block): * This is stored as a sparse block in the runlist, i.e. the runlist * entry has length = X and lcn = -1. The mapping pairs array actually * uses a delta_lcn value length of 0, i.e. delta_lcn is not present at * all, which is then interpreted by the driver as lcn = -1. * NOTE: Even uncompressed files can be sparse on NTFS 3.0 volumes, then * the same principles apply as above, except that the length is not * restricted to being any particular value. * * 2) The data in the block is not compressed: * This happens when compression doesn't reduce the size of the block * in clusters. I.e. if compression has a small effect so that the * compressed data still occupies X clusters, then the uncompressed data * is stored in the block. * This case is recognised by the fact that the runlist entry has * length = X and lcn >= 0. The mapping pairs array stores this as * normal with a run length of X and some specific delta_lcn, i.e. * delta_lcn has to be present. * * 3) The data in the block is compressed: * The common case. This case is recognised by the fact that the run * list entry has length L < X and lcn >= 0. The mapping pairs array * stores this as normal with a run length of X and some specific * delta_lcn, i.e. delta_lcn has to be present. This runlist entry is * immediately followed by a sparse entry with length = X - L and * lcn = -1. The latter entry is to make up the vcn counting to the * full compression block size X. * * In fact, life is more complicated because adjacent entries of the same type * can be coalesced. This means that one has to keep track of the number of * clusters handled and work on a basis of X clusters at a time being one * block. An example: if length L > X this means that this particular runlist * entry contains a block of length X and part of one or more blocks of length * L - X. Another example: if length L < X, this does not necessarily mean that * the block is compressed as it might be that the lcn changes inside the block * and hence the following runlist entry describes the continuation of the * potentially compressed block. The block would be compressed if the * following runlist entry describes at least X - L sparse clusters, thus * making up the compression block length as described in point 3 above. (Of * course, there can be several runlist entries with small lengths so that the * sparse entry does not follow the first data containing entry with * length < X.) * * NOTE: At the end of the compressed attribute value, there most likely is not * just the right amount of data to make up a compression block, thus this data * is not even attempted to be compressed. It is just stored as is, unless * the number of clusters it occupies is reduced when compressed in which case * it is stored as a compressed compression block, complete with sparse * clusters at the end. */ /* * enum - Flags for resident attributes (8-bit) * * RESIDENT_ATTR_IS_INDEXED: Attribute is referenced in an index. * (e.g., part of an index key or entry) * Has implications for deletion and modification: * - Cannot be freely removed if indexed * - Index must be updated when value changes * - Used for attributes like $FILE_NAME in directories */ enum { RESIDENT_ATTR_IS_INDEXED = 0x01, } __packed; /* * struct attr_record - NTFS attribute record header * * Common header for both resident and non-resident attributes. * Always aligned to an 8-byte boundary on disk. * Located at attrs_offset in the MFT record (see struct mft_record). * * @type: 32-bit attribute type (ATTR_TYPE_* constants). * Identifies the attribute * (e.g. 0x10 = $STANDARD_INFORMATION). * @length: Total byte size of this attribute record (resident). * 8-byte aligned; used to locate the next attribute. * @non_resident: 0 = resident attribute * 1 = non-resident attribute * @name_length: Number of Unicode characters in the attribute name. * 0 if unnamed (most system attributes are unnamed). * @name_offset: Byte offset from start of attribute record to the name. * 8-byte aligned; when creating, place at end of header. * @flags: Attribute flags (see ATTR_IS_COMPRESSED, * ATTR_IS_ENCRYPTED, etc.). * For resident: see RESIDENT_ATTR_* flags. * @instance: Unique instance number within this MFT record. * Incremented via next_attr_instance; unique per record. * * Resident attributes (when @non_resident == 0): * @data.resident.value_length: Byte size of the attribute value. * @data.resident.value_offset: Byte offset from start of attribute * record to the value data. * 8-byte aligned if name present. * @data.resident.flags: Resident-specific flags * @data.resident.reserved: Reserved/alignment to 8 bytes. * * Non-resident attributes (when @non_resident == 1): * @data.non_resident.lowest_vcn: Lowest valid VCN in this extent. * Usually 0 unless attribute list is used. * @data.non_resident.highest_vcn: Highest valid VCN in this extent. * -1 for zero-length, 0 for single extent. * @data.non_resident.mapping_pairs_offset: * Byte offset to mapping pairs array * (VCN → LCN mappings). * 8-byte aligned when creating. * @data.non_resident.compression_unit: * Log2 of clusters per compression unit. * 0 = not compressed. * WinNT4 used 4; sparse files use 0 * on XP SP2+. * @data.non_resident.reserved: 5 bytes for 8-byte alignment. * @data.non_resident.allocated_size: * Allocated disk space in bytes. * For compressed: logical allocated size. * @data.non_resident.data_size: Logical attribute value size in bytes. * Can be larger than allocated_size if * compressed/sparse. * @data.non_resident.initialized_size: * Initialized portion size in bytes. * Usually equals data_size. * @data.non_resident.compressed_size: * Compressed on-disk size in bytes. * Only present when compressed or sparse. * Actual disk usage. */ struct attr_record { __le32 type; __le32 length; u8 non_resident; u8 name_length; __le16 name_offset; __le16 flags; __le16 instance; union { struct { __le32 value_length; __le16 value_offset; u8 flags; s8 reserved; } __packed resident; struct { __le64 lowest_vcn; __le64 highest_vcn; __le16 mapping_pairs_offset; u8 compression_unit; u8 reserved[5]; __le64 allocated_size; __le64 data_size; __le64 initialized_size; __le64 compressed_size; } __packed non_resident; } __packed data; } __packed; /* * enum - NTFS file attribute flags (32-bit) * * File attribute flags (32-bit) appearing in the file_attributes fields of the * STANDARD_INFORMATION attribute of MFT_RECORDs and the FILENAME_ATTR * attributes of MFT_RECORDs and directory index entries. * * All of the below flags appear in the directory index entries but only some * appear in the STANDARD_INFORMATION attribute whilst only some others appear * in the FILENAME_ATTR attribute of MFT_RECORDs. Unless otherwise stated the * flags appear in all of the above. * * FILE_ATTR_READONLY: File is read-only. * FILE_ATTR_HIDDEN: File is hidden (not shown by default). * FILE_ATTR_SYSTEM: System file (protected by OS). * FILE_ATTR_DIRECTORY: Directory flag (reserved in NT; use MFT flag instead). * FILE_ATTR_ARCHIVE: File needs archiving (backup flag). * FILE_ATTR_DEVICE: Device file (rarely used). * FILE_ATTR_NORMAL: Normal file (no special attributes). * FILE_ATTR_TEMPORARY: Temporary file (delete on close). * FILE_ATTR_SPARSE_FILE: Sparse file (contains holes). * FILE_ATTR_REPARSE_POINT: Reparse point (junction, symlink, mount point). * FILE_ATTR_COMPRESSED: File is compressed. * FILE_ATTR_OFFLINE: File data is offline (not locally available). * FILE_ATTR_NOT_CONTENT_INDEXED: * File is excluded from content indexing. * FILE_ATTR_ENCRYPTED: File is encrypted (EFS). * FILE_ATTR_VALID_FLAGS: Mask of all valid flags for reading. * FILE_ATTR_VALID_SET_FLAGS: Mask of flags that can be set by user. * FILE_ATTRIBUTE_RECALL_ON_OPEN: * Recall data on open (cloud/HSM related). * FILE_ATTR_DUP_FILE_NAME_INDEX_PRESENT: * $FILE_NAME has duplicate index entry. * FILE_ATTR_DUP_VIEW_INDEX_PRESENT: * Duplicate view index present (object ID, quota, etc.). */ enum { FILE_ATTR_READONLY = cpu_to_le32(0x00000001), FILE_ATTR_HIDDEN = cpu_to_le32(0x00000002), FILE_ATTR_SYSTEM = cpu_to_le32(0x00000004), /* Old DOS volid. Unused in NT. = cpu_to_le32(0x00000008), */ FILE_ATTR_DIRECTORY = cpu_to_le32(0x00000010), FILE_ATTR_ARCHIVE = cpu_to_le32(0x00000020), FILE_ATTR_DEVICE = cpu_to_le32(0x00000040), FILE_ATTR_NORMAL = cpu_to_le32(0x00000080), FILE_ATTR_TEMPORARY = cpu_to_le32(0x00000100), FILE_ATTR_SPARSE_FILE = cpu_to_le32(0x00000200), FILE_ATTR_REPARSE_POINT = cpu_to_le32(0x00000400), FILE_ATTR_COMPRESSED = cpu_to_le32(0x00000800), FILE_ATTR_OFFLINE = cpu_to_le32(0x00001000), FILE_ATTR_NOT_CONTENT_INDEXED = cpu_to_le32(0x00002000), FILE_ATTR_ENCRYPTED = cpu_to_le32(0x00004000), FILE_ATTR_VALID_FLAGS = cpu_to_le32(0x00007fb7), FILE_ATTR_VALID_SET_FLAGS = cpu_to_le32(0x000031a7), FILE_ATTRIBUTE_RECALL_ON_OPEN = cpu_to_le32(0x00040000), FILE_ATTR_DUP_FILE_NAME_INDEX_PRESENT = cpu_to_le32(0x10000000), FILE_ATTR_DUP_VIEW_INDEX_PRESENT = cpu_to_le32(0x20000000), }; /* * NOTE on times in NTFS: All times are in MS standard time format, i.e. they * are the number of 100-nanosecond intervals since 1st January 1601, 00:00:00 * universal coordinated time (UTC). (In Linux time starts 1st January 1970, * 00:00:00 UTC and is stored as the number of 1-second intervals since then.) */ /* * struct standard_information - $STANDARD_INFORMATION attribute content * * NOTE: Always resident. * NOTE: Present in all base file records on a volume. * NOTE: There is conflicting information about the meaning of each of the time * fields but the meaning as defined below has been verified to be * correct by practical experimentation on Windows NT4 SP6a and is hence * assumed to be the one and only correct interpretation. * * @creation_time: File creation time (NTFS timestamp). * Updated on filename change(?). * @last_data_change_time: Last modification time of data streams. * @last_mft_change_time: Last modification time of this MFT record. * @last_access_time: Last access time (approximate). * Not updated on read-only volumes; can be disabled. * @file_attributes: File attribute flags (FILE_ATTR_* bits). * * Union (version-specific fields): * @ver.v1.reserved12: 12 bytes reserved/alignment (NTFS 1.2 only). * * @ver.v3 (NTFS 3.x / Windows 2000+): * @maximum_versions: Max allowed file versions (0 = disabled). * @version_number: Current version number (0 if disabled). * @class_id: Class ID (from bidirectional index?). * @owner_id: Owner ID (maps to $Quota via $Q index). * @security_id: Security ID (maps to $Secure $SII/$SDS). * @quota_charged: Quota charge in bytes (0 if quotas disabled). * @usn: Last USN from $UsnJrnl (0 if disabled). */ struct standard_information { __le64 creation_time; __le64 last_data_change_time; __le64 last_mft_change_time; __le64 last_access_time; __le32 file_attributes; union { struct { u8 reserved12[12]; } __packed v1; struct { __le32 maximum_versions; __le32 version_number; __le32 class_id; __le32 owner_id; __le32 security_id; __le64 quota_charged; __le64 usn; } __packed v3; } __packed ver; } __packed; /* * struct attr_list_entry - Entry in $ATTRIBUTE_LIST attribute. * * @type: Attribute type code (ATTR_TYPE_*). * @length: Byte size of this entry (8-byte aligned). * @name_length: Unicode char count of attribute name (0 if unnamed). * @name_offset: Byte offset from start of entry to name (always set). * @lowest_vcn: Lowest VCN of this attribute extent (usually 0). * Signed value; non-zero when attribute spans extents. * @mft_reference: MFT record reference holding this attribute extent. * @instance: Attribute instance number (if lowest_vcn == 0); else 0. * @name: Variable Unicode name (use @name_offset when reading). * * - Can be either resident or non-resident. * - Value consists of a sequence of variable length, 8-byte aligned, * ATTR_LIST_ENTRY records. * - The list is not terminated by anything at all! The only way to know when * the end is reached is to keep track of the current offset and compare it to * the attribute value size. * - The attribute list attribute contains one entry for each attribute of * the file in which the list is located, except for the list attribute * itself. The list is sorted: first by attribute type, second by attribute * name (if present), third by instance number. The extents of one * non-resident attribute (if present) immediately follow after the initial * extent. They are ordered by lowest_vcn and have their instance set to zero. * It is not allowed to have two attributes with all sorting keys equal. * - Further restrictions: * - If not resident, the vcn to lcn mapping array has to fit inside the * base mft record. * - The attribute list attribute value has a maximum size of 256kb. This * is imposed by the Windows cache manager. * - Attribute lists are only used when the attributes of mft record do not * fit inside the mft record despite all attributes (that can be made * non-resident) having been made non-resident. This can happen e.g. when: * - File has a large number of hard links (lots of file name * attributes present). * - The mapping pairs array of some non-resident attribute becomes so * large due to fragmentation that it overflows the mft record. * - The security descriptor is very complex (not applicable to * NTFS 3.0 volumes). * - There are many named streams. */ struct attr_list_entry { __le32 type; __le16 length; u8 name_length; u8 name_offset; __le64 lowest_vcn; __le64 mft_reference; __le16 instance; __le16 name[]; } __packed; /* * The maximum allowed length for a file name. */ #define MAXIMUM_FILE_NAME_LENGTH 255 /* * enum - Possible namespaces for filenames in ntfs (8-bit). * * FILE_NAME_POSIX POSIX namespace (case sensitive, most permissive). * Allows all Unicode except '\0' and '/'. * WinNT/2k/2003 default utilities ignore case * differences. SFU (Services For Unix) enables true * case sensitivity. * SFU restricts some chars: '"', '/', '<', '>', '\'. * FILE_NAME_WIN32 Standard WinNT/2k long filename namespace * (case insensitive). * Disallows '\0', '"', '*', '/', ':', '<', '>', '?', * '\', '|'. Names cannot end with '.' or space. * FILE_NAME_DOS DOS 8.3 namespace (uppercase only). * Allows 8-bit chars > space except '"', '*', '+', * ',', '/', ':', ';', '<', '=', '>', '?', '\'. * FILE_NAME_WIN32_AND_DOS * Win32 and DOS names are identical (single record). * Value 0x03 indicates both are stored in one entry. */ enum { FILE_NAME_POSIX = 0x00, FILE_NAME_WIN32 = 0x01, FILE_NAME_DOS = 0x02, FILE_NAME_WIN32_AND_DOS = 0x03, } __packed; /* * struct file_name_attr - $FILE_NAME attribute content * * NOTE: Always resident. * NOTE: All fields, except the parent_directory, are only updated when the * filename is changed. Until then, they just become out of sync with * reality and the more up to date values are present in the standard * information attribute. * NOTE: There is conflicting information about the meaning of each of the time * fields but the meaning as defined below has been verified to be * correct by practical experimentation on Windows NT4 SP6a and is hence * assumed to be the one and only correct interpretation. * * @parent_directory: MFT reference to parent directory. * @creation_time: File creation time (NTFS timestamp). * @last_data_change_time: * Last data modification time. * @last_mft_change_time: * Last MFT record modification time. * @last_access_time: Last access time (approximate; may not * update always). * @allocated_size: On-disk allocated size for unnamed $DATA. * Equals compressed_size if compressed/sparse. * 0 for directories or no $DATA. * Multiple of cluster size. * @data_size: Logical size of unnamed $DATA. * 0 for directories or no $DATA. * @file_attributes: File attribute flags (FILE_ATTR_* bits). * @type.ea.packed_ea_size: * Size needed to pack EAs (if present). * @type.ea.reserved: Alignment padding. * @type.rp.reparse_point_tag: * Reparse point type (if reparse point, no EAs). * @file_name_length: Length of filename in Unicode characters. * @file_name_type: Namespace (FILE_NAME_POSIX, WIN32, DOS, etc.). * @file_name: Variable-length Unicode filename. */ struct file_name_attr { __le64 parent_directory; __le64 creation_time; __le64 last_data_change_time; __le64 last_mft_change_time; __le64 last_access_time; __le64 allocated_size; __le64 data_size; __le32 file_attributes; union { struct { __le16 packed_ea_size; __le16 reserved; } __packed ea; struct { __le32 reparse_point_tag; } __packed rp; } __packed type; u8 file_name_length; u8 file_name_type; __le16 file_name[]; } __packed; /* * struct guid - Globally Unique Identifier (GUID) structure * * GUID structures store globally unique identifiers (GUID). A GUID is a * 128-bit value consisting of one group of eight hexadecimal digits, followed * by three groups of four hexadecimal digits each, followed by one group of * twelve hexadecimal digits. GUIDs are Microsoft's implementation of the * distributed computing environment (DCE) universally unique identifier (UUID). * Example of a GUID: * 1F010768-5A73-BC91-0010A52216A7 * * @data1: First 32 bits (first 8 hex digits). * @data2: Next 16 bits (first group of 4 hex digits). * @data3: Next 16 bits (second group of 4 hex digits). * @data4: Final 64 bits (third group of 4 + last 12 hex digits). * data4[0-1]: third group; data4[2-7]: remaining part. */ struct guid { __le32 data1; __le16 data2; __le16 data3; u8 data4[8]; } __packed; /* * struct object_id_attr - $OBJECT_ID attribute content (NTFS 3.0+) * * NOTE: Always resident. * * @object_id: Unique 128-bit GUID assigned to the file. * Core identifier; always present. * * Optional extended info (union; total value size 16–64 bytes): * @extended_info.birth_volume_id: * Birth volume GUID (where file was first created). * @extended_info.birth_object_id: * Birth object GUID (original ID before copy/move). * @extended_info.domain_id: * Domain GUID (usually zero; reserved). */ struct object_id_attr { struct guid object_id; union { struct { struct guid birth_volume_id; struct guid birth_object_id; struct guid domain_id; } __packed; u8 extended_info[48]; } __packed; } __packed; /* * enum - RIDs (Relative Identifiers) in Windows/NTFS security * * These relative identifiers (RIDs) are used with the above identifier * authorities to make up universal well-known SIDs. * * SECURITY_NULL_RID S-1-0 (Null authority) * SECURITY_WORLD_RID S-1-1 (World/Everyone) * SECURITY_LOCAL_RID S-1-2 (Local) * SECURITY_CREATOR_OWNER_RID S-1-3-0 (Creator Owner) * SECURITY_CREATOR_GROUP_RID S-1-3-1 (Creator Group) * SECURITY_CREATOR_OWNER_SERVER_RID S-1-3-2 (Server Creator Owner) * SECURITY_CREATOR_GROUP_SERVER_RID S-1-3-3 (Server Creator Group) * SECURITY_DIALUP_RID S-1-5-1 (Dialup) * SECURITY_NETWORK_RID S-1-5-2 (Network) * SECURITY_BATCH_RID S-1-5-3 (Batch) * SECURITY_INTERACTIVE_RID S-1-5-4 (Interactive) * SECURITY_SERVICE_RID S-1-5-6 (Service) * SECURITY_ANONYMOUS_LOGON_RID S-1-5-7 (Anonymous Logon) * SECURITY_PROXY_RID S-1-5-8 (Proxy) * SECURITY_ENTERPRISE_CONTROLLERS_RID S-1-5-9 (Enterprise DCs) * SECURITY_SERVER_LOGON_RID S-1-5-9 (Server Logon alias) * SECURITY_PRINCIPAL_SELF_RID S-1-5-10 (Self/PrincipalSelf) * SECURITY_AUTHENTICATED_USER_RID S-1-5-11 (Authenticated Users) * SECURITY_RESTRICTED_CODE_RID S-1-5-12 (Restricted Code) * SECURITY_TERMINAL_SERVER_RID S-1-5-13 (Terminal Server) * SECURITY_LOGON_IDS_RID S-1-5-5 (Logon session IDs base) * SECURITY_LOCAL_SYSTEM_RID S-1-5-18 (Local System) * SECURITY_NT_NON_UNIQUE S-1-5-21 (NT non-unique authority) * SECURITY_BUILTIN_DOMAIN_RID S-1-5-32 (Built-in domain) * * Built-in domain relative RIDs (S-1-5-32-...): * Users: * DOMAIN_USER_RID_ADMIN Administrator * DOMAIN_USER_RID_GUEST Guest * DOMAIN_USER_RID_KRBTGT krbtgt (Kerberos ticket-granting) * * Groups: * DOMAIN_GROUP_RID_ADMINS Administrators * DOMAIN_GROUP_RID_USERS Users * DOMAIN_GROUP_RID_GUESTS Guests * DOMAIN_GROUP_RID_COMPUTERS Computers * DOMAIN_GROUP_RID_CONTROLLERS Domain Controllers * DOMAIN_GROUP_RID_CERT_ADMINS Cert Publishers * DOMAIN_GROUP_RID_SCHEMA_ADMINS Schema Admins * DOMAIN_GROUP_RID_ENTERPRISE_ADMINS Enterprise Admins * DOMAIN_GROUP_RID_POLICY_ADMINS Policy Admins (if present) * * Aliases: * DOMAIN_ALIAS_RID_ADMINS Administrators alias * DOMAIN_ALIAS_RID_USERS Users alias * DOMAIN_ALIAS_RID_GUESTS Guests alias * DOMAIN_ALIAS_RID_POWER_USERS Power Users * DOMAIN_ALIAS_RID_ACCOUNT_OPS Account Operators * DOMAIN_ALIAS_RID_SYSTEM_OPS Server Operators * DOMAIN_ALIAS_RID_PRINT_OPS Print Operators * DOMAIN_ALIAS_RID_BACKUP_OPS Backup Operators * DOMAIN_ALIAS_RID_REPLICATOR Replicator * DOMAIN_ALIAS_RID_RAS_SERVERS RAS Servers * DOMAIN_ALIAS_RID_PREW2KCOMPACCESS Pre-Windows 2000 Compatible Access * * Note: The relative identifier (RID) refers to the portion of a SID, which * identifies a user or group in relation to the authority that issued the SID. * For example, the universal well-known SID Creator Owner ID (S-1-3-0) is * made up of the identifier authority SECURITY_CREATOR_SID_AUTHORITY (3) and * the relative identifier SECURITY_CREATOR_OWNER_RID (0). */ enum { /* Identifier authority. */ SECURITY_NULL_RID = 0, /* S-1-0 */ SECURITY_WORLD_RID = 0, /* S-1-1 */ SECURITY_LOCAL_RID = 0, /* S-1-2 */ SECURITY_CREATOR_OWNER_RID = 0, /* S-1-3 */ SECURITY_CREATOR_GROUP_RID = 1, /* S-1-3 */ SECURITY_CREATOR_OWNER_SERVER_RID = 2, /* S-1-3 */ SECURITY_CREATOR_GROUP_SERVER_RID = 3, /* S-1-3 */ SECURITY_DIALUP_RID = 1, SECURITY_NETWORK_RID = 2, SECURITY_BATCH_RID = 3, SECURITY_INTERACTIVE_RID = 4, SECURITY_SERVICE_RID = 6, SECURITY_ANONYMOUS_LOGON_RID = 7, SECURITY_PROXY_RID = 8, SECURITY_ENTERPRISE_CONTROLLERS_RID = 9, SECURITY_SERVER_LOGON_RID = 9, SECURITY_PRINCIPAL_SELF_RID = 0xa, SECURITY_AUTHENTICATED_USER_RID = 0xb, SECURITY_RESTRICTED_CODE_RID = 0xc, SECURITY_TERMINAL_SERVER_RID = 0xd, SECURITY_LOGON_IDS_RID = 5, SECURITY_LOGON_IDS_RID_COUNT = 3, SECURITY_LOCAL_SYSTEM_RID = 0x12, SECURITY_NT_NON_UNIQUE = 0x15, SECURITY_BUILTIN_DOMAIN_RID = 0x20, /* * Well-known domain relative sub-authority values (RIDs). */ /* Users. */ DOMAIN_USER_RID_ADMIN = 0x1f4, DOMAIN_USER_RID_GUEST = 0x1f5, DOMAIN_USER_RID_KRBTGT = 0x1f6, /* Groups. */ DOMAIN_GROUP_RID_ADMINS = 0x200, DOMAIN_GROUP_RID_USERS = 0x201, DOMAIN_GROUP_RID_GUESTS = 0x202, DOMAIN_GROUP_RID_COMPUTERS = 0x203, DOMAIN_GROUP_RID_CONTROLLERS = 0x204, DOMAIN_GROUP_RID_CERT_ADMINS = 0x205, DOMAIN_GROUP_RID_SCHEMA_ADMINS = 0x206, DOMAIN_GROUP_RID_ENTERPRISE_ADMINS = 0x207, DOMAIN_GROUP_RID_POLICY_ADMINS = 0x208, /* Aliases. */ DOMAIN_ALIAS_RID_ADMINS = 0x220, DOMAIN_ALIAS_RID_USERS = 0x221, DOMAIN_ALIAS_RID_GUESTS = 0x222, DOMAIN_ALIAS_RID_POWER_USERS = 0x223, DOMAIN_ALIAS_RID_ACCOUNT_OPS = 0x224, DOMAIN_ALIAS_RID_SYSTEM_OPS = 0x225, DOMAIN_ALIAS_RID_PRINT_OPS = 0x226, DOMAIN_ALIAS_RID_BACKUP_OPS = 0x227, DOMAIN_ALIAS_RID_REPLICATOR = 0x228, DOMAIN_ALIAS_RID_RAS_SERVERS = 0x229, DOMAIN_ALIAS_RID_PREW2KCOMPACCESS = 0x22a, }; /* * The universal well-known SIDs: * * NULL_SID S-1-0-0 * WORLD_SID S-1-1-0 * LOCAL_SID S-1-2-0 * CREATOR_OWNER_SID S-1-3-0 * CREATOR_GROUP_SID S-1-3-1 * CREATOR_OWNER_SERVER_SID S-1-3-2 * CREATOR_GROUP_SERVER_SID S-1-3-3 * * (Non-unique IDs) S-1-4 * * NT well-known SIDs: * * NT_AUTHORITY_SID S-1-5 * DIALUP_SID S-1-5-1 * * NETWORD_SID S-1-5-2 * BATCH_SID S-1-5-3 * INTERACTIVE_SID S-1-5-4 * SERVICE_SID S-1-5-6 * ANONYMOUS_LOGON_SID S-1-5-7 (aka null logon session) * PROXY_SID S-1-5-8 * SERVER_LOGON_SID S-1-5-9 (aka domain controller account) * SELF_SID S-1-5-10 (self RID) * AUTHENTICATED_USER_SID S-1-5-11 * RESTRICTED_CODE_SID S-1-5-12 (running restricted code) * TERMINAL_SERVER_SID S-1-5-13 (running on terminal server) * * (Logon IDs) S-1-5-5-X-Y * * (NT non-unique IDs) S-1-5-0x15-... * * (Built-in domain) S-1-5-0x20 */ /* * struct ntfs_sid - Security Identifier (SID) structure * * @revision: SID revision level (usually 1). * @sub_authority_count: Number of sub-authorities (1 or more). * @identifier_authority: * 48-bit identifier authority (S-1-x-...). * @parts.high_part: high 16 bits. * @parts.low_part: low 32 bits. * @value: raw 6-byte array. * @sub_authority: Variable array of 32-bit RIDs. * At least one; defines the SID relative to authority. * * The SID structure is a variable-length structure used to uniquely identify * users or groups. SID stands for security identifier. * * The standard textual representation of the SID is of the form: * S-R-I-S-S... * Where: * - The first "S" is the literal character 'S' identifying the following * digits as a SID. * - R is the revision level of the SID expressed as a sequence of digits * either in decimal or hexadecimal (if the later, prefixed by "0x"). * - I is the 48-bit identifier_authority, expressed as digits as R above. * - S... is one or more sub_authority values, expressed as digits as above. * * Example SID; the domain-relative SID of the local Administrators group on * Windows NT/2k: * S-1-5-32-544 * This translates to a SID with: * revision = 1, * sub_authority_count = 2, * identifier_authority = {0,0,0,0,0,5}, // SECURITY_NT_AUTHORITY * sub_authority[0] = 32, // SECURITY_BUILTIN_DOMAIN_RID * sub_authority[1] = 544 // DOMAIN_ALIAS_RID_ADMINS */ struct ntfs_sid { u8 revision; u8 sub_authority_count; union { struct { u16 high_part; u32 low_part; } __packed parts; u8 value[6]; } identifier_authority; __le32 sub_authority[]; } __packed; /* * enum - Predefined ACE types (8-bit) for NTFS security descriptors * * ACCESS_MIN_MS_ACE_TYPE: Minimum MS ACE type (0). * ACCESS_ALLOWED_ACE_TYPE: Allow access (standard ACE). * ACCESS_DENIED_ACE_TYPE: Deny access (standard ACE). * SYSTEM_AUDIT_ACE_TYPE: Audit successful/failed access. * SYSTEM_ALARM_ACE_TYPE: Alarm on access (not in Win2k+). * ACCESS_MAX_MS_V2_ACE_TYPE: Max for V2 ACE types. * ACCESS_ALLOWED_COMPOUND_ACE_TYPE: * Compound ACE (legacy). * ACCESS_MAX_MS_V3_ACE_TYPE: Max for V3 ACE types. * ACCESS_MIN_MS_OBJECT_ACE_TYPE: Min for object ACE types (Win2k+). * ACCESS_ALLOWED_OBJECT_ACE_TYPE: Allow with object-specific rights. * ACCESS_DENIED_OBJECT_ACE_TYPE: Deny with object-specific rights. * SYSTEM_AUDIT_OBJECT_ACE_TYPE: Audit with object-specific rights. * SYSTEM_ALARM_OBJECT_ACE_TYPE: Alarm with object-specific rights. * ACCESS_MAX_MS_OBJECT_ACE_TYPE: Max for object ACE types. * ACCESS_MAX_MS_V4_ACE_TYPE: Max for V4 ACE types. * ACCESS_MAX_MS_ACE_TYPE: Overall max ACE type (WinNT/2k). */ enum { ACCESS_MIN_MS_ACE_TYPE = 0, ACCESS_ALLOWED_ACE_TYPE = 0, ACCESS_DENIED_ACE_TYPE = 1, SYSTEM_AUDIT_ACE_TYPE = 2, SYSTEM_ALARM_ACE_TYPE = 3, ACCESS_MAX_MS_V2_ACE_TYPE = 3, ACCESS_ALLOWED_COMPOUND_ACE_TYPE = 4, ACCESS_MAX_MS_V3_ACE_TYPE = 4, ACCESS_MIN_MS_OBJECT_ACE_TYPE = 5, ACCESS_ALLOWED_OBJECT_ACE_TYPE = 5, ACCESS_DENIED_OBJECT_ACE_TYPE = 6, SYSTEM_AUDIT_OBJECT_ACE_TYPE = 7, SYSTEM_ALARM_OBJECT_ACE_TYPE = 8, ACCESS_MAX_MS_OBJECT_ACE_TYPE = 8, ACCESS_MAX_MS_V4_ACE_TYPE = 8, ACCESS_MAX_MS_ACE_TYPE = 8, } __packed; /* * enum - ACE inheritance and audit flags (8-bit) * * OBJECT_INHERIT_ACE: Object inherit (files inherit this ACE). * CONTAINER_INHERIT_ACE: Container inherit (subdirectories inherit). * NO_PROPAGATE_INHERIT_ACE: No propagation (stop inheritance after this level). * INHERIT_ONLY_ACE: Inherit only (not applied to current object). * INHERITED_ACE: ACE was inherited (Win2k+ only). * VALID_INHERIT_FLAGS: Mask of all valid inheritance flags (0x1f). * SUCCESSFUL_ACCESS_ACE_FLAG: Audit successful access (system audit ACE). * FAILED_ACCESS_ACE_FLAG: Audit failed access (system audit ACE). * * SUCCESSFUL_ACCESS_ACE_FLAG is only used with system audit and alarm ACE * types to indicate that a message is generated (in Windows!) for successful * accesses. * * FAILED_ACCESS_ACE_FLAG is only used with system audit and alarm ACE types * to indicate that a message is generated (in Windows!) for failed accesses. */ enum { OBJECT_INHERIT_ACE = 0x01, CONTAINER_INHERIT_ACE = 0x02, NO_PROPAGATE_INHERIT_ACE = 0x04, INHERIT_ONLY_ACE = 0x08, INHERITED_ACE = 0x10, VALID_INHERIT_FLAGS = 0x1f, SUCCESSFUL_ACCESS_ACE_FLAG = 0x40, FAILED_ACCESS_ACE_FLAG = 0x80, } __packed; /* * enum - NTFS access rights masks (32-bit) * * FILE_READ_DATA / FILE_LIST_DIRECTORY: Read file data / list dir contents. * FILE_WRITE_DATA / FILE_ADD_FILE: Write file data / create file in dir. * FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY: Append data / create subdir. * FILE_READ_EA: Read extended attributes. * FILE_WRITE_EA: Write extended attributes. * FILE_EXECUTE / FILE_TRAVERSE: Execute file / traverse dir. * FILE_DELETE_CHILD: Delete children in dir. * FILE_READ_ATTRIBUTES: Read attributes. * FILE_WRITE_ATTRIBUTES: Write attributes. * * Standard rights (object-independent): * DELETE: Delete object. * READ_CONTROL: Read security descriptor/owner. * WRITE_DAC: Modify DACL. * WRITE_OWNER: Change owner. * SYNCHRONIZE: Wait on object signal state. * * Combinations: * STANDARD_RIGHTS_READ / WRITE / EXECUTE: Aliases for READ_CONTROL. * STANDARD_RIGHTS_REQUIRED: DELETE + READ_CONTROL + * WRITE_DAC + WRITE_OWNER. * STANDARD_RIGHTS_ALL: Above + SYNCHRONIZE. * * System/access types: * ACCESS_SYSTEM_SECURITY: Access system ACL. * MAXIMUM_ALLOWED: Maximum allowed access. * * Generic rights (high bits, map to specific/standard): * GENERIC_ALL: Full access. * GENERIC_EXECUTE: Execute/traverse. * GENERIC_WRITE: Write (append, attrs, data, EA, etc.). * GENERIC_READ: Read (attrs, data, EA, etc.). * * The specific rights (bits 0 to 15). These depend on the type of the object * being secured by the ACE. */ enum { FILE_READ_DATA = cpu_to_le32(0x00000001), FILE_LIST_DIRECTORY = cpu_to_le32(0x00000001), FILE_WRITE_DATA = cpu_to_le32(0x00000002), FILE_ADD_FILE = cpu_to_le32(0x00000002), FILE_APPEND_DATA = cpu_to_le32(0x00000004), FILE_ADD_SUBDIRECTORY = cpu_to_le32(0x00000004), FILE_READ_EA = cpu_to_le32(0x00000008), FILE_WRITE_EA = cpu_to_le32(0x00000010), FILE_EXECUTE = cpu_to_le32(0x00000020), FILE_TRAVERSE = cpu_to_le32(0x00000020), FILE_DELETE_CHILD = cpu_to_le32(0x00000040), FILE_READ_ATTRIBUTES = cpu_to_le32(0x00000080), FILE_WRITE_ATTRIBUTES = cpu_to_le32(0x00000100), DELETE = cpu_to_le32(0x00010000), READ_CONTROL = cpu_to_le32(0x00020000), WRITE_DAC = cpu_to_le32(0x00040000), WRITE_OWNER = cpu_to_le32(0x00080000), SYNCHRONIZE = cpu_to_le32(0x00100000), STANDARD_RIGHTS_READ = cpu_to_le32(0x00020000), STANDARD_RIGHTS_WRITE = cpu_to_le32(0x00020000), STANDARD_RIGHTS_EXECUTE = cpu_to_le32(0x00020000), STANDARD_RIGHTS_REQUIRED = cpu_to_le32(0x000f0000), STANDARD_RIGHTS_ALL = cpu_to_le32(0x001f0000), ACCESS_SYSTEM_SECURITY = cpu_to_le32(0x01000000), MAXIMUM_ALLOWED = cpu_to_le32(0x02000000), GENERIC_ALL = cpu_to_le32(0x10000000), GENERIC_EXECUTE = cpu_to_le32(0x20000000), GENERIC_WRITE = cpu_to_le32(0x40000000), GENERIC_READ = cpu_to_le32(0x80000000), }; /* * struct ntfs_ace - Access Control Entry (ACE) structure * * @type: ACE type (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, etc.). * @flags: Inheritance and audit flags (OBJECT_INHERIT_ACE, etc.). * @size: Total byte size of this ACE (header + SID + variable data). * @mask: Access rights mask (FILE_READ_DATA, DELETE, GENERIC_ALL, etc.). * @sid: Security Identifier (SID) this ACE applies to. */ struct ntfs_ace { u8 type; u8 flags; __le16 size; __le32 mask; struct ntfs_sid sid; } __packed; /* * The object ACE flags (32-bit). */ enum { ACE_OBJECT_TYPE_PRESENT = cpu_to_le32(1), ACE_INHERITED_OBJECT_TYPE_PRESENT = cpu_to_le32(2), }; /* * struct ntfs_acl - NTFS Access Control List (ACL) header * * An ACL is an access-control list (ACL). * An ACL starts with an ACL header structure, which specifies the size of * the ACL and the number of ACEs it contains. The ACL header is followed by * zero or more access control entries (ACEs). The ACL as well as each ACE * are aligned on 4-byte boundaries. * * @revision: ACL revision level (usually 2 or 4). * @alignment1: Padding/alignment byte (zero). * @size: Total allocated size in bytes (header + all ACEs + * free space). * @ace_count: Number of ACE entries following the header. * @alignment2: Padding/alignment (zero). */ struct ntfs_acl { u8 revision; u8 alignment1; __le16 size; __le16 ace_count; __le16 alignment2; } __packed; static_assert(sizeof(struct ntfs_acl) == 8); /* * The security descriptor control flags (16-bit). * * SE_OWNER_DEFAULTED - This boolean flag, when set, indicates that the SID * pointed to by the Owner field was provided by a defaulting mechanism * rather than explicitly provided by the original provider of the * security descriptor. This may affect the treatment of the SID with * respect to inheritance of an owner. * * SE_GROUP_DEFAULTED - This boolean flag, when set, indicates that the SID in * the Group field was provided by a defaulting mechanism rather than * explicitly provided by the original provider of the security * descriptor. This may affect the treatment of the SID with respect to * inheritance of a primary group. * * SE_DACL_PRESENT - This boolean flag, when set, indicates that the security * descriptor contains a discretionary ACL. If this flag is set and the * Dacl field of the SECURITY_DESCRIPTOR is null, then a null ACL is * explicitly being specified. * * SE_DACL_DEFAULTED - This boolean flag, when set, indicates that the ACL * pointed to by the Dacl field was provided by a defaulting mechanism * rather than explicitly provided by the original provider of the * security descriptor. This may affect the treatment of the ACL with * respect to inheritance of an ACL. This flag is ignored if the * DaclPresent flag is not set. * * SE_SACL_PRESENT - This boolean flag, when set, indicates that the security * descriptor contains a system ACL pointed to by the Sacl field. If this * flag is set and the Sacl field of the SECURITY_DESCRIPTOR is null, then * an empty (but present) ACL is being specified. * * SE_SACL_DEFAULTED - This boolean flag, when set, indicates that the ACL * pointed to by the Sacl field was provided by a defaulting mechanism * rather than explicitly provided by the original provider of the * security descriptor. This may affect the treatment of the ACL with * respect to inheritance of an ACL. This flag is ignored if the * SaclPresent flag is not set. * * SE_SELF_RELATIVE - This boolean flag, when set, indicates that the security * descriptor is in self-relative form. In this form, all fields of the * security descriptor are contiguous in memory and all pointer fields are * expressed as offsets from the beginning of the security descriptor. */ enum { SE_OWNER_DEFAULTED = cpu_to_le16(0x0001), SE_GROUP_DEFAULTED = cpu_to_le16(0x0002), SE_DACL_PRESENT = cpu_to_le16(0x0004), SE_DACL_DEFAULTED = cpu_to_le16(0x0008), SE_SACL_PRESENT = cpu_to_le16(0x0010), SE_SACL_DEFAULTED = cpu_to_le16(0x0020), SE_DACL_AUTO_INHERIT_REQ = cpu_to_le16(0x0100), SE_SACL_AUTO_INHERIT_REQ = cpu_to_le16(0x0200), SE_DACL_AUTO_INHERITED = cpu_to_le16(0x0400), SE_SACL_AUTO_INHERITED = cpu_to_le16(0x0800), SE_DACL_PROTECTED = cpu_to_le16(0x1000), SE_SACL_PROTECTED = cpu_to_le16(0x2000), SE_RM_CONTROL_VALID = cpu_to_le16(0x4000), SE_SELF_RELATIVE = cpu_to_le16(0x8000) } __packed; /* * struct security_descriptor_relative - Relative security descriptor * * Self-relative security descriptor. Contains the owner and group SIDs as well * as the sacl and dacl ACLs inside the security descriptor itself. * * @revision: Security descriptor revision (usually 1). * @alignment: Padding/alignment byte (zero). * @control: Control flags (SE_OWNER_DEFAULTED, SE_DACL_PRESENT, * SE_SACL_PRESENT, SE_SACL_AUTO_INHERITED, etc.). * @owner: Byte offset to owner SID (from start of descriptor). * 0 if no owner SID present. * @group: Byte offset to primary group SID. * 0 if no group SID present. * @sacl: Byte offset to System ACL (SACL). * Valid only if SE_SACL_PRESENT in @control. * 0 means NULL SACL. * @dacl: Byte offset to Discretionary ACL (DACL). * Valid only if SE_DACL_PRESENT in @control. * 0 means NULL DACL (full access granted). */ struct security_descriptor_relative { u8 revision; u8 alignment; __le16 control; __le32 owner; __le32 group; __le32 sacl; __le32 dacl; } __packed; static_assert(sizeof(struct security_descriptor_relative) == 20); /* * On NTFS 3.0+, all security descriptors are stored in FILE_Secure. Only one * referenced instance of each unique security descriptor is stored. * * FILE_Secure contains no unnamed data attribute, i.e. it has zero length. It * does, however, contain two indexes ($SDH and $SII) as well as a named data * stream ($SDS). * * Every unique security descriptor is assigned a unique security identifier * (security_id, not to be confused with a SID). The security_id is unique for * the NTFS volume and is used as an index into the $SII index, which maps * security_ids to the security descriptor's storage location within the $SDS * data attribute. The $SII index is sorted by ascending security_id. * * A simple hash is computed from each security descriptor. This hash is used * as an index into the $SDH index, which maps security descriptor hashes to * the security descriptor's storage location within the $SDS data attribute. * The $SDH index is sorted by security descriptor hash and is stored in a B+ * tree. When searching $SDH (with the intent of determining whether or not a * new security descriptor is already present in the $SDS data stream), if a * matching hash is found, but the security descriptors do not match, the * search in the $SDH index is continued, searching for a next matching hash. * * When a precise match is found, the security_id coresponding to the security * descriptor in the $SDS attribute is read from the found $SDH index entry and * is stored in the $STANDARD_INFORMATION attribute of the file/directory to * which the security descriptor is being applied. The $STANDARD_INFORMATION * attribute is present in all base mft records (i.e. in all files and * directories). * * If a match is not found, the security descriptor is assigned a new unique * security_id and is added to the $SDS data attribute. Then, entries * referencing the this security descriptor in the $SDS data attribute are * added to the $SDH and $SII indexes. * * Note: Entries are never deleted from FILE_Secure, even if nothing * references an entry any more. */ /* * struct sii_index_key - Key for $SII index in $Secure file * * The index entry key used in the $SII index. The collation type is * COLLATION_NTOFS_ULONG. * * @security_id: 32-bit security identifier. * Unique ID assigned to a security descriptor. */ struct sii_index_key { __le32 security_id; } __packed; /* * struct sdh_index_key - Key for $SDH index in $Secure file * * The index entry key used in the $SDH index. The keys are sorted first by * hash and then by security_id. The collation rule is * COLLATION_NTOFS_SECURITY_HASH. * * @hash: 32-bit hash of the security descriptor. * Used for quick collision checks and indexing. * @security_id: 32-bit security identifier. * Unique ID assigned to the descriptor. */ struct sdh_index_key { __le32 hash; __le32 security_id; } __packed; /* * enum - NTFS volume flags (16-bit) * * These flags are stored in $VolumeInformation attribute. * They indicate volume state and required actions. * * VOLUME_IS_DIRTY: Volume is dirty (needs chkdsk). * VOLUME_RESIZE_LOG_FILE: Resize LogFile on next mount. * VOLUME_UPGRADE_ON_MOUNT: Upgrade volume on mount (old NTFS). * VOLUME_MOUNTED_ON_NT4: Mounted on NT4 (compatibility flag). * VOLUME_DELETE_USN_UNDERWAY: USN journal deletion in progress. * VOLUME_REPAIR_OBJECT_ID: Repair $ObjId on next mount. * VOLUME_CHKDSK_UNDERWAY: Chkdsk is running. * VOLUME_MODIFIED_BY_CHKDSK: Modified by chkdsk. * VOLUME_FLAGS_MASK: Mask of all valid flags (0xc03f). * VOLUME_MUST_MOUNT_RO_MASK: Flags forcing read-only mount (0xc027). * If any set, mount read-only. */ enum { VOLUME_IS_DIRTY = cpu_to_le16(0x0001), VOLUME_RESIZE_LOG_FILE = cpu_to_le16(0x0002), VOLUME_UPGRADE_ON_MOUNT = cpu_to_le16(0x0004), VOLUME_MOUNTED_ON_NT4 = cpu_to_le16(0x0008), VOLUME_DELETE_USN_UNDERWAY = cpu_to_le16(0x0010), VOLUME_REPAIR_OBJECT_ID = cpu_to_le16(0x0020), VOLUME_CHKDSK_UNDERWAY = cpu_to_le16(0x4000), VOLUME_MODIFIED_BY_CHKDSK = cpu_to_le16(0x8000), VOLUME_FLAGS_MASK = cpu_to_le16(0xc03f), VOLUME_MUST_MOUNT_RO_MASK = cpu_to_le16(0xc027), } __packed; /* * struct volume_information - $VOLUME_INFORMATION (0x70) * * @reserved: Reserved 64-bit field (currently unused). * @major_ver: Major NTFS version number (e.g., 3 for NTFS 3.1). * @minor_ver: Minor NTFS version number (e.g., 1 for NTFS 3.1). * @flags: Volume flags (VOLUME_IS_DIRTY, VOLUME_CHKDSK_UNDERWAY, etc.). * See volume flags enum for details. * * NOTE: Always resident. * NOTE: Present only in FILE_Volume. * NOTE: Windows 2000 uses NTFS 3.0 while Windows NT4 service pack 6a uses * NTFS 1.2. I haven't personally seen other values yet. */ struct volume_information { __le64 reserved; u8 major_ver; u8 minor_ver; __le16 flags; } __packed; /* * enum - Index header flags * * These flags are stored in the index header (INDEX_HEADER.flags) for both * index root ($INDEX_ROOT) and index allocation blocks ($INDEX_ALLOCATION). * * For index root ($INDEX_ROOT attribute): * SMALL_INDEX: Index fits entirely in root attribute (no $INDEX_ALLOCATION). * LARGE_INDEX: Index too large for root; $INDEX_ALLOCATION present. * * For index blocks ($INDEX_ALLOCATION): * LEAF_NODE: Leaf node (no child nodes; contains actual entries). * INDEX_NODE: Internal node (indexes other nodes; contains keys/pointers). * * NODE_MASK: Mask to extract node type bits (0x01). */ enum { SMALL_INDEX = 0, LARGE_INDEX = 1, LEAF_NODE = 0, INDEX_NODE = 1, NODE_MASK = 1, } __packed; /* * struct index_header - Common header for index root and index blocks * * entries_offset: Byte offset to first INDEX_ENTRY (8-byte aligned). * index_length: Bytes used by index entries (8-byte aligned). * From entries_offset to end of used data. * allocated_size: Total allocated bytes for this index block. * Fixed size in index allocation; dynamic in root. * flags: Index flags (SMALL_INDEX, LARGE_INDEX, LEAF_NODE, etc.). * See INDEX_HEADER_FLAGS enum. * reserved: 3 bytes reserved/padding (zero, 8-byte aligned). * * This is the header for indexes, describing the INDEX_ENTRY records, which * follow the index_header. Together the index header and the index entries * make up a complete index. * * IMPORTANT NOTE: The offset, length and size structure members are counted * relative to the start of the index header structure and not relative to the * start of the index root or index allocation structures themselves. * * For the index root attribute, the above two numbers are always * equal, as the attribute is resident and it is resized as needed. In * the case of the index allocation attribute the attribute is not * resident and hence the allocated_size is a fixed value and must * equal the index_block_size specified by the INDEX_ROOT attribute * corresponding to the INDEX_ALLOCATION attribute this INDEX_BLOCK * belongs to. */ struct index_header { __le32 entries_offset; __le32 index_length; __le32 allocated_size; u8 flags; u8 reserved[3]; } __packed; /* * struct index_root - $INDEX_ROOT attribute (0x90). * * @type: Indexed attribute type ($FILE_NAME for dirs, * 0 for view indexes). * @collation_rule: Collation rule for sorting entries * (COLLATION_FILE_NAME for $FILE_NAME). * @index_block_size: Size of each index block in bytes * (in $INDEX_ALLOCATION). * @clusters_per_index_block: * Clusters per index block (or log2(bytes) * if < cluster). * Power of 2; used for encoding block size. * @reserved: 3 bytes reserved/alignment (zero). * @index: Index header for root entries (entries follow * immediately). * * NOTE: Always resident. * * This is followed by a sequence of index entries (INDEX_ENTRY structures) * as described by the index header. * * When a directory is small enough to fit inside the index root then this * is the only attribute describing the directory. When the directory is too * large to fit in the index root, on the other hand, two additional attributes * are present: an index allocation attribute, containing sub-nodes of the B+ * directory tree (see below), and a bitmap attribute, describing which virtual * cluster numbers (vcns) in the index allocation attribute are in use by an * index block. * * NOTE: The root directory (FILE_root) contains an entry for itself. Other * directories do not contain entries for themselves, though. */ struct index_root { __le32 type; __le32 collation_rule; __le32 index_block_size; u8 clusters_per_index_block; u8 reserved[3]; struct index_header index; } __packed; /* * struct index_block - Index allocation (0xa0). * * @magic: Magic value "INDX" (see magic_INDX). * @usa_ofs: Offset to Update Sequence Array (see ntfs_record). * @usa_count: Number of USA entries (see ntfs_record). * @lsn: Log sequence number of last modification. * @index_block_vcn: VCN of this index block. * Units: clusters if cluster_size <= index_block_size; * sectors otherwise. * @index: Index header describing entries in this block. * * When creating the index block, we place the update sequence array at this * offset, i.e. before we start with the index entries. This also makes sense, * otherwise we could run into problems with the update sequence array * containing in itself the last two bytes of a sector which would mean that * multi sector transfer protection wouldn't work. As you can't protect data * by overwriting it since you then can't get it back... * When reading use the data from the ntfs record header. * * NOTE: Always non-resident (doesn't make sense to be resident anyway!). * * This is an array of index blocks. Each index block starts with an * index_block structure containing an index header, followed by a sequence of * index entries (INDEX_ENTRY structures), as described by the struct index_header. */ struct index_block { __le32 magic; __le16 usa_ofs; __le16 usa_count; __le64 lsn; __le64 index_block_vcn; struct index_header index; } __packed; static_assert(sizeof(struct index_block) == 40); /* * struct reparse_index_key - Key for $R reparse index in $Extend/$Reparse * * @reparse_tag: Reparse point type (including flags, REPARSE_TAG_*). * @file_id: MFT record number of the file with $REPARSE_POINT * attribute. * * The system file FILE_Extend/$Reparse contains an index named $R listing * all reparse points on the volume. The index entry keys are as defined * below. Note, that there is no index data associated with the index entries. * * The index entries are sorted by the index key file_id. The collation rule is * COLLATION_NTOFS_ULONGS. */ struct reparse_index_key { __le32 reparse_tag; __le64 file_id; } __packed; /* * enum - Quota entry flags (32-bit) in $Quota/$Q * * These flags are stored in quota control entries ($Quota file). * They control quota tracking, limits, and state. * * User quota flags (mask 0x00000007): * @QUOTA_FLAG_DEFAULT_LIMITS: Use default limits. * @QUOTA_FLAG_LIMIT_REACHED: Quota limit reached. * @QUOTA_FLAG_ID_DELETED: Quota ID deleted. * @QUOTA_FLAG_USER_MASK: Mask for user quota flags (0x00000007). * * Default entry flags (owner_id = QUOTA_DEFAULTS_ID): * @QUOTA_FLAG_TRACKING_ENABLED: Quota tracking enabled. * @QUOTA_FLAG_ENFORCEMENT_ENABLED: Quota enforcement enabled. * @QUOTA_FLAG_TRACKING_REQUESTED: Tracking requested (pending). * @QUOTA_FLAG_LOG_THRESHOLD: Log when threshold reached. * @QUOTA_FLAG_LOG_LIMIT: Log when limit reached. * @QUOTA_FLAG_OUT_OF_DATE: Quota data out of date. * @QUOTA_FLAG_CORRUPT: Quota entry corrupt. * @QUOTA_FLAG_PENDING_DELETES: Pending quota deletes. * */ enum { QUOTA_FLAG_DEFAULT_LIMITS = cpu_to_le32(0x00000001), QUOTA_FLAG_LIMIT_REACHED = cpu_to_le32(0x00000002), QUOTA_FLAG_ID_DELETED = cpu_to_le32(0x00000004), QUOTA_FLAG_USER_MASK = cpu_to_le32(0x00000007), QUOTA_FLAG_TRACKING_ENABLED = cpu_to_le32(0x00000010), QUOTA_FLAG_ENFORCEMENT_ENABLED = cpu_to_le32(0x00000020), QUOTA_FLAG_TRACKING_REQUESTED = cpu_to_le32(0x00000040), QUOTA_FLAG_LOG_THRESHOLD = cpu_to_le32(0x00000080), QUOTA_FLAG_LOG_LIMIT = cpu_to_le32(0x00000100), QUOTA_FLAG_OUT_OF_DATE = cpu_to_le32(0x00000200), QUOTA_FLAG_CORRUPT = cpu_to_le32(0x00000400), QUOTA_FLAG_PENDING_DELETES = cpu_to_le32(0x00000800), }; /* * struct quota_control_entry - Quota entry in $Quota/$Q * * @version: Currently 2. * @flags: Quota flags (QUOTA_FLAG_* bits). * @bytes_used: Current quota usage in bytes. * @change_time: Last modification time (NTFS timestamp). * @threshold: Soft quota limit (-1 = unlimited). * @limit: Hard quota limit (-1 = unlimited). * @exceeded_time: Time soft quota has been exceeded. * @sid: SID of user/object (zero for defaults entry). * * The system file FILE_Extend/$Quota contains two indexes $O and $Q. Quotas * are on a per volume and per user basis. * * The $Q index contains one entry for each existing user_id on the volume. The * index key is the user_id of the user/group owning this quota control entry, * i.e. the key is the owner_id. The user_id of the owner of a file, i.e. the * owner_id, is found in the standard information attribute. The collation rule * for $Q is COLLATION_NTOFS_ULONG. * * The $O index contains one entry for each user/group who has been assigned * a quota on that volume. The index key holds the SID of the user_id the * entry belongs to, i.e. the owner_id. The collation rule for $O is * COLLATION_NTOFS_SID. * * The $O index entry data is the user_id of the user corresponding to the SID. * This user_id is used as an index into $Q to find the quota control entry * associated with the SID. * * The $Q index entry data is the quota control entry and is defined below. */ struct quota_control_entry { __le32 version; __le32 flags; __le64 bytes_used; __le64 change_time; __le64 threshold; __le64 limit; __le64 exceeded_time; struct ntfs_sid sid; } __packed; /* * Predefined owner_id values (32-bit). */ enum { QUOTA_INVALID_ID = cpu_to_le32(0x00000000), QUOTA_DEFAULTS_ID = cpu_to_le32(0x00000001), QUOTA_FIRST_USER_ID = cpu_to_le32(0x00000100), }; /* * Current constants for quota control entries. */ enum { /* Current version. */ QUOTA_VERSION = 2, }; /* * enum - Index entry flags (16-bit) * * These flags are in INDEX_ENTRY.flags (after key data). * They describe entry type and status in index blocks/root. * * @INDEX_ENTRY_NODE: Entry points to a sub-node (index block VCN). * (Not a leaf entry; internal node reference.) * i.e. a reference to an index block in form of * a virtual cluster number * @INDEX_ENTRY_END: Last entry in index block/root. * Does not represent a real file; can point to sub-node. * @INDEX_ENTRY_SPACE_FILLER: * Dummy value to force enum to 16-bit width. */ enum { INDEX_ENTRY_NODE = cpu_to_le16(1), INDEX_ENTRY_END = cpu_to_le16(2), INDEX_ENTRY_SPACE_FILLER = cpu_to_le16(0xffff), } __packed; /* * struct index_entry_header - Common header for all NTFS index entries * * This is the fixed header at the start of every INDEX_ENTRY in index * blocks or index root. It is followed by the variable key, data, and * sub-node VCN. * * Union @data: * - When INDEX_ENTRY_END is not set: * @data.dir.indexed_file: MFT reference of the file described by * this entry. Used in directory indexes ($I30). * - When INDEX_ENTRY_END is set or for view indexes: * @data.vi.data_offset: Byte offset from end of this header to * entry data. * @data.vi.data_length: Length of data in bytes. * @data.vi.reservedV: Reserved (zero). * * @length: Total byte size of this index entry * (multiple of 8 bytes). * @key_length: Byte size of the key (not multiple of 8 bytes). * Key follows the header immediately. * @flags: Bit field of INDEX_ENTRY_* flags (INDEX_ENTRY_NODE, etc.). * @reserved: Reserved/padding (zero; align to 8 bytes). */ struct index_entry_header { union { struct { __le64 indexed_file; } __packed dir; struct { __le16 data_offset; __le16 data_length; __le32 reservedV; } __packed vi; } __packed data; __le16 length; __le16 key_length; __le16 flags; __le16 reserved; } __packed; static_assert(sizeof(struct index_entry_header) == 16); /* * struct index_entry - NTFS index entry structure * * This is an index entry. A sequence of such entries follows each index_header * structure. Together they make up a complete index. The index follows either * an index root attribute or an index allocation attribute. * * Union @data (valid when INDEX_ENTRY_END not set): * @data.dir.indexed_file: MFT ref of file (for directory indexes). * @data.vi.data_offset: Offset to data after key. * @data.vi.data_length: Length of data in bytes. * @data.vi.reservedV: Reserved (zero). * * Fields: * @length: Total byte size of entry (multiple of 8 bytes). * @key_length: Byte size of key (not multiple of 8). * @flags: INDEX_ENTRY_* flags (NODE, END, etc.). * @reserved: Reserved/padding (zero). * * Union @key (valid when INDEX_ENTRY_END not set) * The key of the indexed attribute. NOTE: Only present * if INDEX_ENTRY_END bit in flags is not set. NOTE: On * NTFS versions before 3.0 the only valid key is the * struct file_name_attr. On NTFS 3.0+ the following * additional index keys are defined: * @key.file_name: $FILE_NAME attr (for $I30 directory indexes). * @key.sii: $SII key (for $Secure $SII index). * @key.sdh: $SDH key (for $Secure $SDH index). * @key.object_id: GUID (for $ObjId $O index). * @key.reparse: Reparse tag + file ID (for $Reparse $R). * @key.sid: SID (for $Quota $O index). * @key.owner_id: User ID (for $Quota $Q index). * * The (optional) index data is inserted here when creating. * __le64 vcn; If INDEX_ENTRY_NODE bit in flags is set, the last * eight bytes of this index entry contain the virtual * cluster number of the index block that holds the * entries immediately preceding the current entry (the * vcn references the corresponding cluster in the data * of the non-resident index allocation attribute). If * the key_length is zero, then the vcn immediately * follows the INDEX_ENTRY_HEADER. Regardless of * key_length, the address of the 8-byte boundary * aligned vcn of INDEX_ENTRY{_HEADER} *ie is given by * (char*)ie + le16_to_cpu(ie*)->length) - sizeof(VCN), * where sizeof(VCN) can be hardcoded as 8 if wanted. * * NOTE: Before NTFS 3.0 only filename attributes were indexed. */ struct index_entry { union { struct { __le64 indexed_file; } __packed dir; struct { __le16 data_offset; __le16 data_length; __le32 reservedV; } __packed vi; } __packed data; __le16 length; __le16 key_length; __le16 flags; __le16 reserved; union { struct file_name_attr file_name; struct sii_index_key sii; struct sdh_index_key sdh; struct guid object_id; struct reparse_index_key reparse; struct ntfs_sid sid; __le32 owner_id; } __packed key; } __packed; /* * The reparse point tag defines the type of the reparse point. It also * includes several flags, which further describe the reparse point. * * The reparse point tag is an unsigned 32-bit value divided in three parts: * * 1. The least significant 16 bits (i.e. bits 0 to 15) specify the type of * the reparse point. * 2. The 12 bits after this (i.e. bits 16 to 27) are reserved for future use. * 3. The most significant four bits are flags describing the reparse point. * They are defined as follows: * bit 28: Directory bit. If set, the directory is not a surrogate * and can be used the usual way. * bit 29: Name surrogate bit. If set, the filename is an alias for * another object in the system. * bit 30: High-latency bit. If set, accessing the first byte of data will * be slow. (E.g. the data is stored on a tape drive.) * bit 31: Microsoft bit. If set, the tag is owned by Microsoft. User * defined tags have to use zero here. * 4. Moreover, on Windows 10 : * Some flags may be used in bits 12 to 15 to further describe the * reparse point. */ enum { IO_REPARSE_TAG_DIRECTORY = cpu_to_le32(0x10000000), IO_REPARSE_TAG_IS_ALIAS = cpu_to_le32(0x20000000), IO_REPARSE_TAG_IS_HIGH_LATENCY = cpu_to_le32(0x40000000), IO_REPARSE_TAG_IS_MICROSOFT = cpu_to_le32(0x80000000), IO_REPARSE_TAG_RESERVED_ZERO = cpu_to_le32(0x00000000), IO_REPARSE_TAG_RESERVED_ONE = cpu_to_le32(0x00000001), IO_REPARSE_TAG_RESERVED_RANGE = cpu_to_le32(0x00000001), IO_REPARSE_TAG_CSV = cpu_to_le32(0x80000009), IO_REPARSE_TAG_DEDUP = cpu_to_le32(0x80000013), IO_REPARSE_TAG_DFS = cpu_to_le32(0x8000000A), IO_REPARSE_TAG_DFSR = cpu_to_le32(0x80000012), IO_REPARSE_TAG_HSM = cpu_to_le32(0xC0000004), IO_REPARSE_TAG_HSM2 = cpu_to_le32(0x80000006), IO_REPARSE_TAG_MOUNT_POINT = cpu_to_le32(0xA0000003), IO_REPARSE_TAG_NFS = cpu_to_le32(0x80000014), IO_REPARSE_TAG_SIS = cpu_to_le32(0x80000007), IO_REPARSE_TAG_SYMLINK = cpu_to_le32(0xA000000C), IO_REPARSE_TAG_WIM = cpu_to_le32(0x80000008), IO_REPARSE_TAG_DFM = cpu_to_le32(0x80000016), IO_REPARSE_TAG_WOF = cpu_to_le32(0x80000017), IO_REPARSE_TAG_WCI = cpu_to_le32(0x80000018), IO_REPARSE_TAG_CLOUD = cpu_to_le32(0x9000001A), IO_REPARSE_TAG_APPEXECLINK = cpu_to_le32(0x8000001B), IO_REPARSE_TAG_GVFS = cpu_to_le32(0x9000001C), IO_REPARSE_TAG_LX_SYMLINK = cpu_to_le32(0xA000001D), IO_REPARSE_TAG_AF_UNIX = cpu_to_le32(0x80000023), IO_REPARSE_TAG_LX_FIFO = cpu_to_le32(0x80000024), IO_REPARSE_TAG_LX_CHR = cpu_to_le32(0x80000025), IO_REPARSE_TAG_LX_BLK = cpu_to_le32(0x80000026), IO_REPARSE_TAG_VALID_VALUES = cpu_to_le32(0xf000ffff), IO_REPARSE_PLUGIN_SELECT = cpu_to_le32(0xffff0fff), }; /* * struct reparse_point - $REPARSE_POINT attribute content (0xc0)\ * * @reparse_tag: Reparse point type (with flags; REPARSE_TAG_*). * @reparse_data_length: Byte size of @reparse_data. * @reserved: Reserved/padding (zero; 8-byte alignment). * @reparse_data: Variable reparse data (meaning depends on @reparse_tag). * - Symbolic link/junction: struct reparse_symlink * - Mount point: similar symlink structure * - Other tags: vendor-specific or extended data * * NOTE: Can be resident or non-resident. */ struct reparse_point { __le32 reparse_tag; __le16 reparse_data_length; __le16 reserved; u8 reparse_data[]; } __packed; /* * struct ea_information - $EA_INFORMATION attribute content (0xd0) * * @ea_length: Byte size of packed EAs. * @need_ea_count: Number of EAs with NEED_EA bit set. * @ea_query_length: Byte size needed to unpack/query EAs via ZwQueryEaFile(). * (Unpacked format size.) * * NOTE: Always resident. (Is this true???) */ struct ea_information { __le16 ea_length; __le16 need_ea_count; __le32 ea_query_length; } __packed; /* * enum - Extended attribute flags (8-bit) * * These flags are stored in the EA header of each extended attribute * (in $EA attribute, type 0xe0). * * @NEED_EA: If set, the file cannot be properly interpreted * without understanding its associated EAs. * (Critical EA; applications must process it.) */ enum { NEED_EA = 0x80 } __packed; /* * struct ea_attr - Extended attribute (EA) entry (0xe0) * * @next_entry_offset: Byte offset to the next EA_ATTR entry. * (From start of current entry.) * @flags: EA flags (NEED_EA = 0x80 if critical). * @ea_name_length: Length of @ea_name in bytes (excluding '\0'). * @ea_value_length: Byte size of the EA value. * @ea_name: ASCII name of the EA (zero-terminated). * Value immediately follows the name. * u8 ea_value[]; The value of the EA. Immediately follows the name. * * This is one variable-length record in the $EA attribute value. * The attribute can be resident or non-resident. * Sequence of these entries forms the packed EA list. * * NOTE: Can be resident or non-resident. */ struct ea_attr { __le32 next_entry_offset; u8 flags; u8 ea_name_length; __le16 ea_value_length; u8 ea_name[]; } __packed; #endif /* _LINUX_NTFS_LAYOUT_H */