mirror of
https://git.proxmox.com/git/mirror_zfs.git
synced 2025-05-23 23:14:59 +03:00
c8fa39b46c
### Background Various admin operations will be invoked by some userspace task, but the work will be done on a separate kernel thread at a later time. Snapshots are an example, which are triggered through zfs_ioc_snapshot() -> dsl_dataset_snapshot(), but the actual work is from a task dispatched to dp_sync_taskq. Many such tasks end up in dsl_enforce_ds_ss_limits(), where various limits and permissions are enforced. Among other things, it is necessary to ensure that the invoking task (that is, the user) has permission to do things. We can't simply check if the running task has permission; it is a privileged kernel thread, which can do anything. However, in the general case it's not safe to simply query the task for its permissions at the check time, as the task may not exist any more, or its permissions may have changed since it was first invoked. So instead, we capture the permissions by saving CRED() in the user task, and then using it for the check through the secpolicy_* functions. ### Current implementation The current code calls CRED() to get the credential, which gets a pointer to the cred_t inside the current task and passes it to the worker task. However, it doesn't take a reference to the cred_t, and so expects that it won't change, and that the task continues to exist. In practice that is always the case, because we don't let the calling task return from the kernel until the work is done. For Linux, we also take a reference to the current task, because the Linux credential APIs for the most part do not check an arbitrary credential, but rather, query what a task can do. See secpolicy_zfs_proc(). Again, we don't take a reference on the task, just a pointer to it. ### Changes We change to calling crhold() on the task credential, and crfree() when we're done with it. This ensures it stays alive and unchanged for the duration of the call. On the Linux side, we change the main policy checking function priv_policy_ns() to use override_creds()/revert_creds() if necessary to make the provided credential active in the current task, allowing the standard task-permission APIs to do the needed check. Since the task pointer is no longer required, this lets us entirely remove secpolicy_zfs_proc() and the need to carry a task pointer around as well. Sponsored-by: https://despairlabs.com/sponsor/ Signed-off-by: Rob Norris <robn@despairlabs.com> Reviewed-by: Pavel Snajdr <snajpa@snajpa.net> Reviewed-by: Alexander Motin <mav@FreeBSD.org> Reviewed-by: Kyle Evans <kevans@FreeBSD.org> Reviewed-by: Tony Hutter <hutter2@llnl.gov>
90 lines
2.8 KiB
C
90 lines
2.8 KiB
C
// SPDX-License-Identifier: CDDL-1.0
|
|
/*
|
|
* CDDL HEADER START
|
|
*
|
|
* The contents of this file are subject to the terms of the
|
|
* Common Development and Distribution License (the "License").
|
|
* You may not use this file except in compliance with the License.
|
|
*
|
|
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
|
|
* or https://opensource.org/licenses/CDDL-1.0.
|
|
* See the License for the specific language governing permissions
|
|
* and limitations under the License.
|
|
*
|
|
* When distributing Covered Code, include this CDDL HEADER in each
|
|
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
|
* If applicable, add the following below this CDDL HEADER, with the
|
|
* fields enclosed by brackets "[]" replaced with your own identifying
|
|
* information: Portions Copyright [yyyy] [name of copyright owner]
|
|
*
|
|
* CDDL HEADER END
|
|
*/
|
|
|
|
/*
|
|
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
|
|
* Copyright (c) 2012, 2020 by Delphix. All rights reserved.
|
|
* Copyright 2011 Nexenta Systems, Inc. All rights reserved.
|
|
* Copyright (c) 2013, Joyent, Inc. All rights reserved.
|
|
* Copyright (c) 2019 Datto Inc.
|
|
*/
|
|
|
|
#ifndef _DMU_RECV_H
|
|
#define _DMU_RECV_H
|
|
|
|
#include <sys/inttypes.h>
|
|
#include <sys/dsl_bookmark.h>
|
|
#include <sys/dsl_dataset.h>
|
|
#include <sys/spa.h>
|
|
#include <sys/objlist.h>
|
|
|
|
extern const char *const recv_clone_name;
|
|
|
|
typedef struct dmu_recv_cookie {
|
|
struct dsl_dataset *drc_ds;
|
|
struct dmu_replay_record *drc_drr_begin;
|
|
struct drr_begin *drc_drrb;
|
|
const char *drc_tofs;
|
|
const char *drc_tosnap;
|
|
boolean_t drc_newfs;
|
|
boolean_t drc_byteswap;
|
|
uint64_t drc_featureflags;
|
|
boolean_t drc_force;
|
|
boolean_t drc_heal;
|
|
boolean_t drc_resumable;
|
|
boolean_t drc_should_save;
|
|
boolean_t drc_raw;
|
|
boolean_t drc_clone;
|
|
boolean_t drc_spill;
|
|
nvlist_t *drc_keynvl;
|
|
uint64_t drc_fromsnapobj;
|
|
uint64_t drc_ivset_guid;
|
|
void *drc_owner;
|
|
cred_t *drc_cred;
|
|
nvlist_t *drc_begin_nvl;
|
|
|
|
objset_t *drc_os;
|
|
zfs_file_t *drc_fp; /* The file to read the stream from */
|
|
uint64_t drc_voff; /* The current offset in the stream */
|
|
uint64_t drc_bytes_read;
|
|
/*
|
|
* A record that has had its payload read in, but hasn't yet been handed
|
|
* off to the worker thread.
|
|
*/
|
|
struct receive_record_arg *drc_rrd;
|
|
/* A record that has had its header read in, but not its payload. */
|
|
struct receive_record_arg *drc_next_rrd;
|
|
zio_cksum_t drc_cksum;
|
|
zio_cksum_t drc_prev_cksum;
|
|
/* Sorted list of objects not to issue prefetches for. */
|
|
objlist_t *drc_ignore_objlist;
|
|
} dmu_recv_cookie_t;
|
|
|
|
int dmu_recv_begin(const char *, const char *, dmu_replay_record_t *,
|
|
boolean_t, boolean_t, boolean_t, nvlist_t *, nvlist_t *, const char *,
|
|
dmu_recv_cookie_t *, zfs_file_t *, offset_t *);
|
|
int dmu_recv_stream(dmu_recv_cookie_t *, offset_t *);
|
|
int dmu_recv_end(dmu_recv_cookie_t *, void *);
|
|
boolean_t dmu_objset_is_receiving(objset_t *);
|
|
|
|
#endif /* _DMU_RECV_H */
|