filesystem_limit/snapshot_limit is incorrectly enforced against root

The filesystem_limit and snapshot_limit properties limit the number of
filesystems or snapshots that can be created below this dataset.
According to the manpage, "The limit is not enforced if the user is
allowed to change the limit."  Two types of users are allowed to change
the limit:

1. Those that have been delegated the `filesystem_limit` or
`snapshot_limit` permission, e.g. with
`zfs allow USER filesystem_limit DATASET`.  This works properly.

2. A user with elevated system privileges (e.g. root).  This does not
work - the root user will incorrectly get an error when trying to create
a snapshot/filesystem, if it exceeds the `_limit` property.

The problem is that `priv_policy_ns()` does not work if the `cred_t` is
not that of the current process.  This happens when
`dsl_enforce_ds_ss_limits()` is called in syncing context (as part of a
sync task's check func) to determine the permissions of the
corresponding user process.

This commit fixes the issue by passing the `task_struct` (typedef'ed as
a `proc_t`) to syncing context, and then using `has_capability()` to
determine if that process is privileged.  Note that we still need to
pass the `cred_t` to syncing context so that we can check if the user
was delegated this permission with `zfs allow`.

This problem only impacts Linux.  Wrappers are added to FreeBSD but it
continues to use `priv_check_cred()`, which works on arbitrary `cred_t`.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Ryan Moeller <ryan@ixsystems.com>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Closes #8226
Closes #10545
This commit is contained in:
Matthew Ahrens 2020-07-11 17:18:02 -07:00 committed by GitHub
parent 217f48373f
commit e59a377a8f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 104 additions and 48 deletions

View File

@ -37,6 +37,7 @@ struct vattr;
int secpolicy_nfs(cred_t *cr);
int secpolicy_zfs(cred_t *crd);
int secpolicy_zfs_proc(cred_t *cr, proc_t *proc);
int secpolicy_sys_config(cred_t *cr, int checkonly);
int secpolicy_zinject(cred_t *cr);
int secpolicy_fs_unmount(cred_t *cr, struct mount *vfsp);

View File

@ -48,6 +48,7 @@ int secpolicy_vnode_setid_retain(const cred_t *, boolean_t);
int secpolicy_vnode_setids_setgids(const cred_t *, gid_t);
int secpolicy_zinject(const cred_t *);
int secpolicy_zfs(const cred_t *);
int secpolicy_zfs_proc(const cred_t *, proc_t *);
void secpolicy_setid_clear(vattr_t *, cred_t *);
int secpolicy_setid_setsticky_clear(struct inode *, vattr_t *,
const vattr_t *, cred_t *);

View File

@ -58,6 +58,7 @@ typedef struct dmu_recv_cookie {
uint64_t drc_ivset_guid;
void *drc_owner;
cred_t *drc_cred;
proc_t *drc_proc;
nvlist_t *drc_begin_nvl;
objset_t *drc_os;

View File

@ -284,6 +284,7 @@ typedef struct dsl_dataset_promote_arg {
uint64_t used, comp, uncomp, unique, cloneusedsnap, originusedsnap;
nvlist_t *err_ds;
cred_t *cr;
proc_t *proc;
} dsl_dataset_promote_arg_t;
typedef struct dsl_dataset_rollback_arg {
@ -298,6 +299,7 @@ typedef struct dsl_dataset_snapshot_arg {
nvlist_t *ddsa_props;
nvlist_t *ddsa_errors;
cred_t *ddsa_cr;
proc_t *ddsa_proc;
} dsl_dataset_snapshot_arg_t;
/*
@ -445,7 +447,7 @@ int dsl_dataset_clone_swap_check_impl(dsl_dataset_t *clone,
void dsl_dataset_clone_swap_sync_impl(dsl_dataset_t *clone,
dsl_dataset_t *origin_head, dmu_tx_t *tx);
int dsl_dataset_snapshot_check_impl(dsl_dataset_t *ds, const char *snapname,
dmu_tx_t *tx, boolean_t recv, uint64_t cnt, cred_t *cr);
dmu_tx_t *tx, boolean_t recv, uint64_t cnt, cred_t *cr, proc_t *proc);
void dsl_dataset_snapshot_sync_impl(dsl_dataset_t *ds, const char *snapname,
dmu_tx_t *tx);

View File

@ -180,11 +180,11 @@ int dsl_dir_set_reservation(const char *ddname, zprop_source_t source,
uint64_t reservation);
int dsl_dir_activate_fs_ss_limit(const char *);
int dsl_fs_ss_limit_check(dsl_dir_t *, uint64_t, zfs_prop_t, dsl_dir_t *,
cred_t *);
cred_t *, proc_t *);
void dsl_fs_ss_count_adjust(dsl_dir_t *, int64_t, const char *, dmu_tx_t *);
int dsl_dir_rename(const char *oldname, const char *newname);
int dsl_dir_transfer_possible(dsl_dir_t *sdd, dsl_dir_t *tdd,
uint64_t fs_cnt, uint64_t ss_cnt, uint64_t space, cred_t *);
uint64_t fs_cnt, uint64_t ss_cnt, uint64_t space, cred_t *, proc_t *);
boolean_t dsl_dir_is_clone(dsl_dir_t *dd);
void dsl_dir_new_refreservation(dsl_dir_t *dd, struct dsl_dataset *ds,
uint64_t reservation, cred_t *cr, dmu_tx_t *tx);

View File

@ -75,6 +75,7 @@ typedef struct zcp_run_info {
* rather than the 'current' thread's.
*/
cred_t *zri_cred;
proc_t *zri_proc;
/*
* The tx in which this channel program is running.

View File

@ -709,6 +709,7 @@ extern int zfs_secpolicy_rename_perms(const char *from, const char *to,
cred_t *cr);
extern int zfs_secpolicy_destroy_perms(const char *name, cred_t *cr);
extern int secpolicy_zfs(const cred_t *cr);
extern int secpolicy_zfs_proc(const cred_t *cr, proc_t *proc);
extern zoneid_t getzoneid(void);
/* SID stuff */

View File

@ -909,6 +909,12 @@ secpolicy_zfs(const cred_t *cr)
return (0);
}
int
secpolicy_zfs_proc(const cred_t *cr, proc_t *proc)
{
return (0);
}
ksiddomain_t *
ksid_lookupdomain(const char *dom)
{

View File

@ -52,6 +52,13 @@ secpolicy_zfs(cred_t *cr)
return (spl_priv_check_cred(cr, PRIV_VFS_MOUNT));
}
int
secpolicy_zfs_proc(cred_t *cr, proc_t *proc)
{
return (spl_priv_check_cred(cr, PRIV_VFS_MOUNT));
}
int
secpolicy_sys_config(cred_t *cr, int checkonly __unused)
{

View File

@ -42,11 +42,9 @@
* all other cases this function must fail and return the passed err.
*/
static int
priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
priv_policy_ns(const cred_t *cr, int capability, int err,
struct user_namespace *ns)
{
ASSERT3S(all, ==, B_FALSE);
if (cr != CRED() && (cr != kcred))
return (err);
@ -61,13 +59,13 @@ priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
}
static int
priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
priv_policy(const cred_t *cr, int capability, int err)
{
return (priv_policy_ns(cr, capability, all, err, NULL));
return (priv_policy_ns(cr, capability, err, NULL));
}
static int
priv_policy_user(const cred_t *cr, int capability, boolean_t all, int err)
priv_policy_user(const cred_t *cr, int capability, int err)
{
/*
* All priv_policy_user checks are preceded by kuid/kgid_has_mapping()
@ -76,9 +74,9 @@ priv_policy_user(const cred_t *cr, int capability, boolean_t all, int err)
* namespace.
*/
#if defined(CONFIG_USER_NS)
return (priv_policy_ns(cr, capability, all, err, cr->user_ns));
return (priv_policy_ns(cr, capability, err, cr->user_ns));
#else
return (priv_policy_ns(cr, capability, all, err, NULL));
return (priv_policy_ns(cr, capability, err, NULL));
#endif
}
@ -89,7 +87,7 @@ priv_policy_user(const cred_t *cr, int capability, boolean_t all, int err)
int
secpolicy_nfs(const cred_t *cr)
{
return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
return (priv_policy(cr, CAP_SYS_ADMIN, EPERM));
}
/*
@ -98,7 +96,7 @@ secpolicy_nfs(const cred_t *cr)
int
secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
{
return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EPERM));
return (priv_policy(cr, CAP_SYS_ADMIN, EPERM));
}
/*
@ -134,10 +132,10 @@ secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
return (EPERM);
#endif
if (priv_policy_user(cr, CAP_DAC_OVERRIDE, B_FALSE, EPERM) == 0)
if (priv_policy_user(cr, CAP_DAC_OVERRIDE, EPERM) == 0)
return (0);
if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, B_FALSE, EPERM) == 0)
if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, EPERM) == 0)
return (0);
return (EPERM);
@ -157,7 +155,7 @@ secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
return (EPERM);
#endif
return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
return (priv_policy_user(cr, CAP_FOWNER, EPERM));
}
/*
@ -166,7 +164,7 @@ secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
int
secpolicy_vnode_create_gid(const cred_t *cr)
{
return (priv_policy(cr, CAP_SETGID, B_FALSE, EPERM));
return (priv_policy(cr, CAP_SETGID, EPERM));
}
/*
@ -176,7 +174,7 @@ secpolicy_vnode_create_gid(const cred_t *cr)
int
secpolicy_vnode_remove(const cred_t *cr)
{
return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
return (priv_policy(cr, CAP_FOWNER, EPERM));
}
/*
@ -194,7 +192,7 @@ secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
return (EPERM);
#endif
return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
return (priv_policy_user(cr, CAP_FOWNER, EPERM));
}
/*
@ -208,7 +206,7 @@ secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
int
secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
{
return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
return (priv_policy_user(cr, CAP_FSETID, EPERM));
}
/*
@ -222,7 +220,7 @@ secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
return (EPERM);
#endif
if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
return (priv_policy_user(cr, CAP_FSETID, EPERM));
return (0);
}
@ -234,7 +232,7 @@ secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
int
secpolicy_zinject(const cred_t *cr)
{
return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
return (priv_policy(cr, CAP_SYS_ADMIN, EACCES));
}
/*
@ -244,7 +242,20 @@ secpolicy_zinject(const cred_t *cr)
int
secpolicy_zfs(const cred_t *cr)
{
return (priv_policy(cr, CAP_SYS_ADMIN, B_FALSE, EACCES));
return (priv_policy(cr, CAP_SYS_ADMIN, EACCES));
}
/*
* Equivalent to secpolicy_zfs(), but works even if the cred_t is not that of
* the current process. Takes both cred_t and proc_t so that this can work
* easily on all platforms.
*/
int
secpolicy_zfs_proc(const cred_t *cr, proc_t *proc)
{
if (!has_capability(proc, CAP_SYS_ADMIN))
return (EACCES);
return (0);
}
void
@ -273,7 +284,7 @@ secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
return (EPERM);
#endif
return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
return (priv_policy_user(cr, CAP_FSETID, EPERM));
}
/*

View File

@ -1096,6 +1096,7 @@ dmu_objset_create_impl(spa_t *spa, dsl_dataset_t *ds, blkptr_t *bp,
typedef struct dmu_objset_create_arg {
const char *doca_name;
cred_t *doca_cred;
proc_t *doca_proc;
void (*doca_userfunc)(objset_t *os, void *arg,
cred_t *cr, dmu_tx_t *tx);
void *doca_userarg;
@ -1140,7 +1141,7 @@ dmu_objset_create_check(void *arg, dmu_tx_t *tx)
}
error = dsl_fs_ss_limit_check(pdd, 1, ZFS_PROP_FILESYSTEM_LIMIT, NULL,
doca->doca_cred);
doca->doca_cred, doca->doca_proc);
if (error != 0) {
dsl_dir_rele(pdd, FTAG);
return (error);
@ -1268,6 +1269,7 @@ dmu_objset_create(const char *name, dmu_objset_type_t type, uint64_t flags,
doca.doca_name = name;
doca.doca_cred = CRED();
doca.doca_proc = curproc;
doca.doca_flags = flags;
doca.doca_userfunc = func;
doca.doca_userarg = arg;
@ -1296,6 +1298,7 @@ typedef struct dmu_objset_clone_arg {
const char *doca_clone;
const char *doca_origin;
cred_t *doca_cred;
proc_t *doca_proc;
} dmu_objset_clone_arg_t;
/*ARGSUSED*/
@ -1324,7 +1327,7 @@ dmu_objset_clone_check(void *arg, dmu_tx_t *tx)
}
error = dsl_fs_ss_limit_check(pdd, 1, ZFS_PROP_FILESYSTEM_LIMIT, NULL,
doca->doca_cred);
doca->doca_cred, doca->doca_proc);
if (error != 0) {
dsl_dir_rele(pdd, FTAG);
return (SET_ERROR(EDQUOT));
@ -1383,6 +1386,7 @@ dmu_objset_clone(const char *clone, const char *origin)
doca.doca_clone = clone;
doca.doca_origin = origin;
doca.doca_cred = CRED();
doca.doca_proc = curproc;
int rv = dsl_sync_task(clone,
dmu_objset_clone_check, dmu_objset_clone_sync, &doca,

View File

@ -126,6 +126,7 @@ typedef struct dmu_recv_begin_arg {
const char *drba_origin;
dmu_recv_cookie_t *drba_cookie;
cred_t *drba_cred;
proc_t *drba_proc;
dsl_crypto_params_t *drba_dcp;
} dmu_recv_begin_arg_t;
@ -398,7 +399,7 @@ recv_begin_check_existing_impl(dmu_recv_begin_arg_t *drba, dsl_dataset_t *ds,
* against that limit.
*/
error = dsl_fs_ss_limit_check(ds->ds_dir, 1, ZFS_PROP_SNAPSHOT_LIMIT,
NULL, drba->drba_cred);
NULL, drba->drba_cred, drba->drba_proc);
if (error != 0)
return (error);
@ -679,14 +680,16 @@ dmu_recv_begin_check(void *arg, dmu_tx_t *tx)
* filesystems and increment those counts during begin_sync).
*/
error = dsl_fs_ss_limit_check(ds->ds_dir, 1,
ZFS_PROP_FILESYSTEM_LIMIT, NULL, drba->drba_cred);
ZFS_PROP_FILESYSTEM_LIMIT, NULL,
drba->drba_cred, drba->drba_proc);
if (error != 0) {
dsl_dataset_rele(ds, FTAG);
return (error);
}
error = dsl_fs_ss_limit_check(ds->ds_dir, 1,
ZFS_PROP_SNAPSHOT_LIMIT, NULL, drba->drba_cred);
ZFS_PROP_SNAPSHOT_LIMIT, NULL,
drba->drba_cred, drba->drba_proc);
if (error != 0) {
dsl_dataset_rele(ds, FTAG);
return (error);
@ -1152,6 +1155,7 @@ dmu_recv_begin(char *tofs, char *tosnap, dmu_replay_record_t *drr_begin,
drc->drc_force = force;
drc->drc_resumable = resumable;
drc->drc_cred = CRED();
drc->drc_proc = curproc;
drc->drc_clone = (origin != NULL);
if (drc->drc_drrb->drr_magic == BSWAP_64(DMU_BACKUP_MAGIC)) {
@ -1199,6 +1203,7 @@ dmu_recv_begin(char *tofs, char *tosnap, dmu_replay_record_t *drr_begin,
drba.drba_origin = origin;
drba.drba_cookie = drc;
drba.drba_cred = CRED();
drba.drba_proc = curproc;
if (drc->drc_featureflags & DMU_BACKUP_FEATURE_RESUMING) {
err = dsl_sync_task(tofs,
@ -3133,7 +3138,8 @@ dmu_recv_end_check(void *arg, dmu_tx_t *tx)
return (error);
}
error = dsl_dataset_snapshot_check_impl(origin_head,
drc->drc_tosnap, tx, B_TRUE, 1, drc->drc_cred);
drc->drc_tosnap, tx, B_TRUE, 1,
drc->drc_cred, drc->drc_proc);
dsl_dataset_rele(origin_head, FTAG);
if (error != 0)
return (error);
@ -3141,7 +3147,8 @@ dmu_recv_end_check(void *arg, dmu_tx_t *tx)
error = dsl_destroy_head_check_impl(drc->drc_ds, 1);
} else {
error = dsl_dataset_snapshot_check_impl(drc->drc_ds,
drc->drc_tosnap, tx, B_TRUE, 1, drc->drc_cred);
drc->drc_tosnap, tx, B_TRUE, 1,
drc->drc_cred, drc->drc_proc);
}
return (error);
}

View File

@ -1465,7 +1465,7 @@ dsl_dataset_snapshot_reserve_space(dsl_dataset_t *ds, dmu_tx_t *tx)
int
dsl_dataset_snapshot_check_impl(dsl_dataset_t *ds, const char *snapname,
dmu_tx_t *tx, boolean_t recv, uint64_t cnt, cred_t *cr)
dmu_tx_t *tx, boolean_t recv, uint64_t cnt, cred_t *cr, proc_t *proc)
{
int error;
uint64_t value;
@ -1510,7 +1510,7 @@ dsl_dataset_snapshot_check_impl(dsl_dataset_t *ds, const char *snapname,
*/
if (cnt != 0 && cr != NULL) {
error = dsl_fs_ss_limit_check(ds->ds_dir, cnt,
ZFS_PROP_SNAPSHOT_LIMIT, NULL, cr);
ZFS_PROP_SNAPSHOT_LIMIT, NULL, cr, proc);
if (error != 0)
return (error);
}
@ -1611,7 +1611,7 @@ dsl_dataset_snapshot_check(void *arg, dmu_tx_t *tx)
if (error == 0) {
error = dsl_fs_ss_limit_check(ds->ds_dir, cnt,
ZFS_PROP_SNAPSHOT_LIMIT, NULL,
ddsa->ddsa_cr);
ddsa->ddsa_cr, ddsa->ddsa_proc);
dsl_dataset_rele(ds, FTAG);
}
@ -1649,7 +1649,7 @@ dsl_dataset_snapshot_check(void *arg, dmu_tx_t *tx)
if (error == 0) {
/* passing 0/NULL skips dsl_fs_ss_limit_check */
error = dsl_dataset_snapshot_check_impl(ds,
atp + 1, tx, B_FALSE, 0, NULL);
atp + 1, tx, B_FALSE, 0, NULL, NULL);
dsl_dataset_rele(ds, FTAG);
}
@ -1927,6 +1927,7 @@ dsl_dataset_snapshot(nvlist_t *snaps, nvlist_t *props, nvlist_t *errors)
ddsa.ddsa_props = props;
ddsa.ddsa_errors = errors;
ddsa.ddsa_cr = CRED();
ddsa.ddsa_proc = curproc;
if (error == 0) {
error = dsl_sync_task(firstname, dsl_dataset_snapshot_check,
@ -1974,7 +1975,7 @@ dsl_dataset_snapshot_tmp_check(void *arg, dmu_tx_t *tx)
/* NULL cred means no limit check for tmp snapshot */
error = dsl_dataset_snapshot_check_impl(ds, ddsta->ddsta_snapname,
tx, B_FALSE, 0, NULL);
tx, B_FALSE, 0, NULL, NULL);
if (error != 0) {
dsl_dataset_rele(ds, FTAG);
return (error);
@ -3477,7 +3478,7 @@ dsl_dataset_promote_check(void *arg, dmu_tx_t *tx)
/* Check that there is enough space and limit headroom here */
err = dsl_dir_transfer_possible(origin_ds->ds_dir, hds->ds_dir,
0, ss_mv_cnt, ddpa->used, ddpa->cr);
0, ss_mv_cnt, ddpa->used, ddpa->cr, ddpa->proc);
if (err != 0)
goto out;
@ -3904,6 +3905,7 @@ dsl_dataset_promote(const char *name, char *conflsnap)
ddpa.ddpa_clonename = name;
ddpa.err_ds = fnvlist_alloc();
ddpa.cr = CRED();
ddpa.proc = curproc;
error = dsl_sync_task(name, dsl_dataset_promote_check,
dsl_dataset_promote_sync, &ddpa,

View File

@ -749,7 +749,8 @@ typedef enum {
} enforce_res_t;
static enforce_res_t
dsl_enforce_ds_ss_limits(dsl_dir_t *dd, zfs_prop_t prop, cred_t *cr)
dsl_enforce_ds_ss_limits(dsl_dir_t *dd, zfs_prop_t prop,
cred_t *cr, proc_t *proc)
{
enforce_res_t enforce = ENFORCE_ALWAYS;
uint64_t obj;
@ -764,7 +765,13 @@ dsl_enforce_ds_ss_limits(dsl_dir_t *dd, zfs_prop_t prop, cred_t *cr)
if (crgetzoneid(cr) != GLOBAL_ZONEID)
return (ENFORCE_ALWAYS);
if (secpolicy_zfs(cr) == 0)
/*
* We are checking the saved credentials of the user process, which is
* not the current process. Note that we can't use secpolicy_zfs(),
* because it only works if the cred is that of the current process (on
* Linux).
*/
if (secpolicy_zfs_proc(cr, proc) == 0)
return (ENFORCE_NEVER);
#endif
@ -799,7 +806,7 @@ dsl_enforce_ds_ss_limits(dsl_dir_t *dd, zfs_prop_t prop, cred_t *cr)
*/
int
dsl_fs_ss_limit_check(dsl_dir_t *dd, uint64_t delta, zfs_prop_t prop,
dsl_dir_t *ancestor, cred_t *cr)
dsl_dir_t *ancestor, cred_t *cr, proc_t *proc)
{
objset_t *os = dd->dd_pool->dp_meta_objset;
uint64_t limit, count;
@ -819,7 +826,7 @@ dsl_fs_ss_limit_check(dsl_dir_t *dd, uint64_t delta, zfs_prop_t prop,
* are allowed to change the limit on the current dataset, but there
* is another limit in the tree above.
*/
enforce = dsl_enforce_ds_ss_limits(dd, prop, cr);
enforce = dsl_enforce_ds_ss_limits(dd, prop, cr, proc);
if (enforce == ENFORCE_NEVER)
return (0);
@ -871,7 +878,7 @@ dsl_fs_ss_limit_check(dsl_dir_t *dd, uint64_t delta, zfs_prop_t prop,
if (dd->dd_parent != NULL)
err = dsl_fs_ss_limit_check(dd->dd_parent, delta, prop,
ancestor, cr);
ancestor, cr, proc);
return (err);
}
@ -1840,6 +1847,7 @@ typedef struct dsl_dir_rename_arg {
const char *ddra_oldname;
const char *ddra_newname;
cred_t *ddra_cred;
proc_t *ddra_proc;
} dsl_dir_rename_arg_t;
typedef struct dsl_valid_rename_arg {
@ -2018,7 +2026,8 @@ dsl_dir_rename_check(void *arg, dmu_tx_t *tx)
}
error = dsl_dir_transfer_possible(dd->dd_parent,
newparent, fs_cnt, ss_cnt, myspace, ddra->ddra_cred);
newparent, fs_cnt, ss_cnt, myspace,
ddra->ddra_cred, ddra->ddra_proc);
if (error != 0) {
dsl_dir_rele(newparent, FTAG);
dsl_dir_rele(dd, FTAG);
@ -2138,6 +2147,7 @@ dsl_dir_rename(const char *oldname, const char *newname)
ddra.ddra_oldname = oldname;
ddra.ddra_newname = newname;
ddra.ddra_cred = CRED();
ddra.ddra_proc = curproc;
return (dsl_sync_task(oldname,
dsl_dir_rename_check, dsl_dir_rename_sync, &ddra,
@ -2146,7 +2156,8 @@ dsl_dir_rename(const char *oldname, const char *newname)
int
dsl_dir_transfer_possible(dsl_dir_t *sdd, dsl_dir_t *tdd,
uint64_t fs_cnt, uint64_t ss_cnt, uint64_t space, cred_t *cr)
uint64_t fs_cnt, uint64_t ss_cnt, uint64_t space,
cred_t *cr, proc_t *proc)
{
dsl_dir_t *ancestor;
int64_t adelta;
@ -2160,11 +2171,11 @@ dsl_dir_transfer_possible(dsl_dir_t *sdd, dsl_dir_t *tdd,
return (SET_ERROR(ENOSPC));
err = dsl_fs_ss_limit_check(tdd, fs_cnt, ZFS_PROP_FILESYSTEM_LIMIT,
ancestor, cr);
ancestor, cr, proc);
if (err != 0)
return (err);
err = dsl_fs_ss_limit_check(tdd, ss_cnt, ZFS_PROP_SNAPSHOT_LIMIT,
ancestor, cr);
ancestor, cr, proc);
if (err != 0)
return (err);

View File

@ -1150,6 +1150,7 @@ zcp_eval(const char *poolname, const char *program, boolean_t sync,
runinfo.zri_outnvl = outnvl;
runinfo.zri_result = 0;
runinfo.zri_cred = CRED();
runinfo.zri_proc = curproc;
runinfo.zri_timed_out = B_FALSE;
runinfo.zri_canceled = B_FALSE;
runinfo.zri_sync = sync;

View File

@ -186,6 +186,7 @@ zcp_synctask_promote(lua_State *state, boolean_t sync, nvlist_t *err_details)
ddpa.ddpa_clonename = dsname;
ddpa.err_ds = err_details;
ddpa.cr = ri->zri_cred;
ddpa.proc = ri->zri_proc;
/*
* If there was a snapshot name conflict, then err_ds will be filled
@ -269,6 +270,7 @@ zcp_synctask_snapshot(lua_State *state, boolean_t sync, nvlist_t *err_details)
ddsa.ddsa_errors = NULL;
ddsa.ddsa_props = NULL;
ddsa.ddsa_cr = ri->zri_cred;
ddsa.ddsa_proc = ri->zri_proc;
ddsa.ddsa_snaps = fnvlist_alloc();
fnvlist_add_boolean(ddsa.ddsa_snaps, dsname);

View File

@ -171,8 +171,6 @@ elif sys.platform.startswith('linux'):
'casenorm/mixed_formd_delete': ['FAIL', '7633'],
'casenorm/sensitive_formd_lookup': ['FAIL', '7633'],
'casenorm/sensitive_formd_delete': ['FAIL', '7633'],
'limits/filesystem_limit': ['FAIL', '8226'],
'limits/snapshot_limit': ['FAIL', '8226'],
'removal/removal_with_zdb': ['SKIP', known_reason],
})