5056 ZFS deadlock on db_mtx and dn_holds
Reviewed by: Will Andrews <willa@spectralogic.com>
Reviewed by: Matt Ahrens <mahrens@delphix.com>
Reviewed by: George Wilson <george.wilson@delphix.com>
Approved by: Dan McDonald <danmcd@omniti.com>

          --- old/usr/src/uts/common/fs/zfs/dsl_deleg.c
          +++ new/usr/src/uts/common/fs/zfs/dsl_deleg.c

   1    1  /*
   2    2   * CDDL HEADER START
   3    3   *
   4    4   * The contents of this file are subject to the terms of the
   5    5   * Common Development and Distribution License (the "License").
   6    6   * You may not use this file except in compliance with the License.
   7    7   *
   8    8   * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9    9   * or http://www.opensolaris.org/os/licensing.
  10   10   * See the License for the specific language governing permissions
  11   11   * and limitations under the License.
  12   12   *
  13   13   * When distributing Covered Code, include this CDDL HEADER in each
  14   14   * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15   15   * If applicable, add the following below this CDDL HEADER, with the
  16   16   * fields enclosed by brackets "[]" replaced with your own identifying
  17   17   * information: Portions Copyright [yyyy] [name of copyright owner]
  18   18   *
  19   19   * CDDL HEADER END
  20   20   */
  21   21  /*
  22   22   * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  23   23   * Copyright (c) 2011, 2014 by Delphix. All rights reserved.
  24   24   */
  25   25  
  26   26  /*
  27   27   * DSL permissions are stored in a two level zap attribute
  28   28   * mechanism.   The first level identifies the "class" of
  29   29   * entry.  The class is identified by the first 2 letters of
  30   30   * the attribute.  The second letter "l" or "d" identifies whether
  31   31   * it is a local or descendent permission.  The first letter
  32   32   * identifies the type of entry.
  33   33   *
  34   34   * ul$<id>    identifies permissions granted locally for this userid.
  35   35   * ud$<id>    identifies permissions granted on descendent datasets for
  36   36   *            this userid.
  37   37   * Ul$<id>    identifies permission sets granted locally for this userid.
  38   38   * Ud$<id>    identifies permission sets granted on descendent datasets for
  39   39   *            this userid.
  40   40   * gl$<id>    identifies permissions granted locally for this groupid.
  41   41   * gd$<id>    identifies permissions granted on descendent datasets for
  42   42   *            this groupid.
  43   43   * Gl$<id>    identifies permission sets granted locally for this groupid.
  44   44   * Gd$<id>    identifies permission sets granted on descendent datasets for
  45   45   *            this groupid.
  46   46   * el$        identifies permissions granted locally for everyone.
  47   47   * ed$        identifies permissions granted on descendent datasets
  48   48   *            for everyone.
  49   49   * El$        identifies permission sets granted locally for everyone.
  50   50   * Ed$        identifies permission sets granted to descendent datasets for
  51   51   *            everyone.
  52   52   * c-$        identifies permission to create at dataset creation time.
  53   53   * C-$        identifies permission sets to grant locally at dataset creation
  54   54   *            time.
  55   55   * s-$@<name> permissions defined in specified set @<name>
  56   56   * S-$@<name> Sets defined in named set @<name>
  57   57   *
  58   58   * Each of the above entities points to another zap attribute that contains one
  59   59   * attribute for each allowed permission, such as create, destroy,...
  60   60   * All of the "upper" case class types will specify permission set names
  61   61   * rather than permissions.
  62   62   *
  63   63   * Basically it looks something like this:
  64   64   * ul$12 -> ZAP OBJ -> permissions...
  65   65   *
  66   66   * The ZAP OBJ is referred to as the jump object.
  67   67   */
  68   68  
  69   69  #include <sys/dmu.h>
  70   70  #include <sys/dmu_objset.h>
  71   71  #include <sys/dmu_tx.h>
  72   72  #include <sys/dsl_dataset.h>
  73   73  #include <sys/dsl_dir.h>
  74   74  #include <sys/dsl_prop.h>
  75   75  #include <sys/dsl_synctask.h>
  76   76  #include <sys/dsl_deleg.h>
  77   77  #include <sys/spa.h>
  78   78  #include <sys/zap.h>
  79   79  #include <sys/fs/zfs.h>
  80   80  #include <sys/cred.h>
  81   81  #include <sys/sunddi.h>
  82   82  
  83   83  #include "zfs_deleg.h"
  84   84  
  85   85  /*
  86   86   * Validate that user is allowed to delegate specified permissions.
  87   87   *
  88   88   * In order to delegate "create" you must have "create"
  89   89   * and "allow".
  90   90   */
  91   91  int
  92   92  dsl_deleg_can_allow(char *ddname, nvlist_t *nvp, cred_t *cr)
  93   93  {
  94   94          nvpair_t *whopair = NULL;
  95   95          int error;
  96   96  
  97   97          if ((error = dsl_deleg_access(ddname, ZFS_DELEG_PERM_ALLOW, cr)) != 0)
  98   98                  return (error);
  99   99  
 100  100          while (whopair = nvlist_next_nvpair(nvp, whopair)) {
 101  101                  nvlist_t *perms;
 102  102                  nvpair_t *permpair = NULL;
 103  103  
 104  104                  VERIFY(nvpair_value_nvlist(whopair, &perms) == 0);
 105  105  
 106  106                  while (permpair = nvlist_next_nvpair(perms, permpair)) {
 107  107                          const char *perm = nvpair_name(permpair);
 108  108  
 109  109                          if (strcmp(perm, ZFS_DELEG_PERM_ALLOW) == 0)
 110  110                                  return (SET_ERROR(EPERM));
 111  111  
 112  112                          if ((error = dsl_deleg_access(ddname, perm, cr)) != 0)
 113  113                                  return (error);
 114  114                  }
 115  115          }
 116  116          return (0);
 117  117  }
 118  118  
 119  119  /*
 120  120   * Validate that user is allowed to unallow specified permissions.  They
 121  121   * must have the 'allow' permission, and even then can only unallow
 122  122   * perms for their uid.
 123  123   */
 124  124  int
 125  125  dsl_deleg_can_unallow(char *ddname, nvlist_t *nvp, cred_t *cr)
 126  126  {
 127  127          nvpair_t *whopair = NULL;
 128  128          int error;
 129  129          char idstr[32];
 130  130  
 131  131          if ((error = dsl_deleg_access(ddname, ZFS_DELEG_PERM_ALLOW, cr)) != 0)
 132  132                  return (error);
 133  133  
 134  134          (void) snprintf(idstr, sizeof (idstr), "%lld",
 135  135              (longlong_t)crgetuid(cr));
 136  136  
 137  137          while (whopair = nvlist_next_nvpair(nvp, whopair)) {
 138  138                  zfs_deleg_who_type_t type = nvpair_name(whopair)[0];
 139  139  
 140  140                  if (type != ZFS_DELEG_USER &&
 141  141                      type != ZFS_DELEG_USER_SETS)
 142  142                          return (SET_ERROR(EPERM));
 143  143  
 144  144                  if (strcmp(idstr, &nvpair_name(whopair)[3]) != 0)
 145  145                          return (SET_ERROR(EPERM));
 146  146          }
 147  147          return (0);
 148  148  }
 149  149  
 150  150  typedef struct dsl_deleg_arg {
 151  151          const char *dda_name;
 152  152          nvlist_t *dda_nvlist;
 153  153  } dsl_deleg_arg_t;
 154  154  
 155  155  static void
 156  156  dsl_deleg_set_sync(void *arg, dmu_tx_t *tx)
 157  157  {
 158  158          dsl_deleg_arg_t *dda = arg;
 159  159          dsl_dir_t *dd;
 160  160          dsl_pool_t *dp = dmu_tx_pool(tx);
 161  161          objset_t *mos = dp->dp_meta_objset;
 162  162          nvpair_t *whopair = NULL;
 163  163          uint64_t zapobj;
 164  164  
 165  165          VERIFY0(dsl_dir_hold(dp, dda->dda_name, FTAG, &dd, NULL));
 166  166  
 167  167          zapobj = dsl_dir_phys(dd)->dd_deleg_zapobj;
 168  168          if (zapobj == 0) {
 169  169                  dmu_buf_will_dirty(dd->dd_dbuf, tx);
 170  170                  zapobj = dsl_dir_phys(dd)->dd_deleg_zapobj = zap_create(mos,
 171  171                      DMU_OT_DSL_PERMS, DMU_OT_NONE, 0, tx);
 172  172          }
 173  173  
 174  174          while (whopair = nvlist_next_nvpair(dda->dda_nvlist, whopair)) {
 175  175                  const char *whokey = nvpair_name(whopair);
 176  176                  nvlist_t *perms;
 177  177                  nvpair_t *permpair = NULL;
 178  178                  uint64_t jumpobj;
 179  179  
 180  180                  perms = fnvpair_value_nvlist(whopair);
 181  181  
 182  182                  if (zap_lookup(mos, zapobj, whokey, 8, 1, &jumpobj) != 0) {
 183  183                          jumpobj = zap_create_link(mos, DMU_OT_DSL_PERMS,
 184  184                              zapobj, whokey, tx);
 185  185                  }
 186  186  
 187  187                  while (permpair = nvlist_next_nvpair(perms, permpair)) {
 188  188                          const char *perm = nvpair_name(permpair);
 189  189                          uint64_t n = 0;
 190  190  
 191  191                          VERIFY(zap_update(mos, jumpobj,
 192  192                              perm, 8, 1, &n, tx) == 0);
 193  193                          spa_history_log_internal_dd(dd, "permission update", tx,
 194  194                              "%s %s", whokey, perm);
 195  195                  }
 196  196          }
 197  197          dsl_dir_rele(dd, FTAG);
 198  198  }
 199  199  
 200  200  static void
 201  201  dsl_deleg_unset_sync(void *arg, dmu_tx_t *tx)
 202  202  {
 203  203          dsl_deleg_arg_t *dda = arg;
 204  204          dsl_dir_t *dd;
 205  205          dsl_pool_t *dp = dmu_tx_pool(tx);
 206  206          objset_t *mos = dp->dp_meta_objset;
 207  207          nvpair_t *whopair = NULL;
 208  208          uint64_t zapobj;
 209  209  
 210  210          VERIFY0(dsl_dir_hold(dp, dda->dda_name, FTAG, &dd, NULL));
 211  211          zapobj = dsl_dir_phys(dd)->dd_deleg_zapobj;
 212  212          if (zapobj == 0) {
 213  213                  dsl_dir_rele(dd, FTAG);
 214  214                  return;
 215  215          }
 216  216  
 217  217          while (whopair = nvlist_next_nvpair(dda->dda_nvlist, whopair)) {
 218  218                  const char *whokey = nvpair_name(whopair);
 219  219                  nvlist_t *perms;
 220  220                  nvpair_t *permpair = NULL;
 221  221                  uint64_t jumpobj;
 222  222  
 223  223                  if (nvpair_value_nvlist(whopair, &perms) != 0) {
 224  224                          if (zap_lookup(mos, zapobj, whokey, 8,
 225  225                              1, &jumpobj) == 0) {
 226  226                                  (void) zap_remove(mos, zapobj, whokey, tx);
 227  227                                  VERIFY(0 == zap_destroy(mos, jumpobj, tx));
 228  228                          }
 229  229                          spa_history_log_internal_dd(dd, "permission who remove",
 230  230                              tx, "%s", whokey);
 231  231                          continue;
 232  232                  }
 233  233  
 234  234                  if (zap_lookup(mos, zapobj, whokey, 8, 1, &jumpobj) != 0)
 235  235                          continue;
 236  236  
 237  237                  while (permpair = nvlist_next_nvpair(perms, permpair)) {
 238  238                          const char *perm = nvpair_name(permpair);
 239  239                          uint64_t n = 0;
 240  240  
 241  241                          (void) zap_remove(mos, jumpobj, perm, tx);
 242  242                          if (zap_count(mos, jumpobj, &n) == 0 && n == 0) {
 243  243                                  (void) zap_remove(mos, zapobj,
 244  244                                      whokey, tx);
 245  245                                  VERIFY(0 == zap_destroy(mos,
 246  246                                      jumpobj, tx));
 247  247                          }
 248  248                          spa_history_log_internal_dd(dd, "permission remove", tx,
 249  249                              "%s %s", whokey, perm);
 250  250                  }
 251  251          }
 252  252          dsl_dir_rele(dd, FTAG);
 253  253  }
 254  254  
 255  255  static int
 256  256  dsl_deleg_check(void *arg, dmu_tx_t *tx)
 257  257  {
 258  258          dsl_deleg_arg_t *dda = arg;
 259  259          dsl_dir_t *dd;
 260  260          int error;
 261  261  
 262  262          if (spa_version(dmu_tx_pool(tx)->dp_spa) <
 263  263              SPA_VERSION_DELEGATED_PERMS) {
 264  264                  return (SET_ERROR(ENOTSUP));
 265  265          }
 266  266  
 267  267          error = dsl_dir_hold(dmu_tx_pool(tx), dda->dda_name, FTAG, &dd, NULL);
 268  268          if (error == 0)
 269  269                  dsl_dir_rele(dd, FTAG);
 270  270          return (error);
 271  271  }
 272  272  
 273  273  int
 274  274  dsl_deleg_set(const char *ddname, nvlist_t *nvp, boolean_t unset)
 275  275  {
 276  276          dsl_deleg_arg_t dda;
 277  277  
 278  278          /* nvp must already have been verified to be valid */
 279  279  
 280  280          dda.dda_name = ddname;
 281  281          dda.dda_nvlist = nvp;
 282  282  
 283  283          return (dsl_sync_task(ddname, dsl_deleg_check,
 284  284              unset ? dsl_deleg_unset_sync : dsl_deleg_set_sync,
 285  285              &dda, fnvlist_num_pairs(nvp), ZFS_SPACE_CHECK_RESERVED));
 286  286  }
 287  287  
 288  288  /*
 289  289   * Find all 'allow' permissions from a given point and then continue
 290  290   * traversing up to the root.
 291  291   *
 292  292   * This function constructs an nvlist of nvlists.
 293  293   * each setpoint is an nvlist composed of an nvlist of an nvlist
 294  294   * of the individual * users/groups/everyone/create
 295  295   * permissions.
 296  296   *
 297  297   * The nvlist will look like this.
 298  298   *
 299  299   * { source fsname -> { whokeys { permissions,...}, ...}}
 300  300   *
 301  301   * The fsname nvpairs will be arranged in a bottom up order.  For example,
 302  302   * if we have the following structure a/b/c then the nvpairs for the fsnames
 303  303   * will be ordered a/b/c, a/b, a.
 304  304   */
 305  305  int
 306  306  dsl_deleg_get(const char *ddname, nvlist_t **nvp)
 307  307  {
 308  308          dsl_dir_t *dd, *startdd;
 309  309          dsl_pool_t *dp;
 310  310          int error;
 311  311          objset_t *mos;
 312  312  
 313  313          error = dsl_pool_hold(ddname, FTAG, &dp);
 314  314          if (error != 0)
 315  315                  return (error);
 316  316  
 317  317          error = dsl_dir_hold(dp, ddname, FTAG, &startdd, NULL);
 318  318          if (error != 0) {
 319  319                  dsl_pool_rele(dp, FTAG);
 320  320                  return (error);
 321  321          }
 322  322  
 323  323          dp = startdd->dd_pool;
 324  324          mos = dp->dp_meta_objset;
 325  325  
 326  326          VERIFY(nvlist_alloc(nvp, NV_UNIQUE_NAME, KM_SLEEP) == 0);
 327  327  
 328  328          for (dd = startdd; dd != NULL; dd = dd->dd_parent) {
 329  329                  zap_cursor_t basezc;
 330  330                  zap_attribute_t baseza;
 331  331                  nvlist_t *sp_nvp;
 332  332                  uint64_t n;
 333  333                  char source[MAXNAMELEN];
 334  334  
 335  335                  if (dsl_dir_phys(dd)->dd_deleg_zapobj == 0 ||
 336  336                      zap_count(mos,
 337  337                      dsl_dir_phys(dd)->dd_deleg_zapobj, &n) != 0 || n == 0)
 338  338                          continue;
 339  339  
 340  340                  sp_nvp = fnvlist_alloc();
 341  341                  for (zap_cursor_init(&basezc, mos,
 342  342                      dsl_dir_phys(dd)->dd_deleg_zapobj);
 343  343                      zap_cursor_retrieve(&basezc, &baseza) == 0;
 344  344                      zap_cursor_advance(&basezc)) {
 345  345                          zap_cursor_t zc;
 346  346                          zap_attribute_t za;
 347  347                          nvlist_t *perms_nvp;
 348  348  
 349  349                          ASSERT(baseza.za_integer_length == 8);
 350  350                          ASSERT(baseza.za_num_integers == 1);
 351  351  
 352  352                          perms_nvp = fnvlist_alloc();
 353  353                          for (zap_cursor_init(&zc, mos, baseza.za_first_integer);
 354  354                              zap_cursor_retrieve(&zc, &za) == 0;
 355  355                              zap_cursor_advance(&zc)) {
 356  356                                  fnvlist_add_boolean(perms_nvp, za.za_name);
 357  357                          }
 358  358                          zap_cursor_fini(&zc);
 359  359                          fnvlist_add_nvlist(sp_nvp, baseza.za_name, perms_nvp);
 360  360                          fnvlist_free(perms_nvp);
 361  361                  }
 362  362  
 363  363                  zap_cursor_fini(&basezc);
 364  364  
 365  365                  dsl_dir_name(dd, source);
 366  366                  fnvlist_add_nvlist(*nvp, source, sp_nvp);
 367  367                  nvlist_free(sp_nvp);
 368  368          }
 369  369  
 370  370          dsl_dir_rele(startdd, FTAG);
 371  371          dsl_pool_rele(dp, FTAG);
 372  372          return (0);
 373  373  }
 374  374  
 375  375  /*
 376  376   * Routines for dsl_deleg_access() -- access checking.
 377  377   */
 378  378  typedef struct perm_set {
 379  379          avl_node_t      p_node;
 380  380          boolean_t       p_matched;
 381  381          char            p_setname[ZFS_MAX_DELEG_NAME];
 382  382  } perm_set_t;
 383  383  
 384  384  static int
 385  385  perm_set_compare(const void *arg1, const void *arg2)
 386  386  {
 387  387          const perm_set_t *node1 = arg1;
 388  388          const perm_set_t *node2 = arg2;
 389  389          int val;
 390  390  
 391  391          val = strcmp(node1->p_setname, node2->p_setname);
 392  392          if (val == 0)
 393  393                  return (0);
 394  394          return (val > 0 ? 1 : -1);
 395  395  }
 396  396  
 397  397  /*
 398  398   * Determine whether a specified permission exists.
 399  399   *
 400  400   * First the base attribute has to be retrieved.  i.e. ul$12
 401  401   * Once the base object has been retrieved the actual permission
 402  402   * is lookup up in the zap object the base object points to.
 403  403   *
 404  404   * Return 0 if permission exists, ENOENT if there is no whokey, EPERM if
 405  405   * there is no perm in that jumpobj.
 406  406   */
 407  407  static int
 408  408  dsl_check_access(objset_t *mos, uint64_t zapobj,
 409  409      char type, char checkflag, void *valp, const char *perm)
 410  410  {
 411  411          int error;
 412  412          uint64_t jumpobj, zero;
 413  413          char whokey[ZFS_MAX_DELEG_NAME];
 414  414  
 415  415          zfs_deleg_whokey(whokey, type, checkflag, valp);
 416  416          error = zap_lookup(mos, zapobj, whokey, 8, 1, &jumpobj);
 417  417          if (error == 0) {
 418  418                  error = zap_lookup(mos, jumpobj, perm, 8, 1, &zero);
 419  419                  if (error == ENOENT)
 420  420                          error = SET_ERROR(EPERM);
 421  421          }
 422  422          return (error);
 423  423  }
 424  424  
 425  425  /*
 426  426   * check a specified user/group for a requested permission
 427  427   */
 428  428  static int
 429  429  dsl_check_user_access(objset_t *mos, uint64_t zapobj, const char *perm,
 430  430      int checkflag, cred_t *cr)
 431  431  {
 432  432          const   gid_t *gids;
 433  433          int     ngids;
 434  434          int     i;
 435  435          uint64_t id;
 436  436  
 437  437          /* check for user */
 438  438          id = crgetuid(cr);
 439  439          if (dsl_check_access(mos, zapobj,
 440  440              ZFS_DELEG_USER, checkflag, &id, perm) == 0)
 441  441                  return (0);
 442  442  
 443  443          /* check for users primary group */
 444  444          id = crgetgid(cr);
 445  445          if (dsl_check_access(mos, zapobj,
 446  446              ZFS_DELEG_GROUP, checkflag, &id, perm) == 0)
 447  447                  return (0);
 448  448  
 449  449          /* check for everyone entry */
 450  450          id = -1;
 451  451          if (dsl_check_access(mos, zapobj,
 452  452              ZFS_DELEG_EVERYONE, checkflag, &id, perm) == 0)
 453  453                  return (0);
 454  454  
 455  455          /* check each supplemental group user is a member of */
 456  456          ngids = crgetngroups(cr);
 457  457          gids = crgetgroups(cr);
 458  458          for (i = 0; i != ngids; i++) {
 459  459                  id = gids[i];
 460  460                  if (dsl_check_access(mos, zapobj,
 461  461                      ZFS_DELEG_GROUP, checkflag, &id, perm) == 0)
 462  462                          return (0);
 463  463          }
 464  464  
 465  465          return (SET_ERROR(EPERM));
 466  466  }
 467  467  
 468  468  /*
 469  469   * Iterate over the sets specified in the specified zapobj
 470  470   * and load them into the permsets avl tree.
 471  471   */
 472  472  static int
 473  473  dsl_load_sets(objset_t *mos, uint64_t zapobj,
 474  474      char type, char checkflag, void *valp, avl_tree_t *avl)
 475  475  {
 476  476          zap_cursor_t zc;
 477  477          zap_attribute_t za;
 478  478          perm_set_t *permnode;
 479  479          avl_index_t idx;
 480  480          uint64_t jumpobj;
 481  481          int error;
 482  482          char whokey[ZFS_MAX_DELEG_NAME];
 483  483  
 484  484          zfs_deleg_whokey(whokey, type, checkflag, valp);
 485  485  
 486  486          error = zap_lookup(mos, zapobj, whokey, 8, 1, &jumpobj);
 487  487          if (error != 0)
 488  488                  return (error);
 489  489  
 490  490          for (zap_cursor_init(&zc, mos, jumpobj);
 491  491              zap_cursor_retrieve(&zc, &za) == 0;
 492  492              zap_cursor_advance(&zc)) {
 493  493                  permnode = kmem_alloc(sizeof (perm_set_t), KM_SLEEP);
 494  494                  (void) strlcpy(permnode->p_setname, za.za_name,
 495  495                      sizeof (permnode->p_setname));
 496  496                  permnode->p_matched = B_FALSE;
 497  497  
 498  498                  if (avl_find(avl, permnode, &idx) == NULL) {
 499  499                          avl_insert(avl, permnode, idx);
 500  500                  } else {
 501  501                          kmem_free(permnode, sizeof (perm_set_t));
 502  502                  }
 503  503          }
 504  504          zap_cursor_fini(&zc);
 505  505          return (0);
 506  506  }
 507  507  
 508  508  /*
 509  509   * Load all permissions user based on cred belongs to.
 510  510   */
 511  511  static void
 512  512  dsl_load_user_sets(objset_t *mos, uint64_t zapobj, avl_tree_t *avl,
 513  513      char checkflag, cred_t *cr)
 514  514  {
 515  515          const   gid_t *gids;
 516  516          int     ngids, i;
 517  517          uint64_t id;
 518  518  
 519  519          id = crgetuid(cr);
 520  520          (void) dsl_load_sets(mos, zapobj,
 521  521              ZFS_DELEG_USER_SETS, checkflag, &id, avl);
 522  522  
 523  523          id = crgetgid(cr);
 524  524          (void) dsl_load_sets(mos, zapobj,
 525  525              ZFS_DELEG_GROUP_SETS, checkflag, &id, avl);
 526  526  
 527  527          (void) dsl_load_sets(mos, zapobj,
 528  528              ZFS_DELEG_EVERYONE_SETS, checkflag, NULL, avl);
 529  529  
 530  530          ngids = crgetngroups(cr);
 531  531          gids = crgetgroups(cr);
 532  532          for (i = 0; i != ngids; i++) {
 533  533                  id = gids[i];
 534  534                  (void) dsl_load_sets(mos, zapobj,
 535  535                      ZFS_DELEG_GROUP_SETS, checkflag, &id, avl);
 536  536          }
 537  537  }
 538  538  
 539  539  /*
 540  540   * Check if user has requested permission.
 541  541   */
 542  542  int
 543  543  dsl_deleg_access_impl(dsl_dataset_t *ds, const char *perm, cred_t *cr)
 544  544  {
 545  545          dsl_dir_t *dd;
 546  546          dsl_pool_t *dp;
 547  547          void *cookie;
 548  548          int     error;
 549  549          char    checkflag;
 550  550          objset_t *mos;
 551  551          avl_tree_t permsets;
 552  552          perm_set_t *setnode;
 553  553  

 554  554          dp = ds->ds_dir->dd_pool;
 555  555          mos = dp->dp_meta_objset;
 556  556  
 557  557          if (dsl_delegation_on(mos) == B_FALSE)
 558  558                  return (SET_ERROR(ECANCELED));
 559  559  
 560  560          if (spa_version(dmu_objset_spa(dp->dp_meta_objset)) <
 561  561              SPA_VERSION_DELEGATED_PERMS)
 562  562                  return (SET_ERROR(EPERM));
 563  563  
 564      -        if (dsl_dataset_is_snapshot(ds)) {
      564 +        if (ds->ds_is_snapshot) {
 565  565                  /*
 566  566                   * Snapshots are treated as descendents only,
 567  567                   * local permissions do not apply.
 568  568                   */
 569  569                  checkflag = ZFS_DELEG_DESCENDENT;
 570  570          } else {
 571  571                  checkflag = ZFS_DELEG_LOCAL;
 572  572          }
 573  573  
 574  574          avl_create(&permsets, perm_set_compare, sizeof (perm_set_t),

 575  575              offsetof(perm_set_t, p_node));
 576  576  
 577  577          ASSERT(dsl_pool_config_held(dp));
 578  578          for (dd = ds->ds_dir; dd != NULL; dd = dd->dd_parent,
 579  579              checkflag = ZFS_DELEG_DESCENDENT) {
 580  580                  uint64_t zapobj;
 581  581                  boolean_t expanded;
 582  582  
 583  583                  /*
 584  584                   * If not in global zone then make sure
 585  585                   * the zoned property is set
 586  586                   */
 587  587                  if (!INGLOBALZONE(curproc)) {
 588  588                          uint64_t zoned;
 589  589  
 590  590                          if (dsl_prop_get_dd(dd,
 591  591                              zfs_prop_to_name(ZFS_PROP_ZONED),
 592  592                              8, 1, &zoned, NULL, B_FALSE) != 0)
 593  593                                  break;
 594  594                          if (!zoned)
 595  595                                  break;
 596  596                  }
 597  597                  zapobj = dsl_dir_phys(dd)->dd_deleg_zapobj;
 598  598  
 599  599                  if (zapobj == 0)
 600  600                          continue;
 601  601  
 602  602                  dsl_load_user_sets(mos, zapobj, &permsets, checkflag, cr);
 603  603  again:
 604  604                  expanded = B_FALSE;
 605  605                  for (setnode = avl_first(&permsets); setnode;
 606  606                      setnode = AVL_NEXT(&permsets, setnode)) {
 607  607                          if (setnode->p_matched == B_TRUE)
 608  608                                  continue;
 609  609  
 610  610                          /* See if this set directly grants this permission */
 611  611                          error = dsl_check_access(mos, zapobj,
 612  612                              ZFS_DELEG_NAMED_SET, 0, setnode->p_setname, perm);
 613  613                          if (error == 0)
 614  614                                  goto success;
 615  615                          if (error == EPERM)
 616  616                                  setnode->p_matched = B_TRUE;
 617  617  
 618  618                          /* See if this set includes other sets */
 619  619                          error = dsl_load_sets(mos, zapobj,
 620  620                              ZFS_DELEG_NAMED_SET_SETS, 0,
 621  621                              setnode->p_setname, &permsets);
 622  622                          if (error == 0)
 623  623                                  setnode->p_matched = expanded = B_TRUE;
 624  624                  }
 625  625                  /*
 626  626                   * If we expanded any sets, that will define more sets,
 627  627                   * which we need to check.
 628  628                   */
 629  629                  if (expanded)
 630  630                          goto again;
 631  631  
 632  632                  error = dsl_check_user_access(mos, zapobj, perm, checkflag, cr);
 633  633                  if (error == 0)
 634  634                          goto success;
 635  635          }
 636  636          error = SET_ERROR(EPERM);
 637  637  success:
 638  638  
 639  639          cookie = NULL;
 640  640          while ((setnode = avl_destroy_nodes(&permsets, &cookie)) != NULL)
 641  641                  kmem_free(setnode, sizeof (perm_set_t));
 642  642  
 643  643          return (error);
 644  644  }
 645  645  
 646  646  int
 647  647  dsl_deleg_access(const char *dsname, const char *perm, cred_t *cr)
 648  648  {
 649  649          dsl_pool_t *dp;
 650  650          dsl_dataset_t *ds;
 651  651          int error;
 652  652  
 653  653          error = dsl_pool_hold(dsname, FTAG, &dp);
 654  654          if (error != 0)
 655  655                  return (error);
 656  656          error = dsl_dataset_hold(dp, dsname, FTAG, &ds);
 657  657          if (error == 0) {
 658  658                  error = dsl_deleg_access_impl(ds, perm, cr);
 659  659                  dsl_dataset_rele(ds, FTAG);
 660  660          }
 661  661          dsl_pool_rele(dp, FTAG);
 662  662  
 663  663          return (error);
 664  664  }
 665  665  
 666  666  /*
 667  667   * Other routines.
 668  668   */
 669  669  
 670  670  static void
 671  671  copy_create_perms(dsl_dir_t *dd, uint64_t pzapobj,
 672  672      boolean_t dosets, uint64_t uid, dmu_tx_t *tx)
 673  673  {
 674  674          objset_t *mos = dd->dd_pool->dp_meta_objset;
 675  675          uint64_t jumpobj, pjumpobj;
 676  676          uint64_t zapobj = dsl_dir_phys(dd)->dd_deleg_zapobj;
 677  677          zap_cursor_t zc;
 678  678          zap_attribute_t za;
 679  679          char whokey[ZFS_MAX_DELEG_NAME];
 680  680  
 681  681          zfs_deleg_whokey(whokey,
 682  682              dosets ? ZFS_DELEG_CREATE_SETS : ZFS_DELEG_CREATE,
 683  683              ZFS_DELEG_LOCAL, NULL);
 684  684          if (zap_lookup(mos, pzapobj, whokey, 8, 1, &pjumpobj) != 0)
 685  685                  return;
 686  686  
 687  687          if (zapobj == 0) {
 688  688                  dmu_buf_will_dirty(dd->dd_dbuf, tx);
 689  689                  zapobj = dsl_dir_phys(dd)->dd_deleg_zapobj = zap_create(mos,
 690  690                      DMU_OT_DSL_PERMS, DMU_OT_NONE, 0, tx);
 691  691          }
 692  692  
 693  693          zfs_deleg_whokey(whokey,
 694  694              dosets ? ZFS_DELEG_USER_SETS : ZFS_DELEG_USER,
 695  695              ZFS_DELEG_LOCAL, &uid);
 696  696          if (zap_lookup(mos, zapobj, whokey, 8, 1, &jumpobj) == ENOENT) {
 697  697                  jumpobj = zap_create(mos, DMU_OT_DSL_PERMS, DMU_OT_NONE, 0, tx);
 698  698                  VERIFY(zap_add(mos, zapobj, whokey, 8, 1, &jumpobj, tx) == 0);
 699  699          }
 700  700  
 701  701          for (zap_cursor_init(&zc, mos, pjumpobj);
 702  702              zap_cursor_retrieve(&zc, &za) == 0;
 703  703              zap_cursor_advance(&zc)) {
 704  704                  uint64_t zero = 0;
 705  705                  ASSERT(za.za_integer_length == 8 && za.za_num_integers == 1);
 706  706  
 707  707                  VERIFY(zap_update(mos, jumpobj, za.za_name,
 708  708                      8, 1, &zero, tx) == 0);
 709  709          }
 710  710          zap_cursor_fini(&zc);
 711  711  }
 712  712  
 713  713  /*
 714  714   * set all create time permission on new dataset.
 715  715   */
 716  716  void
 717  717  dsl_deleg_set_create_perms(dsl_dir_t *sdd, dmu_tx_t *tx, cred_t *cr)
 718  718  {
 719  719          dsl_dir_t *dd;
 720  720          uint64_t uid = crgetuid(cr);
 721  721  
 722  722          if (spa_version(dmu_objset_spa(sdd->dd_pool->dp_meta_objset)) <
 723  723              SPA_VERSION_DELEGATED_PERMS)
 724  724                  return;
 725  725  
 726  726          for (dd = sdd->dd_parent; dd != NULL; dd = dd->dd_parent) {
 727  727                  uint64_t pzapobj = dsl_dir_phys(dd)->dd_deleg_zapobj;
 728  728  
 729  729                  if (pzapobj == 0)
 730  730                          continue;
 731  731  
 732  732                  copy_create_perms(sdd, pzapobj, B_FALSE, uid, tx);
 733  733                  copy_create_perms(sdd, pzapobj, B_TRUE, uid, tx);
 734  734          }
 735  735  }
 736  736  
 737  737  int
 738  738  dsl_deleg_destroy(objset_t *mos, uint64_t zapobj, dmu_tx_t *tx)
 739  739  {
 740  740          zap_cursor_t zc;
 741  741          zap_attribute_t za;
 742  742  
 743  743          if (zapobj == 0)
 744  744                  return (0);
 745  745  
 746  746          for (zap_cursor_init(&zc, mos, zapobj);
 747  747              zap_cursor_retrieve(&zc, &za) == 0;
 748  748              zap_cursor_advance(&zc)) {
 749  749                  ASSERT(za.za_integer_length == 8 && za.za_num_integers == 1);
 750  750                  VERIFY(0 == zap_destroy(mos, za.za_first_integer, tx));
 751  751          }
 752  752          zap_cursor_fini(&zc);
 753  753          VERIFY(0 == zap_destroy(mos, zapobj, tx));
 754  754          return (0);
 755  755  }
 756  756  
 757  757  boolean_t
 758  758  dsl_delegation_on(objset_t *os)
 759  759  {
 760  760          return (!!spa_delegation(os->os_spa));
 761  761  }

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX