From f08dac4e90b48e70d8ee88638cff70b1cfe4fc8f Mon Sep 17 00:00:00 2001
From: Kyle Evans
Date: Mon, 7 Jan 2019 16:16:47 +0000
Subject: [PATCH] libbe(3): Don't allow bootfs to be destroyed

Previously, the following sequence of events was feasible under some circumstance:

bectl create test
bectl activate test # the test BE dataset gets promoted and set as bootfs
bectl destroy test

I was unable to reproduce the destroy succeeding, but we should be rejecting this before it even gets to libzfs because it would leave the system in an inconsistent state. Forcing the user to be explicit as to which environment should be activated instead is much better.

Reported by: Graham Perrin
MFC after: 3 days
---
 lib/libbe/be.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/libbe/be.c b/lib/libbe/be.c
index be073eed9a8e..24a0e0ae1b78 100644
--- a/lib/libbe/be.c
+++ b/lib/libbe/be.c
@@ -211,7 +211,8 @@ be_destroy(libbe_handle_t *lbh, const char *name, int options)
 	if (!zfs_dataset_exists(lbh->lzh, path, ZFS_TYPE_FILESYSTEM))
 		return (set_error(lbh, BE_ERR_NOENT));
 
-	if (strcmp(path, lbh->rootfs) == 0)
+	if (strcmp(path, lbh->rootfs) == 0 ||
+	    strcmp(path, lbh->bootfs) == 0)
 		return (set_error(lbh, BE_ERR_DESTROYACT));
 
 	fs = zfs_open(lbh->lzh, p, ZFS_TYPE_FILESYSTEM);
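Review bot: The new `strcmp(path, lbh->bootfs) == 0` arm reuses BE_ERR_DESTROYACT, which a caller will read as "this is the currently booted root" even though the dataset may only be the one selected for the next boot; the condition deserves a comment making the two cases explicit, e.g. `/* Refuse the running root and the pool's bootfs alike: destroying either leaves the system unbootable or inconsistent. */`, and the be_destroy documentation should say the error covers both. The guard is also an exact string comparison, so it presumably relies on lbh->bootfs being populated at handle initialisation; if that field can be empty on a pool with no bootfs property the second comparison is simply never true, which is harmless but worth confirming. Note that the two checks compare against `path` while the following zfs_open() call uses `p`, so the rejection only protects whatever `path` names; if the two can differ for the same call, the bootfs check could be bypassed. be_destroy begins and ends outside the hunk.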