libbe(3): Don't allow bootfs to be destroyed

Previously, the following sequence of events was feasible under some circumstance: bectl create test bectl activate test # the test BE dataset gets promoted and set as bootfs bectl destroy test I was unable to reproduce the destroy succeeding, but we should be rejecting this before it even gets to libzfs because it would leave the system in an inconsistent state. Forcing the user to be explicit as to which environment should be activated instead is much better. Reported by: Graham Perrin <grahamperrin@gmail.com> MFC after: 3 days
2019-01-07 16:16:47 +00:00 · 2019-01-07 16:16:47 +00:00 · f08dac4e90
commit f08dac4e90
parent 354c6a4422
1 changed files with 2 additions and 1 deletions
--- a/lib/libbe/be.c
+++ b/lib/libbe/be.c
@ -211,7 +211,8 @@ be_destroy(libbe_handle_t *lbh, const char *name, int options)
 		if (!zfs_dataset_exists(lbh->lzh, path, ZFS_TYPE_FILESYSTEM))
 			return (set_error(lbh, BE_ERR_NOENT));

-		if (strcmp(path, lbh->rootfs) == 0)
+		if (strcmp(path, lbh->rootfs) == 0 ||
+		    strcmp(path, lbh->bootfs) == 0)
 			return (set_error(lbh, BE_ERR_DESTROYACT));

 		fs = zfs_open(lbh->lzh, p, ZFS_TYPE_FILESYSTEM);