diff options
author | Tom Caputi <[email protected]> | 2018-02-21 15:30:11 -0500 |
---|---|---|
committer | Brian Behlendorf <[email protected]> | 2018-02-21 12:30:11 -0800 |
commit | 4a385862b7a9c62f5ec46462e92db48c3c5ec7d9 (patch) | |
tree | 0bc578f3cc4ce9937b4aa8c74ecef8071b72eea0 /module | |
parent | b1d217338a51b025b802ebf6a759f45dcd8e3b4c (diff) |
Prevent raw zfs recv -F if dataset is unencrypted
The current design of ZFS encryption only allows a dataset to
have one DSL Crypto Key at a time. As a result, it is important
that the zfs receive code ensures that only one key can be in use
at a time for a given DSL Directory. zfs receive -F complicates
this, since the new dataset is received as a clone of the existing
one so that an atomic switch can be done at the end. To prevent
confusion about which dataset is actually encrypted a check was
added to ensure that encrypted datasets cannot use zfs recv -F to
completely replace existing datasets. Unfortunately, the check did
not take into account unencrypted datasets being overriden by
encrypted ones as a case.
Along the same lines, the code also failed to ensure that raw
recieves could not be done on top of existing unencrypted
datasets, which causes amny problems since the new stream cannot
be decrypted.
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Tom Caputi <[email protected]>
Closes #7199
Diffstat (limited to 'module')
-rw-r--r-- | module/zfs/dmu_send.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/module/zfs/dmu_send.c b/module/zfs/dmu_send.c index 8ca77e95d..bbb319822 100644 --- a/module/zfs/dmu_send.c +++ b/module/zfs/dmu_send.c @@ -1522,6 +1522,10 @@ recv_begin_check_existing_impl(dmu_recv_begin_arg_t *drba, dsl_dataset_t *ds, uint64_t val; int error; dsl_pool_t *dp = ds->ds_dir->dd_pool; + struct drr_begin *drrb = drba->drba_cookie->drc_drrb; + uint64_t featureflags = DMU_GET_FEATUREFLAGS(drrb->drr_versioninfo); + boolean_t encrypted = ds->ds_dir->dd_crypto_obj != 0; + boolean_t raw = (featureflags & DMU_BACKUP_FEATURE_RAW) != 0; /* temporary clone name must not exist */ error = zap_lookup(dp->dp_meta_objset, @@ -1555,6 +1559,10 @@ recv_begin_check_existing_impl(dmu_recv_begin_arg_t *drba, dsl_dataset_t *ds, dsl_dataset_t *snap; uint64_t obj = dsl_dataset_phys(ds)->ds_prev_snap_obj; + /* Can't perform a raw receive on top of a non-raw receive */ + if (!encrypted && raw) + return (SET_ERROR(EINVAL)); + /* Find snapshot in this dir that matches fromguid. */ while (obj != 0) { error = dsl_dataset_hold_obj(dp, obj, FTAG, @@ -1599,7 +1607,7 @@ recv_begin_check_existing_impl(dmu_recv_begin_arg_t *drba, dsl_dataset_t *ds, * dsl dir to point to the old encryption key and * the new one at the same time during the receive. */ - if (ds->ds_dir->dd_crypto_obj != 0) + if ((!encrypted && raw) || encrypted) return (SET_ERROR(EINVAL)); drba->drba_snapobj = 0; |