1 // SPDX-License-Identifier: CDDL-1.0 2 /* 3 * CDDL HEADER START 4 * 5 * The contents of this file are subject to the terms of the 6 * Common Development and Distribution License (the "License"). 7 * You may not use this file except in compliance with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or https://opensource.org/licenses/CDDL-1.0. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 /* 27 * Copyright (c) 2013, 2016 by Delphix. All rights reserved. 28 */ 29 30 /* 31 * Common name validation routines for ZFS. These routines are shared by the 32 * userland code as well as the ioctl() layer to ensure that we don't 33 * inadvertently expose a hole through direct ioctl()s that never gets tested. 34 * In userland, however, we want significantly more information about _why_ the 35 * name is invalid. In the kernel, we only care whether it's valid or not. 36 * Each routine therefore takes a 'namecheck_err_t' which describes exactly why 37 * the name failed to validate. 38 */ 39 40 #if !defined(_KERNEL) 41 #include <string.h> 42 #endif 43 44 #include <sys/dsl_dir.h> 45 #include <sys/param.h> 46 #include <sys/nvpair.h> 47 #include "zfs_namecheck.h" 48 #include "zfs_deleg.h" 49 50 /* 51 * Deeply nested datasets can overflow the stack, so we put a limit 52 * in the amount of nesting a path can have. zfs_max_dataset_nesting 53 * can be tuned temporarily to fix existing datasets that exceed our 54 * predefined limit. 55 */ 56 int zfs_max_dataset_nesting = 50; 57 58 static int 59 valid_char(char c) 60 { 61 return ((c >= 'a' && c <= 'z') || 62 (c >= 'A' && c <= 'Z') || 63 (c >= '0' && c <= '9') || 64 c == '-' || c == '_' || c == '.' || c == ':' || c == ' '); 65 } 66 67 /* 68 * Looks at a path and returns its level of nesting (depth). 69 */ 70 int 71 get_dataset_depth(const char *path) 72 { 73 const char *loc = path; 74 int nesting = 0; 75 76 /* 77 * Keep track of nesting until you hit the end of the 78 * path or found the snapshot/bookmark separator. 79 */ 80 for (int i = 0; loc[i] != '\0' && 81 loc[i] != '@' && 82 loc[i] != '#'; i++) { 83 if (loc[i] == '/') 84 nesting++; 85 } 86 87 return (nesting); 88 } 89 90 /* 91 * Snapshot names must be made up of alphanumeric characters plus the following 92 * characters: 93 * 94 * [-_.: ] 95 * 96 * Returns 0 on success, -1 on error. 97 */ 98 int 99 zfs_component_namecheck(const char *path, namecheck_err_t *why, char *what) 100 { 101 const char *loc; 102 103 if (strlen(path) >= ZFS_MAX_DATASET_NAME_LEN) { 104 if (why) 105 *why = NAME_ERR_TOOLONG; 106 return (-1); 107 } 108 109 if (path[0] == '\0') { 110 if (why) 111 *why = NAME_ERR_EMPTY_COMPONENT; 112 return (-1); 113 } 114 115 for (loc = path; *loc; loc++) { 116 if (!valid_char(*loc)) { 117 if (why) { 118 *why = NAME_ERR_INVALCHAR; 119 *what = *loc; 120 } 121 return (-1); 122 } 123 } 124 return (0); 125 } 126 127 128 /* 129 * Permissions set name must start with the letter '@' followed by the 130 * same character restrictions as snapshot names, except that the name 131 * cannot exceed 64 characters. 132 * 133 * Returns 0 on success, -1 on error. 134 */ 135 int 136 permset_namecheck(const char *path, namecheck_err_t *why, char *what) 137 { 138 if (strlen(path) >= ZFS_PERMSET_MAXLEN) { 139 if (why) 140 *why = NAME_ERR_TOOLONG; 141 return (-1); 142 } 143 144 if (path[0] != '@') { 145 if (why) { 146 *why = NAME_ERR_NO_AT; 147 *what = path[0]; 148 } 149 return (-1); 150 } 151 152 return (zfs_component_namecheck(&path[1], why, what)); 153 } 154 155 /* 156 * Dataset paths should not be deeper than zfs_max_dataset_nesting 157 * in terms of nesting. 158 * 159 * Returns 0 on success, -1 on error. 160 */ 161 int 162 dataset_nestcheck(const char *path) 163 { 164 return ((get_dataset_depth(path) < zfs_max_dataset_nesting) ? 0 : -1); 165 } 166 167 /* 168 * Entity names must be of the following form: 169 * 170 * [component/]*[component][(@|#)component]? 171 * 172 * Where each component is made up of alphanumeric characters plus the following 173 * characters: 174 * 175 * [-_.: %] 176 * 177 * We allow '%' here as we use that character internally to create unique 178 * names for temporary clones (for online recv). 179 * 180 * Returns 0 on success, -1 on error. 181 */ 182 int 183 entity_namecheck(const char *path, namecheck_err_t *why, char *what) 184 { 185 const char *end; 186 187 EQUIV(why == NULL, what == NULL); 188 189 /* 190 * Make sure the name is not too long. 191 */ 192 if (strlen(path) >= ZFS_MAX_DATASET_NAME_LEN) { 193 if (why) 194 *why = NAME_ERR_TOOLONG; 195 return (-1); 196 } 197 198 /* Explicitly check for a leading slash. */ 199 if (path[0] == '/') { 200 if (why) 201 *why = NAME_ERR_LEADING_SLASH; 202 return (-1); 203 } 204 205 if (path[0] == '\0') { 206 if (why) 207 *why = NAME_ERR_EMPTY_COMPONENT; 208 return (-1); 209 } 210 211 const char *start = path; 212 boolean_t found_delim = B_FALSE; 213 for (;;) { 214 /* Find the end of this component */ 215 end = start; 216 while (*end != '/' && *end != '@' && *end != '#' && 217 *end != '\0') 218 end++; 219 220 if (*end == '\0' && end[-1] == '/') { 221 /* trailing slashes are not allowed */ 222 if (why) 223 *why = NAME_ERR_TRAILING_SLASH; 224 return (-1); 225 } 226 227 /* Validate the contents of this component */ 228 for (const char *loc = start; loc != end; loc++) { 229 if (!valid_char(*loc) && *loc != '%') { 230 if (why) { 231 *why = NAME_ERR_INVALCHAR; 232 *what = *loc; 233 } 234 return (-1); 235 } 236 } 237 238 if (*end == '\0' || *end == '/') { 239 int component_length = end - start; 240 /* Validate the contents of this component is not '.' */ 241 if (component_length == 1) { 242 if (start[0] == '.') { 243 if (why) 244 *why = NAME_ERR_SELF_REF; 245 return (-1); 246 } 247 } 248 249 /* Validate the content of this component is not '..' */ 250 if (component_length == 2) { 251 if (start[0] == '.' && start[1] == '.') { 252 if (why) 253 *why = NAME_ERR_PARENT_REF; 254 return (-1); 255 } 256 } 257 } 258 259 /* Snapshot or bookmark delimiter found */ 260 if (*end == '@' || *end == '#') { 261 /* Multiple delimiters are not allowed */ 262 if (found_delim != 0) { 263 if (why) 264 *why = NAME_ERR_MULTIPLE_DELIMITERS; 265 return (-1); 266 } 267 268 found_delim = B_TRUE; 269 } 270 271 /* Zero-length components are not allowed */ 272 if (start == end) { 273 if (why) 274 *why = NAME_ERR_EMPTY_COMPONENT; 275 return (-1); 276 } 277 278 /* If we've reached the end of the string, we're OK */ 279 if (*end == '\0') 280 return (0); 281 282 /* 283 * If there is a '/' in a snapshot or bookmark name 284 * then report an error 285 */ 286 if (*end == '/' && found_delim != 0) { 287 if (why) 288 *why = NAME_ERR_TRAILING_SLASH; 289 return (-1); 290 } 291 292 /* Update to the next component */ 293 start = end + 1; 294 } 295 } 296 297 /* 298 * Dataset is any entity, except bookmark 299 */ 300 int 301 dataset_namecheck(const char *path, namecheck_err_t *why, char *what) 302 { 303 int ret = entity_namecheck(path, why, what); 304 305 if (ret == 0 && strchr(path, '#') != NULL) { 306 if (why != NULL) { 307 *why = NAME_ERR_INVALCHAR; 308 *what = '#'; 309 } 310 return (-1); 311 } 312 313 return (ret); 314 } 315 316 /* 317 * Assert path is a valid bookmark name 318 */ 319 int 320 bookmark_namecheck(const char *path, namecheck_err_t *why, char *what) 321 { 322 int ret = entity_namecheck(path, why, what); 323 324 if (ret == 0 && strchr(path, '#') == NULL) { 325 if (why != NULL) { 326 *why = NAME_ERR_NO_POUND; 327 *what = '#'; 328 } 329 return (-1); 330 } 331 332 return (ret); 333 } 334 335 /* 336 * Assert path is a valid snapshot name 337 */ 338 int 339 snapshot_namecheck(const char *path, namecheck_err_t *why, char *what) 340 { 341 int ret = entity_namecheck(path, why, what); 342 343 if (ret == 0 && strchr(path, '@') == NULL) { 344 if (why != NULL) { 345 *why = NAME_ERR_NO_AT; 346 *what = '@'; 347 } 348 return (-1); 349 } 350 351 return (ret); 352 } 353 354 /* 355 * mountpoint names must be of the following form: 356 * 357 * /[component][/]*[component][/] 358 * 359 * Returns 0 on success, -1 on error. 360 */ 361 int 362 mountpoint_namecheck(const char *path, namecheck_err_t *why) 363 { 364 const char *start, *end; 365 366 /* 367 * Make sure none of the mountpoint component names are too long. 368 * If a component name is too long then the mkdir of the mountpoint 369 * will fail but then the mountpoint property will be set to a value 370 * that can never be mounted. Better to fail before setting the prop. 371 * Extra slashes are OK, they will be tossed by the mountpoint mkdir. 372 */ 373 374 if (path == NULL || *path != '/') { 375 if (why) 376 *why = NAME_ERR_LEADING_SLASH; 377 return (-1); 378 } 379 380 /* Skip leading slash */ 381 start = &path[1]; 382 do { 383 end = start; 384 while (*end != '/' && *end != '\0') 385 end++; 386 387 if (end - start >= ZFS_MAX_DATASET_NAME_LEN) { 388 if (why) 389 *why = NAME_ERR_TOOLONG; 390 return (-1); 391 } 392 start = end + 1; 393 394 } while (*end != '\0'); 395 396 return (0); 397 } 398 399 /* 400 * For pool names, we have the same set of valid characters as described in 401 * dataset names, with the additional restriction that the pool name must begin 402 * with a letter. The pool names 'raidz' and 'mirror' are also reserved names 403 * that cannot be used. 404 * 405 * Returns 0 on success, -1 on error. 406 */ 407 int 408 pool_namecheck(const char *pool, namecheck_err_t *why, char *what) 409 { 410 const char *c; 411 412 /* 413 * Make sure the name is not too long. 414 * If we're creating a pool with version >= SPA_VERSION_DSL_SCRUB (v11) 415 * we need to account for additional space needed by the origin ds which 416 * will also be snapshotted: "poolname"+"/"+"$ORIGIN"+"@"+"$ORIGIN". 417 * Play it safe and enforce this limit even if the pool version is < 11 418 * so it can be upgraded without issues. 419 */ 420 if (strlen(pool) >= (ZFS_MAX_DATASET_NAME_LEN - 2 - 421 strlen(ORIGIN_DIR_NAME) * 2)) { 422 if (why) 423 *why = NAME_ERR_TOOLONG; 424 return (-1); 425 } 426 427 c = pool; 428 while (*c != '\0') { 429 if (!valid_char(*c)) { 430 if (why) { 431 *why = NAME_ERR_INVALCHAR; 432 *what = *c; 433 } 434 return (-1); 435 } 436 c++; 437 } 438 439 if (!(*pool >= 'a' && *pool <= 'z') && 440 !(*pool >= 'A' && *pool <= 'Z')) { 441 if (why) 442 *why = NAME_ERR_NOLETTER; 443 return (-1); 444 } 445 446 if (strcmp(pool, "mirror") == 0 || 447 strcmp(pool, "raidz") == 0 || 448 strcmp(pool, "draid") == 0) { 449 if (why) 450 *why = NAME_ERR_RESERVED; 451 return (-1); 452 } 453 454 return (0); 455 } 456 457 EXPORT_SYMBOL(entity_namecheck); 458 EXPORT_SYMBOL(pool_namecheck); 459 EXPORT_SYMBOL(dataset_namecheck); 460 EXPORT_SYMBOL(bookmark_namecheck); 461 EXPORT_SYMBOL(snapshot_namecheck); 462 EXPORT_SYMBOL(zfs_component_namecheck); 463 EXPORT_SYMBOL(dataset_nestcheck); 464 EXPORT_SYMBOL(get_dataset_depth); 465 EXPORT_SYMBOL(zfs_max_dataset_nesting); 466 467 ZFS_MODULE_PARAM(zfs, zfs_, max_dataset_nesting, INT, ZMOD_RW, 468 "Limit to the amount of nesting a path can have. Defaults to 50."); 469