xref: /titanic_44/usr/src/uts/common/fs/zfs/zfs_ioctl.c (revision 8f18d1fadf6a0c20fac9ff7259a5368faa3c3bfb)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/param.h>
28 #include <sys/errno.h>
29 #include <sys/uio.h>
30 #include <sys/buf.h>
31 #include <sys/modctl.h>
32 #include <sys/open.h>
33 #include <sys/file.h>
34 #include <sys/kmem.h>
35 #include <sys/conf.h>
36 #include <sys/cmn_err.h>
37 #include <sys/stat.h>
38 #include <sys/zfs_ioctl.h>
39 #include <sys/zfs_znode.h>
40 #include <sys/zap.h>
41 #include <sys/spa.h>
42 #include <sys/spa_impl.h>
43 #include <sys/vdev.h>
44 #include <sys/vdev_impl.h>
45 #include <sys/dmu.h>
46 #include <sys/dsl_dir.h>
47 #include <sys/dsl_dataset.h>
48 #include <sys/dsl_prop.h>
49 #include <sys/dsl_deleg.h>
50 #include <sys/dmu_objset.h>
51 #include <sys/ddi.h>
52 #include <sys/sunddi.h>
53 #include <sys/sunldi.h>
54 #include <sys/policy.h>
55 #include <sys/zone.h>
56 #include <sys/nvpair.h>
57 #include <sys/pathname.h>
58 #include <sys/mount.h>
59 #include <sys/sdt.h>
60 #include <sys/fs/zfs.h>
61 #include <sys/zfs_ctldir.h>
62 #include <sys/zfs_dir.h>
63 #include <sys/zvol.h>
64 #include <sharefs/share.h>
65 #include <sys/dmu_objset.h>
66 
67 #include "zfs_namecheck.h"
68 #include "zfs_prop.h"
69 #include "zfs_deleg.h"
70 
71 extern struct modlfs zfs_modlfs;
72 
73 extern void zfs_init(void);
74 extern void zfs_fini(void);
75 
76 ldi_ident_t zfs_li = NULL;
77 dev_info_t *zfs_dip;
78 
79 typedef int zfs_ioc_func_t(zfs_cmd_t *);
80 typedef int zfs_secpolicy_func_t(zfs_cmd_t *, cred_t *);
81 
82 typedef enum {
83 	NO_NAME,
84 	POOL_NAME,
85 	DATASET_NAME
86 } zfs_ioc_namecheck_t;
87 
88 typedef struct zfs_ioc_vec {
89 	zfs_ioc_func_t		*zvec_func;
90 	zfs_secpolicy_func_t	*zvec_secpolicy;
91 	zfs_ioc_namecheck_t	zvec_namecheck;
92 	boolean_t		zvec_his_log;
93 	boolean_t		zvec_pool_check;
94 } zfs_ioc_vec_t;
95 
96 /* This array is indexed by zfs_userquota_prop_t */
97 static const char *userquota_perms[] = {
98 	ZFS_DELEG_PERM_USERUSED,
99 	ZFS_DELEG_PERM_USERQUOTA,
100 	ZFS_DELEG_PERM_GROUPUSED,
101 	ZFS_DELEG_PERM_GROUPQUOTA,
102 };
103 
104 static int zfs_ioc_userspace_upgrade(zfs_cmd_t *zc);
105 static void clear_props(char *dataset, nvlist_t *props, nvlist_t *newprops);
106 static int zfs_fill_zplprops_root(uint64_t, nvlist_t *, nvlist_t *,
107     boolean_t *);
108 int zfs_set_prop_nvlist(const char *, nvlist_t *);
109 
110 /* _NOTE(PRINTFLIKE(4)) - this is printf-like, but lint is too whiney */
111 void
112 __dprintf(const char *file, const char *func, int line, const char *fmt, ...)
113 {
114 	const char *newfile;
115 	char buf[256];
116 	va_list adx;
117 
118 	/*
119 	 * Get rid of annoying "../common/" prefix to filename.
120 	 */
121 	newfile = strrchr(file, '/');
122 	if (newfile != NULL) {
123 		newfile = newfile + 1; /* Get rid of leading / */
124 	} else {
125 		newfile = file;
126 	}
127 
128 	va_start(adx, fmt);
129 	(void) vsnprintf(buf, sizeof (buf), fmt, adx);
130 	va_end(adx);
131 
132 	/*
133 	 * To get this data, use the zfs-dprintf probe as so:
134 	 * dtrace -q -n 'zfs-dprintf \
135 	 *	/stringof(arg0) == "dbuf.c"/ \
136 	 *	{printf("%s: %s", stringof(arg1), stringof(arg3))}'
137 	 * arg0 = file name
138 	 * arg1 = function name
139 	 * arg2 = line number
140 	 * arg3 = message
141 	 */
142 	DTRACE_PROBE4(zfs__dprintf,
143 	    char *, newfile, char *, func, int, line, char *, buf);
144 }
145 
146 static void
147 history_str_free(char *buf)
148 {
149 	kmem_free(buf, HIS_MAX_RECORD_LEN);
150 }
151 
152 static char *
153 history_str_get(zfs_cmd_t *zc)
154 {
155 	char *buf;
156 
157 	if (zc->zc_history == NULL)
158 		return (NULL);
159 
160 	buf = kmem_alloc(HIS_MAX_RECORD_LEN, KM_SLEEP);
161 	if (copyinstr((void *)(uintptr_t)zc->zc_history,
162 	    buf, HIS_MAX_RECORD_LEN, NULL) != 0) {
163 		history_str_free(buf);
164 		return (NULL);
165 	}
166 
167 	buf[HIS_MAX_RECORD_LEN -1] = '\0';
168 
169 	return (buf);
170 }
171 
172 /*
173  * Check to see if the named dataset is currently defined as bootable
174  */
175 static boolean_t
176 zfs_is_bootfs(const char *name)
177 {
178 	objset_t *os;
179 
180 	if (dmu_objset_hold(name, FTAG, &os) == 0) {
181 		boolean_t ret;
182 		ret = (dmu_objset_id(os) == dmu_objset_spa(os)->spa_bootfs);
183 		dmu_objset_rele(os, FTAG);
184 		return (ret);
185 	}
186 	return (B_FALSE);
187 }
188 
189 /*
190  * zfs_earlier_version
191  *
192  *	Return non-zero if the spa version is less than requested version.
193  */
194 static int
195 zfs_earlier_version(const char *name, int version)
196 {
197 	spa_t *spa;
198 
199 	if (spa_open(name, &spa, FTAG) == 0) {
200 		if (spa_version(spa) < version) {
201 			spa_close(spa, FTAG);
202 			return (1);
203 		}
204 		spa_close(spa, FTAG);
205 	}
206 	return (0);
207 }
208 
209 /*
210  * zpl_earlier_version
211  *
212  * Return TRUE if the ZPL version is less than requested version.
213  */
214 static boolean_t
215 zpl_earlier_version(const char *name, int version)
216 {
217 	objset_t *os;
218 	boolean_t rc = B_TRUE;
219 
220 	if (dmu_objset_hold(name, FTAG, &os) == 0) {
221 		uint64_t zplversion;
222 
223 		if (dmu_objset_type(os) != DMU_OST_ZFS) {
224 			dmu_objset_rele(os, FTAG);
225 			return (B_TRUE);
226 		}
227 		/* XXX reading from non-owned objset */
228 		if (zfs_get_zplprop(os, ZFS_PROP_VERSION, &zplversion) == 0)
229 			rc = zplversion < version;
230 		dmu_objset_rele(os, FTAG);
231 	}
232 	return (rc);
233 }
234 
235 static void
236 zfs_log_history(zfs_cmd_t *zc)
237 {
238 	spa_t *spa;
239 	char *buf;
240 
241 	if ((buf = history_str_get(zc)) == NULL)
242 		return;
243 
244 	if (spa_open(zc->zc_name, &spa, FTAG) == 0) {
245 		if (spa_version(spa) >= SPA_VERSION_ZPOOL_HISTORY)
246 			(void) spa_history_log(spa, buf, LOG_CMD_NORMAL);
247 		spa_close(spa, FTAG);
248 	}
249 	history_str_free(buf);
250 }
251 
252 /*
253  * Policy for top-level read operations (list pools).  Requires no privileges,
254  * and can be used in the local zone, as there is no associated dataset.
255  */
256 /* ARGSUSED */
257 static int
258 zfs_secpolicy_none(zfs_cmd_t *zc, cred_t *cr)
259 {
260 	return (0);
261 }
262 
263 /*
264  * Policy for dataset read operations (list children, get statistics).  Requires
265  * no privileges, but must be visible in the local zone.
266  */
267 /* ARGSUSED */
268 static int
269 zfs_secpolicy_read(zfs_cmd_t *zc, cred_t *cr)
270 {
271 	if (INGLOBALZONE(curproc) ||
272 	    zone_dataset_visible(zc->zc_name, NULL))
273 		return (0);
274 
275 	return (ENOENT);
276 }
277 
278 static int
279 zfs_dozonecheck(const char *dataset, cred_t *cr)
280 {
281 	uint64_t zoned;
282 	int writable = 1;
283 
284 	/*
285 	 * The dataset must be visible by this zone -- check this first
286 	 * so they don't see EPERM on something they shouldn't know about.
287 	 */
288 	if (!INGLOBALZONE(curproc) &&
289 	    !zone_dataset_visible(dataset, &writable))
290 		return (ENOENT);
291 
292 	if (dsl_prop_get_integer(dataset, "zoned", &zoned, NULL))
293 		return (ENOENT);
294 
295 	if (INGLOBALZONE(curproc)) {
296 		/*
297 		 * If the fs is zoned, only root can access it from the
298 		 * global zone.
299 		 */
300 		if (secpolicy_zfs(cr) && zoned)
301 			return (EPERM);
302 	} else {
303 		/*
304 		 * If we are in a local zone, the 'zoned' property must be set.
305 		 */
306 		if (!zoned)
307 			return (EPERM);
308 
309 		/* must be writable by this zone */
310 		if (!writable)
311 			return (EPERM);
312 	}
313 	return (0);
314 }
315 
316 int
317 zfs_secpolicy_write_perms(const char *name, const char *perm, cred_t *cr)
318 {
319 	int error;
320 
321 	error = zfs_dozonecheck(name, cr);
322 	if (error == 0) {
323 		error = secpolicy_zfs(cr);
324 		if (error)
325 			error = dsl_deleg_access(name, perm, cr);
326 	}
327 	return (error);
328 }
329 
330 static int
331 zfs_secpolicy_setprop(const char *name, zfs_prop_t prop, cred_t *cr)
332 {
333 	/*
334 	 * Check permissions for special properties.
335 	 */
336 	switch (prop) {
337 	case ZFS_PROP_ZONED:
338 		/*
339 		 * Disallow setting of 'zoned' from within a local zone.
340 		 */
341 		if (!INGLOBALZONE(curproc))
342 			return (EPERM);
343 		break;
344 
345 	case ZFS_PROP_QUOTA:
346 		if (!INGLOBALZONE(curproc)) {
347 			uint64_t zoned;
348 			char setpoint[MAXNAMELEN];
349 			/*
350 			 * Unprivileged users are allowed to modify the
351 			 * quota on things *under* (ie. contained by)
352 			 * the thing they own.
353 			 */
354 			if (dsl_prop_get_integer(name, "zoned", &zoned,
355 			    setpoint))
356 				return (EPERM);
357 			if (!zoned || strlen(name) <= strlen(setpoint))
358 				return (EPERM);
359 		}
360 		break;
361 	}
362 
363 	return (zfs_secpolicy_write_perms(name, zfs_prop_to_name(prop), cr));
364 }
365 
366 int
367 zfs_secpolicy_fsacl(zfs_cmd_t *zc, cred_t *cr)
368 {
369 	int error;
370 
371 	error = zfs_dozonecheck(zc->zc_name, cr);
372 	if (error)
373 		return (error);
374 
375 	/*
376 	 * permission to set permissions will be evaluated later in
377 	 * dsl_deleg_can_allow()
378 	 */
379 	return (0);
380 }
381 
382 int
383 zfs_secpolicy_rollback(zfs_cmd_t *zc, cred_t *cr)
384 {
385 	return (zfs_secpolicy_write_perms(zc->zc_name,
386 	    ZFS_DELEG_PERM_ROLLBACK, cr));
387 }
388 
389 int
390 zfs_secpolicy_send(zfs_cmd_t *zc, cred_t *cr)
391 {
392 	return (zfs_secpolicy_write_perms(zc->zc_name,
393 	    ZFS_DELEG_PERM_SEND, cr));
394 }
395 
396 static int
397 zfs_secpolicy_deleg_share(zfs_cmd_t *zc, cred_t *cr)
398 {
399 	vnode_t *vp;
400 	int error;
401 
402 	if ((error = lookupname(zc->zc_value, UIO_SYSSPACE,
403 	    NO_FOLLOW, NULL, &vp)) != 0)
404 		return (error);
405 
406 	/* Now make sure mntpnt and dataset are ZFS */
407 
408 	if (vp->v_vfsp->vfs_fstype != zfsfstype ||
409 	    (strcmp((char *)refstr_value(vp->v_vfsp->vfs_resource),
410 	    zc->zc_name) != 0)) {
411 		VN_RELE(vp);
412 		return (EPERM);
413 	}
414 
415 	VN_RELE(vp);
416 	return (dsl_deleg_access(zc->zc_name,
417 	    ZFS_DELEG_PERM_SHARE, cr));
418 }
419 
420 int
421 zfs_secpolicy_share(zfs_cmd_t *zc, cred_t *cr)
422 {
423 	if (!INGLOBALZONE(curproc))
424 		return (EPERM);
425 
426 	if (secpolicy_nfs(cr) == 0) {
427 		return (0);
428 	} else {
429 		return (zfs_secpolicy_deleg_share(zc, cr));
430 	}
431 }
432 
433 int
434 zfs_secpolicy_smb_acl(zfs_cmd_t *zc, cred_t *cr)
435 {
436 	if (!INGLOBALZONE(curproc))
437 		return (EPERM);
438 
439 	if (secpolicy_smb(cr) == 0) {
440 		return (0);
441 	} else {
442 		return (zfs_secpolicy_deleg_share(zc, cr));
443 	}
444 }
445 
446 static int
447 zfs_get_parent(const char *datasetname, char *parent, int parentsize)
448 {
449 	char *cp;
450 
451 	/*
452 	 * Remove the @bla or /bla from the end of the name to get the parent.
453 	 */
454 	(void) strncpy(parent, datasetname, parentsize);
455 	cp = strrchr(parent, '@');
456 	if (cp != NULL) {
457 		cp[0] = '\0';
458 	} else {
459 		cp = strrchr(parent, '/');
460 		if (cp == NULL)
461 			return (ENOENT);
462 		cp[0] = '\0';
463 	}
464 
465 	return (0);
466 }
467 
468 int
469 zfs_secpolicy_destroy_perms(const char *name, cred_t *cr)
470 {
471 	int error;
472 
473 	if ((error = zfs_secpolicy_write_perms(name,
474 	    ZFS_DELEG_PERM_MOUNT, cr)) != 0)
475 		return (error);
476 
477 	return (zfs_secpolicy_write_perms(name, ZFS_DELEG_PERM_DESTROY, cr));
478 }
479 
480 static int
481 zfs_secpolicy_destroy(zfs_cmd_t *zc, cred_t *cr)
482 {
483 	return (zfs_secpolicy_destroy_perms(zc->zc_name, cr));
484 }
485 
486 /*
487  * Must have sys_config privilege to check the iscsi permission
488  */
489 /* ARGSUSED */
490 static int
491 zfs_secpolicy_iscsi(zfs_cmd_t *zc, cred_t *cr)
492 {
493 	return (secpolicy_zfs(cr));
494 }
495 
496 int
497 zfs_secpolicy_rename_perms(const char *from, const char *to, cred_t *cr)
498 {
499 	char 	parentname[MAXNAMELEN];
500 	int	error;
501 
502 	if ((error = zfs_secpolicy_write_perms(from,
503 	    ZFS_DELEG_PERM_RENAME, cr)) != 0)
504 		return (error);
505 
506 	if ((error = zfs_secpolicy_write_perms(from,
507 	    ZFS_DELEG_PERM_MOUNT, cr)) != 0)
508 		return (error);
509 
510 	if ((error = zfs_get_parent(to, parentname,
511 	    sizeof (parentname))) != 0)
512 		return (error);
513 
514 	if ((error = zfs_secpolicy_write_perms(parentname,
515 	    ZFS_DELEG_PERM_CREATE, cr)) != 0)
516 		return (error);
517 
518 	if ((error = zfs_secpolicy_write_perms(parentname,
519 	    ZFS_DELEG_PERM_MOUNT, cr)) != 0)
520 		return (error);
521 
522 	return (error);
523 }
524 
525 static int
526 zfs_secpolicy_rename(zfs_cmd_t *zc, cred_t *cr)
527 {
528 	return (zfs_secpolicy_rename_perms(zc->zc_name, zc->zc_value, cr));
529 }
530 
531 static int
532 zfs_secpolicy_promote(zfs_cmd_t *zc, cred_t *cr)
533 {
534 	char 	parentname[MAXNAMELEN];
535 	objset_t *clone;
536 	int error;
537 
538 	error = zfs_secpolicy_write_perms(zc->zc_name,
539 	    ZFS_DELEG_PERM_PROMOTE, cr);
540 	if (error)
541 		return (error);
542 
543 	error = dmu_objset_hold(zc->zc_name, FTAG, &clone);
544 
545 	if (error == 0) {
546 		dsl_dataset_t *pclone = NULL;
547 		dsl_dir_t *dd;
548 		dd = clone->os_dsl_dataset->ds_dir;
549 
550 		rw_enter(&dd->dd_pool->dp_config_rwlock, RW_READER);
551 		error = dsl_dataset_hold_obj(dd->dd_pool,
552 		    dd->dd_phys->dd_origin_obj, FTAG, &pclone);
553 		rw_exit(&dd->dd_pool->dp_config_rwlock);
554 		if (error) {
555 			dmu_objset_rele(clone, FTAG);
556 			return (error);
557 		}
558 
559 		error = zfs_secpolicy_write_perms(zc->zc_name,
560 		    ZFS_DELEG_PERM_MOUNT, cr);
561 
562 		dsl_dataset_name(pclone, parentname);
563 		dmu_objset_rele(clone, FTAG);
564 		dsl_dataset_rele(pclone, FTAG);
565 		if (error == 0)
566 			error = zfs_secpolicy_write_perms(parentname,
567 			    ZFS_DELEG_PERM_PROMOTE, cr);
568 	}
569 	return (error);
570 }
571 
572 static int
573 zfs_secpolicy_receive(zfs_cmd_t *zc, cred_t *cr)
574 {
575 	int error;
576 
577 	if ((error = zfs_secpolicy_write_perms(zc->zc_name,
578 	    ZFS_DELEG_PERM_RECEIVE, cr)) != 0)
579 		return (error);
580 
581 	if ((error = zfs_secpolicy_write_perms(zc->zc_name,
582 	    ZFS_DELEG_PERM_MOUNT, cr)) != 0)
583 		return (error);
584 
585 	return (zfs_secpolicy_write_perms(zc->zc_name,
586 	    ZFS_DELEG_PERM_CREATE, cr));
587 }
588 
589 int
590 zfs_secpolicy_snapshot_perms(const char *name, cred_t *cr)
591 {
592 	return (zfs_secpolicy_write_perms(name,
593 	    ZFS_DELEG_PERM_SNAPSHOT, cr));
594 }
595 
596 static int
597 zfs_secpolicy_snapshot(zfs_cmd_t *zc, cred_t *cr)
598 {
599 
600 	return (zfs_secpolicy_snapshot_perms(zc->zc_name, cr));
601 }
602 
603 static int
604 zfs_secpolicy_create(zfs_cmd_t *zc, cred_t *cr)
605 {
606 	char 	parentname[MAXNAMELEN];
607 	int 	error;
608 
609 	if ((error = zfs_get_parent(zc->zc_name, parentname,
610 	    sizeof (parentname))) != 0)
611 		return (error);
612 
613 	if (zc->zc_value[0] != '\0') {
614 		if ((error = zfs_secpolicy_write_perms(zc->zc_value,
615 		    ZFS_DELEG_PERM_CLONE, cr)) != 0)
616 			return (error);
617 	}
618 
619 	if ((error = zfs_secpolicy_write_perms(parentname,
620 	    ZFS_DELEG_PERM_CREATE, cr)) != 0)
621 		return (error);
622 
623 	error = zfs_secpolicy_write_perms(parentname,
624 	    ZFS_DELEG_PERM_MOUNT, cr);
625 
626 	return (error);
627 }
628 
629 static int
630 zfs_secpolicy_umount(zfs_cmd_t *zc, cred_t *cr)
631 {
632 	int error;
633 
634 	error = secpolicy_fs_unmount(cr, NULL);
635 	if (error) {
636 		error = dsl_deleg_access(zc->zc_name, ZFS_DELEG_PERM_MOUNT, cr);
637 	}
638 	return (error);
639 }
640 
641 /*
642  * Policy for pool operations - create/destroy pools, add vdevs, etc.  Requires
643  * SYS_CONFIG privilege, which is not available in a local zone.
644  */
645 /* ARGSUSED */
646 static int
647 zfs_secpolicy_config(zfs_cmd_t *zc, cred_t *cr)
648 {
649 	if (secpolicy_sys_config(cr, B_FALSE) != 0)
650 		return (EPERM);
651 
652 	return (0);
653 }
654 
655 /*
656  * Policy for fault injection.  Requires all privileges.
657  */
658 /* ARGSUSED */
659 static int
660 zfs_secpolicy_inject(zfs_cmd_t *zc, cred_t *cr)
661 {
662 	return (secpolicy_zinject(cr));
663 }
664 
665 static int
666 zfs_secpolicy_inherit(zfs_cmd_t *zc, cred_t *cr)
667 {
668 	zfs_prop_t prop = zfs_name_to_prop(zc->zc_value);
669 
670 	if (prop == ZPROP_INVAL) {
671 		if (!zfs_prop_user(zc->zc_value))
672 			return (EINVAL);
673 		return (zfs_secpolicy_write_perms(zc->zc_name,
674 		    ZFS_DELEG_PERM_USERPROP, cr));
675 	} else {
676 		if (!zfs_prop_inheritable(prop))
677 			return (EINVAL);
678 		return (zfs_secpolicy_setprop(zc->zc_name, prop, cr));
679 	}
680 }
681 
682 static int
683 zfs_secpolicy_userspace_one(zfs_cmd_t *zc, cred_t *cr)
684 {
685 	int err = zfs_secpolicy_read(zc, cr);
686 	if (err)
687 		return (err);
688 
689 	if (zc->zc_objset_type >= ZFS_NUM_USERQUOTA_PROPS)
690 		return (EINVAL);
691 
692 	if (zc->zc_value[0] == 0) {
693 		/*
694 		 * They are asking about a posix uid/gid.  If it's
695 		 * themself, allow it.
696 		 */
697 		if (zc->zc_objset_type == ZFS_PROP_USERUSED ||
698 		    zc->zc_objset_type == ZFS_PROP_USERQUOTA) {
699 			if (zc->zc_guid == crgetuid(cr))
700 				return (0);
701 		} else {
702 			if (groupmember(zc->zc_guid, cr))
703 				return (0);
704 		}
705 	}
706 
707 	return (zfs_secpolicy_write_perms(zc->zc_name,
708 	    userquota_perms[zc->zc_objset_type], cr));
709 }
710 
711 static int
712 zfs_secpolicy_userspace_many(zfs_cmd_t *zc, cred_t *cr)
713 {
714 	int err = zfs_secpolicy_read(zc, cr);
715 	if (err)
716 		return (err);
717 
718 	if (zc->zc_objset_type >= ZFS_NUM_USERQUOTA_PROPS)
719 		return (EINVAL);
720 
721 	return (zfs_secpolicy_write_perms(zc->zc_name,
722 	    userquota_perms[zc->zc_objset_type], cr));
723 }
724 
725 static int
726 zfs_secpolicy_userspace_upgrade(zfs_cmd_t *zc, cred_t *cr)
727 {
728 	return (zfs_secpolicy_setprop(zc->zc_name, ZFS_PROP_VERSION, cr));
729 }
730 
731 static int
732 zfs_secpolicy_hold(zfs_cmd_t *zc, cred_t *cr)
733 {
734 	return (zfs_secpolicy_write_perms(zc->zc_name,
735 	    ZFS_DELEG_PERM_HOLD, cr));
736 }
737 
738 static int
739 zfs_secpolicy_release(zfs_cmd_t *zc, cred_t *cr)
740 {
741 	return (zfs_secpolicy_write_perms(zc->zc_name,
742 	    ZFS_DELEG_PERM_RELEASE, cr));
743 }
744 
745 /*
746  * Returns the nvlist as specified by the user in the zfs_cmd_t.
747  */
748 static int
749 get_nvlist(uint64_t nvl, uint64_t size, int iflag, nvlist_t **nvp)
750 {
751 	char *packed;
752 	int error;
753 	nvlist_t *list = NULL;
754 
755 	/*
756 	 * Read in and unpack the user-supplied nvlist.
757 	 */
758 	if (size == 0)
759 		return (EINVAL);
760 
761 	packed = kmem_alloc(size, KM_SLEEP);
762 
763 	if ((error = ddi_copyin((void *)(uintptr_t)nvl, packed, size,
764 	    iflag)) != 0) {
765 		kmem_free(packed, size);
766 		return (error);
767 	}
768 
769 	if ((error = nvlist_unpack(packed, size, &list, 0)) != 0) {
770 		kmem_free(packed, size);
771 		return (error);
772 	}
773 
774 	kmem_free(packed, size);
775 
776 	*nvp = list;
777 	return (0);
778 }
779 
780 static int
781 put_nvlist(zfs_cmd_t *zc, nvlist_t *nvl)
782 {
783 	char *packed = NULL;
784 	size_t size;
785 	int error;
786 
787 	VERIFY(nvlist_size(nvl, &size, NV_ENCODE_NATIVE) == 0);
788 
789 	if (size > zc->zc_nvlist_dst_size) {
790 		error = ENOMEM;
791 	} else {
792 		packed = kmem_alloc(size, KM_SLEEP);
793 		VERIFY(nvlist_pack(nvl, &packed, &size, NV_ENCODE_NATIVE,
794 		    KM_SLEEP) == 0);
795 		error = ddi_copyout(packed,
796 		    (void *)(uintptr_t)zc->zc_nvlist_dst, size, zc->zc_iflags);
797 		kmem_free(packed, size);
798 	}
799 
800 	zc->zc_nvlist_dst_size = size;
801 	return (error);
802 }
803 
804 static int
805 getzfsvfs(const char *dsname, zfsvfs_t **zvp)
806 {
807 	objset_t *os;
808 	int error;
809 
810 	error = dmu_objset_hold(dsname, FTAG, &os);
811 	if (error)
812 		return (error);
813 	if (dmu_objset_type(os) != DMU_OST_ZFS) {
814 		dmu_objset_rele(os, FTAG);
815 		return (EINVAL);
816 	}
817 
818 	mutex_enter(&os->os_user_ptr_lock);
819 	*zvp = dmu_objset_get_user(os);
820 	if (*zvp) {
821 		VFS_HOLD((*zvp)->z_vfs);
822 	} else {
823 		error = ESRCH;
824 	}
825 	mutex_exit(&os->os_user_ptr_lock);
826 	dmu_objset_rele(os, FTAG);
827 	return (error);
828 }
829 
830 /*
831  * Find a zfsvfs_t for a mounted filesystem, or create our own, in which
832  * case its z_vfs will be NULL, and it will be opened as the owner.
833  */
834 static int
835 zfsvfs_hold(const char *name, void *tag, zfsvfs_t **zvp)
836 {
837 	int error = 0;
838 
839 	if (getzfsvfs(name, zvp) != 0)
840 		error = zfsvfs_create(name, zvp);
841 	if (error == 0) {
842 		rrw_enter(&(*zvp)->z_teardown_lock, RW_READER, tag);
843 		if ((*zvp)->z_unmounted) {
844 			/*
845 			 * XXX we could probably try again, since the unmounting
846 			 * thread should be just about to disassociate the
847 			 * objset from the zfsvfs.
848 			 */
849 			rrw_exit(&(*zvp)->z_teardown_lock, tag);
850 			return (EBUSY);
851 		}
852 	}
853 	return (error);
854 }
855 
856 static void
857 zfsvfs_rele(zfsvfs_t *zfsvfs, void *tag)
858 {
859 	rrw_exit(&zfsvfs->z_teardown_lock, tag);
860 
861 	if (zfsvfs->z_vfs) {
862 		VFS_RELE(zfsvfs->z_vfs);
863 	} else {
864 		dmu_objset_disown(zfsvfs->z_os, zfsvfs);
865 		zfsvfs_free(zfsvfs);
866 	}
867 }
868 
869 static int
870 zfs_ioc_pool_create(zfs_cmd_t *zc)
871 {
872 	int error;
873 	nvlist_t *config, *props = NULL;
874 	nvlist_t *rootprops = NULL;
875 	nvlist_t *zplprops = NULL;
876 	char *buf;
877 
878 	if (error = get_nvlist(zc->zc_nvlist_conf, zc->zc_nvlist_conf_size,
879 	    zc->zc_iflags, &config))
880 		return (error);
881 
882 	if (zc->zc_nvlist_src_size != 0 && (error =
883 	    get_nvlist(zc->zc_nvlist_src, zc->zc_nvlist_src_size,
884 	    zc->zc_iflags, &props))) {
885 		nvlist_free(config);
886 		return (error);
887 	}
888 
889 	if (props) {
890 		nvlist_t *nvl = NULL;
891 		uint64_t version = SPA_VERSION;
892 
893 		(void) nvlist_lookup_uint64(props,
894 		    zpool_prop_to_name(ZPOOL_PROP_VERSION), &version);
895 		if (version < SPA_VERSION_INITIAL || version > SPA_VERSION) {
896 			error = EINVAL;
897 			goto pool_props_bad;
898 		}
899 		(void) nvlist_lookup_nvlist(props, ZPOOL_ROOTFS_PROPS, &nvl);
900 		if (nvl) {
901 			error = nvlist_dup(nvl, &rootprops, KM_SLEEP);
902 			if (error != 0) {
903 				nvlist_free(config);
904 				nvlist_free(props);
905 				return (error);
906 			}
907 			(void) nvlist_remove_all(props, ZPOOL_ROOTFS_PROPS);
908 		}
909 		VERIFY(nvlist_alloc(&zplprops, NV_UNIQUE_NAME, KM_SLEEP) == 0);
910 		error = zfs_fill_zplprops_root(version, rootprops,
911 		    zplprops, NULL);
912 		if (error)
913 			goto pool_props_bad;
914 	}
915 
916 	buf = history_str_get(zc);
917 
918 	error = spa_create(zc->zc_name, config, props, buf, zplprops);
919 
920 	/*
921 	 * Set the remaining root properties
922 	 */
923 	if (!error &&
924 	    (error = zfs_set_prop_nvlist(zc->zc_name, rootprops)) != 0)
925 		(void) spa_destroy(zc->zc_name);
926 
927 	if (buf != NULL)
928 		history_str_free(buf);
929 
930 pool_props_bad:
931 	nvlist_free(rootprops);
932 	nvlist_free(zplprops);
933 	nvlist_free(config);
934 	nvlist_free(props);
935 
936 	return (error);
937 }
938 
939 static int
940 zfs_ioc_pool_destroy(zfs_cmd_t *zc)
941 {
942 	int error;
943 	zfs_log_history(zc);
944 	error = spa_destroy(zc->zc_name);
945 	if (error == 0)
946 		zvol_remove_minors(zc->zc_name);
947 	return (error);
948 }
949 
950 static int
951 zfs_ioc_pool_import(zfs_cmd_t *zc)
952 {
953 	int error;
954 	nvlist_t *config, *props = NULL;
955 	uint64_t guid;
956 
957 	if ((error = get_nvlist(zc->zc_nvlist_conf, zc->zc_nvlist_conf_size,
958 	    zc->zc_iflags, &config)) != 0)
959 		return (error);
960 
961 	if (zc->zc_nvlist_src_size != 0 && (error =
962 	    get_nvlist(zc->zc_nvlist_src, zc->zc_nvlist_src_size,
963 	    zc->zc_iflags, &props))) {
964 		nvlist_free(config);
965 		return (error);
966 	}
967 
968 	if (nvlist_lookup_uint64(config, ZPOOL_CONFIG_POOL_GUID, &guid) != 0 ||
969 	    guid != zc->zc_guid)
970 		error = EINVAL;
971 	else if (zc->zc_cookie)
972 		error = spa_import_verbatim(zc->zc_name, config,
973 		    props);
974 	else
975 		error = spa_import(zc->zc_name, config, props);
976 
977 	nvlist_free(config);
978 
979 	if (props)
980 		nvlist_free(props);
981 
982 	return (error);
983 }
984 
985 static int
986 zfs_ioc_pool_export(zfs_cmd_t *zc)
987 {
988 	int error;
989 	boolean_t force = (boolean_t)zc->zc_cookie;
990 	boolean_t hardforce = (boolean_t)zc->zc_guid;
991 
992 	zfs_log_history(zc);
993 	error = spa_export(zc->zc_name, NULL, force, hardforce);
994 	if (error == 0)
995 		zvol_remove_minors(zc->zc_name);
996 	return (error);
997 }
998 
999 static int
1000 zfs_ioc_pool_configs(zfs_cmd_t *zc)
1001 {
1002 	nvlist_t *configs;
1003 	int error;
1004 
1005 	if ((configs = spa_all_configs(&zc->zc_cookie)) == NULL)
1006 		return (EEXIST);
1007 
1008 	error = put_nvlist(zc, configs);
1009 
1010 	nvlist_free(configs);
1011 
1012 	return (error);
1013 }
1014 
1015 static int
1016 zfs_ioc_pool_stats(zfs_cmd_t *zc)
1017 {
1018 	nvlist_t *config;
1019 	int error;
1020 	int ret = 0;
1021 
1022 	error = spa_get_stats(zc->zc_name, &config, zc->zc_value,
1023 	    sizeof (zc->zc_value));
1024 
1025 	if (config != NULL) {
1026 		ret = put_nvlist(zc, config);
1027 		nvlist_free(config);
1028 
1029 		/*
1030 		 * The config may be present even if 'error' is non-zero.
1031 		 * In this case we return success, and preserve the real errno
1032 		 * in 'zc_cookie'.
1033 		 */
1034 		zc->zc_cookie = error;
1035 	} else {
1036 		ret = error;
1037 	}
1038 
1039 	return (ret);
1040 }
1041 
1042 /*
1043  * Try to import the given pool, returning pool stats as appropriate so that
1044  * user land knows which devices are available and overall pool health.
1045  */
1046 static int
1047 zfs_ioc_pool_tryimport(zfs_cmd_t *zc)
1048 {
1049 	nvlist_t *tryconfig, *config;
1050 	int error;
1051 
1052 	if ((error = get_nvlist(zc->zc_nvlist_conf, zc->zc_nvlist_conf_size,
1053 	    zc->zc_iflags, &tryconfig)) != 0)
1054 		return (error);
1055 
1056 	config = spa_tryimport(tryconfig);
1057 
1058 	nvlist_free(tryconfig);
1059 
1060 	if (config == NULL)
1061 		return (EINVAL);
1062 
1063 	error = put_nvlist(zc, config);
1064 	nvlist_free(config);
1065 
1066 	return (error);
1067 }
1068 
1069 static int
1070 zfs_ioc_pool_scrub(zfs_cmd_t *zc)
1071 {
1072 	spa_t *spa;
1073 	int error;
1074 
1075 	if ((error = spa_open(zc->zc_name, &spa, FTAG)) != 0)
1076 		return (error);
1077 
1078 	error = spa_scrub(spa, zc->zc_cookie);
1079 
1080 	spa_close(spa, FTAG);
1081 
1082 	return (error);
1083 }
1084 
1085 static int
1086 zfs_ioc_pool_freeze(zfs_cmd_t *zc)
1087 {
1088 	spa_t *spa;
1089 	int error;
1090 
1091 	error = spa_open(zc->zc_name, &spa, FTAG);
1092 	if (error == 0) {
1093 		spa_freeze(spa);
1094 		spa_close(spa, FTAG);
1095 	}
1096 	return (error);
1097 }
1098 
1099 static int
1100 zfs_ioc_pool_upgrade(zfs_cmd_t *zc)
1101 {
1102 	spa_t *spa;
1103 	int error;
1104 
1105 	if ((error = spa_open(zc->zc_name, &spa, FTAG)) != 0)
1106 		return (error);
1107 
1108 	if (zc->zc_cookie < spa_version(spa) || zc->zc_cookie > SPA_VERSION) {
1109 		spa_close(spa, FTAG);
1110 		return (EINVAL);
1111 	}
1112 
1113 	spa_upgrade(spa, zc->zc_cookie);
1114 	spa_close(spa, FTAG);
1115 
1116 	return (error);
1117 }
1118 
1119 static int
1120 zfs_ioc_pool_get_history(zfs_cmd_t *zc)
1121 {
1122 	spa_t *spa;
1123 	char *hist_buf;
1124 	uint64_t size;
1125 	int error;
1126 
1127 	if ((size = zc->zc_history_len) == 0)
1128 		return (EINVAL);
1129 
1130 	if ((error = spa_open(zc->zc_name, &spa, FTAG)) != 0)
1131 		return (error);
1132 
1133 	if (spa_version(spa) < SPA_VERSION_ZPOOL_HISTORY) {
1134 		spa_close(spa, FTAG);
1135 		return (ENOTSUP);
1136 	}
1137 
1138 	hist_buf = kmem_alloc(size, KM_SLEEP);
1139 	if ((error = spa_history_get(spa, &zc->zc_history_offset,
1140 	    &zc->zc_history_len, hist_buf)) == 0) {
1141 		error = ddi_copyout(hist_buf,
1142 		    (void *)(uintptr_t)zc->zc_history,
1143 		    zc->zc_history_len, zc->zc_iflags);
1144 	}
1145 
1146 	spa_close(spa, FTAG);
1147 	kmem_free(hist_buf, size);
1148 	return (error);
1149 }
1150 
1151 static int
1152 zfs_ioc_dsobj_to_dsname(zfs_cmd_t *zc)
1153 {
1154 	int error;
1155 
1156 	if (error = dsl_dsobj_to_dsname(zc->zc_name, zc->zc_obj, zc->zc_value))
1157 		return (error);
1158 
1159 	return (0);
1160 }
1161 
1162 /*
1163  * inputs:
1164  * zc_name		name of filesystem
1165  * zc_obj		object to find
1166  *
1167  * outputs:
1168  * zc_value		name of object
1169  */
1170 static int
1171 zfs_ioc_obj_to_path(zfs_cmd_t *zc)
1172 {
1173 	objset_t *os;
1174 	int error;
1175 
1176 	/* XXX reading from objset not owned */
1177 	if ((error = dmu_objset_hold(zc->zc_name, FTAG, &os)) != 0)
1178 		return (error);
1179 	if (dmu_objset_type(os) != DMU_OST_ZFS) {
1180 		dmu_objset_rele(os, FTAG);
1181 		return (EINVAL);
1182 	}
1183 	error = zfs_obj_to_path(os, zc->zc_obj, zc->zc_value,
1184 	    sizeof (zc->zc_value));
1185 	dmu_objset_rele(os, FTAG);
1186 
1187 	return (error);
1188 }
1189 
1190 static int
1191 zfs_ioc_vdev_add(zfs_cmd_t *zc)
1192 {
1193 	spa_t *spa;
1194 	int error;
1195 	nvlist_t *config, **l2cache, **spares;
1196 	uint_t nl2cache = 0, nspares = 0;
1197 
1198 	error = spa_open(zc->zc_name, &spa, FTAG);
1199 	if (error != 0)
1200 		return (error);
1201 
1202 	error = get_nvlist(zc->zc_nvlist_conf, zc->zc_nvlist_conf_size,
1203 	    zc->zc_iflags, &config);
1204 	(void) nvlist_lookup_nvlist_array(config, ZPOOL_CONFIG_L2CACHE,
1205 	    &l2cache, &nl2cache);
1206 
1207 	(void) nvlist_lookup_nvlist_array(config, ZPOOL_CONFIG_SPARES,
1208 	    &spares, &nspares);
1209 
1210 	/*
1211 	 * A root pool with concatenated devices is not supported.
1212 	 * Thus, can not add a device to a root pool.
1213 	 *
1214 	 * Intent log device can not be added to a rootpool because
1215 	 * during mountroot, zil is replayed, a seperated log device
1216 	 * can not be accessed during the mountroot time.
1217 	 *
1218 	 * l2cache and spare devices are ok to be added to a rootpool.
1219 	 */
1220 	if (spa->spa_bootfs != 0 && nl2cache == 0 && nspares == 0) {
1221 		spa_close(spa, FTAG);
1222 		return (EDOM);
1223 	}
1224 
1225 	if (error == 0) {
1226 		error = spa_vdev_add(spa, config);
1227 		nvlist_free(config);
1228 	}
1229 	spa_close(spa, FTAG);
1230 	return (error);
1231 }
1232 
1233 static int
1234 zfs_ioc_vdev_remove(zfs_cmd_t *zc)
1235 {
1236 	spa_t *spa;
1237 	int error;
1238 
1239 	error = spa_open(zc->zc_name, &spa, FTAG);
1240 	if (error != 0)
1241 		return (error);
1242 	error = spa_vdev_remove(spa, zc->zc_guid, B_FALSE);
1243 	spa_close(spa, FTAG);
1244 	return (error);
1245 }
1246 
1247 static int
1248 zfs_ioc_vdev_set_state(zfs_cmd_t *zc)
1249 {
1250 	boolean_t nslock;
1251 	spa_t *spa;
1252 	int error;
1253 	vdev_state_t newstate = VDEV_STATE_UNKNOWN;
1254 
1255 	if ((error = spa_open(zc->zc_name, &spa, FTAG)) != 0)
1256 		return (error);
1257 	nslock = spa_uses_zvols(spa);
1258 	if (nslock)
1259 		mutex_enter(&spa_namespace_lock);
1260 	switch (zc->zc_cookie) {
1261 	case VDEV_STATE_ONLINE:
1262 		error = vdev_online(spa, zc->zc_guid, zc->zc_obj, &newstate);
1263 		break;
1264 
1265 	case VDEV_STATE_OFFLINE:
1266 		error = vdev_offline(spa, zc->zc_guid, zc->zc_obj);
1267 		break;
1268 
1269 	case VDEV_STATE_FAULTED:
1270 		error = vdev_fault(spa, zc->zc_guid);
1271 		break;
1272 
1273 	case VDEV_STATE_DEGRADED:
1274 		error = vdev_degrade(spa, zc->zc_guid);
1275 		break;
1276 
1277 	default:
1278 		error = EINVAL;
1279 	}
1280 	if (nslock)
1281 		mutex_exit(&spa_namespace_lock);
1282 	zc->zc_cookie = newstate;
1283 	spa_close(spa, FTAG);
1284 	return (error);
1285 }
1286 
1287 static int
1288 zfs_ioc_vdev_attach(zfs_cmd_t *zc)
1289 {
1290 	spa_t *spa;
1291 	int replacing = zc->zc_cookie;
1292 	nvlist_t *config;
1293 	int error;
1294 
1295 	if ((error = spa_open(zc->zc_name, &spa, FTAG)) != 0)
1296 		return (error);
1297 
1298 	if ((error = get_nvlist(zc->zc_nvlist_conf, zc->zc_nvlist_conf_size,
1299 	    zc->zc_iflags, &config)) == 0) {
1300 		error = spa_vdev_attach(spa, zc->zc_guid, config, replacing);
1301 		nvlist_free(config);
1302 	}
1303 
1304 	spa_close(spa, FTAG);
1305 	return (error);
1306 }
1307 
1308 static int
1309 zfs_ioc_vdev_detach(zfs_cmd_t *zc)
1310 {
1311 	spa_t *spa;
1312 	int error;
1313 
1314 	if ((error = spa_open(zc->zc_name, &spa, FTAG)) != 0)
1315 		return (error);
1316 
1317 	error = spa_vdev_detach(spa, zc->zc_guid, 0, B_FALSE);
1318 
1319 	spa_close(spa, FTAG);
1320 	return (error);
1321 }
1322 
1323 static int
1324 zfs_ioc_vdev_setpath(zfs_cmd_t *zc)
1325 {
1326 	spa_t *spa;
1327 	char *path = zc->zc_value;
1328 	uint64_t guid = zc->zc_guid;
1329 	int error;
1330 
1331 	error = spa_open(zc->zc_name, &spa, FTAG);
1332 	if (error != 0)
1333 		return (error);
1334 
1335 	error = spa_vdev_setpath(spa, guid, path);
1336 	spa_close(spa, FTAG);
1337 	return (error);
1338 }
1339 
1340 static int
1341 zfs_ioc_vdev_setfru(zfs_cmd_t *zc)
1342 {
1343 	spa_t *spa;
1344 	char *fru = zc->zc_value;
1345 	uint64_t guid = zc->zc_guid;
1346 	int error;
1347 
1348 	error = spa_open(zc->zc_name, &spa, FTAG);
1349 	if (error != 0)
1350 		return (error);
1351 
1352 	error = spa_vdev_setfru(spa, guid, fru);
1353 	spa_close(spa, FTAG);
1354 	return (error);
1355 }
1356 
1357 /*
1358  * inputs:
1359  * zc_name		name of filesystem
1360  * zc_nvlist_dst_size	size of buffer for property nvlist
1361  *
1362  * outputs:
1363  * zc_objset_stats	stats
1364  * zc_nvlist_dst	property nvlist
1365  * zc_nvlist_dst_size	size of property nvlist
1366  */
1367 static int
1368 zfs_ioc_objset_stats(zfs_cmd_t *zc)
1369 {
1370 	objset_t *os = NULL;
1371 	int error;
1372 	nvlist_t *nv;
1373 
1374 	if (error = dmu_objset_hold(zc->zc_name, FTAG, &os))
1375 		return (error);
1376 
1377 	dmu_objset_fast_stat(os, &zc->zc_objset_stats);
1378 
1379 	if (zc->zc_nvlist_dst != 0 &&
1380 	    (error = dsl_prop_get_all(os, &nv, FALSE)) == 0) {
1381 		dmu_objset_stats(os, nv);
1382 		/*
1383 		 * NB: zvol_get_stats() will read the objset contents,
1384 		 * which we aren't supposed to do with a
1385 		 * DS_MODE_USER hold, because it could be
1386 		 * inconsistent.  So this is a bit of a workaround...
1387 		 * XXX reading with out owning
1388 		 */
1389 		if (!zc->zc_objset_stats.dds_inconsistent) {
1390 			if (dmu_objset_type(os) == DMU_OST_ZVOL)
1391 				VERIFY(zvol_get_stats(os, nv) == 0);
1392 		}
1393 		error = put_nvlist(zc, nv);
1394 		nvlist_free(nv);
1395 	}
1396 
1397 	dmu_objset_rele(os, FTAG);
1398 	return (error);
1399 }
1400 
1401 static int
1402 nvl_add_zplprop(objset_t *os, nvlist_t *props, zfs_prop_t prop)
1403 {
1404 	uint64_t value;
1405 	int error;
1406 
1407 	/*
1408 	 * zfs_get_zplprop() will either find a value or give us
1409 	 * the default value (if there is one).
1410 	 */
1411 	if ((error = zfs_get_zplprop(os, prop, &value)) != 0)
1412 		return (error);
1413 	VERIFY(nvlist_add_uint64(props, zfs_prop_to_name(prop), value) == 0);
1414 	return (0);
1415 }
1416 
1417 /*
1418  * inputs:
1419  * zc_name		name of filesystem
1420  * zc_nvlist_dst_size	size of buffer for zpl property nvlist
1421  *
1422  * outputs:
1423  * zc_nvlist_dst	zpl property nvlist
1424  * zc_nvlist_dst_size	size of zpl property nvlist
1425  */
1426 static int
1427 zfs_ioc_objset_zplprops(zfs_cmd_t *zc)
1428 {
1429 	objset_t *os;
1430 	int err;
1431 
1432 	/* XXX reading without owning */
1433 	if (err = dmu_objset_hold(zc->zc_name, FTAG, &os))
1434 		return (err);
1435 
1436 	dmu_objset_fast_stat(os, &zc->zc_objset_stats);
1437 
1438 	/*
1439 	 * NB: nvl_add_zplprop() will read the objset contents,
1440 	 * which we aren't supposed to do with a DS_MODE_USER
1441 	 * hold, because it could be inconsistent.
1442 	 */
1443 	if (zc->zc_nvlist_dst != NULL &&
1444 	    !zc->zc_objset_stats.dds_inconsistent &&
1445 	    dmu_objset_type(os) == DMU_OST_ZFS) {
1446 		nvlist_t *nv;
1447 
1448 		VERIFY(nvlist_alloc(&nv, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1449 		if ((err = nvl_add_zplprop(os, nv, ZFS_PROP_VERSION)) == 0 &&
1450 		    (err = nvl_add_zplprop(os, nv, ZFS_PROP_NORMALIZE)) == 0 &&
1451 		    (err = nvl_add_zplprop(os, nv, ZFS_PROP_UTF8ONLY)) == 0 &&
1452 		    (err = nvl_add_zplprop(os, nv, ZFS_PROP_CASE)) == 0)
1453 			err = put_nvlist(zc, nv);
1454 		nvlist_free(nv);
1455 	} else {
1456 		err = ENOENT;
1457 	}
1458 	dmu_objset_rele(os, FTAG);
1459 	return (err);
1460 }
1461 
1462 static boolean_t
1463 dataset_name_hidden(const char *name)
1464 {
1465 	/*
1466 	 * Skip over datasets that are not visible in this zone,
1467 	 * internal datasets (which have a $ in their name), and
1468 	 * temporary datasets (which have a % in their name).
1469 	 */
1470 	if (strchr(name, '$') != NULL)
1471 		return (B_TRUE);
1472 	if (strchr(name, '%') != NULL)
1473 		return (B_TRUE);
1474 	if (!INGLOBALZONE(curproc) && !zone_dataset_visible(name, NULL))
1475 		return (B_TRUE);
1476 	return (B_FALSE);
1477 }
1478 
1479 /*
1480  * inputs:
1481  * zc_name		name of filesystem
1482  * zc_cookie		zap cursor
1483  * zc_nvlist_dst_size	size of buffer for property nvlist
1484  *
1485  * outputs:
1486  * zc_name		name of next filesystem
1487  * zc_cookie		zap cursor
1488  * zc_objset_stats	stats
1489  * zc_nvlist_dst	property nvlist
1490  * zc_nvlist_dst_size	size of property nvlist
1491  */
1492 static int
1493 zfs_ioc_dataset_list_next(zfs_cmd_t *zc)
1494 {
1495 	objset_t *os;
1496 	int error;
1497 	char *p;
1498 
1499 	if (error = dmu_objset_hold(zc->zc_name, FTAG, &os)) {
1500 		if (error == ENOENT)
1501 			error = ESRCH;
1502 		return (error);
1503 	}
1504 
1505 	p = strrchr(zc->zc_name, '/');
1506 	if (p == NULL || p[1] != '\0')
1507 		(void) strlcat(zc->zc_name, "/", sizeof (zc->zc_name));
1508 	p = zc->zc_name + strlen(zc->zc_name);
1509 
1510 	/*
1511 	 * Pre-fetch the datasets.  dmu_objset_prefetch() always returns 0
1512 	 * but is not declared void because its called by dmu_objset_find().
1513 	 */
1514 	if (zc->zc_cookie == 0) {
1515 		uint64_t cookie = 0;
1516 		int len = sizeof (zc->zc_name) - (p - zc->zc_name);
1517 
1518 		while (dmu_dir_list_next(os, len, p, NULL, &cookie) == 0)
1519 			(void) dmu_objset_prefetch(p, NULL);
1520 	}
1521 
1522 	do {
1523 		error = dmu_dir_list_next(os,
1524 		    sizeof (zc->zc_name) - (p - zc->zc_name), p,
1525 		    NULL, &zc->zc_cookie);
1526 		if (error == ENOENT)
1527 			error = ESRCH;
1528 	} while (error == 0 && dataset_name_hidden(zc->zc_name) &&
1529 	    !(zc->zc_iflags & FKIOCTL));
1530 	dmu_objset_rele(os, FTAG);
1531 
1532 	/*
1533 	 * If it's an internal dataset (ie. with a '$' in its name),
1534 	 * don't try to get stats for it, otherwise we'll return ENOENT.
1535 	 */
1536 	if (error == 0 && strchr(zc->zc_name, '$') == NULL)
1537 		error = zfs_ioc_objset_stats(zc); /* fill in the stats */
1538 	return (error);
1539 }
1540 
1541 /*
1542  * inputs:
1543  * zc_name		name of filesystem
1544  * zc_cookie		zap cursor
1545  * zc_nvlist_dst_size	size of buffer for property nvlist
1546  *
1547  * outputs:
1548  * zc_name		name of next snapshot
1549  * zc_objset_stats	stats
1550  * zc_nvlist_dst	property nvlist
1551  * zc_nvlist_dst_size	size of property nvlist
1552  */
1553 static int
1554 zfs_ioc_snapshot_list_next(zfs_cmd_t *zc)
1555 {
1556 	objset_t *os;
1557 	int error;
1558 
1559 	if (zc->zc_cookie == 0)
1560 		(void) dmu_objset_find(zc->zc_name, dmu_objset_prefetch,
1561 		    NULL, DS_FIND_SNAPSHOTS);
1562 
1563 	error = dmu_objset_hold(zc->zc_name, FTAG, &os);
1564 	if (error)
1565 		return (error == ENOENT ? ESRCH : error);
1566 
1567 	/*
1568 	 * A dataset name of maximum length cannot have any snapshots,
1569 	 * so exit immediately.
1570 	 */
1571 	if (strlcat(zc->zc_name, "@", sizeof (zc->zc_name)) >= MAXNAMELEN) {
1572 		dmu_objset_rele(os, FTAG);
1573 		return (ESRCH);
1574 	}
1575 
1576 	error = dmu_snapshot_list_next(os,
1577 	    sizeof (zc->zc_name) - strlen(zc->zc_name),
1578 	    zc->zc_name + strlen(zc->zc_name), NULL, &zc->zc_cookie, NULL);
1579 	dmu_objset_rele(os, FTAG);
1580 	if (error == 0)
1581 		error = zfs_ioc_objset_stats(zc); /* fill in the stats */
1582 	else if (error == ENOENT)
1583 		error = ESRCH;
1584 
1585 	/* if we failed, undo the @ that we tacked on to zc_name */
1586 	if (error)
1587 		*strchr(zc->zc_name, '@') = '\0';
1588 	return (error);
1589 }
1590 
1591 int
1592 zfs_set_prop_nvlist(const char *name, nvlist_t *nvl)
1593 {
1594 	nvpair_t *elem;
1595 	int error = 0;
1596 	uint64_t intval;
1597 	char *strval;
1598 	nvlist_t *genericnvl;
1599 	boolean_t issnap = (strchr(name, '@') != NULL);
1600 
1601 	/*
1602 	 * First validate permission to set all of the properties
1603 	 */
1604 	elem = NULL;
1605 	while ((elem = nvlist_next_nvpair(nvl, elem)) != NULL) {
1606 		const char *propname = nvpair_name(elem);
1607 		zfs_prop_t prop = zfs_name_to_prop(propname);
1608 
1609 		if (prop == ZPROP_INVAL) {
1610 			/*
1611 			 * If this is a user-defined property, it must be a
1612 			 * string, and there is no further validation to do.
1613 			 */
1614 			if (zfs_prop_user(propname) &&
1615 			    nvpair_type(elem) == DATA_TYPE_STRING) {
1616 				if (error = zfs_secpolicy_write_perms(name,
1617 				    ZFS_DELEG_PERM_USERPROP, CRED()))
1618 					return (error);
1619 				continue;
1620 			}
1621 
1622 			if (!issnap && zfs_prop_userquota(propname) &&
1623 			    nvpair_type(elem) == DATA_TYPE_UINT64_ARRAY) {
1624 				const char *perm;
1625 				const char *up = zfs_userquota_prop_prefixes
1626 				    [ZFS_PROP_USERQUOTA];
1627 				if (strncmp(propname, up, strlen(up)) == 0)
1628 					perm = ZFS_DELEG_PERM_USERQUOTA;
1629 				else
1630 					perm = ZFS_DELEG_PERM_GROUPQUOTA;
1631 				if (error = zfs_secpolicy_write_perms(name,
1632 				    perm, CRED()))
1633 					return (error);
1634 				continue;
1635 			}
1636 
1637 			return (EINVAL);
1638 		}
1639 
1640 		if (issnap)
1641 			return (EINVAL);
1642 
1643 		if ((error = zfs_secpolicy_setprop(name, prop, CRED())) != 0)
1644 			return (error);
1645 
1646 		/*
1647 		 * Check that this value is valid for this pool version
1648 		 */
1649 		switch (prop) {
1650 		case ZFS_PROP_COMPRESSION:
1651 			/*
1652 			 * If the user specified gzip compression, make sure
1653 			 * the SPA supports it. We ignore any errors here since
1654 			 * we'll catch them later.
1655 			 */
1656 			if (nvpair_type(elem) == DATA_TYPE_UINT64 &&
1657 			    nvpair_value_uint64(elem, &intval) == 0) {
1658 				if (intval >= ZIO_COMPRESS_GZIP_1 &&
1659 				    intval <= ZIO_COMPRESS_GZIP_9 &&
1660 				    zfs_earlier_version(name,
1661 				    SPA_VERSION_GZIP_COMPRESSION))
1662 					return (ENOTSUP);
1663 
1664 				/*
1665 				 * If this is a bootable dataset then
1666 				 * verify that the compression algorithm
1667 				 * is supported for booting. We must return
1668 				 * something other than ENOTSUP since it
1669 				 * implies a downrev pool version.
1670 				 */
1671 				if (zfs_is_bootfs(name) &&
1672 				    !BOOTFS_COMPRESS_VALID(intval))
1673 					return (ERANGE);
1674 			}
1675 			break;
1676 
1677 		case ZFS_PROP_COPIES:
1678 			if (zfs_earlier_version(name, SPA_VERSION_DITTO_BLOCKS))
1679 				return (ENOTSUP);
1680 			break;
1681 
1682 		case ZFS_PROP_SHARESMB:
1683 			if (zpl_earlier_version(name, ZPL_VERSION_FUID))
1684 				return (ENOTSUP);
1685 			break;
1686 
1687 		case ZFS_PROP_ACLINHERIT:
1688 			if (nvpair_type(elem) == DATA_TYPE_UINT64 &&
1689 			    nvpair_value_uint64(elem, &intval) == 0)
1690 				if (intval == ZFS_ACL_PASSTHROUGH_X &&
1691 				    zfs_earlier_version(name,
1692 				    SPA_VERSION_PASSTHROUGH_X))
1693 					return (ENOTSUP);
1694 		}
1695 	}
1696 
1697 	VERIFY(nvlist_alloc(&genericnvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1698 	elem = NULL;
1699 	while ((elem = nvlist_next_nvpair(nvl, elem)) != NULL) {
1700 		const char *propname = nvpair_name(elem);
1701 		zfs_prop_t prop = zfs_name_to_prop(propname);
1702 
1703 		if (prop == ZPROP_INVAL) {
1704 			if (zfs_prop_userquota(propname)) {
1705 				uint64_t *valary;
1706 				unsigned int vallen;
1707 				const char *domain;
1708 				zfs_userquota_prop_t type;
1709 				uint64_t rid;
1710 				uint64_t quota;
1711 				zfsvfs_t *zfsvfs;
1712 
1713 				VERIFY(nvpair_value_uint64_array(elem,
1714 				    &valary, &vallen) == 0);
1715 				VERIFY(vallen == 3);
1716 				type = valary[0];
1717 				rid = valary[1];
1718 				quota = valary[2];
1719 				domain = propname +
1720 				    strlen(zfs_userquota_prop_prefixes[type]);
1721 
1722 				error = zfsvfs_hold(name, FTAG, &zfsvfs);
1723 				if (error == 0) {
1724 					error = zfs_set_userquota(zfsvfs,
1725 					    type, domain, rid, quota);
1726 					zfsvfs_rele(zfsvfs, FTAG);
1727 				}
1728 				if (error == 0)
1729 					continue;
1730 				else
1731 					goto out;
1732 			} else if (zfs_prop_user(propname)) {
1733 				VERIFY(nvpair_value_string(elem, &strval) == 0);
1734 				error = dsl_prop_set(name, propname, 1,
1735 				    strlen(strval) + 1, strval);
1736 				if (error == 0)
1737 					continue;
1738 				else
1739 					goto out;
1740 			}
1741 		}
1742 
1743 		switch (prop) {
1744 		case ZFS_PROP_QUOTA:
1745 			if ((error = nvpair_value_uint64(elem, &intval)) != 0 ||
1746 			    (error = dsl_dir_set_quota(name, intval)) != 0)
1747 				goto out;
1748 			break;
1749 
1750 		case ZFS_PROP_REFQUOTA:
1751 			if ((error = nvpair_value_uint64(elem, &intval)) != 0 ||
1752 			    (error = dsl_dataset_set_quota(name, intval)) != 0)
1753 				goto out;
1754 			break;
1755 
1756 		case ZFS_PROP_RESERVATION:
1757 			if ((error = nvpair_value_uint64(elem, &intval)) != 0 ||
1758 			    (error = dsl_dir_set_reservation(name,
1759 			    intval)) != 0)
1760 				goto out;
1761 			break;
1762 
1763 		case ZFS_PROP_REFRESERVATION:
1764 			if ((error = nvpair_value_uint64(elem, &intval)) != 0 ||
1765 			    (error = dsl_dataset_set_reservation(name,
1766 			    intval)) != 0)
1767 				goto out;
1768 			break;
1769 
1770 		case ZFS_PROP_VOLSIZE:
1771 			if ((error = nvpair_value_uint64(elem, &intval)) != 0 ||
1772 			    (error = zvol_set_volsize(name,
1773 			    ddi_driver_major(zfs_dip), intval)) != 0)
1774 				goto out;
1775 			break;
1776 
1777 		case ZFS_PROP_VERSION:
1778 		{
1779 			zfsvfs_t *zfsvfs;
1780 
1781 			if ((error = nvpair_value_uint64(elem, &intval)) != 0)
1782 				goto out;
1783 			if ((error = zfsvfs_hold(name, FTAG, &zfsvfs)) != 0)
1784 				goto out;
1785 			error = zfs_set_version(zfsvfs, intval);
1786 			zfsvfs_rele(zfsvfs, FTAG);
1787 
1788 			if (error == 0 && intval >= ZPL_VERSION_USERSPACE) {
1789 				zfs_cmd_t zc = { 0 };
1790 				(void) strcpy(zc.zc_name, name);
1791 				(void) zfs_ioc_userspace_upgrade(&zc);
1792 			}
1793 			if (error)
1794 				goto out;
1795 			break;
1796 		}
1797 
1798 		default:
1799 			if (nvpair_type(elem) == DATA_TYPE_STRING) {
1800 				if (zfs_prop_get_type(prop) !=
1801 				    PROP_TYPE_STRING) {
1802 					error = EINVAL;
1803 					goto out;
1804 				}
1805 			} else if (nvpair_type(elem) == DATA_TYPE_UINT64) {
1806 				const char *unused;
1807 
1808 				VERIFY(nvpair_value_uint64(elem, &intval) == 0);
1809 
1810 				switch (zfs_prop_get_type(prop)) {
1811 				case PROP_TYPE_NUMBER:
1812 					break;
1813 				case PROP_TYPE_STRING:
1814 					error = EINVAL;
1815 					goto out;
1816 				case PROP_TYPE_INDEX:
1817 					if (zfs_prop_index_to_string(prop,
1818 					    intval, &unused) != 0) {
1819 						error = EINVAL;
1820 						goto out;
1821 					}
1822 					break;
1823 				default:
1824 					cmn_err(CE_PANIC,
1825 					    "unknown property type");
1826 					break;
1827 				}
1828 			} else {
1829 				error = EINVAL;
1830 				goto out;
1831 			}
1832 			if ((error = nvlist_add_nvpair(genericnvl, elem)) != 0)
1833 				goto out;
1834 		}
1835 	}
1836 
1837 	if (nvlist_next_nvpair(genericnvl, NULL) != NULL) {
1838 		error = dsl_props_set(name, genericnvl);
1839 	}
1840 out:
1841 	nvlist_free(genericnvl);
1842 	return (error);
1843 }
1844 
1845 /*
1846  * Check that all the properties are valid user properties.
1847  */
1848 static int
1849 zfs_check_userprops(char *fsname, nvlist_t *nvl)
1850 {
1851 	nvpair_t *elem = NULL;
1852 	int error = 0;
1853 
1854 	while ((elem = nvlist_next_nvpair(nvl, elem)) != NULL) {
1855 		const char *propname = nvpair_name(elem);
1856 		char *valstr;
1857 
1858 		if (!zfs_prop_user(propname) ||
1859 		    nvpair_type(elem) != DATA_TYPE_STRING)
1860 			return (EINVAL);
1861 
1862 		if (error = zfs_secpolicy_write_perms(fsname,
1863 		    ZFS_DELEG_PERM_USERPROP, CRED()))
1864 			return (error);
1865 
1866 		if (strlen(propname) >= ZAP_MAXNAMELEN)
1867 			return (ENAMETOOLONG);
1868 
1869 		VERIFY(nvpair_value_string(elem, &valstr) == 0);
1870 		if (strlen(valstr) >= ZAP_MAXVALUELEN)
1871 			return (E2BIG);
1872 	}
1873 	return (0);
1874 }
1875 
1876 /*
1877  * inputs:
1878  * zc_name		name of filesystem
1879  * zc_value		name of property to set
1880  * zc_nvlist_src{_size}	nvlist of properties to apply
1881  * zc_cookie		clear existing local props?
1882  *
1883  * outputs:		none
1884  */
1885 static int
1886 zfs_ioc_set_prop(zfs_cmd_t *zc)
1887 {
1888 	nvlist_t *nvl;
1889 	int error;
1890 
1891 	if ((error = get_nvlist(zc->zc_nvlist_src, zc->zc_nvlist_src_size,
1892 	    zc->zc_iflags, &nvl)) != 0)
1893 		return (error);
1894 
1895 	if (zc->zc_cookie) {
1896 		nvlist_t *origprops;
1897 		objset_t *os;
1898 
1899 		if (dmu_objset_hold(zc->zc_name, FTAG, &os) == 0) {
1900 			if (dsl_prop_get_all(os, &origprops, TRUE) == 0) {
1901 				clear_props(zc->zc_name, origprops, nvl);
1902 				nvlist_free(origprops);
1903 			}
1904 			dmu_objset_rele(os, FTAG);
1905 		}
1906 
1907 	}
1908 
1909 	error = zfs_set_prop_nvlist(zc->zc_name, nvl);
1910 
1911 	nvlist_free(nvl);
1912 	return (error);
1913 }
1914 
1915 /*
1916  * inputs:
1917  * zc_name		name of filesystem
1918  * zc_value		name of property to inherit
1919  *
1920  * outputs:		none
1921  */
1922 static int
1923 zfs_ioc_inherit_prop(zfs_cmd_t *zc)
1924 {
1925 	/* the property name has been validated by zfs_secpolicy_inherit() */
1926 	return (dsl_prop_set(zc->zc_name, zc->zc_value, 0, 0, NULL));
1927 }
1928 
1929 static int
1930 zfs_ioc_pool_set_props(zfs_cmd_t *zc)
1931 {
1932 	nvlist_t *props;
1933 	spa_t *spa;
1934 	int error;
1935 	nvpair_t *elem;
1936 
1937 	if ((error = get_nvlist(zc->zc_nvlist_src, zc->zc_nvlist_src_size,
1938 	    zc->zc_iflags, &props)))
1939 		return (error);
1940 
1941 	/*
1942 	 * If the only property is the configfile, then just do a spa_lookup()
1943 	 * to handle the faulted case.
1944 	 */
1945 	elem = nvlist_next_nvpair(props, NULL);
1946 	if (elem != NULL && strcmp(nvpair_name(elem),
1947 	    zpool_prop_to_name(ZPOOL_PROP_CACHEFILE)) == 0 &&
1948 	    nvlist_next_nvpair(props, elem) == NULL) {
1949 		mutex_enter(&spa_namespace_lock);
1950 		if ((spa = spa_lookup(zc->zc_name)) != NULL) {
1951 			spa_configfile_set(spa, props, B_FALSE);
1952 			spa_config_sync(spa, B_FALSE, B_TRUE);
1953 		}
1954 		mutex_exit(&spa_namespace_lock);
1955 		if (spa != NULL) {
1956 			nvlist_free(props);
1957 			return (0);
1958 		}
1959 	}
1960 
1961 	if ((error = spa_open(zc->zc_name, &spa, FTAG)) != 0) {
1962 		nvlist_free(props);
1963 		return (error);
1964 	}
1965 
1966 	error = spa_prop_set(spa, props);
1967 
1968 	nvlist_free(props);
1969 	spa_close(spa, FTAG);
1970 
1971 	return (error);
1972 }
1973 
1974 static int
1975 zfs_ioc_pool_get_props(zfs_cmd_t *zc)
1976 {
1977 	spa_t *spa;
1978 	int error;
1979 	nvlist_t *nvp = NULL;
1980 
1981 	if ((error = spa_open(zc->zc_name, &spa, FTAG)) != 0) {
1982 		/*
1983 		 * If the pool is faulted, there may be properties we can still
1984 		 * get (such as altroot and cachefile), so attempt to get them
1985 		 * anyway.
1986 		 */
1987 		mutex_enter(&spa_namespace_lock);
1988 		if ((spa = spa_lookup(zc->zc_name)) != NULL)
1989 			error = spa_prop_get(spa, &nvp);
1990 		mutex_exit(&spa_namespace_lock);
1991 	} else {
1992 		error = spa_prop_get(spa, &nvp);
1993 		spa_close(spa, FTAG);
1994 	}
1995 
1996 	if (error == 0 && zc->zc_nvlist_dst != NULL)
1997 		error = put_nvlist(zc, nvp);
1998 	else
1999 		error = EFAULT;
2000 
2001 	nvlist_free(nvp);
2002 	return (error);
2003 }
2004 
2005 static int
2006 zfs_ioc_iscsi_perm_check(zfs_cmd_t *zc)
2007 {
2008 	nvlist_t *nvp;
2009 	int error;
2010 	uint32_t uid;
2011 	uint32_t gid;
2012 	uint32_t *groups;
2013 	uint_t group_cnt;
2014 	cred_t	*usercred;
2015 
2016 	if ((error = get_nvlist(zc->zc_nvlist_src, zc->zc_nvlist_src_size,
2017 	    zc->zc_iflags, &nvp)) != 0) {
2018 		return (error);
2019 	}
2020 
2021 	if ((error = nvlist_lookup_uint32(nvp,
2022 	    ZFS_DELEG_PERM_UID, &uid)) != 0) {
2023 		nvlist_free(nvp);
2024 		return (EPERM);
2025 	}
2026 
2027 	if ((error = nvlist_lookup_uint32(nvp,
2028 	    ZFS_DELEG_PERM_GID, &gid)) != 0) {
2029 		nvlist_free(nvp);
2030 		return (EPERM);
2031 	}
2032 
2033 	if ((error = nvlist_lookup_uint32_array(nvp, ZFS_DELEG_PERM_GROUPS,
2034 	    &groups, &group_cnt)) != 0) {
2035 		nvlist_free(nvp);
2036 		return (EPERM);
2037 	}
2038 	usercred = cralloc();
2039 	if ((crsetugid(usercred, uid, gid) != 0) ||
2040 	    (crsetgroups(usercred, group_cnt, (gid_t *)groups) != 0)) {
2041 		nvlist_free(nvp);
2042 		crfree(usercred);
2043 		return (EPERM);
2044 	}
2045 	nvlist_free(nvp);
2046 	error = dsl_deleg_access(zc->zc_name,
2047 	    zfs_prop_to_name(ZFS_PROP_SHAREISCSI), usercred);
2048 	crfree(usercred);
2049 	return (error);
2050 }
2051 
2052 /*
2053  * inputs:
2054  * zc_name		name of filesystem
2055  * zc_nvlist_src{_size}	nvlist of delegated permissions
2056  * zc_perm_action	allow/unallow flag
2057  *
2058  * outputs:		none
2059  */
2060 static int
2061 zfs_ioc_set_fsacl(zfs_cmd_t *zc)
2062 {
2063 	int error;
2064 	nvlist_t *fsaclnv = NULL;
2065 
2066 	if ((error = get_nvlist(zc->zc_nvlist_src, zc->zc_nvlist_src_size,
2067 	    zc->zc_iflags, &fsaclnv)) != 0)
2068 		return (error);
2069 
2070 	/*
2071 	 * Verify nvlist is constructed correctly
2072 	 */
2073 	if ((error = zfs_deleg_verify_nvlist(fsaclnv)) != 0) {
2074 		nvlist_free(fsaclnv);
2075 		return (EINVAL);
2076 	}
2077 
2078 	/*
2079 	 * If we don't have PRIV_SYS_MOUNT, then validate
2080 	 * that user is allowed to hand out each permission in
2081 	 * the nvlist(s)
2082 	 */
2083 
2084 	error = secpolicy_zfs(CRED());
2085 	if (error) {
2086 		if (zc->zc_perm_action == B_FALSE) {
2087 			error = dsl_deleg_can_allow(zc->zc_name,
2088 			    fsaclnv, CRED());
2089 		} else {
2090 			error = dsl_deleg_can_unallow(zc->zc_name,
2091 			    fsaclnv, CRED());
2092 		}
2093 	}
2094 
2095 	if (error == 0)
2096 		error = dsl_deleg_set(zc->zc_name, fsaclnv, zc->zc_perm_action);
2097 
2098 	nvlist_free(fsaclnv);
2099 	return (error);
2100 }
2101 
2102 /*
2103  * inputs:
2104  * zc_name		name of filesystem
2105  *
2106  * outputs:
2107  * zc_nvlist_src{_size}	nvlist of delegated permissions
2108  */
2109 static int
2110 zfs_ioc_get_fsacl(zfs_cmd_t *zc)
2111 {
2112 	nvlist_t *nvp;
2113 	int error;
2114 
2115 	if ((error = dsl_deleg_get(zc->zc_name, &nvp)) == 0) {
2116 		error = put_nvlist(zc, nvp);
2117 		nvlist_free(nvp);
2118 	}
2119 
2120 	return (error);
2121 }
2122 
2123 /*
2124  * Search the vfs list for a specified resource.  Returns a pointer to it
2125  * or NULL if no suitable entry is found. The caller of this routine
2126  * is responsible for releasing the returned vfs pointer.
2127  */
2128 static vfs_t *
2129 zfs_get_vfs(const char *resource)
2130 {
2131 	struct vfs *vfsp;
2132 	struct vfs *vfs_found = NULL;
2133 
2134 	vfs_list_read_lock();
2135 	vfsp = rootvfs;
2136 	do {
2137 		if (strcmp(refstr_value(vfsp->vfs_resource), resource) == 0) {
2138 			VFS_HOLD(vfsp);
2139 			vfs_found = vfsp;
2140 			break;
2141 		}
2142 		vfsp = vfsp->vfs_next;
2143 	} while (vfsp != rootvfs);
2144 	vfs_list_unlock();
2145 	return (vfs_found);
2146 }
2147 
2148 /* ARGSUSED */
2149 static void
2150 zfs_create_cb(objset_t *os, void *arg, cred_t *cr, dmu_tx_t *tx)
2151 {
2152 	zfs_creat_t *zct = arg;
2153 
2154 	zfs_create_fs(os, cr, zct->zct_zplprops, tx);
2155 }
2156 
2157 #define	ZFS_PROP_UNDEFINED	((uint64_t)-1)
2158 
2159 /*
2160  * inputs:
2161  * createprops		list of properties requested by creator
2162  * default_zplver	zpl version to use if unspecified in createprops
2163  * fuids_ok		fuids allowed in this version of the spa?
2164  * os			parent objset pointer (NULL if root fs)
2165  *
2166  * outputs:
2167  * zplprops	values for the zplprops we attach to the master node object
2168  * is_ci	true if requested file system will be purely case-insensitive
2169  *
2170  * Determine the settings for utf8only, normalization and
2171  * casesensitivity.  Specific values may have been requested by the
2172  * creator and/or we can inherit values from the parent dataset.  If
2173  * the file system is of too early a vintage, a creator can not
2174  * request settings for these properties, even if the requested
2175  * setting is the default value.  We don't actually want to create dsl
2176  * properties for these, so remove them from the source nvlist after
2177  * processing.
2178  */
2179 static int
2180 zfs_fill_zplprops_impl(objset_t *os, uint64_t zplver,
2181     boolean_t fuids_ok, nvlist_t *createprops, nvlist_t *zplprops,
2182     boolean_t *is_ci)
2183 {
2184 	uint64_t sense = ZFS_PROP_UNDEFINED;
2185 	uint64_t norm = ZFS_PROP_UNDEFINED;
2186 	uint64_t u8 = ZFS_PROP_UNDEFINED;
2187 
2188 	ASSERT(zplprops != NULL);
2189 
2190 	/*
2191 	 * Pull out creator prop choices, if any.
2192 	 */
2193 	if (createprops) {
2194 		(void) nvlist_lookup_uint64(createprops,
2195 		    zfs_prop_to_name(ZFS_PROP_VERSION), &zplver);
2196 		(void) nvlist_lookup_uint64(createprops,
2197 		    zfs_prop_to_name(ZFS_PROP_NORMALIZE), &norm);
2198 		(void) nvlist_remove_all(createprops,
2199 		    zfs_prop_to_name(ZFS_PROP_NORMALIZE));
2200 		(void) nvlist_lookup_uint64(createprops,
2201 		    zfs_prop_to_name(ZFS_PROP_UTF8ONLY), &u8);
2202 		(void) nvlist_remove_all(createprops,
2203 		    zfs_prop_to_name(ZFS_PROP_UTF8ONLY));
2204 		(void) nvlist_lookup_uint64(createprops,
2205 		    zfs_prop_to_name(ZFS_PROP_CASE), &sense);
2206 		(void) nvlist_remove_all(createprops,
2207 		    zfs_prop_to_name(ZFS_PROP_CASE));
2208 	}
2209 
2210 	/*
2211 	 * If the zpl version requested is whacky or the file system
2212 	 * or pool is version is too "young" to support normalization
2213 	 * and the creator tried to set a value for one of the props,
2214 	 * error out.
2215 	 */
2216 	if ((zplver < ZPL_VERSION_INITIAL || zplver > ZPL_VERSION) ||
2217 	    (zplver >= ZPL_VERSION_FUID && !fuids_ok) ||
2218 	    (zplver < ZPL_VERSION_NORMALIZATION &&
2219 	    (norm != ZFS_PROP_UNDEFINED || u8 != ZFS_PROP_UNDEFINED ||
2220 	    sense != ZFS_PROP_UNDEFINED)))
2221 		return (ENOTSUP);
2222 
2223 	/*
2224 	 * Put the version in the zplprops
2225 	 */
2226 	VERIFY(nvlist_add_uint64(zplprops,
2227 	    zfs_prop_to_name(ZFS_PROP_VERSION), zplver) == 0);
2228 
2229 	if (norm == ZFS_PROP_UNDEFINED)
2230 		VERIFY(zfs_get_zplprop(os, ZFS_PROP_NORMALIZE, &norm) == 0);
2231 	VERIFY(nvlist_add_uint64(zplprops,
2232 	    zfs_prop_to_name(ZFS_PROP_NORMALIZE), norm) == 0);
2233 
2234 	/*
2235 	 * If we're normalizing, names must always be valid UTF-8 strings.
2236 	 */
2237 	if (norm)
2238 		u8 = 1;
2239 	if (u8 == ZFS_PROP_UNDEFINED)
2240 		VERIFY(zfs_get_zplprop(os, ZFS_PROP_UTF8ONLY, &u8) == 0);
2241 	VERIFY(nvlist_add_uint64(zplprops,
2242 	    zfs_prop_to_name(ZFS_PROP_UTF8ONLY), u8) == 0);
2243 
2244 	if (sense == ZFS_PROP_UNDEFINED)
2245 		VERIFY(zfs_get_zplprop(os, ZFS_PROP_CASE, &sense) == 0);
2246 	VERIFY(nvlist_add_uint64(zplprops,
2247 	    zfs_prop_to_name(ZFS_PROP_CASE), sense) == 0);
2248 
2249 	if (is_ci)
2250 		*is_ci = (sense == ZFS_CASE_INSENSITIVE);
2251 
2252 	return (0);
2253 }
2254 
2255 static int
2256 zfs_fill_zplprops(const char *dataset, nvlist_t *createprops,
2257     nvlist_t *zplprops, boolean_t *is_ci)
2258 {
2259 	boolean_t fuids_ok = B_TRUE;
2260 	uint64_t zplver = ZPL_VERSION;
2261 	objset_t *os = NULL;
2262 	char parentname[MAXNAMELEN];
2263 	char *cp;
2264 	int error;
2265 
2266 	(void) strlcpy(parentname, dataset, sizeof (parentname));
2267 	cp = strrchr(parentname, '/');
2268 	ASSERT(cp != NULL);
2269 	cp[0] = '\0';
2270 
2271 	if (zfs_earlier_version(dataset, SPA_VERSION_USERSPACE))
2272 		zplver = ZPL_VERSION_USERSPACE - 1;
2273 	if (zfs_earlier_version(dataset, SPA_VERSION_FUID)) {
2274 		zplver = ZPL_VERSION_FUID - 1;
2275 		fuids_ok = B_FALSE;
2276 	}
2277 
2278 	/*
2279 	 * Open parent object set so we can inherit zplprop values.
2280 	 */
2281 	if ((error = dmu_objset_hold(parentname, FTAG, &os)) != 0)
2282 		return (error);
2283 
2284 	error = zfs_fill_zplprops_impl(os, zplver, fuids_ok, createprops,
2285 	    zplprops, is_ci);
2286 	dmu_objset_rele(os, FTAG);
2287 	return (error);
2288 }
2289 
2290 static int
2291 zfs_fill_zplprops_root(uint64_t spa_vers, nvlist_t *createprops,
2292     nvlist_t *zplprops, boolean_t *is_ci)
2293 {
2294 	boolean_t fuids_ok = B_TRUE;
2295 	uint64_t zplver = ZPL_VERSION;
2296 	int error;
2297 
2298 	if (spa_vers < SPA_VERSION_FUID) {
2299 		zplver = ZPL_VERSION_FUID - 1;
2300 		fuids_ok = B_FALSE;
2301 	}
2302 
2303 	error = zfs_fill_zplprops_impl(NULL, zplver, fuids_ok, createprops,
2304 	    zplprops, is_ci);
2305 	return (error);
2306 }
2307 
2308 /*
2309  * inputs:
2310  * zc_objset_type	type of objset to create (fs vs zvol)
2311  * zc_name		name of new objset
2312  * zc_value		name of snapshot to clone from (may be empty)
2313  * zc_nvlist_src{_size}	nvlist of properties to apply
2314  *
2315  * outputs: none
2316  */
2317 static int
2318 zfs_ioc_create(zfs_cmd_t *zc)
2319 {
2320 	objset_t *clone;
2321 	int error = 0;
2322 	zfs_creat_t zct;
2323 	nvlist_t *nvprops = NULL;
2324 	void (*cbfunc)(objset_t *os, void *arg, cred_t *cr, dmu_tx_t *tx);
2325 	dmu_objset_type_t type = zc->zc_objset_type;
2326 
2327 	switch (type) {
2328 
2329 	case DMU_OST_ZFS:
2330 		cbfunc = zfs_create_cb;
2331 		break;
2332 
2333 	case DMU_OST_ZVOL:
2334 		cbfunc = zvol_create_cb;
2335 		break;
2336 
2337 	default:
2338 		cbfunc = NULL;
2339 		break;
2340 	}
2341 	if (strchr(zc->zc_name, '@') ||
2342 	    strchr(zc->zc_name, '%'))
2343 		return (EINVAL);
2344 
2345 	if (zc->zc_nvlist_src != NULL &&
2346 	    (error = get_nvlist(zc->zc_nvlist_src, zc->zc_nvlist_src_size,
2347 	    zc->zc_iflags, &nvprops)) != 0)
2348 		return (error);
2349 
2350 	zct.zct_zplprops = NULL;
2351 	zct.zct_props = nvprops;
2352 
2353 	if (zc->zc_value[0] != '\0') {
2354 		/*
2355 		 * We're creating a clone of an existing snapshot.
2356 		 */
2357 		zc->zc_value[sizeof (zc->zc_value) - 1] = '\0';
2358 		if (dataset_namecheck(zc->zc_value, NULL, NULL) != 0) {
2359 			nvlist_free(nvprops);
2360 			return (EINVAL);
2361 		}
2362 
2363 		error = dmu_objset_hold(zc->zc_value, FTAG, &clone);
2364 		if (error) {
2365 			nvlist_free(nvprops);
2366 			return (error);
2367 		}
2368 
2369 		error = dmu_objset_clone(zc->zc_name, dmu_objset_ds(clone), 0);
2370 		dmu_objset_rele(clone, FTAG);
2371 		if (error) {
2372 			nvlist_free(nvprops);
2373 			return (error);
2374 		}
2375 	} else {
2376 		boolean_t is_insensitive = B_FALSE;
2377 
2378 		if (cbfunc == NULL) {
2379 			nvlist_free(nvprops);
2380 			return (EINVAL);
2381 		}
2382 
2383 		if (type == DMU_OST_ZVOL) {
2384 			uint64_t volsize, volblocksize;
2385 
2386 			if (nvprops == NULL ||
2387 			    nvlist_lookup_uint64(nvprops,
2388 			    zfs_prop_to_name(ZFS_PROP_VOLSIZE),
2389 			    &volsize) != 0) {
2390 				nvlist_free(nvprops);
2391 				return (EINVAL);
2392 			}
2393 
2394 			if ((error = nvlist_lookup_uint64(nvprops,
2395 			    zfs_prop_to_name(ZFS_PROP_VOLBLOCKSIZE),
2396 			    &volblocksize)) != 0 && error != ENOENT) {
2397 				nvlist_free(nvprops);
2398 				return (EINVAL);
2399 			}
2400 
2401 			if (error != 0)
2402 				volblocksize = zfs_prop_default_numeric(
2403 				    ZFS_PROP_VOLBLOCKSIZE);
2404 
2405 			if ((error = zvol_check_volblocksize(
2406 			    volblocksize)) != 0 ||
2407 			    (error = zvol_check_volsize(volsize,
2408 			    volblocksize)) != 0) {
2409 				nvlist_free(nvprops);
2410 				return (error);
2411 			}
2412 		} else if (type == DMU_OST_ZFS) {
2413 			int error;
2414 
2415 			/*
2416 			 * We have to have normalization and
2417 			 * case-folding flags correct when we do the
2418 			 * file system creation, so go figure them out
2419 			 * now.
2420 			 */
2421 			VERIFY(nvlist_alloc(&zct.zct_zplprops,
2422 			    NV_UNIQUE_NAME, KM_SLEEP) == 0);
2423 			error = zfs_fill_zplprops(zc->zc_name, nvprops,
2424 			    zct.zct_zplprops, &is_insensitive);
2425 			if (error != 0) {
2426 				nvlist_free(nvprops);
2427 				nvlist_free(zct.zct_zplprops);
2428 				return (error);
2429 			}
2430 		}
2431 		error = dmu_objset_create(zc->zc_name, type,
2432 		    is_insensitive ? DS_FLAG_CI_DATASET : 0, cbfunc, &zct);
2433 		nvlist_free(zct.zct_zplprops);
2434 	}
2435 
2436 	/*
2437 	 * It would be nice to do this atomically.
2438 	 */
2439 	if (error == 0) {
2440 		if ((error = zfs_set_prop_nvlist(zc->zc_name, nvprops)) != 0)
2441 			(void) dmu_objset_destroy(zc->zc_name, B_FALSE);
2442 	}
2443 	nvlist_free(nvprops);
2444 	return (error);
2445 }
2446 
2447 /*
2448  * inputs:
2449  * zc_name	name of filesystem
2450  * zc_value	short name of snapshot
2451  * zc_cookie	recursive flag
2452  * zc_nvlist_src[_size] property list
2453  *
2454  * outputs:
2455  * zc_value	short snapname (i.e. part after the '@')
2456  */
2457 static int
2458 zfs_ioc_snapshot(zfs_cmd_t *zc)
2459 {
2460 	nvlist_t *nvprops = NULL;
2461 	int error;
2462 	boolean_t recursive = zc->zc_cookie;
2463 
2464 	if (snapshot_namecheck(zc->zc_value, NULL, NULL) != 0)
2465 		return (EINVAL);
2466 
2467 	if (zc->zc_nvlist_src != NULL &&
2468 	    (error = get_nvlist(zc->zc_nvlist_src, zc->zc_nvlist_src_size,
2469 	    zc->zc_iflags, &nvprops)) != 0)
2470 		return (error);
2471 
2472 	error = zfs_check_userprops(zc->zc_name, nvprops);
2473 	if (error)
2474 		goto out;
2475 
2476 	if (nvprops != NULL && nvlist_next_nvpair(nvprops, NULL) != NULL &&
2477 	    zfs_earlier_version(zc->zc_name, SPA_VERSION_SNAP_PROPS)) {
2478 		error = ENOTSUP;
2479 		goto out;
2480 	}
2481 
2482 	error = dmu_objset_snapshot(zc->zc_name, zc->zc_value,
2483 	    nvprops, recursive);
2484 
2485 out:
2486 	nvlist_free(nvprops);
2487 	return (error);
2488 }
2489 
2490 int
2491 zfs_unmount_snap(char *name, void *arg)
2492 {
2493 	vfs_t *vfsp = NULL;
2494 
2495 	if (arg) {
2496 		char *snapname = arg;
2497 		int len = strlen(name) + strlen(snapname) + 2;
2498 		char *buf = kmem_alloc(len, KM_SLEEP);
2499 
2500 		(void) strcpy(buf, name);
2501 		(void) strcat(buf, "@");
2502 		(void) strcat(buf, snapname);
2503 		vfsp = zfs_get_vfs(buf);
2504 		kmem_free(buf, len);
2505 	} else if (strchr(name, '@')) {
2506 		vfsp = zfs_get_vfs(name);
2507 	}
2508 
2509 	if (vfsp) {
2510 		/*
2511 		 * Always force the unmount for snapshots.
2512 		 */
2513 		int flag = MS_FORCE;
2514 		int err;
2515 
2516 		if ((err = vn_vfswlock(vfsp->vfs_vnodecovered)) != 0) {
2517 			VFS_RELE(vfsp);
2518 			return (err);
2519 		}
2520 		VFS_RELE(vfsp);
2521 		if ((err = dounmount(vfsp, flag, kcred)) != 0)
2522 			return (err);
2523 	}
2524 	return (0);
2525 }
2526 
2527 /*
2528  * inputs:
2529  * zc_name		name of filesystem
2530  * zc_value		short name of snapshot
2531  * zc_defer_destroy	mark for deferred destroy
2532  *
2533  * outputs:	none
2534  */
2535 static int
2536 zfs_ioc_destroy_snaps(zfs_cmd_t *zc)
2537 {
2538 	int err;
2539 
2540 	if (snapshot_namecheck(zc->zc_value, NULL, NULL) != 0)
2541 		return (EINVAL);
2542 	err = dmu_objset_find(zc->zc_name,
2543 	    zfs_unmount_snap, zc->zc_value, DS_FIND_CHILDREN);
2544 	if (err)
2545 		return (err);
2546 	return (dmu_snapshots_destroy(zc->zc_name, zc->zc_value,
2547 	    zc->zc_defer_destroy));
2548 }
2549 
2550 /*
2551  * inputs:
2552  * zc_name		name of dataset to destroy
2553  * zc_objset_type	type of objset
2554  * zc_defer_destroy	mark for deferred destroy
2555  *
2556  * outputs:		none
2557  */
2558 static int
2559 zfs_ioc_destroy(zfs_cmd_t *zc)
2560 {
2561 	int err;
2562 	if (strchr(zc->zc_name, '@') && zc->zc_objset_type == DMU_OST_ZFS) {
2563 		err = zfs_unmount_snap(zc->zc_name, NULL);
2564 		if (err)
2565 			return (err);
2566 	}
2567 
2568 	err = dmu_objset_destroy(zc->zc_name, zc->zc_defer_destroy);
2569 	if (zc->zc_objset_type == DMU_OST_ZVOL && err == 0)
2570 		zvol_remove_minor(zc->zc_name);
2571 	return (err);
2572 }
2573 
2574 /*
2575  * inputs:
2576  * zc_name	name of dataset to rollback (to most recent snapshot)
2577  *
2578  * outputs:	none
2579  */
2580 static int
2581 zfs_ioc_rollback(zfs_cmd_t *zc)
2582 {
2583 	dsl_dataset_t *ds, *clone;
2584 	int error;
2585 	zfsvfs_t *zfsvfs;
2586 	char *clone_name;
2587 
2588 	error = dsl_dataset_hold(zc->zc_name, FTAG, &ds);
2589 	if (error)
2590 		return (error);
2591 
2592 	/* must not be a snapshot */
2593 	if (dsl_dataset_is_snapshot(ds)) {
2594 		dsl_dataset_rele(ds, FTAG);
2595 		return (EINVAL);
2596 	}
2597 
2598 	/* must have a most recent snapshot */
2599 	if (ds->ds_phys->ds_prev_snap_txg < TXG_INITIAL) {
2600 		dsl_dataset_rele(ds, FTAG);
2601 		return (EINVAL);
2602 	}
2603 
2604 	/*
2605 	 * Create clone of most recent snapshot.
2606 	 */
2607 	clone_name = kmem_asprintf("%s/%%rollback", zc->zc_name);
2608 	error = dmu_objset_clone(clone_name, ds->ds_prev, DS_FLAG_INCONSISTENT);
2609 	if (error)
2610 		goto out;
2611 
2612 	error = dsl_dataset_own(clone_name, B_TRUE, FTAG, &clone);
2613 	if (error)
2614 		goto out;
2615 
2616 	/*
2617 	 * Do clone swap.
2618 	 */
2619 	if (getzfsvfs(zc->zc_name, &zfsvfs) == 0) {
2620 		error = zfs_suspend_fs(zfsvfs);
2621 		if (error == 0) {
2622 			int resume_err;
2623 
2624 			if (dsl_dataset_tryown(ds, B_FALSE, FTAG)) {
2625 				error = dsl_dataset_clone_swap(clone, ds,
2626 				    B_TRUE);
2627 				dsl_dataset_disown(ds, FTAG);
2628 				ds = NULL;
2629 			} else {
2630 				error = EBUSY;
2631 			}
2632 			resume_err = zfs_resume_fs(zfsvfs, zc->zc_name);
2633 			error = error ? error : resume_err;
2634 		}
2635 		VFS_RELE(zfsvfs->z_vfs);
2636 	} else {
2637 		if (dsl_dataset_tryown(ds, B_FALSE, FTAG)) {
2638 			error = dsl_dataset_clone_swap(clone, ds, B_TRUE);
2639 			dsl_dataset_disown(ds, FTAG);
2640 			ds = NULL;
2641 		} else {
2642 			error = EBUSY;
2643 		}
2644 	}
2645 
2646 	/*
2647 	 * Destroy clone (which also closes it).
2648 	 */
2649 	(void) dsl_dataset_destroy(clone, FTAG, B_FALSE);
2650 
2651 out:
2652 	strfree(clone_name);
2653 	if (ds)
2654 		dsl_dataset_rele(ds, FTAG);
2655 	return (error);
2656 }
2657 
2658 /*
2659  * inputs:
2660  * zc_name	old name of dataset
2661  * zc_value	new name of dataset
2662  * zc_cookie	recursive flag (only valid for snapshots)
2663  *
2664  * outputs:	none
2665  */
2666 static int
2667 zfs_ioc_rename(zfs_cmd_t *zc)
2668 {
2669 	boolean_t recursive = zc->zc_cookie & 1;
2670 
2671 	zc->zc_value[sizeof (zc->zc_value) - 1] = '\0';
2672 	if (dataset_namecheck(zc->zc_value, NULL, NULL) != 0 ||
2673 	    strchr(zc->zc_value, '%'))
2674 		return (EINVAL);
2675 
2676 	/*
2677 	 * Unmount snapshot unless we're doing a recursive rename,
2678 	 * in which case the dataset code figures out which snapshots
2679 	 * to unmount.
2680 	 */
2681 	if (!recursive && strchr(zc->zc_name, '@') != NULL &&
2682 	    zc->zc_objset_type == DMU_OST_ZFS) {
2683 		int err = zfs_unmount_snap(zc->zc_name, NULL);
2684 		if (err)
2685 			return (err);
2686 	}
2687 	if (zc->zc_objset_type == DMU_OST_ZVOL)
2688 		(void) zvol_remove_minor(zc->zc_name);
2689 	return (dmu_objset_rename(zc->zc_name, zc->zc_value, recursive));
2690 }
2691 
2692 static void
2693 clear_props(char *dataset, nvlist_t *props, nvlist_t *newprops)
2694 {
2695 	zfs_cmd_t *zc;
2696 	nvpair_t *prop;
2697 
2698 	if (props == NULL)
2699 		return;
2700 	zc = kmem_alloc(sizeof (zfs_cmd_t), KM_SLEEP);
2701 	(void) strcpy(zc->zc_name, dataset);
2702 	for (prop = nvlist_next_nvpair(props, NULL); prop;
2703 	    prop = nvlist_next_nvpair(props, prop)) {
2704 		if (newprops != NULL &&
2705 		    nvlist_exists(newprops, nvpair_name(prop)))
2706 			continue;
2707 		(void) strcpy(zc->zc_value, nvpair_name(prop));
2708 		if (zfs_secpolicy_inherit(zc, CRED()) == 0)
2709 			(void) zfs_ioc_inherit_prop(zc);
2710 	}
2711 	kmem_free(zc, sizeof (zfs_cmd_t));
2712 }
2713 
2714 /*
2715  * inputs:
2716  * zc_name		name of containing filesystem
2717  * zc_nvlist_src{_size}	nvlist of properties to apply
2718  * zc_value		name of snapshot to create
2719  * zc_string		name of clone origin (if DRR_FLAG_CLONE)
2720  * zc_cookie		file descriptor to recv from
2721  * zc_begin_record	the BEGIN record of the stream (not byteswapped)
2722  * zc_guid		force flag
2723  *
2724  * outputs:
2725  * zc_cookie		number of bytes read
2726  */
2727 static int
2728 zfs_ioc_recv(zfs_cmd_t *zc)
2729 {
2730 	file_t *fp;
2731 	objset_t *os;
2732 	dmu_recv_cookie_t drc;
2733 	boolean_t force = (boolean_t)zc->zc_guid;
2734 	int error, fd;
2735 	offset_t off;
2736 	nvlist_t *props = NULL;
2737 	nvlist_t *origprops = NULL;
2738 	objset_t *origin = NULL;
2739 	char *tosnap;
2740 	char tofs[ZFS_MAXNAMELEN];
2741 
2742 	if (dataset_namecheck(zc->zc_value, NULL, NULL) != 0 ||
2743 	    strchr(zc->zc_value, '@') == NULL ||
2744 	    strchr(zc->zc_value, '%'))
2745 		return (EINVAL);
2746 
2747 	(void) strcpy(tofs, zc->zc_value);
2748 	tosnap = strchr(tofs, '@');
2749 	*tosnap = '\0';
2750 	tosnap++;
2751 
2752 	if (zc->zc_nvlist_src != NULL &&
2753 	    (error = get_nvlist(zc->zc_nvlist_src, zc->zc_nvlist_src_size,
2754 	    zc->zc_iflags, &props)) != 0)
2755 		return (error);
2756 
2757 	fd = zc->zc_cookie;
2758 	fp = getf(fd);
2759 	if (fp == NULL) {
2760 		nvlist_free(props);
2761 		return (EBADF);
2762 	}
2763 
2764 	if (props && dmu_objset_hold(tofs, FTAG, &os) == 0) {
2765 		/*
2766 		 * If new properties are supplied, they are to completely
2767 		 * replace the existing ones, so stash away the existing ones.
2768 		 */
2769 		(void) dsl_prop_get_all(os, &origprops, B_TRUE);
2770 
2771 		dmu_objset_rele(os, FTAG);
2772 	}
2773 
2774 	if (zc->zc_string[0]) {
2775 		error = dmu_objset_hold(zc->zc_string, FTAG, &origin);
2776 		if (error)
2777 			goto out;
2778 	}
2779 
2780 	error = dmu_recv_begin(tofs, tosnap, &zc->zc_begin_record,
2781 	    force, origin, &drc);
2782 	if (origin)
2783 		dmu_objset_rele(origin, FTAG);
2784 	if (error)
2785 		goto out;
2786 
2787 	/*
2788 	 * Reset properties.  We do this before we receive the stream
2789 	 * so that the properties are applied to the new data.
2790 	 */
2791 	if (props) {
2792 		clear_props(tofs, origprops, props);
2793 		/*
2794 		 * XXX - Note, this is all-or-nothing; should be best-effort.
2795 		 */
2796 		(void) zfs_set_prop_nvlist(tofs, props);
2797 	}
2798 
2799 	off = fp->f_offset;
2800 	error = dmu_recv_stream(&drc, fp->f_vnode, &off);
2801 
2802 	if (error == 0) {
2803 		zfsvfs_t *zfsvfs = NULL;
2804 
2805 		if (getzfsvfs(tofs, &zfsvfs) == 0) {
2806 			/* online recv */
2807 			int end_err;
2808 
2809 			error = zfs_suspend_fs(zfsvfs);
2810 			/*
2811 			 * If the suspend fails, then the recv_end will
2812 			 * likely also fail, and clean up after itself.
2813 			 */
2814 			end_err = dmu_recv_end(&drc);
2815 			if (error == 0) {
2816 				int resume_err =
2817 				    zfs_resume_fs(zfsvfs, tofs);
2818 				error = error ? error : resume_err;
2819 			}
2820 			error = error ? error : end_err;
2821 			VFS_RELE(zfsvfs->z_vfs);
2822 		} else {
2823 			error = dmu_recv_end(&drc);
2824 		}
2825 	}
2826 
2827 	zc->zc_cookie = off - fp->f_offset;
2828 	if (VOP_SEEK(fp->f_vnode, fp->f_offset, &off, NULL) == 0)
2829 		fp->f_offset = off;
2830 
2831 	/*
2832 	 * On error, restore the original props.
2833 	 */
2834 	if (error && props) {
2835 		clear_props(tofs, props, NULL);
2836 		(void) zfs_set_prop_nvlist(tofs, origprops);
2837 	}
2838 out:
2839 	nvlist_free(props);
2840 	nvlist_free(origprops);
2841 	releasef(fd);
2842 	return (error);
2843 }
2844 
2845 /*
2846  * inputs:
2847  * zc_name	name of snapshot to send
2848  * zc_value	short name of incremental fromsnap (may be empty)
2849  * zc_cookie	file descriptor to send stream to
2850  * zc_obj	fromorigin flag (mutually exclusive with zc_value)
2851  *
2852  * outputs: none
2853  */
2854 static int
2855 zfs_ioc_send(zfs_cmd_t *zc)
2856 {
2857 	objset_t *fromsnap = NULL;
2858 	objset_t *tosnap;
2859 	file_t *fp;
2860 	int error;
2861 	offset_t off;
2862 
2863 	error = dmu_objset_hold(zc->zc_name, FTAG, &tosnap);
2864 	if (error)
2865 		return (error);
2866 
2867 	if (zc->zc_value[0] != '\0') {
2868 		char *buf;
2869 		char *cp;
2870 
2871 		buf = kmem_alloc(MAXPATHLEN, KM_SLEEP);
2872 		(void) strncpy(buf, zc->zc_name, MAXPATHLEN);
2873 		cp = strchr(buf, '@');
2874 		if (cp)
2875 			*(cp+1) = 0;
2876 		(void) strncat(buf, zc->zc_value, MAXPATHLEN);
2877 		error = dmu_objset_hold(buf, FTAG, &fromsnap);
2878 		kmem_free(buf, MAXPATHLEN);
2879 		if (error) {
2880 			dmu_objset_rele(tosnap, FTAG);
2881 			return (error);
2882 		}
2883 	}
2884 
2885 	fp = getf(zc->zc_cookie);
2886 	if (fp == NULL) {
2887 		dmu_objset_rele(tosnap, FTAG);
2888 		if (fromsnap)
2889 			dmu_objset_rele(fromsnap, FTAG);
2890 		return (EBADF);
2891 	}
2892 
2893 	off = fp->f_offset;
2894 	error = dmu_sendbackup(tosnap, fromsnap, zc->zc_obj, fp->f_vnode, &off);
2895 
2896 	if (VOP_SEEK(fp->f_vnode, fp->f_offset, &off, NULL) == 0)
2897 		fp->f_offset = off;
2898 	releasef(zc->zc_cookie);
2899 	if (fromsnap)
2900 		dmu_objset_rele(fromsnap, FTAG);
2901 	dmu_objset_rele(tosnap, FTAG);
2902 	return (error);
2903 }
2904 
2905 static int
2906 zfs_ioc_inject_fault(zfs_cmd_t *zc)
2907 {
2908 	int id, error;
2909 
2910 	error = zio_inject_fault(zc->zc_name, (int)zc->zc_guid, &id,
2911 	    &zc->zc_inject_record);
2912 
2913 	if (error == 0)
2914 		zc->zc_guid = (uint64_t)id;
2915 
2916 	return (error);
2917 }
2918 
2919 static int
2920 zfs_ioc_clear_fault(zfs_cmd_t *zc)
2921 {
2922 	return (zio_clear_fault((int)zc->zc_guid));
2923 }
2924 
2925 static int
2926 zfs_ioc_inject_list_next(zfs_cmd_t *zc)
2927 {
2928 	int id = (int)zc->zc_guid;
2929 	int error;
2930 
2931 	error = zio_inject_list_next(&id, zc->zc_name, sizeof (zc->zc_name),
2932 	    &zc->zc_inject_record);
2933 
2934 	zc->zc_guid = id;
2935 
2936 	return (error);
2937 }
2938 
2939 static int
2940 zfs_ioc_error_log(zfs_cmd_t *zc)
2941 {
2942 	spa_t *spa;
2943 	int error;
2944 	size_t count = (size_t)zc->zc_nvlist_dst_size;
2945 
2946 	if ((error = spa_open(zc->zc_name, &spa, FTAG)) != 0)
2947 		return (error);
2948 
2949 	error = spa_get_errlog(spa, (void *)(uintptr_t)zc->zc_nvlist_dst,
2950 	    &count);
2951 	if (error == 0)
2952 		zc->zc_nvlist_dst_size = count;
2953 	else
2954 		zc->zc_nvlist_dst_size = spa_get_errlog_size(spa);
2955 
2956 	spa_close(spa, FTAG);
2957 
2958 	return (error);
2959 }
2960 
2961 static int
2962 zfs_ioc_clear(zfs_cmd_t *zc)
2963 {
2964 	spa_t *spa;
2965 	vdev_t *vd;
2966 	int error;
2967 
2968 	/*
2969 	 * On zpool clear we also fix up missing slogs
2970 	 */
2971 	mutex_enter(&spa_namespace_lock);
2972 	spa = spa_lookup(zc->zc_name);
2973 	if (spa == NULL) {
2974 		mutex_exit(&spa_namespace_lock);
2975 		return (EIO);
2976 	}
2977 	if (spa->spa_log_state == SPA_LOG_MISSING) {
2978 		/* we need to let spa_open/spa_load clear the chains */
2979 		spa->spa_log_state = SPA_LOG_CLEAR;
2980 	}
2981 	mutex_exit(&spa_namespace_lock);
2982 
2983 	if ((error = spa_open(zc->zc_name, &spa, FTAG)) != 0)
2984 		return (error);
2985 
2986 	spa_vdev_state_enter(spa, SCL_NONE);
2987 
2988 	if (zc->zc_guid == 0) {
2989 		vd = NULL;
2990 	} else {
2991 		vd = spa_lookup_by_guid(spa, zc->zc_guid, B_TRUE);
2992 		if (vd == NULL) {
2993 			(void) spa_vdev_state_exit(spa, NULL, ENODEV);
2994 			spa_close(spa, FTAG);
2995 			return (ENODEV);
2996 		}
2997 	}
2998 
2999 	vdev_clear(spa, vd);
3000 
3001 	(void) spa_vdev_state_exit(spa, NULL, 0);
3002 
3003 	/*
3004 	 * Resume any suspended I/Os.
3005 	 */
3006 	if (zio_resume(spa) != 0)
3007 		error = EIO;
3008 
3009 	spa_close(spa, FTAG);
3010 
3011 	return (error);
3012 }
3013 
3014 /*
3015  * inputs:
3016  * zc_name	name of filesystem
3017  * zc_value	name of origin snapshot
3018  *
3019  * outputs:
3020  * zc_string	name of conflicting snapshot, if there is one
3021  */
3022 static int
3023 zfs_ioc_promote(zfs_cmd_t *zc)
3024 {
3025 	char *cp;
3026 
3027 	/*
3028 	 * We don't need to unmount *all* the origin fs's snapshots, but
3029 	 * it's easier.
3030 	 */
3031 	cp = strchr(zc->zc_value, '@');
3032 	if (cp)
3033 		*cp = '\0';
3034 	(void) dmu_objset_find(zc->zc_value,
3035 	    zfs_unmount_snap, NULL, DS_FIND_SNAPSHOTS);
3036 	return (dsl_dataset_promote(zc->zc_name, zc->zc_string));
3037 }
3038 
3039 /*
3040  * Retrieve a single {user|group}{used|quota}@... property.
3041  *
3042  * inputs:
3043  * zc_name	name of filesystem
3044  * zc_objset_type zfs_userquota_prop_t
3045  * zc_value	domain name (eg. "S-1-234-567-89")
3046  * zc_guid	RID/UID/GID
3047  *
3048  * outputs:
3049  * zc_cookie	property value
3050  */
3051 static int
3052 zfs_ioc_userspace_one(zfs_cmd_t *zc)
3053 {
3054 	zfsvfs_t *zfsvfs;
3055 	int error;
3056 
3057 	if (zc->zc_objset_type >= ZFS_NUM_USERQUOTA_PROPS)
3058 		return (EINVAL);
3059 
3060 	error = zfsvfs_hold(zc->zc_name, FTAG, &zfsvfs);
3061 	if (error)
3062 		return (error);
3063 
3064 	error = zfs_userspace_one(zfsvfs,
3065 	    zc->zc_objset_type, zc->zc_value, zc->zc_guid, &zc->zc_cookie);
3066 	zfsvfs_rele(zfsvfs, FTAG);
3067 
3068 	return (error);
3069 }
3070 
3071 /*
3072  * inputs:
3073  * zc_name		name of filesystem
3074  * zc_cookie		zap cursor
3075  * zc_objset_type	zfs_userquota_prop_t
3076  * zc_nvlist_dst[_size] buffer to fill (not really an nvlist)
3077  *
3078  * outputs:
3079  * zc_nvlist_dst[_size]	data buffer (array of zfs_useracct_t)
3080  * zc_cookie	zap cursor
3081  */
3082 static int
3083 zfs_ioc_userspace_many(zfs_cmd_t *zc)
3084 {
3085 	zfsvfs_t *zfsvfs;
3086 	int error;
3087 
3088 	error = zfsvfs_hold(zc->zc_name, FTAG, &zfsvfs);
3089 	if (error)
3090 		return (error);
3091 
3092 	int bufsize = zc->zc_nvlist_dst_size;
3093 	void *buf = kmem_alloc(bufsize, KM_SLEEP);
3094 
3095 	error = zfs_userspace_many(zfsvfs, zc->zc_objset_type, &zc->zc_cookie,
3096 	    buf, &zc->zc_nvlist_dst_size);
3097 
3098 	if (error == 0) {
3099 		error = xcopyout(buf,
3100 		    (void *)(uintptr_t)zc->zc_nvlist_dst,
3101 		    zc->zc_nvlist_dst_size);
3102 	}
3103 	kmem_free(buf, bufsize);
3104 	zfsvfs_rele(zfsvfs, FTAG);
3105 
3106 	return (error);
3107 }
3108 
3109 /*
3110  * inputs:
3111  * zc_name		name of filesystem
3112  *
3113  * outputs:
3114  * none
3115  */
3116 static int
3117 zfs_ioc_userspace_upgrade(zfs_cmd_t *zc)
3118 {
3119 	objset_t *os;
3120 	int error;
3121 	zfsvfs_t *zfsvfs;
3122 
3123 	if (getzfsvfs(zc->zc_name, &zfsvfs) == 0) {
3124 		if (!dmu_objset_userused_enabled(zfsvfs->z_os)) {
3125 			/*
3126 			 * If userused is not enabled, it may be because the
3127 			 * objset needs to be closed & reopened (to grow the
3128 			 * objset_phys_t).  Suspend/resume the fs will do that.
3129 			 */
3130 			error = zfs_suspend_fs(zfsvfs);
3131 			if (error == 0)
3132 				error = zfs_resume_fs(zfsvfs, zc->zc_name);
3133 		}
3134 		if (error == 0)
3135 			error = dmu_objset_userspace_upgrade(zfsvfs->z_os);
3136 		VFS_RELE(zfsvfs->z_vfs);
3137 	} else {
3138 		/* XXX kind of reading contents without owning */
3139 		error = dmu_objset_hold(zc->zc_name, FTAG, &os);
3140 		if (error)
3141 			return (error);
3142 
3143 		error = dmu_objset_userspace_upgrade(os);
3144 		dmu_objset_rele(os, FTAG);
3145 	}
3146 
3147 	return (error);
3148 }
3149 
3150 /*
3151  * We don't want to have a hard dependency
3152  * against some special symbols in sharefs
3153  * nfs, and smbsrv.  Determine them if needed when
3154  * the first file system is shared.
3155  * Neither sharefs, nfs or smbsrv are unloadable modules.
3156  */
3157 int (*znfsexport_fs)(void *arg);
3158 int (*zshare_fs)(enum sharefs_sys_op, share_t *, uint32_t);
3159 int (*zsmbexport_fs)(void *arg, boolean_t add_share);
3160 
3161 int zfs_nfsshare_inited;
3162 int zfs_smbshare_inited;
3163 
3164 ddi_modhandle_t nfs_mod;
3165 ddi_modhandle_t sharefs_mod;
3166 ddi_modhandle_t smbsrv_mod;
3167 kmutex_t zfs_share_lock;
3168 
3169 static int
3170 zfs_init_sharefs()
3171 {
3172 	int error;
3173 
3174 	ASSERT(MUTEX_HELD(&zfs_share_lock));
3175 	/* Both NFS and SMB shares also require sharetab support. */
3176 	if (sharefs_mod == NULL && ((sharefs_mod =
3177 	    ddi_modopen("fs/sharefs",
3178 	    KRTLD_MODE_FIRST, &error)) == NULL)) {
3179 		return (ENOSYS);
3180 	}
3181 	if (zshare_fs == NULL && ((zshare_fs =
3182 	    (int (*)(enum sharefs_sys_op, share_t *, uint32_t))
3183 	    ddi_modsym(sharefs_mod, "sharefs_impl", &error)) == NULL)) {
3184 		return (ENOSYS);
3185 	}
3186 	return (0);
3187 }
3188 
3189 static int
3190 zfs_ioc_share(zfs_cmd_t *zc)
3191 {
3192 	int error;
3193 	int opcode;
3194 
3195 	switch (zc->zc_share.z_sharetype) {
3196 	case ZFS_SHARE_NFS:
3197 	case ZFS_UNSHARE_NFS:
3198 		if (zfs_nfsshare_inited == 0) {
3199 			mutex_enter(&zfs_share_lock);
3200 			if (nfs_mod == NULL && ((nfs_mod = ddi_modopen("fs/nfs",
3201 			    KRTLD_MODE_FIRST, &error)) == NULL)) {
3202 				mutex_exit(&zfs_share_lock);
3203 				return (ENOSYS);
3204 			}
3205 			if (znfsexport_fs == NULL &&
3206 			    ((znfsexport_fs = (int (*)(void *))
3207 			    ddi_modsym(nfs_mod,
3208 			    "nfs_export", &error)) == NULL)) {
3209 				mutex_exit(&zfs_share_lock);
3210 				return (ENOSYS);
3211 			}
3212 			error = zfs_init_sharefs();
3213 			if (error) {
3214 				mutex_exit(&zfs_share_lock);
3215 				return (ENOSYS);
3216 			}
3217 			zfs_nfsshare_inited = 1;
3218 			mutex_exit(&zfs_share_lock);
3219 		}
3220 		break;
3221 	case ZFS_SHARE_SMB:
3222 	case ZFS_UNSHARE_SMB:
3223 		if (zfs_smbshare_inited == 0) {
3224 			mutex_enter(&zfs_share_lock);
3225 			if (smbsrv_mod == NULL && ((smbsrv_mod =
3226 			    ddi_modopen("drv/smbsrv",
3227 			    KRTLD_MODE_FIRST, &error)) == NULL)) {
3228 				mutex_exit(&zfs_share_lock);
3229 				return (ENOSYS);
3230 			}
3231 			if (zsmbexport_fs == NULL && ((zsmbexport_fs =
3232 			    (int (*)(void *, boolean_t))ddi_modsym(smbsrv_mod,
3233 			    "smb_server_share", &error)) == NULL)) {
3234 				mutex_exit(&zfs_share_lock);
3235 				return (ENOSYS);
3236 			}
3237 			error = zfs_init_sharefs();
3238 			if (error) {
3239 				mutex_exit(&zfs_share_lock);
3240 				return (ENOSYS);
3241 			}
3242 			zfs_smbshare_inited = 1;
3243 			mutex_exit(&zfs_share_lock);
3244 		}
3245 		break;
3246 	default:
3247 		return (EINVAL);
3248 	}
3249 
3250 	switch (zc->zc_share.z_sharetype) {
3251 	case ZFS_SHARE_NFS:
3252 	case ZFS_UNSHARE_NFS:
3253 		if (error =
3254 		    znfsexport_fs((void *)
3255 		    (uintptr_t)zc->zc_share.z_exportdata))
3256 			return (error);
3257 		break;
3258 	case ZFS_SHARE_SMB:
3259 	case ZFS_UNSHARE_SMB:
3260 		if (error = zsmbexport_fs((void *)
3261 		    (uintptr_t)zc->zc_share.z_exportdata,
3262 		    zc->zc_share.z_sharetype == ZFS_SHARE_SMB ?
3263 		    B_TRUE: B_FALSE)) {
3264 			return (error);
3265 		}
3266 		break;
3267 	}
3268 
3269 	opcode = (zc->zc_share.z_sharetype == ZFS_SHARE_NFS ||
3270 	    zc->zc_share.z_sharetype == ZFS_SHARE_SMB) ?
3271 	    SHAREFS_ADD : SHAREFS_REMOVE;
3272 
3273 	/*
3274 	 * Add or remove share from sharetab
3275 	 */
3276 	error = zshare_fs(opcode,
3277 	    (void *)(uintptr_t)zc->zc_share.z_sharedata,
3278 	    zc->zc_share.z_sharemax);
3279 
3280 	return (error);
3281 
3282 }
3283 
3284 ace_t full_access[] = {
3285 	{(uid_t)-1, ACE_ALL_PERMS, ACE_EVERYONE, 0}
3286 };
3287 
3288 /*
3289  * Remove all ACL files in shares dir
3290  */
3291 static int
3292 zfs_smb_acl_purge(znode_t *dzp)
3293 {
3294 	zap_cursor_t	zc;
3295 	zap_attribute_t	zap;
3296 	zfsvfs_t *zfsvfs = dzp->z_zfsvfs;
3297 	int error;
3298 
3299 	for (zap_cursor_init(&zc, zfsvfs->z_os, dzp->z_id);
3300 	    (error = zap_cursor_retrieve(&zc, &zap)) == 0;
3301 	    zap_cursor_advance(&zc)) {
3302 		if ((error = VOP_REMOVE(ZTOV(dzp), zap.za_name, kcred,
3303 		    NULL, 0)) != 0)
3304 			break;
3305 	}
3306 	zap_cursor_fini(&zc);
3307 	return (error);
3308 }
3309 
3310 static int
3311 zfs_ioc_smb_acl(zfs_cmd_t *zc)
3312 {
3313 	vnode_t *vp;
3314 	znode_t *dzp;
3315 	vnode_t *resourcevp = NULL;
3316 	znode_t *sharedir;
3317 	zfsvfs_t *zfsvfs;
3318 	nvlist_t *nvlist;
3319 	char *src, *target;
3320 	vattr_t vattr;
3321 	vsecattr_t vsec;
3322 	int error = 0;
3323 
3324 	if ((error = lookupname(zc->zc_value, UIO_SYSSPACE,
3325 	    NO_FOLLOW, NULL, &vp)) != 0)
3326 		return (error);
3327 
3328 	/* Now make sure mntpnt and dataset are ZFS */
3329 
3330 	if (vp->v_vfsp->vfs_fstype != zfsfstype ||
3331 	    (strcmp((char *)refstr_value(vp->v_vfsp->vfs_resource),
3332 	    zc->zc_name) != 0)) {
3333 		VN_RELE(vp);
3334 		return (EINVAL);
3335 	}
3336 
3337 	dzp = VTOZ(vp);
3338 	zfsvfs = dzp->z_zfsvfs;
3339 	ZFS_ENTER(zfsvfs);
3340 
3341 	/*
3342 	 * Create share dir if its missing.
3343 	 */
3344 	mutex_enter(&zfsvfs->z_lock);
3345 	if (zfsvfs->z_shares_dir == 0) {
3346 		dmu_tx_t *tx;
3347 
3348 		tx = dmu_tx_create(zfsvfs->z_os);
3349 		dmu_tx_hold_zap(tx, MASTER_NODE_OBJ, TRUE,
3350 		    ZFS_SHARES_DIR);
3351 		dmu_tx_hold_zap(tx, DMU_NEW_OBJECT, FALSE, NULL);
3352 		error = dmu_tx_assign(tx, TXG_WAIT);
3353 		if (error) {
3354 			dmu_tx_abort(tx);
3355 		} else {
3356 			error = zfs_create_share_dir(zfsvfs, tx);
3357 			dmu_tx_commit(tx);
3358 		}
3359 		if (error) {
3360 			mutex_exit(&zfsvfs->z_lock);
3361 			VN_RELE(vp);
3362 			ZFS_EXIT(zfsvfs);
3363 			return (error);
3364 		}
3365 	}
3366 	mutex_exit(&zfsvfs->z_lock);
3367 
3368 	ASSERT(zfsvfs->z_shares_dir);
3369 	if ((error = zfs_zget(zfsvfs, zfsvfs->z_shares_dir, &sharedir)) != 0) {
3370 		VN_RELE(vp);
3371 		ZFS_EXIT(zfsvfs);
3372 		return (error);
3373 	}
3374 
3375 	switch (zc->zc_cookie) {
3376 	case ZFS_SMB_ACL_ADD:
3377 		vattr.va_mask = AT_MODE|AT_UID|AT_GID|AT_TYPE;
3378 		vattr.va_type = VREG;
3379 		vattr.va_mode = S_IFREG|0777;
3380 		vattr.va_uid = 0;
3381 		vattr.va_gid = 0;
3382 
3383 		vsec.vsa_mask = VSA_ACE;
3384 		vsec.vsa_aclentp = &full_access;
3385 		vsec.vsa_aclentsz = sizeof (full_access);
3386 		vsec.vsa_aclcnt = 1;
3387 
3388 		error = VOP_CREATE(ZTOV(sharedir), zc->zc_string,
3389 		    &vattr, EXCL, 0, &resourcevp, kcred, 0, NULL, &vsec);
3390 		if (resourcevp)
3391 			VN_RELE(resourcevp);
3392 		break;
3393 
3394 	case ZFS_SMB_ACL_REMOVE:
3395 		error = VOP_REMOVE(ZTOV(sharedir), zc->zc_string, kcred,
3396 		    NULL, 0);
3397 		break;
3398 
3399 	case ZFS_SMB_ACL_RENAME:
3400 		if ((error = get_nvlist(zc->zc_nvlist_src,
3401 		    zc->zc_nvlist_src_size, zc->zc_iflags, &nvlist)) != 0) {
3402 			VN_RELE(vp);
3403 			ZFS_EXIT(zfsvfs);
3404 			return (error);
3405 		}
3406 		if (nvlist_lookup_string(nvlist, ZFS_SMB_ACL_SRC, &src) ||
3407 		    nvlist_lookup_string(nvlist, ZFS_SMB_ACL_TARGET,
3408 		    &target)) {
3409 			VN_RELE(vp);
3410 			VN_RELE(ZTOV(sharedir));
3411 			ZFS_EXIT(zfsvfs);
3412 			return (error);
3413 		}
3414 		error = VOP_RENAME(ZTOV(sharedir), src, ZTOV(sharedir), target,
3415 		    kcred, NULL, 0);
3416 		nvlist_free(nvlist);
3417 		break;
3418 
3419 	case ZFS_SMB_ACL_PURGE:
3420 		error = zfs_smb_acl_purge(sharedir);
3421 		break;
3422 
3423 	default:
3424 		error = EINVAL;
3425 		break;
3426 	}
3427 
3428 	VN_RELE(vp);
3429 	VN_RELE(ZTOV(sharedir));
3430 
3431 	ZFS_EXIT(zfsvfs);
3432 
3433 	return (error);
3434 }
3435 
3436 /*
3437  * inputs:
3438  * zc_name	name of filesystem
3439  * zc_value	short name of snap
3440  * zc_string	user-supplied tag for this reference
3441  * zc_cookie	recursive flag
3442  * zc_temphold	set if hold is temporary
3443  *
3444  * outputs:		none
3445  */
3446 static int
3447 zfs_ioc_hold(zfs_cmd_t *zc)
3448 {
3449 	boolean_t recursive = zc->zc_cookie;
3450 
3451 	if (snapshot_namecheck(zc->zc_value, NULL, NULL) != 0)
3452 		return (EINVAL);
3453 
3454 	return (dsl_dataset_user_hold(zc->zc_name, zc->zc_value,
3455 	    zc->zc_string, recursive, zc->zc_temphold));
3456 }
3457 
3458 /*
3459  * inputs:
3460  * zc_name	name of dataset from which we're releasing a user reference
3461  * zc_value	short name of snap
3462  * zc_string	user-supplied tag for this reference
3463  * zc_cookie	recursive flag
3464  *
3465  * outputs:		none
3466  */
3467 static int
3468 zfs_ioc_release(zfs_cmd_t *zc)
3469 {
3470 	boolean_t recursive = zc->zc_cookie;
3471 
3472 	if (snapshot_namecheck(zc->zc_value, NULL, NULL) != 0)
3473 		return (EINVAL);
3474 
3475 	return (dsl_dataset_user_release(zc->zc_name, zc->zc_value,
3476 	    zc->zc_string, recursive));
3477 }
3478 
3479 /*
3480  * inputs:
3481  * zc_name		name of filesystem
3482  *
3483  * outputs:
3484  * zc_nvlist_src{_size}	nvlist of snapshot holds
3485  */
3486 static int
3487 zfs_ioc_get_holds(zfs_cmd_t *zc)
3488 {
3489 	nvlist_t *nvp;
3490 	int error;
3491 
3492 	if ((error = dsl_dataset_get_holds(zc->zc_name, &nvp)) == 0) {
3493 		error = put_nvlist(zc, nvp);
3494 		nvlist_free(nvp);
3495 	}
3496 
3497 	return (error);
3498 }
3499 
3500 /*
3501  * pool create, destroy, and export don't log the history as part of
3502  * zfsdev_ioctl, but rather zfs_ioc_pool_create, and zfs_ioc_pool_export
3503  * do the logging of those commands.
3504  */
3505 static zfs_ioc_vec_t zfs_ioc_vec[] = {
3506 	{ zfs_ioc_pool_create, zfs_secpolicy_config, POOL_NAME, B_FALSE,
3507 	    B_FALSE },
3508 	{ zfs_ioc_pool_destroy,	zfs_secpolicy_config, POOL_NAME, B_FALSE,
3509 	    B_FALSE },
3510 	{ zfs_ioc_pool_import, zfs_secpolicy_config, POOL_NAME, B_TRUE,
3511 	    B_FALSE },
3512 	{ zfs_ioc_pool_export, zfs_secpolicy_config, POOL_NAME, B_FALSE,
3513 	    B_FALSE },
3514 	{ zfs_ioc_pool_configs,	zfs_secpolicy_none, NO_NAME, B_FALSE,
3515 	    B_FALSE },
3516 	{ zfs_ioc_pool_stats, zfs_secpolicy_read, POOL_NAME, B_FALSE,
3517 	    B_FALSE },
3518 	{ zfs_ioc_pool_tryimport, zfs_secpolicy_config, NO_NAME, B_FALSE,
3519 	    B_FALSE },
3520 	{ zfs_ioc_pool_scrub, zfs_secpolicy_config, POOL_NAME, B_TRUE,
3521 	    B_TRUE },
3522 	{ zfs_ioc_pool_freeze, zfs_secpolicy_config, NO_NAME, B_FALSE,
3523 	    B_FALSE },
3524 	{ zfs_ioc_pool_upgrade,	zfs_secpolicy_config, POOL_NAME, B_TRUE,
3525 	    B_TRUE },
3526 	{ zfs_ioc_pool_get_history, zfs_secpolicy_config, POOL_NAME, B_FALSE,
3527 	    B_FALSE },
3528 	{ zfs_ioc_vdev_add, zfs_secpolicy_config, POOL_NAME, B_TRUE,
3529 	    B_TRUE },
3530 	{ zfs_ioc_vdev_remove, zfs_secpolicy_config, POOL_NAME, B_TRUE,
3531 	    B_TRUE },
3532 	{ zfs_ioc_vdev_set_state, zfs_secpolicy_config,	POOL_NAME, B_TRUE,
3533 	    B_FALSE },
3534 	{ zfs_ioc_vdev_attach, zfs_secpolicy_config, POOL_NAME, B_TRUE,
3535 	    B_TRUE },
3536 	{ zfs_ioc_vdev_detach, zfs_secpolicy_config, POOL_NAME, B_TRUE,
3537 	    B_TRUE },
3538 	{ zfs_ioc_vdev_setpath,	zfs_secpolicy_config, POOL_NAME, B_FALSE,
3539 	    B_TRUE },
3540 	{ zfs_ioc_vdev_setfru,	zfs_secpolicy_config, POOL_NAME, B_FALSE,
3541 	    B_TRUE },
3542 	{ zfs_ioc_objset_stats,	zfs_secpolicy_read, DATASET_NAME, B_FALSE,
3543 	    B_FALSE },
3544 	{ zfs_ioc_objset_zplprops, zfs_secpolicy_read, DATASET_NAME, B_FALSE,
3545 	    B_FALSE },
3546 	{ zfs_ioc_dataset_list_next, zfs_secpolicy_read, DATASET_NAME, B_FALSE,
3547 	    B_FALSE },
3548 	{ zfs_ioc_snapshot_list_next, zfs_secpolicy_read, DATASET_NAME, B_FALSE,
3549 	    B_FALSE },
3550 	{ zfs_ioc_set_prop, zfs_secpolicy_none, DATASET_NAME, B_TRUE, B_TRUE },
3551 	{ zfs_ioc_create, zfs_secpolicy_create, DATASET_NAME, B_TRUE, B_TRUE },
3552 	{ zfs_ioc_destroy, zfs_secpolicy_destroy, DATASET_NAME, B_TRUE,
3553 	    B_TRUE},
3554 	{ zfs_ioc_rollback, zfs_secpolicy_rollback, DATASET_NAME, B_TRUE,
3555 	    B_TRUE },
3556 	{ zfs_ioc_rename, zfs_secpolicy_rename,	DATASET_NAME, B_TRUE, B_TRUE },
3557 	{ zfs_ioc_recv, zfs_secpolicy_receive, DATASET_NAME, B_TRUE, B_TRUE },
3558 	{ zfs_ioc_send, zfs_secpolicy_send, DATASET_NAME, B_TRUE, B_FALSE },
3559 	{ zfs_ioc_inject_fault,	zfs_secpolicy_inject, NO_NAME, B_FALSE,
3560 	    B_FALSE },
3561 	{ zfs_ioc_clear_fault, zfs_secpolicy_inject, NO_NAME, B_FALSE,
3562 	    B_FALSE },
3563 	{ zfs_ioc_inject_list_next, zfs_secpolicy_inject, NO_NAME, B_FALSE,
3564 	    B_FALSE },
3565 	{ zfs_ioc_error_log, zfs_secpolicy_inject, POOL_NAME, B_FALSE,
3566 	    B_FALSE },
3567 	{ zfs_ioc_clear, zfs_secpolicy_config, POOL_NAME, B_TRUE, B_FALSE },
3568 	{ zfs_ioc_promote, zfs_secpolicy_promote, DATASET_NAME, B_TRUE,
3569 	    B_TRUE },
3570 	{ zfs_ioc_destroy_snaps, zfs_secpolicy_destroy,	DATASET_NAME, B_TRUE,
3571 	    B_TRUE },
3572 	{ zfs_ioc_snapshot, zfs_secpolicy_snapshot, DATASET_NAME, B_TRUE,
3573 	    B_TRUE },
3574 	{ zfs_ioc_dsobj_to_dsname, zfs_secpolicy_config, POOL_NAME, B_FALSE,
3575 	    B_FALSE },
3576 	{ zfs_ioc_obj_to_path, zfs_secpolicy_config, DATASET_NAME, B_FALSE,
3577 	    B_TRUE },
3578 	{ zfs_ioc_pool_set_props, zfs_secpolicy_config,	POOL_NAME, B_TRUE,
3579 	    B_TRUE },
3580 	{ zfs_ioc_pool_get_props, zfs_secpolicy_read, POOL_NAME, B_FALSE,
3581 	    B_FALSE },
3582 	{ zfs_ioc_set_fsacl, zfs_secpolicy_fsacl, DATASET_NAME, B_TRUE,
3583 	    B_TRUE },
3584 	{ zfs_ioc_get_fsacl, zfs_secpolicy_read, DATASET_NAME, B_FALSE,
3585 	    B_FALSE },
3586 	{ zfs_ioc_iscsi_perm_check, zfs_secpolicy_iscsi, DATASET_NAME, B_FALSE,
3587 	    B_FALSE },
3588 	{ zfs_ioc_share, zfs_secpolicy_share, DATASET_NAME, B_FALSE, B_FALSE },
3589 	{ zfs_ioc_inherit_prop, zfs_secpolicy_inherit, DATASET_NAME, B_TRUE,
3590 	    B_TRUE },
3591 	{ zfs_ioc_smb_acl, zfs_secpolicy_smb_acl, DATASET_NAME, B_FALSE,
3592 	    B_FALSE },
3593 	{ zfs_ioc_userspace_one, zfs_secpolicy_userspace_one,
3594 	    DATASET_NAME, B_FALSE, B_FALSE },
3595 	{ zfs_ioc_userspace_many, zfs_secpolicy_userspace_many,
3596 	    DATASET_NAME, B_FALSE, B_FALSE },
3597 	{ zfs_ioc_userspace_upgrade, zfs_secpolicy_userspace_upgrade,
3598 	    DATASET_NAME, B_FALSE, B_TRUE },
3599 	{ zfs_ioc_hold, zfs_secpolicy_hold, DATASET_NAME, B_TRUE, B_TRUE },
3600 	{ zfs_ioc_release, zfs_secpolicy_release, DATASET_NAME, B_TRUE,
3601 	    B_TRUE },
3602 	{ zfs_ioc_get_holds, zfs_secpolicy_read, DATASET_NAME, B_FALSE,
3603 	    B_TRUE }
3604 };
3605 
3606 int
3607 pool_status_check(const char *name, zfs_ioc_namecheck_t type)
3608 {
3609 	spa_t *spa;
3610 	int error;
3611 
3612 	ASSERT(type == POOL_NAME || type == DATASET_NAME);
3613 
3614 	error = spa_open(name, &spa, FTAG);
3615 	if (error == 0) {
3616 		if (spa_suspended(spa))
3617 			error = EAGAIN;
3618 		spa_close(spa, FTAG);
3619 	}
3620 	return (error);
3621 }
3622 
3623 static int
3624 zfsdev_ioctl(dev_t dev, int cmd, intptr_t arg, int flag, cred_t *cr, int *rvalp)
3625 {
3626 	zfs_cmd_t *zc;
3627 	uint_t vec;
3628 	int error, rc;
3629 
3630 	if (getminor(dev) != 0)
3631 		return (zvol_ioctl(dev, cmd, arg, flag, cr, rvalp));
3632 
3633 	vec = cmd - ZFS_IOC;
3634 	ASSERT3U(getmajor(dev), ==, ddi_driver_major(zfs_dip));
3635 
3636 	if (vec >= sizeof (zfs_ioc_vec) / sizeof (zfs_ioc_vec[0]))
3637 		return (EINVAL);
3638 
3639 	zc = kmem_zalloc(sizeof (zfs_cmd_t), KM_SLEEP);
3640 
3641 	error = ddi_copyin((void *)arg, zc, sizeof (zfs_cmd_t), flag);
3642 
3643 	if ((error == 0) && !(flag & FKIOCTL))
3644 		error = zfs_ioc_vec[vec].zvec_secpolicy(zc, cr);
3645 
3646 	/*
3647 	 * Ensure that all pool/dataset names are valid before we pass down to
3648 	 * the lower layers.
3649 	 */
3650 	if (error == 0) {
3651 		zc->zc_name[sizeof (zc->zc_name) - 1] = '\0';
3652 		zc->zc_iflags = flag & FKIOCTL;
3653 		switch (zfs_ioc_vec[vec].zvec_namecheck) {
3654 		case POOL_NAME:
3655 			if (pool_namecheck(zc->zc_name, NULL, NULL) != 0)
3656 				error = EINVAL;
3657 			if (zfs_ioc_vec[vec].zvec_pool_check)
3658 				error = pool_status_check(zc->zc_name,
3659 				    zfs_ioc_vec[vec].zvec_namecheck);
3660 			break;
3661 
3662 		case DATASET_NAME:
3663 			if (dataset_namecheck(zc->zc_name, NULL, NULL) != 0)
3664 				error = EINVAL;
3665 			if (zfs_ioc_vec[vec].zvec_pool_check)
3666 				error = pool_status_check(zc->zc_name,
3667 				    zfs_ioc_vec[vec].zvec_namecheck);
3668 			break;
3669 
3670 		case NO_NAME:
3671 			break;
3672 		}
3673 	}
3674 
3675 	if (error == 0)
3676 		error = zfs_ioc_vec[vec].zvec_func(zc);
3677 
3678 	rc = ddi_copyout(zc, (void *)arg, sizeof (zfs_cmd_t), flag);
3679 	if (error == 0) {
3680 		error = rc;
3681 		if (zfs_ioc_vec[vec].zvec_his_log)
3682 			zfs_log_history(zc);
3683 	}
3684 
3685 	kmem_free(zc, sizeof (zfs_cmd_t));
3686 	return (error);
3687 }
3688 
3689 static int
3690 zfs_attach(dev_info_t *dip, ddi_attach_cmd_t cmd)
3691 {
3692 	if (cmd != DDI_ATTACH)
3693 		return (DDI_FAILURE);
3694 
3695 	if (ddi_create_minor_node(dip, "zfs", S_IFCHR, 0,
3696 	    DDI_PSEUDO, 0) == DDI_FAILURE)
3697 		return (DDI_FAILURE);
3698 
3699 	zfs_dip = dip;
3700 
3701 	ddi_report_dev(dip);
3702 
3703 	return (DDI_SUCCESS);
3704 }
3705 
3706 static int
3707 zfs_detach(dev_info_t *dip, ddi_detach_cmd_t cmd)
3708 {
3709 	if (spa_busy() || zfs_busy() || zvol_busy())
3710 		return (DDI_FAILURE);
3711 
3712 	if (cmd != DDI_DETACH)
3713 		return (DDI_FAILURE);
3714 
3715 	zfs_dip = NULL;
3716 
3717 	ddi_prop_remove_all(dip);
3718 	ddi_remove_minor_node(dip, NULL);
3719 
3720 	return (DDI_SUCCESS);
3721 }
3722 
3723 /*ARGSUSED*/
3724 static int
3725 zfs_info(dev_info_t *dip, ddi_info_cmd_t infocmd, void *arg, void **result)
3726 {
3727 	switch (infocmd) {
3728 	case DDI_INFO_DEVT2DEVINFO:
3729 		*result = zfs_dip;
3730 		return (DDI_SUCCESS);
3731 
3732 	case DDI_INFO_DEVT2INSTANCE:
3733 		*result = (void *)0;
3734 		return (DDI_SUCCESS);
3735 	}
3736 
3737 	return (DDI_FAILURE);
3738 }
3739 
3740 /*
3741  * OK, so this is a little weird.
3742  *
3743  * /dev/zfs is the control node, i.e. minor 0.
3744  * /dev/zvol/[r]dsk/pool/dataset are the zvols, minor > 0.
3745  *
3746  * /dev/zfs has basically nothing to do except serve up ioctls,
3747  * so most of the standard driver entry points are in zvol.c.
3748  */
3749 static struct cb_ops zfs_cb_ops = {
3750 	zvol_open,	/* open */
3751 	zvol_close,	/* close */
3752 	zvol_strategy,	/* strategy */
3753 	nodev,		/* print */
3754 	zvol_dump,	/* dump */
3755 	zvol_read,	/* read */
3756 	zvol_write,	/* write */
3757 	zfsdev_ioctl,	/* ioctl */
3758 	nodev,		/* devmap */
3759 	nodev,		/* mmap */
3760 	nodev,		/* segmap */
3761 	nochpoll,	/* poll */
3762 	ddi_prop_op,	/* prop_op */
3763 	NULL,		/* streamtab */
3764 	D_NEW | D_MP | D_64BIT,		/* Driver compatibility flag */
3765 	CB_REV,		/* version */
3766 	nodev,		/* async read */
3767 	nodev,		/* async write */
3768 };
3769 
3770 static struct dev_ops zfs_dev_ops = {
3771 	DEVO_REV,	/* version */
3772 	0,		/* refcnt */
3773 	zfs_info,	/* info */
3774 	nulldev,	/* identify */
3775 	nulldev,	/* probe */
3776 	zfs_attach,	/* attach */
3777 	zfs_detach,	/* detach */
3778 	nodev,		/* reset */
3779 	&zfs_cb_ops,	/* driver operations */
3780 	NULL,		/* no bus operations */
3781 	NULL,		/* power */
3782 	ddi_quiesce_not_needed,	/* quiesce */
3783 };
3784 
3785 static struct modldrv zfs_modldrv = {
3786 	&mod_driverops,
3787 	"ZFS storage pool",
3788 	&zfs_dev_ops
3789 };
3790 
3791 static struct modlinkage modlinkage = {
3792 	MODREV_1,
3793 	(void *)&zfs_modlfs,
3794 	(void *)&zfs_modldrv,
3795 	NULL
3796 };
3797 
3798 
3799 uint_t zfs_fsyncer_key;
3800 extern uint_t rrw_tsd_key;
3801 
3802 int
3803 _init(void)
3804 {
3805 	int error;
3806 
3807 	spa_init(FREAD | FWRITE);
3808 	zfs_init();
3809 	zvol_init();
3810 
3811 	if ((error = mod_install(&modlinkage)) != 0) {
3812 		zvol_fini();
3813 		zfs_fini();
3814 		spa_fini();
3815 		return (error);
3816 	}
3817 
3818 	tsd_create(&zfs_fsyncer_key, NULL);
3819 	tsd_create(&rrw_tsd_key, NULL);
3820 
3821 	error = ldi_ident_from_mod(&modlinkage, &zfs_li);
3822 	ASSERT(error == 0);
3823 	mutex_init(&zfs_share_lock, NULL, MUTEX_DEFAULT, NULL);
3824 
3825 	return (0);
3826 }
3827 
3828 int
3829 _fini(void)
3830 {
3831 	int error;
3832 
3833 	if (spa_busy() || zfs_busy() || zvol_busy() || zio_injection_enabled)
3834 		return (EBUSY);
3835 
3836 	if ((error = mod_remove(&modlinkage)) != 0)
3837 		return (error);
3838 
3839 	zvol_fini();
3840 	zfs_fini();
3841 	spa_fini();
3842 	if (zfs_nfsshare_inited)
3843 		(void) ddi_modclose(nfs_mod);
3844 	if (zfs_smbshare_inited)
3845 		(void) ddi_modclose(smbsrv_mod);
3846 	if (zfs_nfsshare_inited || zfs_smbshare_inited)
3847 		(void) ddi_modclose(sharefs_mod);
3848 
3849 	tsd_destroy(&zfs_fsyncer_key);
3850 	ldi_ident_release(zfs_li);
3851 	zfs_li = NULL;
3852 	mutex_destroy(&zfs_share_lock);
3853 
3854 	return (error);
3855 }
3856 
3857 int
3858 _info(struct modinfo *modinfop)
3859 {
3860 	return (mod_info(&modlinkage, modinfop));
3861 }
3862