zfs_namecheck.c revision 325910 
1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 */
25/*
26 * Copyright (c) 2013 by Delphix. All rights reserved.
27 */
28
29/*
30 * Common name validation routines for ZFS.  These routines are shared by the
31 * userland code as well as the ioctl() layer to ensure that we don't
32 * inadvertently expose a hole through direct ioctl()s that never gets tested.
33 * In userland, however, we want significantly more information about _why_ the
34 * name is invalid.  In the kernel, we only care whether it's valid or not.
35 * Each routine therefore takes a 'namecheck_err_t' which describes exactly why
36 * the name failed to validate.
37 *
38 * Each function returns 0 on success, -1 on error.
39 */
40
41#if defined(_KERNEL)
42#include <sys/systm.h>
43#else
44#include <string.h>
45#endif
46
47#include <sys/dsl_dir.h>
48#include <sys/param.h>
49#include <sys/nvpair.h>
50#include "zfs_namecheck.h"
51#include "zfs_deleg.h"
52
53static int
54valid_char(char c)
55{
56	return ((c >= 'a' && c <= 'z') ||
57	    (c >= 'A' && c <= 'Z') ||
58	    (c >= '0' && c <= '9') ||
59	    c == '-' || c == '_' || c == '.' || c == ':' || c == ' ');
60}
61
62/*
63 * Snapshot names must be made up of alphanumeric characters plus the following
64 * characters:
65 *
66 * 	[-_.: ]
67 */
68int
69zfs_component_namecheck(const char *path, namecheck_err_t *why, char *what)
70{
71	const char *loc;
72
73	if (strlen(path) >= ZFS_MAX_DATASET_NAME_LEN) {
74		if (why)
75			*why = NAME_ERR_TOOLONG;
76		return (-1);
77	}
78
79	if (path[0] == '\0') {
80		if (why)
81			*why = NAME_ERR_EMPTY_COMPONENT;
82		return (-1);
83	}
84
85	for (loc = path; *loc; loc++) {
86		if (!valid_char(*loc)) {
87			if (why) {
88				*why = NAME_ERR_INVALCHAR;
89				*what = *loc;
90			}
91			return (-1);
92		}
93	}
94	return (0);
95}
96
97
98/*
99 * Permissions set name must start with the letter '@' followed by the
100 * same character restrictions as snapshot names, except that the name
101 * cannot exceed 64 characters.
102 */
103int
104permset_namecheck(const char *path, namecheck_err_t *why, char *what)
105{
106	if (strlen(path) >= ZFS_PERMSET_MAXLEN) {
107		if (why)
108			*why = NAME_ERR_TOOLONG;
109		return (-1);
110	}
111
112	if (path[0] != '@') {
113		if (why) {
114			*why = NAME_ERR_NO_AT;
115			*what = path[0];
116		}
117		return (-1);
118	}
119
120	return (zfs_component_namecheck(&path[1], why, what));
121}
122
123/*
124 * Dataset names must be of the following form:
125 *
126 * 	[component][/]*[component][@component]
127 *
128 * Where each component is made up of alphanumeric characters plus the following
129 * characters:
130 *
131 * 	[-_.:%]
132 *
133 * We allow '%' here as we use that character internally to create unique
134 * names for temporary clones (for online recv).
135 */
136int
137dataset_namecheck(const char *path, namecheck_err_t *why, char *what)
138{
139	const char *loc, *end;
140	int found_snapshot;
141
142	/*
143	 * Make sure the name is not too long.
144	 */
145
146	if (strlen(path) >= ZFS_MAX_DATASET_NAME_LEN) {
147		if (why)
148			*why = NAME_ERR_TOOLONG;
149		return (-1);
150	}
151
152	/* Explicitly check for a leading slash.  */
153	if (path[0] == '/') {
154		if (why)
155			*why = NAME_ERR_LEADING_SLASH;
156		return (-1);
157	}
158
159	if (path[0] == '\0') {
160		if (why)
161			*why = NAME_ERR_EMPTY_COMPONENT;
162		return (-1);
163	}
164
165	loc = path;
166	found_snapshot = 0;
167	for (;;) {
168		/* Find the end of this component */
169		end = loc;
170		while (*end != '/' && *end != '@' && *end != '\0')
171			end++;
172
173		if (*end == '\0' && end[-1] == '/') {
174			/* trailing slashes are not allowed */
175			if (why)
176				*why = NAME_ERR_TRAILING_SLASH;
177			return (-1);
178		}
179
180		/* Zero-length components are not allowed */
181		if (loc == end) {
182			if (why) {
183				/*
184				 * Make sure this is really a zero-length
185				 * component and not a '@@'.
186				 */
187				if (*end == '@' && found_snapshot) {
188					*why = NAME_ERR_MULTIPLE_AT;
189				} else {
190					*why = NAME_ERR_EMPTY_COMPONENT;
191				}
192			}
193
194			return (-1);
195		}
196
197		/* Validate the contents of this component */
198		while (loc != end) {
199			if (!valid_char(*loc) && *loc != '%') {
200				if (why) {
201					*why = NAME_ERR_INVALCHAR;
202					*what = *loc;
203				}
204				return (-1);
205			}
206			loc++;
207		}
208
209		/* If we've reached the end of the string, we're OK */
210		if (*end == '\0')
211			return (0);
212
213		if (*end == '@') {
214			/*
215			 * If we've found an @ symbol, indicate that we're in
216			 * the snapshot component, and report a second '@'
217			 * character as an error.
218			 */
219			if (found_snapshot) {
220				if (why)
221					*why = NAME_ERR_MULTIPLE_AT;
222				return (-1);
223			}
224
225			found_snapshot = 1;
226		}
227
228		/*
229		 * If there is a '/' in a snapshot name
230		 * then report an error
231		 */
232		if (*end == '/' && found_snapshot) {
233			if (why)
234				*why = NAME_ERR_TRAILING_SLASH;
235			return (-1);
236		}
237
238		/* Update to the next component */
239		loc = end + 1;
240	}
241}
242
243
244/*
245 * mountpoint names must be of the following form:
246 *
247 *	/[component][/]*[component][/]
248 */
249int
250mountpoint_namecheck(const char *path, namecheck_err_t *why)
251{
252	const char *start, *end;
253
254	/*
255	 * Make sure none of the mountpoint component names are too long.
256	 * If a component name is too long then the mkdir of the mountpoint
257	 * will fail but then the mountpoint property will be set to a value
258	 * that can never be mounted.  Better to fail before setting the prop.
259	 * Extra slashes are OK, they will be tossed by the mountpoint mkdir.
260	 */
261
262	if (path == NULL || *path != '/') {
263		if (why)
264			*why = NAME_ERR_LEADING_SLASH;
265		return (-1);
266	}
267
268	/* Skip leading slash  */
269	start = &path[1];
270	do {
271		end = start;
272		while (*end != '/' && *end != '\0')
273			end++;
274
275		if (end - start >= ZFS_MAX_DATASET_NAME_LEN) {
276			if (why)
277				*why = NAME_ERR_TOOLONG;
278			return (-1);
279		}
280		start = end + 1;
281
282	} while (*end != '\0');
283
284	return (0);
285}
286
287/*
288 * For pool names, we have the same set of valid characters as described in
289 * dataset names, with the additional restriction that the pool name must begin
290 * with a letter.  The pool names 'raidz' and 'mirror' are also reserved names
291 * that cannot be used.
292 */
293int
294pool_namecheck(const char *pool, namecheck_err_t *why, char *what)
295{
296	const char *c;
297
298	/*
299	 * Make sure the name is not too long.
300	 * If we're creating a pool with version >= SPA_VERSION_DSL_SCRUB (v11)
301	 * we need to account for additional space needed by the origin ds which
302	 * will also be snapshotted: "poolname"+"/"+"$ORIGIN"+"@"+"$ORIGIN".
303	 * Play it safe and enforce this limit even if the pool version is < 11
304	 * so it can be upgraded without issues.
305	 */
306	if (strlen(pool) >= (ZFS_MAX_DATASET_NAME_LEN - 2 -
307	    strlen(ORIGIN_DIR_NAME) * 2)) {
308		if (why)
309			*why = NAME_ERR_TOOLONG;
310		return (-1);
311	}
312
313	c = pool;
314	while (*c != '\0') {
315		if (!valid_char(*c)) {
316			if (why) {
317				*why = NAME_ERR_INVALCHAR;
318				*what = *c;
319			}
320			return (-1);
321		}
322		c++;
323	}
324
325	if (!(*pool >= 'a' && *pool <= 'z') &&
326	    !(*pool >= 'A' && *pool <= 'Z')) {
327		if (why)
328			*why = NAME_ERR_NOLETTER;
329		return (-1);
330	}
331
332	if (strcmp(pool, "mirror") == 0 || strcmp(pool, "raidz") == 0) {
333		if (why)
334			*why = NAME_ERR_RESERVED;
335		return (-1);
336	}
337
338	if (pool[0] == 'c' && (pool[1] >= '0' && pool[1] <= '9')) {
339		if (why)
340			*why = NAME_ERR_DISKLIKE;
341		return (-1);
342	}
343
344	return (0);
345}
346