MFC r342849: libbe(3): Don't allow bootfs to be destroyed

Previously, the following sequence of events was feasible under some circumstance: bectl create test bectl activate test # the test BE dataset gets promoted and set as bootfs bectl destroy test I was unable to reproduce the destroy succeeding, but we should be rejecting this before it even gets to libzfs because it would leave the system in an inconsistent state. Forcing the user to be explicit as to which environment should be activated instead is much better.
HardenedBSD · Jan 15, 2019 · 43c0259 · 43c0259
1 parent 43d929c
commit 43c0259
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/lib/libbe/be.c b/lib/libbe/be.c
@@ -211,7 +211,8 @@ be_destroy(libbe_handle_t *lbh, const char *name, int options)
 		if (!zfs_dataset_exists(lbh->lzh, path, ZFS_TYPE_FILESYSTEM))
 			return (set_error(lbh, BE_ERR_NOENT));
 
-		if (strcmp(path, lbh->rootfs) == 0)
+		if (strcmp(path, lbh->rootfs) == 0 ||
+		    strcmp(path, lbh->bootfs) == 0)
 			return (set_error(lbh, BE_ERR_DESTROYACT));
 
 		fs = zfs_open(lbh->lzh, p, ZFS_TYPE_FILESYSTEM);