zfs_main: allow umount only on original mountpoint

[ixhamza]

Motivation and Context

Prevent silent unmount of the real mounpoint when running zfs umount on a binded mount.

Description

When “zfs umount” is run on a bind mount, it silently unmounts the real dataset and leaves the bind stale. Add a check so umount only succeeds if the path matches the original mountpoint; otherwise, print an error and abort to prevent accidental unmounts.

How Has This Been Tested?

Before

buildroot@root:~# zpool create -O mountpoint=/mnt/tank tank nvme0n1
buildroot@root:~# mkdir -p /mnt/tank-bind
buildroot@root:~# mount --bind /mnt/tank /mnt/tank-bind
buildroot@root:~# zfs umount /mnt/tank-bind
buildroot@root:~# mount | grep tank
tank on /mnt/tank-bind type zfs (rw,relatime,xattr,noacl,casesensitive)

After

buildroot@root:~# zpool create -O mountpoint=/mnt/tank tank nvme0n1
buildroot@root:~# mkdir -p /mnt/tank-bind
buildroot@root:~# mount --bind /mnt/tank /mnt/tank-bind
buildroot@root:~# zfs umount /mnt/tank-bind
cannot unmount '/mnt/tank-bind': not a original mountpoint
buildroot@root:~# mount | grep tank
tank on /mnt/tank type zfs (rw,relatime,xattr,noacl,casesensitive)
tank on /mnt/tank-bind type zfs (rw,relatime,xattr,noacl,casesensitive)
buildroot@root:~# umount /mnt/tank-bind
buildroot@root:~# mount | grep tank
tank on /mnt/tank type zfs (rw,relatime,xattr,noacl,casesensitive)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Quality assurance (non-breaking change which makes the code more robust against bugs)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[amotin]

While I understand there is a problem, I am not sure this solution is right. Please correct me if I am wrong, but looking on getextmntent() I see this comment:

 * Search for the path in /proc/self/mounts. Rather than looking for the
 * specific path, which can be fooled by non-standard paths (i.e. ".."
 * or "//"), we stat() the path and search for the corresponding
 * (major,minor) device pair.

, which makes me think the exactly path match is not required there.