Add receive:append permission for limited receive

[shodanshok]

Force receive (zfs receive -F) can rollback or destroy snapshots and file systems that do not exist on the sending side (see zfs-receive man page). This means an user having the receive permission can effectively delete data on receiving side, even if such user does not have explicit rollback or destroy permissions.

This patch adds the append permission, which only permits limited, non-forced receive. Behavior for users with full receive permission is not changed in any way.

Fixes #16943

Motivation and Context

Description

How Has This Been Tested?

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[amotin]

I don't think I like the permission named just "append", not some "receive:append" or something like that, what is allowed by the command syntax. Also as I have told before, it would be nice to investigate other related cases, like receive with rollback to the last snapshot, and think about similar permissions for the rollback command.

[shodanshok]

I don't think I like the permission named just "append", not some "receive:append" or something like that, what is allowed by the command syntax.

I changed the permission name to receive:append as suggested, thanks.

Also as I have told before, it would be nice to investigate other related cases, like receive with rollback to the last snapshot, and think about similar permissions for the rollback command.

While true, I feel this would significantly increase the scope of this patch, which really is about providing a simple solution to the security issue we have now (and between a module tunable and this new permission I prefer the latter).