#! /usr/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

#
# Copyright (c) 2013, 2016 by Delphix. All rights reserved.
#

. $STF_SUITE/include/libtest.shlib

#
# DESCRIPTION:
#
# The RBAC profile "ZFS File System Management" works
#
# STRATEGY:
#
# The following actions are taken, both using profile execution (pfexec)
# and without profile execution - we make sure that the latter should
# always fail.
#
# (create)
# 1. As a normal user, try to create a filesystem - which should fail.
# 2. Assign "ZFS File System Management" profile, try to create fs again,
#    which should succeed.
#
# (pools)
# 3. Ensure a user with this profile can't perform pool administration
#    by attempting to destroy a pool.
#
# (destroy)
# 5. Remove the FS profile, then attempt to destroy the fs, which
#    should fail.
# 6. Assign the FS profile, then attempt to destroy the fs, which
#    should succeed.
#

verify_runnable "both"

log_assert "The RBAC profile \"ZFS File System Management\" works"

ZFS_USER=$(cat /tmp/zfs-privs-test-user.txt)

# Set a $DATASET where we can create child file systems
if is_global_zone; then
	log_must zpool create -f $TESTPOOL $DISKS
	DATASET=$TESTPOOL
else
	DATASET=zonepool/zonectr0
fi

# A user shouldn't be able to create filesystems
log_mustnot su $ZFS_USER -c "zfs create $DATASET/zfsprivfs"

# Insist this invocation of usermod works
log_must usermod -P "ZFS File System Management" $ZFS_USER

# Now try to create file systems as the user
log_mustnot su $ZFS_USER -c "zfs create $DATASET/zfsprivfs"
log_must su $ZFS_USER -c "pfexec zfs create $DATASET/zfsprivfs"

# Ensure the user can't do anything to pools in this state:
log_mustnot su $ZFS_USER -c "zpool destroy $DATASET"
log_mustnot su $ZFS_USER -c "pfexec zpool destroy $DATASET"

# Revoke the File System Management profile
usermod -P, $ZFS_USER

# Ensure the user can't create more filesystems
log_mustnot su $ZFS_USER -c "zfs create $DATASET/zfsprivfs2"
log_mustnot su $ZFS_USER -c "pfexec zfs create $DATASET/zfsprivfs2"

# Assign the profile again and destroy the fs.
usermod -P "ZFS File System Management" $ZFS_USER
log_must su $ZFS_USER -c "pfexec zfs destroy $DATASET/zfsprivfs"
usermod -P, $ZFS_USER

log_pass "The RBAC profile \"ZFS File System Management\" works"