1 files changed, 194 insertions, 0 deletions
diff --git a/tests/zfs-tests/tests/functional/delegate/zfs_allow_010_pos.ksh b/tests/zfs-tests/tests/functional/delegate/zfs_allow_010_pos.ksh
new file mode 100755
index 000000000000..3a8ef5e6251b
--- /dev/null
+++ b/tests/zfs-tests/tests/functional/delegate/zfs_allow_010_pos.ksh
@@ -0,0 +1,194 @@
+#!/bin/ksh -p
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+
+#
+# Copyright (c) 2013, 2016 by Delphix. All rights reserved.
+#
+
+. $STF_SUITE/tests/functional/delegate/delegate_common.kshlib
+
+#
+# DESCRIPTION:
+#	Scan the following permissions one by one to verify privileged user
+#	has correct permission delegation in datasets.
+#
+# STRATEGY:
+#	1. Delegate all the permission one by one to user on dataset.
+#	2. Verify privileged user has correct permission without any other
+#	   permissions allowed.
+#
+
+verify_runnable "both"
+
+log_assert "Verify privileged user has correct permissions once which was "\
+	"delegated to him in datasets"
+log_onexit restore_root_datasets
+
+if is_linux; then
+#
+#				Results in	Results in
+#		Permission	Filesystem	Volume
+#
+# Removed for Linux:
+# - mount	- mount(8) does not permit non-superuser mounts
+# - mountpoint	- mount(8) does not permit non-superuser mounts
+# - canmount	- mount(8) does not permit non-superuser mounts
+# - rename      - mount(8) does not permit non-superuser mounts
+# - zoned	- zones are not supported
+# - destroy     - umount(8) does not permit non-superuser umounts
+# - sharenfs	- sharing requires superuser privileges
+# - share	- sharing requires superuser privileges
+# - readonly	- mount(8) does not permit non-superuser remounts
+#
+set -A perms	create		true		false	\
+		snapshot	true		true	\
+		send		true		true	\
+		allow		true		true	\
+		quota		true		false	\
+		reservation	true		true	\
+		dnodesize	true		false	\
+		recordsize	true		false	\
+		checksum	true		true	\
+		compression	true		true	\
+		atime		true		false	\
+		devices		true		false	\
+		exec		true		false	\
+		volsize		false		true	\
+		setuid		true		false	\
+		snapdir		true		false	\
+		userprop	true		true	\
+		aclinherit	true		false	\
+		rollback	true		true	\
+		clone		true		true	\
+		promote		true		true	\
+		xattr		true		false	\
+		receive		true		false
+
+elif is_freebsd; then
+#				Results in	Results in
+#		Permission	Filesystem	Volume
+#
+# Removed for FreeBSD
+# - jailed	- jailing requires superuser privileges
+# - sharenfs	- sharing requires superuser privileges
+# - share	- sharing requires superuser privileges
+# - xattr	- Not supported on FreeBSD
+#
+set -A perms	create		true		false	\
+		snapshot	true		true	\
+		mount		true		false	\
+		send		true		true	\
+		allow		true		true	\
+		quota		true		false	\
+		reservation	true		true	\
+		dnodesize	true		false	\
+		recordsize	true		false	\
+		mountpoint	true		false	\
+		checksum	true		true	\
+		compression	true		true	\
+		canmount	true		false	\
+		atime		true		false	\
+		devices		true		false	\
+		exec		true		false	\
+		volsize		false		true	\
+		setuid		true		false	\
+		readonly	true		true	\
+		snapdir		true		false	\
+		userprop	true		true	\
+		aclmode		true		false	\
+		aclinherit	true		false	\
+		rollback	true		true	\
+		clone		true		true	\
+		rename		true		true	\
+		promote		true		true	\
+		receive		true		false   \
+		destroy		true		true
+
+else
+
+set -A perms	create		true		false	\
+		snapshot	true		true	\
+		mount		true		false	\
+		send		true		true	\
+		allow		true		true	\
+		quota		true		false	\
+		reservation	true		true	\
+		dnodesize	true		false	\
+		recordsize	true		false	\
+		mountpoint	true		false	\
+		checksum	true		true	\
+		compression	true		true	\
+		canmount	true		false	\
+		atime		true		false	\
+		devices		true		false	\
+		exec		true		false	\
+		volsize		false		true	\
+		setuid		true		false	\
+		readonly	true		true	\
+		snapdir		true		false	\
+		userprop	true		true	\
+		aclmode		true		false	\
+		aclinherit	true		false	\
+		rollback	true		true	\
+		clone		true		true	\
+		rename		true		true	\
+		promote		true		true	\
+		zoned		true		false	\
+		xattr		true		false	\
+		receive		true		false	\
+		destroy		true		true
+
+if is_global_zone; then
+	typeset -i n=${#perms[@]}
+	perms[((n))]="sharenfs"; perms[((n+1))]="true"; perms[((n+2))]="false"
+	perms[((n+3))]="share"; perms[((n+4))]="true"; perms[((n+5))]="false"
+fi
+fi
+
+for dtst in $DATASETS; do
+	typeset -i k=1
+	typeset type=$(get_prop type $dtst)
+	[[ $type == "volume" ]] && k=2
+
+	typeset -i i=0
+	while (( i < ${#perms[@]} )); do
+		log_must zfs allow $STAFF1 ${perms[$i]} $dtst
+
+		if [[ ${perms[((i+k))]} == "true" ]]; then
+			log_must verify_perm $dtst ${perms[$i]} $STAFF1
+		else
+			log_must verify_noperm $dtst ${perms[$i]} $STAFF1
+		fi
+
+		log_must restore_root_datasets
+
+		((i += 3))
+	done
+done
+
+log_pass "Verify privileged user has correct permissions " \
+	"in datasets passed."