Add zfs allow and zfs unallow support

ZFS allows for specific permissions to be delegated to normal users with the `zfs allow` and `zfs unallow` commands. In addition, non- privileged users should be able to run all of the following commands: * zpool [list | iostat | status | get] * zfs [list | get] Historically this functionality was not available on Linux. In order to add it the secpolicy_* functions needed to be implemented and mapped to the equivalent Linux capability. Only then could the permissions on the `/dev/zfs` be relaxed and the internal ZFS permission checks used. Even with this change some limitations remain. Under Linux only the root user is allowed to modify the namespace (unless it's a private namespace). This means the mount, mountpoint, canmount, unmount, and remount delegations cannot be supported with the existing code. It may be possible to add this functionality in the future. This functionality was validated with the cli_user and delegation test cases from the ZFS Test Suite. These tests exhaustively verify each of the supported permissions which can be delegated and ensures only an authorized user can perform it. Two minor bug fixes were required for test-running.py. First, the Timer() object cannot be safely created in a `try:` block when there is an unconditional `finally` block which references it. Second, when running as a normal user also check for scripts using the both the .ksh and .sh suffixes. Finally, existing users who are simulating delegations by setting group permissions on the /dev/zfs device should revert that customization when updating to a version with this change. Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Tony Hutter <hutter2@llnl.gov> Closes #362 Closes #434 Closes #4100 Closes #4394 Closes #4410 Closes #4487
2026-06-02 20:34:08 +03:00 · 2016-06-07 09:16:52 -07:00
parent 2627e75245
commit f74b821a66
78 changed files with 759 additions and 242 deletions
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 if poolexists $TESTPOOL.virt
 then
@@ -28,33 +28,59 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-# these are the set of setable ZFS properties
-PROP_NAMES="\
-	aclinherit	aclmode		atime		 \
-	checksum	compression			devices \
-	exec		mountpoint	quota		readonly \
-	recordsize	reservation	setuid		sharenfs \
-	snapdir"
+if is_linux; then
+	# these are the set of setable ZFS properties
+	PROP_NAMES="\
+		aclinherit	acltype		atime		 \
+		checksum	compression			devices \
+		exec		mountpoint	quota		readonly \
+		recordsize	reservation	setuid		 \
+		snapdir"

-# these are a set of values we apply, for use when testing the
-# zfs get/set subcommands - ordered as per the list above so we
-# can iterate over both sets in an array
-PROP_VALS="\
-	secure		discard		on		 \
-	fletcher2	on				on \
-	on		legacy		none		on \
-	128k		none		on		on \
-	visible"
+	# these are a set of values we apply, for use when testing the
+	# zfs get/set subcommands - ordered as per the list above so we
+	# can iterate over both sets in an array
+	PROP_VALS="\
+		secure		posixacl	on		 \
+		fletcher2	on				on \
+		on		legacy		none		on \
+		128k		none		on		 \
+		visible"

-# these are an alternate set of property values
-PROP_ALTVALS="\
-	noallow		groupmask	off		 \
-	fletcher4	lzjb				off \
-	off		/tmp/zfstest	100m		off \
-	512		10m		off		off \
-	hidden"
+	# these are an alternate set of property values
+	PROP_ALTVALS="\
+		noallow		noacl		off		 \
+		fletcher4	lzjb				off \
+		off		/tmp/zfstest	100m		off \
+		512		10m		off		 \
+		hidden"
+else
+	# these are the set of setable ZFS properties
+	PROP_NAMES="\
+		aclinherit	aclmode		atime		 \
+		checksum	compression			devices \
+		exec		mountpoint	quota		readonly \
+		recordsize	reservation	setuid		sharenfs \
+		snapdir"

+	# these are a set of values we apply, for use when testing the
+	# zfs get/set subcommands - ordered as per the list above so we
+	# can iterate over both sets in an array
+	PROP_VALS="\
+		secure		discard		on		 \
+		fletcher2	on				on \
+		on		legacy		none		on \
+		128k		none		on		on \
+		visible"

+	# these are an alternate set of property values
+	PROP_ALTVALS="\
+		noallow		noacl		off		 \
+		fletcher4	lzjb				off \
+		off		/tmp/zfstest	100m		off \
+		512		10m		off		off \
+		hidden"
+fi

 # additional properties to worry about: canmount copies xattr zoned version

@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 # This setup script is moderately complex, as it creates scenarios for all
 # of the tests included in this directory. Usually we'd want each test case
@@ -95,7 +95,7 @@ done
 log_must $ZFS create $TESTPOOL/$TESTFS/renameme


-if is_global_zone
+if is_global_zone && !is_linux
 then
 	# create a filesystem we can share
 	log_must $ZFS create $TESTPOOL/$TESTFS/unshared
@@ -153,7 +153,7 @@ then
 	done

 	# copy a v1 pool from cli_root
-	$CP $STF_SUITE/tests/functional/cli_root/zpool_upgrade/blockfiles/zfs-pool-v1.dat.bz2 \
+	$CP $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zfs-pool-v1.dat.bz2 \
 	    /$TESTDIR
 	log_must $BUNZIP2 /$TESTDIR/zfs-pool-v1.dat.bz2
 	log_must $ZPOOL import -d /$TESTDIR v1-pool
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -50,13 +50,21 @@ ADD_DISK="${ADD_DISK##* }"
 [[ -z $ADD_DISK ]] && \
        log_fail "No spare disks available."

-set -A args "add" "add -f" "add -n" \
-    "add $TESTPOOL" "add -f $TESTPOOL" "add -n $TESTPOOL" \
-    "add -fn $TESTPOOL" "add -nf $TESTPOOL" \
-    "add $TESTPOOL $ADD_DISK" "add -f $TESTPOOL $ADD_DISK" \
-    "add -n $TESTPOOL $ADD_DISK" \
-    "add -fn $TESTPOOL $ADD_DISK" \
-    "add -nf $TESTPOOL $ADD_DISK" \
+# Under Linux dry-run commands have no legitimate reason to fail.
+if is_linux; then
+	set -A args "add" "add -f" "add -n" \
+	    "add $TESTPOOL" "add -f $TESTPOOL" "add -n $TESTPOOL" \
+	    "add -fn $TESTPOOL" "add -nf $TESTPOOL" \
+	    "add $TESTPOOL $ADD_DISK" "add -f $TESTPOOL $ADD_DISK"
+else
+	set -A args "add" "add -f" "add -n" \
+	    "add $TESTPOOL" "add -f $TESTPOOL" "add -n $TESTPOOL" \
+	    "add -fn $TESTPOOL" "add -nf $TESTPOOL" \
+	    "add $TESTPOOL $ADD_DISK" "add -f $TESTPOOL $ADD_DISK" \
+	    "add -n $TESTPOOL $ADD_DISK" \
+	    "add -fn $TESTPOOL $ADD_DISK" \
+	    "add -nf $TESTPOOL $ADD_DISK"
+fi

 log_assert "zpool add [-fn] pool_name vdev"

@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -50,13 +50,21 @@ ADD_DISK="${ADD_DISK##* }"
 [[ -z $ADD_DISK ]] && \
        log_fail "No spare disks available."

-set -A args "create" "create -f" "create -n" \
-    "create $TESTPOOL" "create -f $TESTPOOL" "create -n $TESTPOOL" \
-    "create -fn $TESTPOOL" "create -nf $TESTPOOL" \
-    "create $TESTPOOL $ADD_DISK" "create -f $TESTPOOL $ADD_DISK" \
-    "create -n $TESTPOOL $ADD_DISK" \
-    "create -fn $TESTPOOL $ADD_DISK" \
-    "create -nf $TESTPOOL $ADD_DISK"
+# Under Linux dry-run commands have no legitimate reason to fail.
+if is_linux; then
+	set -A args "create" "create -f" "create -n" \
+	    "create $TESTPOOL" "create -f $TESTPOOL" "create -n $TESTPOOL" \
+	    "create -fn $TESTPOOL" "create -nf $TESTPOOL" \
+	    "create $TESTPOOL $ADD_DISK" "create -f $TESTPOOL $ADD_DISK"
+else
+	set -A args "create" "create -f" "create -n" \
+	    "create $TESTPOOL" "create -f $TESTPOOL" "create -n $TESTPOOL" \
+	    "create -fn $TESTPOOL" "create -nf $TESTPOOL" \
+	    "create $TESTPOOL $ADD_DISK" "create -f $TESTPOOL $ADD_DISK" \
+	    "create -n $TESTPOOL $ADD_DISK" \
+	    "create -fn $TESTPOOL $ADD_DISK" \
+	    "create -nf $TESTPOOL $ADD_DISK"
+fi

 log_assert "zpool create [-fn] pool_name vdev"

@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION:
@@ -29,8 +29,8 @@
 # Copyright (c) 2013 by Delphix. All rights reserved.
 #

-. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg
 . $STF_SUITE/include/libtest.shlib
+. $STF_SUITE/tests/functional/cli_user/misc/misc.cfg

 #
 # DESCRIPTION: