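# Basic test to make sure grsecurity works
#
# Boots a machine with security.grsecurity enabled and checks the parts of the
# hardening that are observable from inside the VM:
#   * the grsec_lock sysctl is set and cannot be cleared again -- the test
#     driver runs its commands as root, so "even root cannot unlock" is what
#     is being asserted;
#   * PaX kills the paxtest probes that execute from, or make executable,
#     writable memory;
#   * a binary that legitimately generates code at run time (tcc -run) still
#     works, i.e. the PaX markings applied to it are honoured;
#   * the RBAC control device exists.

import ./make-test.nix ({ pkgs, ...} : {
  name = "grsecurity";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ copumpkin joachifm ];
  };

  machine = { config, pkgs, ... }:
    { security.grsecurity.enable = true;
      # The paxtest subtest deliberately gets a series of processes killed by
      # PaX.  Brute-force deterrence is switched off, presumably so that those
      # kills are not treated as an exploitation attempt and do not lock out
      # the rest of the test run -- confirm against the grsecurity module.
      boot.kernel.sysctl."kernel.grsecurity.deter_bruteforce" = 0;
    };

  testScript = ''
    # grsec_lock must have been set by the grsec-lock service and, once set,
    # must stay set: writing 0 to it has to fail, even for root.
    subtest "grsec-lock", sub {
      $machine->succeed("systemctl is-active grsec-lock");
      # -x: the whole line must be "1", not merely contain a 1.
      $machine->succeed("grep -Fxq 1 /proc/sys/kernel/grsecurity/grsec_lock");
      $machine->fail("echo -n 0 >/proc/sys/kernel/grsecurity/grsec_lock");
    };

    # Every paxtest probe tries to run code from a writable mapping (or to make
    # an existing mapping executable) and must be stopped by PaX.  The probe
    # wrappers themselves exit 0 and report "Killed" on stdout, so the check is
    # succeed() plus a match on the output; the die message names the probe
    # that got through so a failure is attributable.
    subtest "paxtest", sub {
      # TODO: running paxtest blackhat hangs the vm
      my @probes = qw(
        anonmap execbss execdata execheap execstack
        mprotanon mprotbss mprotdata mprotheap mprotstack
      );
      for my $probe (@probes) {
        my $out = $machine->succeed("${pkgs.paxtest}/lib/paxtest/$probe");
        $out =~ /Killed/ or die "paxtest $probe was not killed by PaX: $out";
      }
    };

    # tcc -run executes run-time generated code and so allows us to test whether
    # paxmark actually works (otherwise, the process should be terminated)
    subtest "tcc", sub {
      # printf instead of "echo -e": -e is a shell-specific echo extension, and
      # a stray "-e" landing in main.c would make tcc fail for the wrong reason.
      # succeed() rather than execute() so a failed write of main.c is reported
      # here instead of surfacing as a confusing tcc error on the next line.
      $machine->succeed("printf '%s\\n' '#include <stdio.h>' 'int main(void) { puts(\"hello\"); return 0; }' >main.c");
      $machine->succeed("${pkgs.tinycc.bin}/bin/tcc -run main.c");
    };

    # RBAC is only checked for the presence of its control device; no policy is
    # loaded or enforced by this test.
    subtest "RBAC", sub {
      $machine->succeed("[ -c /dev/grsec ]");
    };
  '';
})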