import ./make-test.nix ({ pkgs, ... }: {
  name = "hardened";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ joachifm ];
  };

  # One VM built on top of the hardened profile.  Two unprivileged users
  # are created so the hidepid check below can compare a member of the
  # "proc" group (alice) against a user outside it (sybil).
  machine = { config, lib, pkgs, ... }: {
    imports = [ ../modules/profiles/hardened.nix ];

    users.users = {
      alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
      sybil = { isNormalUser = true; group = "wheel"; };
    };
  };

  testScript = ''
    # hidepid: /proc must be mounted with hidepid=2; root's processes must
    # be invisible to sybil and visible to alice (member of "proc").
    # NOTE(review): these checks run before any waitForUnit; presumably
    # the driver blocks until the guest shell is reachable -- confirm if
    # this subtest ever turns out to be flaky.
    subtest "hidepid" => sub {
      $machine->succeed("grep -Fq hidepid=2 /proc/mounts");
      $machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
      $machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
    };

    # Kernel module loading must be locked once the system is up.
    subtest "lock-modules" => sub {
      $machine->waitForUnit("multi-user.target");
      # dccp is chosen because it is a module the system would not
      # normally have loaded already.
      # NOTE(review): a failing modprobe is also what a blacklisted or
      # absent module produces; asserting the kernel's module-loading
      # lock directly would pin the intended mechanism -- confirm.
      $machine->fail("modprobe dccp");
    };

    # Unprivileged user namespaces must be unavailable.
    subtest "userns" => sub {
      $machine->fail("unshare --user");
    };
  '';
})