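# VM test for the "hardened" NixOS profile: boots one machine with
# ../modules/profiles/hardened.nix imported and asserts, from inside the
# guest, that each restriction the test script names is actually in effect.
import ./make-test.nix ({ pkgs, ...} : {
  name = "hardened";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ joachifm ];
  };

  machine =
    { config, lib, pkgs, ... }:
    with lib;
    {
      # Two unprivileged accounts for the hidepid check below: alice is in
      # "proc" (presumably the group the profile exempts from hidepid --
      # confirm against hardened.nix), sybil is not.
      users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
      users.users.sybil = { isNormalUser = true; group = "wheel"; };

      imports = [ ../modules/profiles/hardened.nix ];

      # Extra blank disk; the initrd command below formats it as a
      # FAT filesystem labelled EFISYS (it is addressed as /dev/vdb).
      virtualisation.emptyDiskImages = [ 4096 ];
      boot.initrd.postDeviceCommands = ''
        ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
      '';

      # "noauto" keeps /efi unmounted at boot so the "mount" subtest can
      # mount it by hand later.
      fileSystems = lib.mkVMOverride {
        "/efi" = {
          device = "/dev/disk/by-label/EFISYS";
          fsType = "vfat";
          options = [ "noauto" ];
        };
      };
    };

  testScript =
    ''
      # Test hidepid: /proc must be mounted with hidepid=2, sybil (not in
      # "proc") must see no root-owned processes, alice (in "proc") must
      # see some.
      subtest "hidepid", sub {
          $machine->succeed("grep -Fq hidepid=2 /proc/mounts");
          $machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
          $machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
      };

      # Test kernel module hardening
      subtest "lock-modules", sub {
          $machine->waitForUnit("multi-user.target");
          # note: this had better be a module we normally wouldn't load ...
          # NOTE(review): modprobe also fails when the module is simply
          # missing, so this passes vacuously if dccp is not built for the
          # tested kernel. A stricter check could additionally assert the
          # kernel.modules_disabled sysctl -- verify how the profile
          # implements the lock before adding it.
          $machine->fail("modprobe dccp");
      };

      # Test userns: creating a user namespace must be refused.
      # An explicit command ("true") is passed so that, should the
      # restriction regress, unshare exits 0 and the test fails cleanly
      # instead of unshare starting a shell on the test driver's session.
      subtest "userns", sub {
          $machine->fail("unshare --user true");
      };

      # Test dmesg restriction: an unprivileged user must not be able to
      # read the kernel log.
      subtest "dmesg", sub {
          $machine->fail("su -l alice -c dmesg");
      };

      # Test access to kcore: reading it must fail even for the account
      # the test driver runs commands as.
      subtest "kcore", sub {
          $machine->fail("cat /proc/kcore");
      };

      # Test deferred mount: /efi is "noauto", so it starts unmounted and
      # must still be mountable this late in boot (presumably guarding
      # against module locking breaking late mounts -- confirm).
      subtest "mount", sub {
          $machine->fail("mountpoint -q /efi"); # was deferred
          $machine->execute("mkdir -p /efi");
          $machine->succeed("mount /dev/disk/by-label/EFISYS /efi");
          $machine->succeed("mountpoint -q /efi"); # now mounted
      };
    '';
})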