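# NixOS VM test for the hardened profile (../modules/profiles/hardened.nix).
# Boots one machine with the profile imported, then runs one subtest per
# restriction: hidepid, module loading, user namespaces, dmesg, /proc/kcore,
# and a filesystem that is mounted only after boot.
import ./make-test.nix ({ pkgs, ... }: {
  name = "hardened";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ joachifm ];
  };

  machine =
    { lib, pkgs, ... }:
    with lib;
    {
      # alice is in the "proc" group and is expected to see other users'
      # processes; sybil is not and is expected to see none (hidepid subtest).
      users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
      users.users.sybil = { isNormalUser = true; group = "wheel"; };
      imports = [ ../modules/profiles/hardened.nix ];

      # Extra empty disk, formatted as FAT with label EFISYS in the initrd.
      # It is declared "noauto", so nothing mounts it during boot.
      virtualisation.emptyDiskImages = [ 4096 ];
      boot.initrd.postDeviceCommands = ''
        ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
      '';
      fileSystems = lib.mkVMOverride {
        "/efi" = {
          device = "/dev/disk/by-label/EFISYS";
          fsType = "vfat";
          options = [ "noauto" ];
        };
      };
    };

  testScript =
    ''
      $machine->waitForUnit("multi-user.target");

      # Test hidepid
      subtest "hidepid", sub {
          $machine->succeed("grep -Fq hidepid=2 /proc/mounts");
          # cannot use pgrep -u here, it segfaults when access to process info is denied
          # sybil (not in "proc") must see no root-owned processes ...
          $machine->succeed("[ `su - sybil -c 'ps --no-headers --user root | wc -l'` = 0 ]");
          # ... while alice (in "proc") must still see some.
          $machine->succeed("[ `su - alice -c 'ps --no-headers --user root | wc -l'` != 0 ]");
      };

      # Test kernel module hardening
      subtest "lock-modules", sub {
          # note: this better be a module we normally wouldn't load ...
          # NOTE(review): modprobe also fails when the module is missing, so
          # this passes vacuously if dccp is not built for the kernel.
          $machine->fail("modprobe dccp");
      };

      # Test userns
      subtest "userns", sub {
          $machine->fail("unshare --user");
          # The restriction matters most for unprivileged users, so check
          # one explicitly as well.
          $machine->fail("su -l alice -c 'unshare --user'");
      };

      # Test dmesg restriction
      subtest "dmesg", sub {
          $machine->fail("su -l alice -c dmesg");
      };

      # Test access to kcore
      subtest "kcore", sub {
          # Run without su, i.e. as the test driver's own user.
          $machine->fail("cat /proc/kcore");
      };

      # Test deferred mount
      # NOTE(review): presumably guards against module locking breaking a
      # vfat mount requested after boot -- confirm against the profile.
      subtest "mount", sub {
          $machine->fail("mountpoint -q /efi"); # was deferred
          # succeed (not execute) so a failed mkdir is reported here rather
          # than as a confusing mount failure on the next line.
          $machine->succeed("mkdir -p /efi");
          $machine->succeed("mount /dev/disk/by-label/EFISYS /efi");
          $machine->succeed("mountpoint -q /efi"); # now mounted
      };
    '';
})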