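# NixOS VM test for the hardened profile (../modules/profiles/hardened.nix).
#
# Every subtest in the test script asserts one hardening property, either from
# the point of view of root or from that of the unprivileged user `alice`; the
# hardened memory allocator is exercised through the upstream test binary
# shipped by the graphene-hardened-malloc package.
import ./make-test-python.nix ({ pkgs, ... } : {
  name = "hardened";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ joachifm ];
  };

  machine =
    { lib, pkgs, config, ... }:
    with lib;
    {
      # alice is the unprivileged account the restrictions below are checked
      # against (user namespaces, dmesg, nix-daemon access).
      users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
      # sybil is declared here but not referenced by the test script.
      users.users.sybil = { isNormalUser = true; group = "wheel"; };
      imports = [ ../modules/profiles/hardened.nix ];
      environment.memoryAllocator.provider = "graphene-hardened";
      # NOTE(review): the Nix build sandbox is disabled for this VM; this looks
      # like a consequence of the profile restricting user namespaces — confirm.
      nix.useSandbox = false;
      # A spare 4 GiB disk (/dev/vdb) is formatted in the initrd and used by the
      # deferred-mount subtest.
      virtualisation.emptyDiskImages = [ 4096 ];
      boot.initrd.postDeviceCommands = ''
        ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
      '';
      virtualisation.fileSystems = {
        "/efi" = {
          device = "/dev/disk/by-label/EFISYS";
          fsType = "vfat";
          # Deliberately not mounted at boot: the test script mounts it later
          # to show that a deferred mount still works after module loading is
          # disabled.
          options = [ "noauto" ];
        };
      };
      # wireguard is out-of-tree before kernel 5.6; on older kernels the module
      # package is added so it can be loaded as the "out-of-tree module" sample.
      boot.extraModulePackages =
        optional (versionOlder config.boot.kernelPackages.kernel.version "5.6")
          config.boot.kernelPackages.wireguard;
      boot.kernelModules = [ "wireguard" ];
    };

  testScript =
    let
      hardened-malloc-tests = pkgs.graphene-hardened-malloc.ld-preload-tests;
    in
    ''
      machine.wait_for_unit("multi-user.target")


      with subtest("AppArmor profiles are loaded"):
          machine.succeed("systemctl status apparmor.service")


      # AppArmor securityfs
      with subtest("AppArmor securityfs is mounted"):
          machine.succeed("mountpoint -q /sys/kernel/security")
          machine.succeed("cat /sys/kernel/security/apparmor/profiles")


      # Test loading out-of-tree modules: wireguard was listed in
      # boot.kernelModules, so it must be present before loading is disabled.
      with subtest("Out-of-tree modules can be loaded"):
          machine.succeed("grep -Fq wireguard /proc/modules")


      # Test kernel module hardening: once the disable-kernel-module-loading
      # unit has run, even root must be unable to load further modules.
      with subtest("No more kernel modules can be loaded"):
          # note: this had better be a module we normally wouldn't load ...
          machine.wait_for_unit("disable-kernel-module-loading.service")
          machine.fail("modprobe dccp")


      # Test userns: root may still create user namespaces, an unprivileged
      # user may not.
      with subtest("User namespaces are restricted"):
          machine.succeed("unshare --user true")
          machine.fail("su -l alice -c 'unshare --user true'")


      # Test dmesg restriction
      with subtest("Regular users cannot access dmesg"):
          machine.fail("su -l alice -c dmesg")


      # Test access to kcore: the kernel memory image must be unreadable even
      # for root.
      with subtest("Kcore is inaccessible as root"):
          machine.fail("cat /proc/kcore")


      # Test deferred mount: /efi was declared "noauto" above, so it must not be
      # mounted at boot but must still be mountable by hand.
      with subtest("Deferred mounts work"):
          machine.fail("mountpoint -q /efi") # was deferred
          machine.execute("mkdir -p /efi")
          machine.succeed("mount /dev/disk/by-label/EFISYS /efi")
          machine.succeed("mountpoint -q /efi") # now mounted


      # Test Nix dæmon usage: an arbitrary account (nobody) is refused, a
      # regular user account (alice) is accepted.
      with subtest("nix-daemon cannot be used by all users"):
          machine.fail("su -l nobody -s /bin/sh -c 'nix ping-store'")
          machine.succeed("su -l alice -c 'nix ping-store'")


      # Test kernel image protection: both hibernate and kexec replace or
      # resume the running kernel image and must be refused.
      with subtest("The kernel image is protected"):
          machine.fail("systemctl hibernate")
          machine.fail("systemctl kexec")


      # The allocator's own LD_PRELOAD test-suite must pass under the profile.
      with subtest("The hardened memory allocator works"):
          machine.succeed("${hardened-malloc-tests}/bin/run-tests")
    '';
})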