import ./make-test-python.nix ({ pkgs, ... }:
let
  # Rules expected for the runtime closure of `pkgs.libcap`: every store path in
  # the closure gets the standard read/mmap rules generated by
  # apparmorRulesFromClosure, plus the `x $path/foo/**` line handed in through
  # `additionalRules` below.  Lines are listed in the order the pipeline in
  # `actualRules` produces them (by package name-version prefix).
  expectedRules = pkgs.writeText "expected.rules" ''
    mr ${pkgs.bash}/lib/**.so*,
    r ${pkgs.bash},
    r ${pkgs.bash}/etc/**,
    r ${pkgs.bash}/lib/**,
    r ${pkgs.bash}/share/**,
    x ${pkgs.bash}/foo/**,
    mr ${pkgs.glibc}/lib/**.so*,
    r ${pkgs.glibc},
    r ${pkgs.glibc}/etc/**,
    r ${pkgs.glibc}/lib/**,
    r ${pkgs.glibc}/share/**,
    x ${pkgs.glibc}/foo/**,
    mr ${pkgs.libcap}/lib/**.so*,
    r ${pkgs.libcap},
    r ${pkgs.libcap}/etc/**,
    r ${pkgs.libcap}/lib/**,
    r ${pkgs.libcap}/share/**,
    x ${pkgs.libcap}/foo/**,
    mr ${pkgs.libcap.lib}/lib/**.so*,
    r ${pkgs.libcap.lib},
    r ${pkgs.libcap.lib}/etc/**,
    r ${pkgs.libcap.lib}/lib/**,
    r ${pkgs.libcap.lib}/share/**,
    x ${pkgs.libcap.lib}/foo/**,
    mr ${pkgs.libidn2.out}/lib/**.so*,
    r ${pkgs.libidn2.out},
    r ${pkgs.libidn2.out}/etc/**,
    r ${pkgs.libidn2.out}/lib/**,
    r ${pkgs.libidn2.out}/share/**,
    x ${pkgs.libidn2.out}/foo/**,
    mr ${pkgs.libunistring}/lib/**.so*,
    r ${pkgs.libunistring},
    r ${pkgs.libunistring}/etc/**,
    r ${pkgs.libunistring}/lib/**,
    r ${pkgs.libunistring}/share/**,
    x ${pkgs.libunistring}/foo/**,
  '';

  # The order of apparmorRulesFromClosure's output is not something the test
  # should depend on, so normalise it before comparing:
  #   1. prefix every line with the "<name>-<version>" part of the store path
  #      it refers to (the sed capture after the hash),
  #   2. sort on that prefix (the key is non-numeric, so `sort -n` ends up
  #      ordering whole lines bytewise, which start with the prefix),
  #   3. strip the prefix again so the result is plain AppArmor rules.
  # `diff` against `expectedRules` in the test script then does the check.
  actualRules = pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''
    ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${
      pkgs.apparmorRulesFromClosure {
        name = "ping";
        additionalRules = ["x $path/foo/**"];
      } [ pkgs.libcap ]
    } |
    ${pkgs.coreutils}/bin/sort -n -k1 |
    ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out
  '';
in
{
  name = "apparmor";
  meta.maintainers = [ pkgs.lib.maintainers.julm ];

  nodes.machine = { lib, ... }: {
    # mkDefault so a test reusing this node definition can still turn it off.
    security.apparmor.enable = lib.mkDefault true;
  };

  # NOTE(review): `systemctl status apparmor.service` only shows that the unit
  # is active; reading /sys/kernel/security/apparmor/profiles is what shows the
  # kernel has profiles loaded.  Neither step asserts that any particular
  # profile is in enforce (rather than complain) mode.
  testScript = ''
    machine.wait_for_unit("multi-user.target")

    with subtest("AppArmor profiles are loaded"):
        machine.succeed("systemctl status apparmor.service")

    # AppArmor securityfs
    with subtest("AppArmor securityfs is mounted"):
        machine.succeed("mountpoint -q /sys/kernel/security")
        machine.succeed("cat /sys/kernel/security/apparmor/profiles")

    # Test apparmorRulesFromClosure by:
    # 1. Prepending a string of the relevant packages' name and version on each line.
    # 2. Sorting according to those strings.
    # 3. Removing those prepended strings.
    # 4. Using `diff` against the expected output.
    with subtest("apparmorRulesFromClosure"):
        machine.succeed(
            "${pkgs.diffutils}/bin/diff ${expectedRules} ${actualRules}"
        )
  '';
})