# NixOS VM test for the AppArmor module. It checks three things: that
# apparmor.service comes up, that the kernel's securityfs AppArmor interface is
# mounted and readable, and that `pkgs.apparmorRulesFromClosure` produces the
# expected rule text for a package's runtime closure.
import ./make-test-python.nix ({ pkgs, lib, ... } : {
  name = "apparmor";
  meta.maintainers = with lib.maintainers; [ julm ];

  nodes.machine =
    { lib, pkgs, config, ... }:
    {
      # mkDefault lets a test that imports this one override the setting
      # without a priority conflict.
      security.apparmor.enable = lib.mkDefault true;
    };

  testScript =
    ''
      machine.wait_for_unit("multi-user.target")

      # NOTE(review): this subtest only asserts that apparmor.service is active;
      # it does not check that any profile is actually loaded or enforced. The
      # profiles file read in the next subtest would be the place to check that
      # (e.g. that it is non-empty) — confirm the default configuration loads at
      # least one profile before tightening the assertion.
      with subtest("AppArmor profiles are loaded"):
          machine.succeed("systemctl status apparmor.service")

      # AppArmor securityfs: the kernel exposes loaded profiles under
      # /sys/kernel/security/apparmor. Only the mount and readability of the
      # profiles file are verified here; the file's contents are not inspected.
      with subtest("AppArmor securityfs is mounted"):
          machine.succeed("mountpoint -q /sys/kernel/security")
          machine.succeed("cat /sys/kernel/security/apparmor/profiles")

      # Test apparmorRulesFromClosure by:
      # 1. Prepending a string of the relevant packages' name and version on each line.
      # 2. Sorting according to those strings.
      # 3. Removing those prepended strings.
      # 4. Using `diff` against the expected output.
      #
      # expected.rules lists, for every store path in the closure passed to the
      # helper (bash, glibc, libcap and its lib output, libidn2, libunistring,
      # libgcc), an `mr` rule on its shared objects, `r` rules on the path and
      # its etc/lib/share subtrees, and the caller-supplied `x $path/foo/**` rule
      # with `$path` replaced by that store path (as the expected output shows).
      # The first sed captures the `<name-version>` part of
      # `<storeDir>/<hash>-<name-version>` and prepends it as a sort key, so the
      # order does not depend on store hashes; the second sed strips the key
      # again. `diff` exits non-zero on any difference, which fails
      # machine.succeed and prints the unified diff in the test log.
      with subtest("apparmorRulesFromClosure"):
          machine.succeed(
              "${pkgs.diffutils}/bin/diff -u ${pkgs.writeText "expected.rules" ''
                  mr ${pkgs.bash}/lib/**.so*,
                  r ${pkgs.bash},
                  r ${pkgs.bash}/etc/**,
                  r ${pkgs.bash}/lib/**,
                  r ${pkgs.bash}/share/**,
                  x ${pkgs.bash}/foo/**,
                  mr ${pkgs.glibc}/lib/**.so*,
                  r ${pkgs.glibc},
                  r ${pkgs.glibc}/etc/**,
                  r ${pkgs.glibc}/lib/**,
                  r ${pkgs.glibc}/share/**,
                  x ${pkgs.glibc}/foo/**,
                  mr ${pkgs.libcap}/lib/**.so*,
                  r ${pkgs.libcap},
                  r ${pkgs.libcap}/etc/**,
                  r ${pkgs.libcap}/lib/**,
                  r ${pkgs.libcap}/share/**,
                  x ${pkgs.libcap}/foo/**,
                  mr ${pkgs.libcap.lib}/lib/**.so*,
                  r ${pkgs.libcap.lib},
                  r ${pkgs.libcap.lib}/etc/**,
                  r ${pkgs.libcap.lib}/lib/**,
                  r ${pkgs.libcap.lib}/share/**,
                  x ${pkgs.libcap.lib}/foo/**,
                  mr ${pkgs.libidn2.out}/lib/**.so*,
                  r ${pkgs.libidn2.out},
                  r ${pkgs.libidn2.out}/etc/**,
                  r ${pkgs.libidn2.out}/lib/**,
                  r ${pkgs.libidn2.out}/share/**,
                  x ${pkgs.libidn2.out}/foo/**,
                  mr ${pkgs.libunistring}/lib/**.so*,
                  r ${pkgs.libunistring},
                  r ${pkgs.libunistring}/etc/**,
                  r ${pkgs.libunistring}/lib/**,
                  r ${pkgs.libunistring}/share/**,
                  x ${pkgs.libunistring}/foo/**,
                  mr ${pkgs.glibc.libgcc}/lib/**.so*,
                  r ${pkgs.glibc.libgcc},
                  r ${pkgs.glibc.libgcc}/etc/**,
                  r ${pkgs.glibc.libgcc}/lib/**,
                  r ${pkgs.glibc.libgcc}/share/**,
                  x ${pkgs.glibc.libgcc}/foo/**,
              ''} ${pkgs.runCommand "actual.rules" {
                # Cheap text processing; not worth dispatching to a remote builder.
                preferLocalBuild = true;
              } ''
                  ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${
                    # Rules for libcap's runtime closure. `$path` in additionalRules is a
                    # placeholder the helper fills in per closure member.
                    pkgs.apparmorRulesFromClosure {
                      name = "ping";
                      additionalRules = ["x $path/foo/**"];
                    } [ pkgs.libcap ]
                  } |
                  ${pkgs.coreutils}/bin/sort -n -k1 |
                  ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out
              ''}"
          )
    '';
})