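# NixOS VM test for the hardened profile (../modules/profiles/hardened.nix):
# boots one machine with the profile applied and checks, subtest by subtest,
# that each restriction the profile is meant to enforce is actually in place.
import ./make-test-python.nix ({ pkgs, ... } : {
  name = "hardened";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ joachifm ];
  };

  nodes.machine =
    { lib, pkgs, config, ... }:
    {
      # alice is the unprivileged account the subtests run commands as.
      # Her "proc" group membership is presumably what lets her reach
      # nix-daemon (see the nix-daemon subtest) -- verify against the profile.
      users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
      # sybil is declared but not exercised by the test script below.
      users.users.sybil = { isNormalUser = true; group = "wheel"; };

      imports = [ ../modules/profiles/hardened.nix ];
      environment.memoryAllocator.provider = "graphene-hardened";

      # Test-environment relaxations: the Nix build sandbox is off and dhcpcd
      # runs without privilege separation. This file does not record why;
      # both are weaker than what the profile gives a real deployment.
      nix.settings.sandbox = false;
      nixpkgs.overlays = [
        (final: super: {
          dhcpcd = super.dhcpcd.override { enablePrivSep = false; };
        })
      ];

      # A second disk (4096 MiB), formatted vfat in the initrd and declared
      # "noauto", gives the "Deferred mounts work" subtest a filesystem that
      # must NOT be mounted at boot but can be mounted by hand afterwards.
      virtualisation.emptyDiskImages = [ 4096 ];
      boot.initrd.postDeviceCommands = ''
        ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
      '';
      virtualisation.fileSystems = {
        "/efi" = {
          device = "/dev/disk/by-label/EFISYS";
          fsType = "vfat";
          options = [ "noauto" ];
        };
      };

      # `optional` and `versionOlder` live in `lib`; this module does not use
      # `with lib;`, so they must be qualified or evaluation fails with an
      # undefined-variable error.
      # WireGuard is in-tree from kernel 5.6 on; on older kernels the
      # out-of-tree package supplies the module that the "Out-of-tree modules"
      # subtest expects to find loaded.
      boot.extraModulePackages =
        lib.optional (lib.versionOlder config.boot.kernelPackages.kernel.version "5.6")
          config.boot.kernelPackages.wireguard;
      boot.kernelModules = [ "wireguard" ];
    };

  # The script runs as root inside the VM. `succeed` asserts exit status 0,
  # `fail` asserts a non-zero status, so most checks read as "this must be
  # refused". `execute` ignores the exit status.
  testScript =
    let
      # graphene-hardened-malloc's own test binaries (its `ld-preload-tests`
      # output), used to check the allocator actually works system-wide.
      hardened-malloc-tests = pkgs.graphene-hardened-malloc.ld-preload-tests;
    in
    ''
      machine.wait_for_unit("multi-user.target")


      with subtest("AppArmor profiles are loaded"):
          machine.succeed("systemctl status apparmor.service")


      # AppArmor securityfs
      with subtest("AppArmor securityfs is mounted"):
          machine.succeed("mountpoint -q /sys/kernel/security")
          machine.succeed("cat /sys/kernel/security/apparmor/profiles")


      # Test loading out-of-tree modules
      with subtest("Out-of-tree modules can be loaded"):
          machine.succeed("grep -Fq wireguard /proc/modules")


      # Test kernel module hardening
      with subtest("No more kernel modules can be loaded"):
          # note: this better a be module we normally wouldn't load ...
          machine.wait_for_unit("disable-kernel-module-loading.service")
          machine.fail("modprobe dccp")


      # Test userns
      with subtest("User namespaces are restricted"):
          machine.succeed("unshare --user true")
          machine.fail("su -l alice -c 'unshare --user true'")


      # Test dmesg restriction
      with subtest("Regular users cannot access dmesg"):
          machine.fail("su -l alice -c dmesg")


      # Test access to kcore
      with subtest("Kcore is inaccessible as root"):
          machine.fail("cat /proc/kcore")


      # Test deferred mount
      with subtest("Deferred mounts work"):
          machine.fail("mountpoint -q /efi")  # was deferred
          machine.execute("mkdir -p /efi")
          machine.succeed("mount /dev/disk/by-label/EFISYS /efi")
          machine.succeed("mountpoint -q /efi")  # now mounted


      # Test Nix dæmon usage
      with subtest("nix-daemon cannot be used by all users"):
          machine.fail("su -l nobody -s /bin/sh -c 'nix --extra-experimental-features nix-command ping-store'")
          machine.succeed("su -l alice -c 'nix --extra-experimental-features nix-command ping-store'")


      # Test kernel image protection
      with subtest("The kernel image is protected"):
          machine.fail("systemctl hibernate")
          machine.fail("systemctl kexec")


      with subtest("The hardened memory allocator works"):
          machine.succeed("${hardened-malloc-tests}/bin/run-tests")
    '';
})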