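import ./make-test-python.nix (
  { pkgs, ... }:
  {
    name = "usbguard";
    meta = with pkgs.lib.maintainers; {
      maintainers = [ tnias ];
    };

    nodes.machine =
      { ... }:
      {
        services.usbguard = {
          enable = true;
          # Users granted access to the usbguard IPC socket. Anyone listed here
          # can query the device list and (as root does below) change the
          # device policy, so keep this list minimal. The test uses "alice" as
          # the allowed non-root user and "bob" (expected to come from
          # ./common/user-account.nix) as the denied one.
          IPCAllowedUsers = [
            "alice"
            "root"
          ];

          # As virtual USB devices get attached to the "QEMU USB Hub" we need to
          # allow Hubs. Otherwise we would have to explicitly allow them too.
          # No rule matches the storage interface of the fake stick, so it is
          # expected to show up as blocked first (see the subtest below).
          rules = ''
            allow with-interface equals { 09:00:00 }
          '';
        };
        imports = [ ./common/user-account.nix ];
      };

    testScript = ''
      # create a blank disk image for our fake USB stick; only its path is
      # needed later, so keep that instead of reusing the closed file handle
      stick_path = machine.state_dir / "usbstick.img"
      with open(stick_path, "wb") as stick:
          stick.write(b"\x00" * (1024 * 1024))

      # wait for machine to have started and the usbguard service to be up
      machine.wait_for_unit("usbguard.service")

      with subtest("IPC access control"):
          # User "alice" is allowed to access the IPC interface
          machine.succeed("su alice -c 'usbguard list-devices'")

          # User "bob" is not allowed to access the IPC interface. Check that
          # the account exists first: if it did not, `su` itself would fail and
          # the negative check would pass without exercising usbguard at all.
          machine.succeed("id bob")
          machine.fail("su bob -c 'usbguard list-devices'")

      with subtest("check basic functionality"):
          # at this point we expect that no USB HDD is connected
          machine.fail("usbguard list-devices | grep -E 'QEMU USB HARDDRIVE'")

          # insert usb device through the QEMU monitor: first the backing
          # drive, then a usb-storage device attached to it
          machine.send_monitor_command(
              f"drive_add 0 id=stick,if=none,file={stick_path},format=raw"
          )
          machine.send_monitor_command("device_add usb-storage,id=stick,drive=stick")

          # the attached USB HDD should show up after a short while
          machine.wait_until_succeeds("usbguard list-devices | grep -E 'QEMU USB HARDDRIVE'")

          # at this point there should be a **blocked** USB HDD (the patterns
          # mirror the " allow "/" block " checks used further down)
          machine.succeed("usbguard list-devices | grep -E ' block .*QEMU USB HARDDRIVE'")
          machine.fail("usbguard list-devices | grep -E ' allow .*QEMU USB HARDDRIVE'")

          # allow storage devices (USB mass-storage interface class 08);
          # issued as root, which is one of the IPCAllowedUsers
          machine.succeed("usbguard allow-device 'with-interface { 08:*:* }'")

          # at this point there should be an **allowed** USB HDD
          machine.succeed("usbguard list-devices | grep -E ' allow .*QEMU USB HARDDRIVE'")
          machine.fail("usbguard list-devices | grep -E ' block .*QEMU USB HARDDRIVE'")
    '';
  }
)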