nixos/tests/hardened.nix at master · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / hardened.nix
at master 3.4 kB view raw
  1{ pkgs, ... }:
  2{
  3  name = "hardened";
  4  meta = with pkgs.lib.maintainers; {
  5    maintainers = [ joachifm ];
  6  };
  7
  8  nodes.machine =
  9    {
 10      lib,
 11      pkgs,
 12      config,
 13      ...
 14    }:
 15    {
 16      users.users.alice = {
 17        isNormalUser = true;
 18        extraGroups = [ "proc" ];
 19      };
 20      users.users.sybil = {
 21        isNormalUser = true;
 22        group = "wheel";
 23      };
 24      imports = [ ../modules/profiles/hardened.nix ];
 25      environment.memoryAllocator.provider = "graphene-hardened";
 26      nix.settings.sandbox = false;
 27      virtualisation.emptyDiskImages = [
 28        {
 29          size = 4096;
 30          driveConfig.deviceExtraOpts.serial = "deferred";
 31        }
 32      ];
 33      virtualisation.fileSystems = {
 34        "/deferred" = {
 35          device = "/dev/disk/by-id/virtio-deferred";
 36          fsType = "vfat";
 37          autoFormat = true;
 38          options = [ "noauto" ];
 39        };
 40      };
 41      boot.extraModulePackages = pkgs.lib.optional (pkgs.lib.versionOlder config.boot.kernelPackages.kernel.version "5.6") config.boot.kernelPackages.wireguard;
 42      boot.kernelModules = [ "wireguard" ];
 43    };
 44
 45  testScript =
 46    let
 47      hardened-malloc-tests = pkgs.graphene-hardened-malloc.ld-preload-tests;
 48    in
 49    ''
 50      machine.wait_for_unit("multi-user.target")
 51
 52
 53      with subtest("AppArmor profiles are loaded"):
 54          machine.succeed("systemctl status apparmor.service")
 55
 56
 57      # AppArmor securityfs
 58      with subtest("AppArmor securityfs is mounted"):
 59          machine.succeed("mountpoint -q /sys/kernel/security")
 60          machine.succeed("cat /sys/kernel/security/apparmor/profiles")
 61
 62
 63      # Test loading out-of-tree modules
 64      with subtest("Out-of-tree modules can be loaded"):
 65          machine.succeed("grep -Fq wireguard /proc/modules")
 66
 67
 68      # Test kernel module hardening
 69      with subtest("No more kernel modules can be loaded"):
 70          # note: this better a be module we normally wouldn't load ...
 71          machine.wait_for_unit("disable-kernel-module-loading.service")
 72          machine.fail("modprobe dccp")
 73
 74
 75      # Test userns
 76      with subtest("User namespaces are restricted"):
 77          machine.succeed("unshare --user true")
 78          machine.fail("su -l alice -c 'unshare --user true'")
 79
 80
 81      # Test dmesg restriction
 82      with subtest("Regular users cannot access dmesg"):
 83          machine.fail("su -l alice -c dmesg")
 84
 85
 86      # Test access to kcore
 87      with subtest("Kcore is inaccessible as root"):
 88          machine.fail("cat /proc/kcore")
 89
 90
 91      # Test deferred mount
 92      with subtest("Deferred mounts work"):
 93          machine.fail("mountpoint -q /deferred")  # was deferred
 94          machine.systemctl("start deferred.mount")
 95          machine.succeed("mountpoint -q /deferred")  # now mounted
 96
 97
 98      # Test Nix dæmon usage
 99      with subtest("nix-daemon cannot be used by all users"):
100          machine.fail("su -l nobody -s /bin/sh -c 'nix --extra-experimental-features nix-command ping-store'")
101          machine.succeed("su -l alice -c 'nix --extra-experimental-features nix-command ping-store'")
102
103
104      # Test kernel image protection
105      with subtest("The kernel image is protected"):
106          machine.fail("systemctl hibernate")
107          machine.fail("systemctl kexec")
108
109
110      with subtest("The hardened memory allocator works"):
111          machine.succeed("${hardened-malloc-tests}/bin/run-tests")
112    '';
113}