{ pkgs, lib, ... }:
let
  # Process-monitoring backends opensnitch can use to attribute a connection
  # to a process. Each one gets its own pair of client nodes, so a regression
  # in a single backend fails that node instead of being hidden by the others.
  monitorMethods = [
    "ebpf"
    "proc"
    "ftrace"
    "audit"
  ];

  # Daemon settings shared by every client node. DefaultAction = "deny" is
  # the security-relevant part: a connection that matches no rule is blocked.
  daemonSettings = m: {
    enable = true;
    settings.DefaultAction = "deny";
    settings.ProcMonitorMethod = m;
    settings.LogLevel = 1;
  };

  # The single exemption given to the "allowed" clients: curl, identified by
  # its absolute store path rather than by a bare command name.
  curlAllowRule = {
    name = "curl";
    enabled = true;
    action = "allow";
    duration = "always";
    operator = {
      type = "simple";
      # NOTE(review): presumably controls case-sensitive matching of `data`;
      # confirm against the opensnitch rule documentation.
      sensitive = false;
      operand = "process.path";
      data = "${pkgs.curl}/bin/curl";
    };
  };

  # One client node per monitor method, named "<prefix>_<method>". `extra`
  # is merged into services.opensnitch on top of the shared daemon settings.
  mkClients =
    prefix: extra:
    lib.listToAttrs (
      map (
        m:
        lib.nameValuePair "${prefix}_${m}" {
          services.opensnitch = daemonSettings m // extra;
        }
      ) monitorMethods
    );

  # eBPF objects that opensnitchd must report as loaded when
  # ProcMonitorMethod = "ebpf"; the journal check below is only run for
  # the ebpf nodes.
  ebpfObjects = [
    "opensnitch"
    "opensnitch-procs"
    "opensnitch-dns"
  ];

  # One test-script line asserting, via the journal, that `node` loaded the
  # eBPF object `obj`.
  ebpfLoadedCheck =
    node: obj:
    ''
      ${node}.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/${obj}\.o'")
    '';
in
{
  name = "opensnitch";

  meta = with pkgs.lib.maintainers; {
    maintainers = [ onny ];
  };

  nodes =
    {
      # Plain HTTP target the clients try to reach. Port 80 is opened in the
      # server's own firewall so a blocked request is attributable to the
      # client's opensnitch policy rather than to the server side.
      server = {
        networking.firewall.allowedTCPPorts = [ 80 ];
        services.caddy = {
          enable = true;
          virtualHosts."localhost".extraConfig = ''
            respond "Hello, world!"
          '';
        };
      };
    }
    // mkClients "client_blocked" { }
    // mkClients "client_allowed" { rules.curl = curlAllowRule; };

  testScript =
    ''
      start_all()
      server.wait_for_unit("caddy.service")
      server.wait_for_open_port(80)
    ''
    # Per backend: the deny-by-default client must not reach the server, the
    # client with the curl rule must. A `fail` assertion would also pass if
    # curl failed for an unrelated reason, so the allowed client on the same
    # backend doubles as the positive control that the network path works.
    + lib.concatLines (
      map (m: ''
        client_blocked_${m}.wait_for_unit("opensnitchd.service")
        client_blocked_${m}.fail("curl http://server")

        client_allowed_${m}.wait_for_unit("opensnitchd.service")
        client_allowed_${m}.succeed("curl http://server")
      '') monitorMethods
    )
    + ''
      # make sure the kernel modules were actually properly loaded
    ''
    + lib.concatStrings (
      lib.concatMap (node: map (ebpfLoadedCheck node) ebpfObjects) [
        "client_blocked_ebpf"
        "client_allowed_ebpf"
      ]
    );
}