···

       
35
       
35
       
 
       
      wants = [ "systemd-udevd.service" ];

     

       
36
       
36
       
 
       
      wantedBy = [ config.systemd.defaultUnit ];

     

       
37
       
37
       
 
       


     

       
38
       
38
       
-
       
      before = [ config.systemd.defaultUnit ];

     

       
39
       
38
       
 
       
      after =

     

       
40
       
39
       
 
       
        [ "firewall.service"

     

       
41
       
40
       
 
       
          "systemd-modules-load.service"

     

       
41
       
41
       
+
       
           config.systemd.defaultUnit

     

       
42
       
42
       
 
       
        ];

     

       
43
       
43
       
 
       


     

       
44
       
44
       
 
       
      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";

     

···

       
57
       
57
       
 
       
      # Test kernel module hardening

     

       
58
       
58
       
 
       
      with subtest("No more kernel modules can be loaded"):

     

       
59
       
59
       
 
       
          # note: this better a be module we normally wouldn't load ...

     

       
60
       
60
       
+
       
          machine.wait_for_unit("disable-kernel-module-loading.service")

     

       
60
       
61
       
 
       
          machine.fail("modprobe dccp")

     

       
61
       
62
       
 
       


     

       
62
       
63