1
+
import ./make-test-python.nix ({ pkgs, ... } : {
3
+
meta = with pkgs.lib.maintainers; {
4
+
maintainers = [ julm ];
8
+
{ lib, pkgs, config, ... }:
11
+
security.apparmor.enable = mkDefault true;
16
+
machine.wait_for_unit("multi-user.target")
18
+
with subtest("AppArmor profiles are loaded"):
19
+
machine.succeed("systemctl status apparmor.service")
21
+
# AppArmor securityfs
22
+
with subtest("AppArmor securityfs is mounted"):
23
+
machine.succeed("mountpoint -q /sys/kernel/security")
24
+
machine.succeed("cat /sys/kernel/security/apparmor/profiles")
26
+
# Test apparmorRulesFromClosure by:
27
+
# 1. Prepending a string of the relevant packages' name and version on each line.
28
+
# 2. Sorting according to those strings.
29
+
# 3. Removing those prepended strings.
30
+
# 4. Using `diff` against the expected output.
31
+
with subtest("apparmorRulesFromClosure"):
33
+
"${pkgs.diffutils}/bin/diff ${pkgs.writeText "expected.rules" ''
34
+
mr ${pkgs.bash}/lib/**.so*,
36
+
r ${pkgs.bash}/etc/**,
37
+
r ${pkgs.bash}/lib/**,
38
+
r ${pkgs.bash}/share/**,
39
+
x ${pkgs.bash}/foo/**,
40
+
mr ${pkgs.glibc}/lib/**.so*,
42
+
r ${pkgs.glibc}/etc/**,
43
+
r ${pkgs.glibc}/lib/**,
44
+
r ${pkgs.glibc}/share/**,
45
+
x ${pkgs.glibc}/foo/**,
46
+
mr ${pkgs.libcap}/lib/**.so*,
48
+
r ${pkgs.libcap}/etc/**,
49
+
r ${pkgs.libcap}/lib/**,
50
+
r ${pkgs.libcap}/share/**,
51
+
x ${pkgs.libcap}/foo/**,
52
+
mr ${pkgs.libcap.lib}/lib/**.so*,
53
+
r ${pkgs.libcap.lib},
54
+
r ${pkgs.libcap.lib}/etc/**,
55
+
r ${pkgs.libcap.lib}/lib/**,
56
+
r ${pkgs.libcap.lib}/share/**,
57
+
x ${pkgs.libcap.lib}/foo/**,
58
+
mr ${pkgs.libidn2.out}/lib/**.so*,
59
+
r ${pkgs.libidn2.out},
60
+
r ${pkgs.libidn2.out}/etc/**,
61
+
r ${pkgs.libidn2.out}/lib/**,
62
+
r ${pkgs.libidn2.out}/share/**,
63
+
x ${pkgs.libidn2.out}/foo/**,
64
+
mr ${pkgs.libunistring}/lib/**.so*,
65
+
r ${pkgs.libunistring},
66
+
r ${pkgs.libunistring}/etc/**,
67
+
r ${pkgs.libunistring}/lib/**,
68
+
r ${pkgs.libunistring}/share/**,
69
+
x ${pkgs.libunistring}/foo/**,
70
+
''} ${pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''
71
+
${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${
72
+
pkgs.apparmorRulesFromClosure {
74
+
additionalRules = ["x $path/foo/**"];
77
+
${pkgs.coreutils}/bin/sort -n -k1 |
78
+
${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out