author | Joachim Fasting <joachifm@fastmail.fm> | 2017-04-30 08:38:47 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2017-04-30 12:05:42 +0200 |
commit | ffa83edf4a29b21f12eb96d5eb7b63e1ebae7a5f (patch) | |
tree | ed3b52c1366fe757ac5ba9ff01f96100d9048654 | |
parent | ab4fa1cce4c3c536811d8d7ddfcad1a8310cfb90 (diff) | |
nixos/tests: add tests for exercising various hardening features
This test exercises the linux_hardened kernel along with the various hardening features (enabled via the hardened profile). Move hidepid test from misc, so that misc can go back to testing a vanilla configuration.
-rw-r--r-- | nixos/release.nix | 1 | ||||
-rw-r--r-- | nixos/tests/hardened.nix | 31 | ||||
-rw-r--r-- | nixos/tests/misc.nix | 9 |
3 files changed, 32 insertions, 9 deletions
diff --git a/nixos/release.nix b/nixos/release.nix
index 1c282bfea4f5..aaf23d7ffb79 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -248,6 +248,7 @@ in rec {
 tests.gocd-server = callTest tests/gocd-server.nix {};
 tests.gnome3 = callTest tests/gnome3.nix {};
 tests.gnome3-gdm = callTest tests/gnome3-gdm.nix {};
+ tests.hardened = callTest tests/hardened.nix { };
 tests.hibernate = callTest tests/hibernate.nix {};
 tests.hound = callTest tests/hound.nix {};
 tests.i3wm = callTest tests/i3wm.nix {};
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
new file mode 100644
index 000000000000..389d7ed7ffaa
--- /dev/null
+++ b/nixos/tests/hardened.nix
@@ -0,0 +1,31 @@
+import ./make-test.nix ({ pkgs, ...} : {
+ name = "hardened";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ joachifm ];
+ };
+
+ machine =
+ { config, lib, pkgs, ... }:
+ with lib;
+ { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
+ users.users.sybil = { isNormalUser = true; group = "wheel"; };
+ imports = [ ../modules/profiles/hardened.nix ];
+ };
+
+ testScript =
+ ''
+ # Test hidepid
+ subtest "hidepid", sub {
+ $machine->succeed("grep -Fq hidepid=2 /proc/mounts");
+ $machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
+ $machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
+ };
+
+ # Test kernel module hardening
+ subtest "lock-modules", sub {
+ $machine->waitForUnit("multi-user.target");
+ # note: this better a be module we normally wouldn't load ...
+ $machine->fail("modprobe dccp");
+ };
+ '';
+})
diff --git a/nixos/tests/misc.nix b/nixos/tests/misc.nix
index 0efa72823688..b926a62194b4 100644
--- a/nixos/tests/misc.nix
+++ b/nixos/tests/misc.nix
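Review bot: The lock-modules subtest in nixos/tests/hardened.nix passes vacuously when `dccp` is simply not built for or not shipped with the test kernel, because `$machine->fail("modprobe dccp")` cannot tell a locked module loader from a missing module. If the hardened profile enforces the lock through the `kernel.modules_disabled` sysctl (which the `waitForUnit("multi-user.target")` ordering suggests, but the profile is outside this diff), assert that state directly after the wait, e.g. `$machine->succeed("[ `cat /proc/sys/kernel/modules_disabled` = 1 ]");`, so the subtest fails if the profile ever stops setting it and the `modprobe` line then only confirms enforcement. The comment `# note: this better a be module we normally wouldn't load ...` should read `# note: this had better be a module we normally wouldn't load ...`.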
@@ -25,8 +25,6 @@ import ./make-test.nix ({ pkgs, ...} : {
 };
 users.users.sybil = { isNormalUser = true; group = "wheel"; };
 security.sudo = { enable = true; wheelNeedsPassword = false; };
- security.hideProcessInformation = true;
- users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
 };
 
 testScript =
@@ -119,12 +117,5 @@ import ./make-test.nix ({ pkgs, ...} : {
 subtest "sudo", sub {
 $machine->succeed("su - sybil -c 'sudo true'");
 };
-
- # Test hidepid
- subtest "hidepid", sub {
- $machine->succeed("grep -Fq hidepid=2 /proc/mounts");
- $machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
- $machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
- };
 '';
 })
|