authorGraham Christensen <graham@grahamc.com>2017-04-03 09:05:15 -0400
committerGraham Christensen <graham@grahamc.com>2017-04-03 09:05:41 -0400
commitc7453084ef71e286699b7414894178e5559f5563 (patch)
treed89845a65b5715b0d6df6c988639db9b612db065 /nixos/tests/docker.nix
parentfa4fe7110566d8370983fa81f2b04a833339236d (diff)
docker: test for socket permissions
Diffstat (limited to 'nixos/tests/docker.nix')
-rw-r--r--nixos/tests/docker.nix17
1 files changed, 17 insertions, 0 deletions
diff --git a/nixos/tests/docker.nix b/nixos/tests/docker.nix
index 1b57a94a05d4..9096a5868f6c 100644
--- a/nixos/tests/docker.nix
+++ b/nixos/tests/docker.nix
@@ -11,6 +11,21 @@ import ./make-test.nix ({ pkgs, ...} : {
       { config, pkgs, ... }:
         {
           virtualisation.docker.enable = true;
+
+          users.users = {
+            noprivs = {
+              isNormalUser = true;
+              description = "Can't access the docker daemon";
+              password = "foobar";
+            };
+
+            hasprivs = {
+              isNormalUser = true;
+              description = "Can access the docker daemon";
+              password = "foobar";
+              extraGroups = [ "docker" ];
+            };
+          };
         };
     };
 
@@ -21,6 +36,8 @@ import ./make-test.nix ({ pkgs, ...} : {
     $docker->succeed("tar cv --files-from /dev/null | docker import - scratchimg");
     $docker->succeed("docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10");
     $docker->succeed("docker ps | grep sleeping");
+    $docker->succeed("sudo -u hasprivs docker ps");
+    $docker->fail("sudo -u noprivs docker ps");
     $docker->succeed("docker stop sleeping");
   '';
 })
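Review bot: The negative check `$docker->fail("sudo -u noprivs docker ps");` passes on any non-zero exit, so it would also pass if sudo itself failed (for instance if the noprivs account were missing), not only when the daemon socket refuses the connection. The hasprivs line before it shows that sudo and the docker client work in general, but nothing ties the noprivs failure to socket permissions. Pinning the reason would make the test match its title, e.g. `$docker->succeed("sudo -u noprivs docker ps 2>&1 | grep -i 'permission denied'");`, with the exact message text confirmed against the packaged docker client. Alternatively, assert the socket's owner, group and mode directly with `stat`. The test script starts above this hunk, so earlier setup is not visible here.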