authorJoachim Fasting <joachifm@fastmail.fm>2016-06-09 20:14:42 +0200
committerJoachim Fasting <joachifm@fastmail.fm>2016-06-14 03:38:18 +0200
commit09cf92ccee755bb67ecbf1b5928ef58eb43016f7 (patch)
tree021386373b306ccb26036e1e165c4872bbd26f91 /nixos/tests/grsecurity.nix
parenta53452f3e12f4feb76a5169149d93c3bd5359363 (diff)
nixos: flesh out the grsecurity test suite
I've failed to figure out why `paxtest blackhat` hangs the vm, and
have resigned to running individual `paxtest` programs.  This provides
limited coverage, but at least verifies that some important features are
in fact working.

Ideas for future work includes a subtest for basic desktop
functionality.
Diffstat (limited to 'nixos/tests/grsecurity.nix')
-rw-r--r--nixos/tests/grsecurity.nix40
1 files changed, 31 insertions, 9 deletions
diff --git a/nixos/tests/grsecurity.nix b/nixos/tests/grsecurity.nix
index 14f1aa9ff885..aadbfd8371ff 100644
--- a/nixos/tests/grsecurity.nix
+++ b/nixos/tests/grsecurity.nix
@@ -3,17 +3,39 @@
 import ./make-test.nix ({ pkgs, ...} : {
   name = "grsecurity";
   meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ copumpkin ];
+    maintainers = [ copumpkin joachifm ];
   };
 
   machine = { config, pkgs, ... }:
-    { boot.kernelPackages = pkgs.linuxPackages_grsec_testing_server; };
+    { security.grsecurity.enable = true;
+      boot.kernel.sysctl."kernel.grsecurity.deter_bruteforce" = 0;
+      security.apparmor.enable = true;
+    };
 
-  testScript =
-    ''
-      $machine->succeed("uname -a") =~ /grsec/;
-      # FIXME: this seems to hang the whole test. Unclear why, but let's fix it
-      # $machine->succeed("${pkgs.paxtest}/bin/paxtest blackhat");
-    '';
-})
+  testScript = ''
+    subtest "grsec-lock", sub {
+      $machine->succeed("systemctl is-active grsec-lock");
+      $machine->succeed("grep -Fq 1 /proc/sys/kernel/grsecurity/grsec_lock");
+      $machine->fail("echo -n 0 >/proc/sys/kernel/grsecurity/grsec_lock");
+    };
+
+    subtest "paxtest", sub {
+      # TODO: running paxtest blackhat hangs the vm
+      $machine->succeed("${pkgs.paxtest}/lib/paxtest/anonmap") =~ /Killed/ or die;
+      $machine->succeed("${pkgs.paxtest}/lib/paxtest/execbss") =~ /Killed/ or die;
+      $machine->succeed("${pkgs.paxtest}/lib/paxtest/execdata") =~ /Killed/ or die;
+      $machine->succeed("${pkgs.paxtest}/lib/paxtest/execheap") =~ /Killed/ or die;
+      $machine->succeed("${pkgs.paxtest}/lib/paxtest/execstack") =~ /Killed/ or die;
+      $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotanon") =~ /Killed/ or die;
+      $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotbss") =~ /Killed/ or die;
+      $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotdata") =~ /Killed/ or die;
+      $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotheap") =~ /Killed/ or die;
+      $machine->succeed("${pkgs.paxtest}/lib/paxtest/mprotstack") =~ /Killed/ or die;
+    };
 
+    subtest "tcc", sub {
+      $machine->execute("echo -e '#include <stdio.h>\nint main(void) { puts(\"hello\"); return 0; }' >main.c");
+      $machine->succeed("${pkgs.tinycc.bin}/bin/tcc -run main.c");
+    };
+  '';
+})
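Review bot: The ten `... =~ /Killed/ or die;` checks in the "paxtest" subtest die without a message, so a regression in any single PaX protection is reported only as "Died at ..." with no indication of which probe (anonmap, execstack, mprotheap, ...) unexpectedly survived. Folding the repeated lines into a loop over the probe names and dying with the probe name and its captured output makes the failing protection visible in the test log; the repeated `${pkgs.paxtest}` interpolation is also reduced to one place. Separately, the "tcc" subtest writes main.c with `$machine->execute(...)`, which ignores the exit status, so a failed write would only surface indirectly at the `tcc -run` step; `$machine->succeed(...)` on that line reports the real cause. The `kernel.grsecurity.deter_bruteforce = 0` sysctl in the machine config presumably exists so that the repeated PaX kills from paxtest do not trigger the brute-force deterrent; a one-line comment stating that would save the next maintainer from guessing.
```nix
    subtest "paxtest", sub {
      # TODO: running paxtest blackhat hangs the vm
      for my $probe (qw(anonmap execbss execdata execheap execstack
                        mprotanon mprotbss mprotdata mprotheap mprotstack)) {
        my $out = $machine->succeed("${pkgs.paxtest}/lib/paxtest/$probe");
        $out =~ /Killed/ or die "paxtest $probe: expected the probe to be killed, got: $out";
      }
    };
    # … unchanged: "tcc" subtest (use succeed instead of execute for the main.c write) …
```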