Diffstat (limited to 'nixos/tests/hardened.nix')
-rw-r--r-- | nixos/tests/hardened.nix | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
new file mode 100644
index 000000000000..1d9a9043e03a
--- /dev/null
+++ b/nixos/tests/hardened.nix
@@ -0,0 +1,36 @@
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "hardened";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ joachifm ];
+  };
+
+  machine =
+    { config, lib, pkgs, ... }:
+    with lib;
+    { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
+      users.users.sybil = { isNormalUser = true; group = "wheel"; };
+      imports = [ ../modules/profiles/hardened.nix ];
+    };
+
+  testScript =
+    ''
+      # Test hidepid
+      subtest "hidepid", sub {
+        $machine->succeed("grep -Fq hidepid=2 /proc/mounts");
+        $machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
+        $machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
+      };
+
+      # Test kernel module hardening
+      subtest "lock-modules", sub {
+        $machine->waitForUnit("multi-user.target");
+        # note: this better a be module we normally wouldn't load ...
+        $machine->fail("modprobe dccp");
+      };
+
+      # Test userns
+      subtest "userns", sub {
+        $machine->fail("unshare --user");
+      };
+    '';
+}) |
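Review bot: The userns subtest runs `unshare --user` as root (the test driver's shell), so it only proves that user namespaces are disabled globally; it says nothing about the case the hardening is usually meant for, an unprivileged user cloning a userns, which the hidepid subtest does cover by going through `su`. Add the unprivileged check alongside the existing one, e.g. `$machine->fail("su - alice -c 'unshare --user'");`, and, if the profile exposes it as a sysctl, pin the knob directly with `$machine->succeed("[ `sysctl -n user.max_user_namespaces` = 0 ]");` rather than relying on `unshare` alone. The lock-modules subtest has the same shape: `$machine->fail("modprobe dccp")` also passes if the module simply isn't built or the unit that locks loading hasn't run yet, so asserting the kernel-side state (e.g. `kernel.modules_disabled` reading `1`, if that is what the profile sets) after `waitForUnit` would make the failure reason unambiguous. The `# note: this better a be module` comment should read `this had better be a module`.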