Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/grsecurity.nix | 46 | ||||
-rw-r--r-- | nixos/tests/hardened.nix | 36 | ||||
-rw-r--r-- | nixos/tests/misc.nix | 9 | ||||
-rw-r--r-- | nixos/tests/mysql-replication.nix | 10 | ||||
-rw-r--r-- | nixos/tests/radicale.nix | 80 | ||||
-rw-r--r-- | nixos/tests/slim.nix | 66 | ||||
-rw-r--r-- | nixos/tests/xrdp.nix | 45 |
7 files changed, 236 insertions, 56 deletions
diff --git a/nixos/tests/grsecurity.nix b/nixos/tests/grsecurity.nix
deleted file mode 100644
index d4a419fd0e39..000000000000
--- a/nixos/tests/grsecurity.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-# Basic test to make sure grsecurity works
-
-import ./make-test.nix ({ pkgs, ...} : {
- name = "grsecurity";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ copumpkin joachifm ];
- };
-
- machine = { config, pkgs, ... }:
- { security.grsecurity.enable = true;
- boot.kernel.sysctl."kernel.grsecurity.audit_mount" = 0;
- boot.kernel.sysctl."kernel.grsecurity.deter_bruteforce" = 0;
- networking.useDHCP = false;
- };
-
- testScript = ''
- subtest "grsec-lock", sub {
- $machine->succeed("systemctl is-active grsec-lock");
- $machine->succeed("grep -Fq 1 /proc/sys/kernel/grsecurity/grsec_lock");
- $machine->fail("echo -n 0 >/proc/sys/kernel/grsecurity/grsec_lock");
- };
-
- subtest "paxtest", sub {
- # TODO: running paxtest blackhat hangs the vm
- my @pax_mustkill = (
- "anonmap", "execbss", "execdata", "execheap", "execstack",
- "mprotanon", "mprotbss", "mprotdata", "mprotheap", "mprotstack",
- );
- foreach my $name (@pax_mustkill) {
- my $paxtest = "${pkgs.paxtest}/lib/paxtest/" . $name;
- $machine->succeed($paxtest) =~ /Killed/ or die
- }
- };
-
- # tcc -run executes run-time generated code and so allows us to test whether
- # paxmark actually works (otherwise, the process should be terminated)
- subtest "tcc", sub {
- $machine->execute("echo -e '#include <stdio.h>\nint main(void) { puts(\"hello\"); return 0; }' >main.c");
- $machine->succeed("${pkgs.tinycc}/bin/tcc -run main.c");
- };
-
- subtest "RBAC", sub {
- $machine->succeed("[ -c /dev/grsec ]");
- };
- '';
-})
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
new file mode 100644
index 000000000000..1d9a9043e03a
--- /dev/null
+++ b/nixos/tests/hardened.nix
@@ -0,0 +1,36 @@
+import ./make-test.nix ({ pkgs, ...} : {
+ name = "hardened";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ joachifm ];
+ };
+
+ machine =
+ { config, lib, pkgs, ... }:
+ with lib;
+ { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
+ users.users.sybil = { isNormalUser = true; group = "wheel"; };
+ imports = [ ../modules/profiles/hardened.nix ];
+ };
+
+ testScript =
+ ''
+ # Test hidepid
+ subtest "hidepid", sub {
+ $machine->succeed("grep -Fq hidepid=2 /proc/mounts");
+ $machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
+ $machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
+ };
+
+ # Test kernel module hardening
+ subtest "lock-modules", sub {
+ $machine->waitForUnit("multi-user.target");
+ # note: this better a be module we normally wouldn't load ...
+ $machine->fail("modprobe dccp");
+ };
+
+ # Test userns
+ subtest "userns", sub {
+ $machine->fail("unshare --user");
+ };
+ '';
+})
diff --git a/nixos/tests/misc.nix b/nixos/tests/misc.nix
index cd4086cb8f62..b926a62194b4 100644
--- a/nixos/tests/misc.nix
+++ b/nixos/tests/misc.nix
@@ -25,8 +25,6 @@ import ./make-test.nix ({ pkgs, ...} : {
 };
 users.users.sybil = { isNormalUser = true; group = "wheel"; };
 security.sudo = { enable = true; wheelNeedsPassword = false; };
- security.hideProcessInformation = true;
- users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
 };
 
 testScript =
@@ -119,12 +117,5 @@ import ./make-test.nix ({ pkgs, ...} : {
 subtest "sudo", sub {
 $machine->succeed("su - sybil -c 'sudo true'");
 };
-
- # Test hidepid
- subtest "hidepid", sub {
- $machine->succeed("grep -Fq hidepid=2 /etc/mtab");
- $machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
- $machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
- };
 '';
 })
diff --git a/nixos/tests/mysql-replication.nix b/nixos/tests/mysql-replication.nix
index b20bce8edce6..75c6d793febc 100644
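Review bot: The lock-modules subtest proves less than its name suggests: `$machine->fail("modprobe dccp")` also passes when dccp is simply absent from the kernel build or blacklisted, so a regression in the profile's module locking would go unnoticed. Add a positive assertion on the mechanism itself before the negative probe, e.g. `$machine->succeed("grep -Fq 1 /proc/sys/kernel/modules_disabled");`, assuming the hardened profile locks modules via `kernel.modules_disabled` (the profile is imported but not visible in this hunk, so confirm). The same applies to `fail("unshare --user")`: asserting the sysctl the profile sets (whichever one it is) would make the failure mode unambiguous. Consider also fixing the comment typo to `# note: this had better be a module we normally wouldn't load ...`.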
--- a/nixos/tests/mysql-replication.nix
+++ b/nixos/tests/mysql-replication.nix
@@ -56,11 +56,19 @@ in
 testScript = ''
 $master->start;
 $master->waitForUnit("mysql");
+ $master->waitForOpenPort(3306);
 $slave1->start;
 $slave2->start;
 $slave1->waitForUnit("mysql");
+ $slave1->waitForOpenPort(3306);
 $slave2->waitForUnit("mysql");
- $slave2->sleep(100); # Hopefully this is long enough!!
+ $slave2->waitForOpenPort(3306);
 $slave2->succeed("echo 'use testdb; select * from tests' | mysql -u root -N | grep 4");
+ $slave2->succeed("systemctl stop mysql");
+ $master->succeed("echo 'insert into testdb.tests values (123, 456);' | mysql -u root -N");
+ $slave2->succeed("systemctl start mysql");
+ $slave2->waitForUnit("mysql");
+ $slave2->waitForOpenPort(3306);
+ $slave2->succeed("echo 'select * from testdb.tests where Id = 123;' | mysql -u root -N | grep 456");
 '';
 })
diff --git a/nixos/tests/radicale.nix b/nixos/tests/radicale.nix
new file mode 100644
index 000000000000..4c2ed8456ddd
--- /dev/null
+++ b/nixos/tests/radicale.nix
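Review bot: The final `$slave2->succeed(... grep 456)` still races the replication it is meant to test: `waitForOpenPort(3306)` only shows the slave accepts connections again, while applying the relayed insert from the master is asynchronous, so the immediate select can run before the row exists — the same timing assumption the removed `sleep(100)` encoded, just shorter. Use the driver's retry primitive instead: `$slave2->waitUntilSucceeds("echo 'select * from testdb.tests where Id = 123;' | mysql -u root -N | grep 456");`. The first check, `grep 4`, is also a substring match that any value containing a 4 satisfies; `grep -w 4` (and `grep -w 456`) pins the actual cell value. The `let ... in` that binds the nodes starts before this hunk.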
@@ -0,0 +1,80 @@
+let
+ port = 5232;
+ radicaleOverlay = self: super: {
+ radicale = super.radicale.overrideAttrs (oldAttrs: {
+ propagatedBuildInputs = with self.pythonPackages;
+ (oldAttrs.propagatedBuildInputs or []) ++ [
+ passlib
+ ];
+ });
+ };
+ common = { config, pkgs, ...}: {
+ services.radicale = {
+ enable = true;
+ config = let home = config.users.extraUsers.radicale.home; in ''
+ [server]
+ hosts = 127.0.0.1:${builtins.toString port}
+ daemon = False
+ [encoding]
+ [well-known]
+ [auth]
+ type = htpasswd
+ htpasswd_filename = /etc/radicale/htpasswd
+ htpasswd_encryption = bcrypt
+ [git]
+ [rights]
+ [storage]
+ type = filesystem
+ filesystem_folder = ${home}/collections
+ [logging]
+ [headers]
+ '';
+ };
+ # WARNING: DON'T DO THIS IN PRODUCTION!
+ # This puts secrets (albeit hashed) directly into the Nix store for ease of testing.
+ environment.etc."radicale/htpasswd".source = with pkgs; let
+ py = python.withPackages(ps: with ps; [ passlib ]);
+ in runCommand "htpasswd" {} ''
+ ${py}/bin/python -c "
+from passlib.apache import HtpasswdFile
+ht = HtpasswdFile(
+ '$out',
+ new=True,
+ default_scheme='bcrypt'
+)
+ht.set_password('someuser', 'really_secret_password')
+ht.save()
+"
+ '';
+ };
+
+in import ./make-test.nix ({ lib, ... }: {
+ name = "radicale";
+ meta.maintainers = with lib.maintainers; [ aneeshusa ];
+
+ # Test radicale with bcrypt-based htpasswd authentication
+ nodes = {
+ py2 = { config, pkgs, ... }@args: (common args) // {
+ nixpkgs.overlays = [
+ radicaleOverlay
+ ];
+ };
+ py3 = { config, pkgs, ... }@args: (common args) // {
+ nixpkgs.overlays = [
+ (self: super: {
+ python = self.python3;
+ pythonPackages = self.python3.pkgs;
+ })
+ radicaleOverlay
+ ];
+ };
+ };
+
+ testScript = ''
+ for my $machine ($py2, $py3) {
+ $machine->waitForUnit('radicale.service');
+ $machine->waitForOpenPort(${builtins.toString port});
+ $machine->succeed('curl -s http://someuser:really_secret_password@127.0.0.1:${builtins.toString port}/someuser/calendar.ics/');
+ }
+ '';
+})
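Review bot: The authentication check in testScript cannot fail on a rejected login: `curl -s` exits 0 for an HTTP 401 or 403 just as it does for 200, so `$machine->succeed(curl ...)` only shows that radicale answered on the port, not that the bcrypt htpasswd backend accepted the credentials, which is what the comment above `nodes` says the test is for. Make curl fail on HTTP errors with `curl -sf ...`, and add the negative case so a misconfigured `[rights]`/`[auth]` that lets everyone in is caught too: `$machine->fail('curl -sf http://someuser:wrong_password@127.0.0.1:${builtins.toString port}/someuser/calendar.ics/');`. Whether an unauthenticated request is rejected depends on radicale's defaults for the empty `[rights]` section, which this hunk does not pin down, so confirm the expected status before relying on the negative probe.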
@@ -0,0 +1,66 @@
+import ./make-test.nix ({ pkgs, ...} : {
+ name = "slim";
+
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ aszlig ];
+ };
+
+ machine = { pkgs, lib, ... }: {
+ imports = [ ./common/user-account.nix ];
+ services.xserver.enable = true;
+ services.xserver.windowManager.default = "icewm";
+ services.xserver.windowManager.icewm.enable = true;
+ services.xserver.desktopManager.default = "none";
+ services.xserver.displayManager.slim = {
+ enable = true;
+
+ # Use a custom theme in order to get best OCR results
+ theme = pkgs.runCommand "slim-theme-ocr" {
+ nativeBuildInputs = [ pkgs.imagemagick ];
+ } ''
+ mkdir "$out"
+ convert -size 1x1 xc:white "$out/background.jpg"
+ convert -size 200x100 xc:white "$out/panel.jpg"
+ cat > "$out/slim.theme" <<EOF
+ background_color #ffffff
+ background_style tile
+
+ input_fgcolor #000000
+ msg_color #000000
+
+ session_color #000000
+ session_font Verdana:size=16:bold
+
+ username_msg Username:
+ username_font Verdana:size=16:bold
+ username_color #000000
+ username_x 50%
+ username_y 40%
+
+ password_msg Password:
+ password_x 50%
+ password_y 40%
+ EOF
+ '';
+ };
+ };
+
+ enableOCR = true;
+
+ testScript = { nodes, ... }: let
+ user = nodes.machine.config.users.extraUsers.alice;
+ in ''
+ startAll;
+ $machine->waitForText(qr/Username:/);
+ $machine->sendChars("${user.name}\n");
+ $machine->waitForText(qr/Password:/);
+ $machine->sendChars("${user.password}\n");
+
+ $machine->waitForFile('${user.home}/.Xauthority');
+ $machine->succeed('xauth merge ${user.home}/.Xauthority');
+ $machine->waitForWindow('^IceWM ');
+
+ # Make sure SLiM doesn't create a log file
+ $machine->fail('test -e /var/log/slim.log');
+ '';
+})
diff --git a/nixos/tests/xrdp.nix b/nixos/tests/xrdp.nix
new file mode 100644
index 000000000000..c997e36cc442
--- /dev/null
+++ b/nixos/tests/xrdp.nix
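Review bot: The comment on the last assertion, `# Make sure SLiM doesn't create a log file`, says what is checked but not why, so a future maintainer seeing `/var/log/slim.log` reappear cannot tell whether this is a hardening property (display-manager logs are a classic place for typed input to leak) or mere tidiness, nor which module setting or patch is supposed to prevent the file. State the reason and the mechanism in the comment, along the lines of `# The slim module is expected to keep SLiM from writing its own log file; /var/log/slim.log appearing means that configuration regressed` — adjusted to the actual option or patch, which is not visible in this hunk. A one-line pointer to where that behaviour is configured would make the assertion self-explaining.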
@@ -0,0 +1,45 @@
+import ./make-test.nix ({ pkgs, ...} : {
+ name = "xrdp";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ volth ];
+ };
+
+ nodes = {
+ server = { lib, pkgs, ... }: {
+ imports = [ ./common/user-account.nix ];
+ services.xrdp.enable = true;
+ services.xrdp.defaultWindowManager = "${pkgs.xterm}/bin/xterm";
+ networking.firewall.allowedTCPPorts = [ 3389 ];
+ };
+
+ client = { lib, pkgs, ... }: {
+ imports = [ ./common/x11.nix ./common/user-account.nix ];
+ services.xserver.displayManager.auto.user = "alice";
+ environment.systemPackages = [ pkgs.freerdp ];
+ services.xrdp.enable = true;
+ services.xrdp.defaultWindowManager = "${pkgs.icewm}/bin/icewm";
+ };
+ };
+
+ testScript = { nodes, ... }: ''
+ startAll;
+
+ $client->waitForX;
+ $client->waitForFile("/home/alice/.Xauthority");
+ $client->succeed("xauth merge ~alice/.Xauthority");
+
+ $client->sleep(5);
+
+ $client->execute("xterm &");
+ $client->sleep(1);
+ $client->sendChars("xfreerdp /cert-tofu /w:640 /h:480 /v:127.0.0.1 /u:alice /p:foobar\n");
+ $client->sleep(5);
+ $client->screenshot("localrdp");
+
+ $client->execute("xterm &");
+ $client->sleep(1);
+ $client->sendChars("xfreerdp /cert-tofu /w:640 /h:480 /v:server /u:alice /p:foobar\n");
+ $client->sleep(5);
+ $client->screenshot("remoterdp");
+ '';
+})
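Review bot: Nothing in testScript can fail if the RDP sessions never come up: `execute` ignores the exit status, `sendChars` only types into whatever has focus, and `screenshot` succeeds regardless of what is on screen, so a broken xrdp on either node still yields a green test, and the fixed `sleep` calls make even the screenshots timing-dependent. Replace each `$client->sleep(5);` before a screenshot with a wait on the client window, e.g. `$client->waitForWindow(qr/FreeRDP/);` — the exact title xfreerdp uses is not shown here, so check it against a screenshot first. Separately, `/cert-tofu` tells xfreerdp to trust whatever certificate the server presents on first contact; that is fine for a throwaway VM but deserves a comment such as `# /cert-tofu: trust-on-first-use of the server cert; acceptable only inside this disposable test VM` so the flag is not copied into real client configs. The `/p:foobar` literal presumably matches the password from common/user-account.nix; referencing it via `nodes` as the slim test does would avoid the two drifting apart.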