Diffstat (limited to 'nixos')
28 files changed, 350 insertions, 28 deletions
diff --git a/nixos/doc/manual/configuration/configuration.xml b/nixos/doc/manual/configuration/configuration.xml index caba8fb1f4ad..fb3f1498a9b7 100644 --- a/nixos/doc/manual/configuration/configuration.xml +++ b/nixos/doc/manual/configuration/configuration.xml @@ -28,6 +28,7 @@ effect after you run <command>nixos-rebuild</command>.</para> <xi:include href="postgresql.xml" /> <xi:include href="gitlab.xml" /> <xi:include href="acme.xml" /> +<xi:include href="input-methods.xml" /> <!-- Apache; libvirtd virtualisation --> diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index b118c79985e5..69da1f948829 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -58,6 +58,7 @@ let cp ${../../modules/services/databases/postgresql.xml} configuration/postgresql.xml cp ${../../modules/services/misc/gitlab.xml} configuration/gitlab.xml cp ${../../modules/security/acme.xml} configuration/acme.xml + cp ${../../modules/i18n/input-method/default.xml} configuration/input-methods.xml ln -s ${optionsDocBook} options-db.xml echo "${version}" > version ''; diff --git a/nixos/doc/manual/release-notes/rl-1603.xml b/nixos/doc/manual/release-notes/rl-1603.xml index 1528c8a72463..620c3e362a65 100644 --- a/nixos/doc/manual/release-notes/rl-1603.xml +++ b/nixos/doc/manual/release-notes/rl-1603.xml 
@@ -63,11 +63,11 @@ has the following highlights:</para>
 <itemizedlist>
 <listitem><para><literal>services/monitoring/longview.nix</literal></para></listitem>
 <listitem><para><literal>hardware/video/webcam/facetimehd.nix</literal></para></listitem>
- <listitem><para><literal>i18n/inputMethod/default.nix</literal></para></listitem>
- <listitem><para><literal>i18n/inputMethod/fcitx.nix</literal></para></listitem>
- <listitem><para><literal>i18n/inputMethod/ibus.nix</literal></para></listitem>
- <listitem><para><literal>i18n/inputMethod/nabi.nix</literal></para></listitem>
- <listitem><para><literal>i18n/inputMethod/uim.nix</literal></para></listitem>
+ <listitem><para><literal>i18n/input-method/default.nix</literal></para></listitem>
+ <listitem><para><literal>i18n/input-method/fcitx.nix</literal></para></listitem>
+ <listitem><para><literal>i18n/input-method/ibus.nix</literal></para></listitem>
+ <listitem><para><literal>i18n/input-method/nabi.nix</literal></para></listitem>
+ <listitem><para><literal>i18n/input-method/uim.nix</literal></para></listitem>
 <listitem><para><literal>programs/fish.nix</literal></para></listitem>
 <listitem><para><literal>security/acme.nix</literal></para></listitem>
 <listitem><para><literal>security/audit.nix</literal></para></listitem>
diff --git a/nixos/lib/test-driver/Machine.pm b/nixos/lib/test-driver/Machine.pm
index 8ac0a31f2875..37d6518fd8d7 100644
--- a/nixos/lib/test-driver/Machine.pm
+++ b/nixos/lib/test-driver/Machine.pm
@@ -543,7 +543,7 @@ sub waitForX {
 retry sub {
 my ($status, $out) = $self->execute("journalctl -b SYSLOG_IDENTIFIER=systemd | grep 'session opened'");
 return 0 if $status != 0;
- ($status, $out) = $self->execute("xwininfo -root > /dev/null 2>&1");
+ ($status, $out) = $self->execute("[ -e /tmp/.X11-unix/X0 ]");
 return 1 if $status == 0;
 }
 });
diff --git a/nixos/modules/i18n/inputMethod/default.nix b/nixos/modules/i18n/input-method/default.nix
index 7e6a25bfb084..7e6a25bfb084 100644
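Review bot: The new readiness probe in `waitForX` only checks that `/tmp/.X11-unix/X0` exists, which is weaker than the `xwininfo -root` round trip it replaces: the socket presumably appears before the server is ready to accept connections, and display 0 is hard-coded even though xserver.nix lets `cfg.display` select another number. A comment should record why the connection-based test was dropped, presumably because the server now runs with access control (the same commit removes `-ac`) and the test driver holds no xauth cookie at this point; suggested: `# The driver has no xauth cookie yet, so only check that the display socket exists; tests merge ~user/.Xauthority before talking to the server.` The enclosing `waitForX` starts before this hunk.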
--- a/nixos/modules/i18n/inputMethod/default.nix +++ b/nixos/modules/i18n/input-method/default.nix diff --git a/nixos/modules/i18n/input-method/default.xml b/nixos/modules/i18n/input-method/default.xml new file mode 100644 index 000000000000..c55ac1ec2456 --- /dev/null +++ b/nixos/modules/i18n/input-method/default.xml 
@@ -0,0 +1,131 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="module-services-input-methods"> + +<title>Input Methods</title> + +<para>Input methods are an operating system component that allows any data, such + as keyboard strokes or mouse movements, to be received as input. In this way + users can enter characters and symbols not found on their input devices. Using + an input method is obligatory for any language that has more graphemes than + there are keys on the keyboard.</para> + +<para>The following input methods are available in NixOS:</para> + +<itemizedlist> + <listitem><para>IBus: The intelligent input bus.</para></listitem> + <listitem><para>Fcitx: A customizable lightweight input + method.</para></listitem> + <listitem><para>Nabi: A Korean input method based on XIM.</para></listitem> + <listitem><para>Uim: The universal input method, is a library with a XIM + bridge.</para></listitem> +</itemizedlist> + +<section><title>IBus</title> + +<para>IBus is an Intelligent Input Bus. It provides full featured and user + friendly input method user interface.</para> + +<para>The following snippet can be used to configure IBus:</para> + +<programlisting> +i18n.inputMethod = { + enabled = "ibus"; + ibus.engines = with pkgs.ibus-engines; [ anthy hangul mozc ]; +}; +</programlisting> + +<para><literal>i18n.inputMethod.ibus.engines</literal> is optional and can be + used to add extra IBus engines.</para> + +<para>Available extra IBus engines are:</para> + +<itemizedlist> + <listitem><para>Anthy (<literal>ibus-engines.anthy</literal>): Anthy is a + system for Japanese input method. 
It converts Hiragana text to Kana Kanji + mixed text.</para></listitem> + <listitem><para>Hangul (<literal>ibus-engines.hangul</literal>): Korean input + method.</para></listitem> + <listitem><para>m17n (<literal>ibus-engines.m17n</literal>): m17n is an input + method that uses input methods and corresponding icons in the m17n + database.</para></listitem> + <listitem><para>mozc (<literal>ibus-engines.mozc</literal>): A Japanese input + method from Google.</para></listitem> + <listitem><para>Table (<literal>ibus-engines.table</literal>): An input method + that load tables of input methods.</para></listitem> + <listitem><para>table-others (<literal>ibus-engines.table-others</literal>): + Various table-based input methods.</para></listitem> +</itemizedlist> +</section> + +<section><title>Fcitx</title> + +<para>Fcitx is an input method framework with extension support. It has three + built-in Input Method Engine, Pinyin, QuWei and Table-based input + methods.</para> +<para>The following snippet can be used to configure Fcitx:</para> + +<programlisting> +i18n.inputMethod = { + enabled = "fcitx"; + fcitx.engines = with pkgs.fcitx-engines; [ mozc hangul m17n ]; +}; +</programlisting> + +<para><literal>i18n.inputMethod.fcitx.engines</literal> is optional and can be + used to add extra Fcitx engines.</para> + +<para>Available extra Fcitx engines are:</para> + +<itemizedlist> + <listitem><para>Anthy (<literal>fcitx-engines.anthy</literal>): Anthy is a + system for Japanese input method. It converts Hiragana text to Kana Kanji + mixed text.</para></listitem> + <listitem><para>Chewing (<literal>fcitx-engines.chewing</literal>): Chewing is + an intelligent Zhuyin input method. 
It is one of the most popular input + methods among Traditional Chinese Unix users.</para></listitem> + <listitem><para>Hangul (<literal>fcitx-engines.hangul</literal>): Korean input + method.</para></listitem> + <listitem><para>m17n (<literal>fcitx-engines.m17n</literal>): m17n is an input + method that uses input methods and corresponding icons in the m17n + database.</para></listitem> + <listitem><para>mozc (<literal>fcitx-engines.mozc</literal>): A Japanese input + method from Google.</para></listitem> + <listitem><para>table-others (<literal>fcitx-engines.table-others</literal>): + Various table-based input methods.</para></listitem> +</itemizedlist> +</section> + +<section><title>Nabi</title> + +<para>Nabi is an easy to use Korean X input method. It allows you to enter + phonetic Korean characters (hangul) and pictographic Korean characters + (hanja).</para> +<para>The following snippet can be used to configure Nabi:</para> + +<programlisting> +i18n.inputMethod = { + enabled = "nabi"; +}; +</programlisting> +</section> + +<section><title>Uim</title> + +<para>Uim (short for "universal input method") is a multilingual input method + framework. Applications can use it through so-called bridges.</para> +<para>The following snippet can be used to configure uim:</para> + +<programlisting> +i18n.inputMethod = { + enabled = "uim"; +}; +</programlisting> + +<para>Note: The <literal>i18n.inputMethod.uim.toolbar</literal> option can be + used to choose uim toolbar.</para> + +</section> +</chapter> diff --git a/nixos/modules/i18n/inputMethod/fcitx.nix b/nixos/modules/i18n/input-method/fcitx.nix index 8e31743504f1..8e31743504f1 100644 --- a/nixos/modules/i18n/inputMethod/fcitx.nix +++ b/nixos/modules/i18n/input-method/fcitx.nix diff --git a/nixos/modules/i18n/inputMethod/ibus.nix b/nixos/modules/i18n/input-method/ibus.nix index bb80f43634d3..bb80f43634d3 100644 --- a/nixos/modules/i18n/inputMethod/ibus.nix +++ b/nixos/modules/i18n/input-method/ibus.nix 
diff --git a/nixos/modules/i18n/inputMethod/nabi.nix b/nixos/modules/i18n/input-method/nabi.nix index c6708365effa..c6708365effa 100644 --- a/nixos/modules/i18n/inputMethod/nabi.nix +++ b/nixos/modules/i18n/input-method/nabi.nix diff --git a/nixos/modules/i18n/inputMethod/uim.nix b/nixos/modules/i18n/input-method/uim.nix index f8a3e560656d..f8a3e560656d 100644 --- a/nixos/modules/i18n/inputMethod/uim.nix +++ b/nixos/modules/i18n/input-method/uim.nix diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index d3005cdfd6f7..8e75f8d3c40a 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -474,7 +474,7 @@ my $hwConfig = <<EOF; boot.kernelModules = [$kernelModules ]; boot.extraModulePackages = [$modulePackages ]; $fsAndSwap - nix.maxJobs = $cpus; + nix.maxJobs = lib.mkDefault $cpus; ${\join "", (map { " $_\n" } (uniq @attrs))}} EOF diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 1e14fe655fc0..c3bade2ee6b9 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -47,6 +47,7 @@ #floppy = 18; # unused #uucp = 19; # unused #lp = 20; # unused + #proc = 21; # unused pulseaudio = 22; # must match `pulseaudio' GID gpsd = 23; #cdrom = 24; # unused @@ -259,6 +260,7 @@ hydra-www = 236; syncthing = 237; mfi = 238; + caddy = 239; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -288,6 +290,7 @@ floppy = 18; uucp = 19; lp = 20; + proc = 21; pulseaudio = 22; # must match `pulseaudio' UID gpsd = 23; cdrom = 24; @@ -489,6 +492,7 @@ radicale = 234; syncthing = 237; #mfi = 238; # unused + caddy = 239; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 7bcc5b849417..a23e787bd08e 100644 
--- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -41,11 +41,11 @@ ./hardware/video/nvidia.nix ./hardware/video/ati.nix ./hardware/video/webcam/facetimehd.nix - ./i18n/inputMethod/default.nix - ./i18n/inputMethod/fcitx.nix - ./i18n/inputMethod/ibus.nix - ./i18n/inputMethod/nabi.nix - ./i18n/inputMethod/uim.nix + ./i18n/input-method/default.nix + ./i18n/input-method/fcitx.nix + ./i18n/input-method/ibus.nix + ./i18n/input-method/nabi.nix + ./i18n/input-method/uim.nix ./installer/tools/auto-upgrade.nix ./installer/tools/nixos-checkout.nix ./installer/tools/tools.nix @@ -90,6 +90,7 @@ ./security/ca.nix ./security/duosec.nix ./security/grsecurity.nix + ./security/hidepid.nix ./security/oath.nix ./security/pam.nix ./security/pam_usb.nix @@ -433,6 +434,7 @@ ./services/ttys/kmscon.nix ./services/web-apps/pump.io.nix ./services/web-servers/apache-httpd/default.nix + ./services/web-servers/caddy.nix ./services/web-servers/fcgiwrap.nix ./services/web-servers/jboss/default.nix ./services/web-servers/lighttpd/cgit.nix diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix new file mode 100644 index 000000000000..8271578c55d6 --- /dev/null +++ b/nixos/modules/security/hidepid.nix 
@@ -0,0 +1,42 @@
+{ config, pkgs, lib, ... }:
+with lib;
+
+{
+ options = {
+ security.hideProcessInformation = mkEnableOption "" // { description = ''
+ Restrict access to process information to the owning user. Enabling
+ this option implies, among other things, that command-line arguments
+ remain private. This option is recommended for most systems, unless
+ there's a legitimate reason for allowing unprivileged users to inspect
+ the process information of other users.
+
+ Members of the group "proc" are exempt from process information hiding.
+ To allow a service to run without process information hiding, add "proc"
+ to its supplementary groups via
+ <option>systemd.services.<name?>.serviceConfig.SupplementaryGroups</option>.
+ ''; };
+ };
+
+ config = mkIf config.security.hideProcessInformation {
+ users.groups.proc.gid = config.ids.gids.proc;
+
+ systemd.services.hidepid = {
+ wantedBy = [ "local-fs.target" ];
+ after = [ "systemd-remount-fs.service" ];
+ before = [ "local-fs-pre.target" "local-fs.target" "shutdown.target" ];
+ wants = [ "local-fs-pre.target" ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=2,gid=${toString config.ids.gids.proc} /proc'';
+ ExecStop = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=0,gid=0 /proc'';
+ };
+
+ unitConfig = {
+ DefaultDependencies = false;
+ Conflicts = "shutdown.target";
+ };
+ };
+ };
+}
diff --git a/nixos/modules/services/networking/shout.nix b/nixos/modules/services/networking/shout.nix
index f069fe7bec96..3664c2857739 100644
--- a/nixos/modules/services/networking/shout.nix
+++ b/nixos/modules/services/networking/shout.nix
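Review bot: `mkEnableOption "" // { description = … }` builds a placeholder description from an empty name only to overwrite it; declaring `security.hideProcessInformation` with `mkOption { type = types.bool; default = false; description = …; }` expresses the same option without the empty-string trick. A comment on `ExecStart` is also worth having: the remount changes the /proc instance of the host mount namespace only, so a service or container that mounts its own /proc presumably does not pick up `hidepid=2` unless it sets the option itself, e.g. `# Only the host's /proc is remounted; separately mounted /proc instances need hidepid set themselves.` Confirm that behaviour before committing the wording.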
@@ -6,6 +6,21 @@ let cfg = config.services.shout; shoutHome = "/var/lib/shout"; + defaultConfig = pkgs.runCommand "config.js" {} '' + EDITOR=true ${pkgs.shout}/bin/shout config --home $PWD + mv config.js $out + ''; + + finalConfigFile = if (cfg.configFile != null) then cfg.configFile else '' + var _ = require('${pkgs.shout}/lib/node_modules/shout/node_modules/lodash') + + module.exports = _.merge( + {}, + require('${defaultConfig}'), + ${builtins.toJSON cfg.config} + ) + ''; + in { options.services.shout = { enable = mkEnableOption "Shout web IRC client"; @@ -35,8 +50,31 @@ in { type = types.nullOr types.lines; default = null; description = '' - Contents of Shout's <filename>config.js</filename> file. If left empty, - Shout will generate from its defaults at first startup. + Contents of Shout's <filename>config.js</filename> file. + + Used for backward compatibility, recommended way is now to use + the <literal>config</literal> option. + + Documentation: http://shout-irc.com/docs/server/configuration.html + ''; + }; + + config = mkOption { + default = {}; + type = types.attrs; + example = { + displayNetwork = false; + defaults = { + name = "Your Network"; + host = "localhost"; + port = 6697; + }; + }; + description = '' + Shout <filename>config.js</filename> contents as attribute set (will be + converted to JSON to generate the configuration file). + + The options defined here will be merged to the default configuration file. Documentation: http://shout-irc.com/docs/server/configuration.html ''; @@ -57,11 +95,7 @@ in { wantedBy = [ "multi-user.target" ]; wants = [ "network-online.target" ]; after = [ "network-online.target" ]; - preStart = if isNull cfg.configFile then "" - else '' - ln -sf ${pkgs.writeText "config.js" cfg.configFile} \ - ${shoutHome}/config.js - ''; + preStart = "ln -sf ${pkgs.writeText "config.js" finalConfigFile} ${shoutHome}/config.js"; script = concatStringsSep " " [ "${pkgs.shout}/bin/shout" (if cfg.private then "--private" else "--public") 
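Review bot: The new `preStart` passes `finalConfigFile` through `pkgs.writeText`, so the generated `config.js`, including everything placed in the new `config` attribute set, lands in the world-readable Nix store; the option description should say so, since Shout's config.js is presumably where network passwords would be configured. Suggested addition to the `config` description: `The generated file is stored in the Nix store and is readable by every local user; do not put credentials in it.` The old `configFile` path already had this property, so this is a documentation gap rather than a regression. `finalConfigFile` also ignores `config` entirely whenever `configFile` is set; one sentence in `configFile`'s description stating that would prevent silent misconfiguration.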
diff --git a/nixos/modules/services/web-servers/caddy.nix b/nixos/modules/services/web-servers/caddy.nix
new file mode 100644
index 000000000000..0d2612aaa66b
--- /dev/null
+++ b/nixos/modules/services/web-servers/caddy.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.caddy;
+ configFile = pkgs.writeText "Caddyfile" cfg.config;
+in
+{
+ options.services.caddy = {
+ enable = mkEnableOption "Caddy web server";
+
+ config = mkOption {
+ description = "Verbatim Caddyfile to use";
+ };
+
+ email = mkOption {
+ default = "";
+ type = types.string;
+ description = "Email address (for Let's Encrypt certificate)";
+ };
+
+ dataDir = mkOption {
+ default = "/var/lib/caddy";
+ type = types.path;
+ description = "The data directory, for storing certificates.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.caddy = {
+ description = "Caddy web server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.caddy}/bin/caddy -conf=${configFile} -email=${cfg.email}";
+ Type = "simple";
+ User = "caddy";
+ Group = "caddy";
+ AmbientCapabilities = "cap_net_bind_service";
+ };
+ };
+
+ users.extraUsers.caddy = {
+ group = "caddy";
+ uid = config.ids.uids.caddy;
+ home = cfg.dataDir;
+ createHome = true;
+ };
+
+ users.extraGroups.caddy.gid = config.ids.uids.caddy;
+ };
+}
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index d03e8ec8b1ba..dcf9f820f59c 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -221,7 +221,7 @@ in
 dpi = mkOption {
 type = types.nullOr types.int;
- default = 0;
+ default = null;
 description = "DPI resolution to use for X server.";
 };
@@ -466,6 +466,7 @@ in
 xorg.xsetroot
 xorg.xinput
 xorg.xprop
+ xorg.xauth
 pkgs.xterm
 pkgs.xdg_utils
 ]
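Review bot: `users.extraGroups.caddy.gid = config.ids.uids.caddy;` reads the group id from the uid table; it only works because ids.nix in this commit assigns caddy the value 239 in both tables, and should be `users.extraGroups.caddy.gid = config.ids.gids.caddy;`. The `config` option declares neither a `type` nor a default, so the expected shape of the Caddyfile is undocumented and a missing value presumably surfaces as a generic evaluation error rather than a typed one; `type = types.lines;` would address both. Since `configFile` goes through `pkgs.writeText`, the Caddyfile is also world-readable in the store, which the `config` description should mention if basic-auth or similar credentials may end up in it.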
@@ -513,8 +514,7 @@ in }; services.xserver.displayManager.xserverArgs = - [ "-ac" - "-terminate" + [ "-terminate" "-config ${configFile}" "-xkbdir" "${cfg.xkbDir}" ] ++ optional (cfg.display != null) ":${toString cfg.display}" diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index a3c83521c354..3f497566ff11 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -472,6 +472,13 @@ in ''; }; + systemd.generator-packages = mkOption { + default = []; + type = types.listOf types.package; + example = literalExample "[ pkgs.systemd-cryptsetup-generator ]"; + description = "Packages providing systemd generators."; + }; + systemd.defaultUnit = mkOption { default = "multi-user.target"; type = types.str; @@ -628,7 +635,18 @@ in environment.systemPackages = [ systemd ]; - environment.etc = { + environment.etc = let + # generate contents for /etc/systemd/system-generators from + # systemd.generators and systemd.generator-packages + generators = pkgs.runCommand "system-generators" { packages = cfg.generator-packages; } '' + mkdir -p $out + for package in $packages + do + ln -s $package/lib/systemd/system-generators/* $out/ + done; + ${concatStrings (mapAttrsToList (generator: target: "ln -s ${target} $out/${generator};\n") cfg.generators)} + ''; + in ({ "systemd/system".source = generateUnits "system" cfg.units upstreamSystemUnits upstreamSystemWants; "systemd/user".source = generateUnits "user" cfg.user.units upstreamUserUnits []; @@ -667,7 +685,9 @@ in ${concatStringsSep "\n" cfg.tmpfiles.rules} ''; - } // mapAttrs' (n: v: nameValuePair "systemd/system-generators/${n}" {"source"=v;}) cfg.generators; + + "systemd/system-generators" = { source = generators; }; + }); system.activationScripts.systemd = stringAfter [ "groups" ] '' diff --git a/nixos/tests/common/user-account.nix b/nixos/tests/common/user-account.nix index ded8275000af..93aeb60e456a 100644 --- a/nixos/tests/common/user-account.nix 
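Review bot: Dropping `-ac` from `xserverArgs` re-enables the X server's cookie-based access control, which is why the tests in this commit now run `xauth merge`; nothing in the list records that, and the next `cannot open display` failure invites someone to put it back. Suggested comment above the list: `# Never add "-ac" here: it disables X access control and lets any local user attach to the display. Clients must present the session's xauth cookie.` The `xserverArgs` expression appears to continue past this hunk.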
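Review bot: In the `generators` derivation, `ln -s $package/lib/systemd/system-generators/* $out/` runs without `nullglob`, so a package listed in `systemd.generator-packages` that ships no generators presumably produces a dangling symlink literally named `*` under /etc/systemd/system-generators instead of a build error; guarding the `ln` with `[ -d $package/lib/systemd/system-generators ]` or enabling `shopt -s nullglob` first makes the failure explicit. `done;` also carries a stray semicolon. The option name `systemd.generator-packages` is the only hyphenated name among its neighbours (`systemd.defaultUnit`, `systemd.generators`), and the `environment.etc = let … in ({` expression this hunk opens is closed in the following hunk.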
+++ b/nixos/tests/common/user-account.nix @@ -1,9 +1,14 @@ { lib, ... }: -{ users.extraUsers = lib.singleton +{ users.extraUsers.alice = { isNormalUser = true; - name = "alice"; description = "Alice Foobar"; password = "foobar"; }; + + users.extraUsers.bob = + { isNormalUser = true; + description = "Bob Foobar"; + password = "foobar"; + }; } diff --git a/nixos/tests/gnome3-gdm.nix b/nixos/tests/gnome3-gdm.nix index 1c07ddf79c2e..42425b57ba33 100644 --- a/nixos/tests/gnome3-gdm.nix +++ b/nixos/tests/gnome3-gdm.nix @@ -32,6 +32,7 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); $machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'"); + $machine->succeed("xauth merge ~alice/.Xauthority"); $machine->waitForWindow(qr/Terminal/); $machine->sleep(20); $machine->screenshot("screen"); diff --git a/nixos/tests/gnome3.nix b/nixos/tests/gnome3.nix index 714b35503706..50e7f4eace3b 100644 --- a/nixos/tests/gnome3.nix +++ b/nixos/tests/gnome3.nix @@ -27,6 +27,7 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); $machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'"); + $machine->succeed("xauth merge ~alice/.Xauthority"); $machine->waitForWindow(qr/Terminal/); $machine->mustSucceed("timeout 900 bash -c 'journalctl -f|grep -m 1 \"GNOME Shell started\"'"); $machine->sleep(10); diff --git a/nixos/tests/i3wm.nix b/nixos/tests/i3wm.nix index 627a150f641b..4685992d7a05 100644 --- a/nixos/tests/i3wm.nix +++ b/nixos/tests/i3wm.nix @@ -13,6 +13,8 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = { nodes, ... }: '' $machine->waitForX; + $machine->waitForFile("/home/alice/.Xauthority"); + $machine->succeed("xauth merge ~alice/.Xauthority"); $machine->waitForWindow(qr/first configuration/); $machine->sleep(1); $machine->screenshot("started"); diff --git a/nixos/tests/kde4.nix b/nixos/tests/kde4.nix index dc61658cd1c4..2693fb4fbf0a 100644 
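Review bot: The `xauth merge ~alice/.Xauthority` added to gnome3-gdm.nix and gnome3.nix (and to kde4.nix on the next line) runs without first waiting for the file, whereas i3wm.nix, lightdm.nix, sddm.nix, sddm-kde5.nix and xfce.nix all call `waitForFile` first; if the display manager has not written the cookie yet, the merge presumably succeeds with nothing merged and the following `waitForWindow` times out with no hint why. In these three tests the session is already open when the merge runs, so it may be benign in practice, but `$machine->waitForFile("/home/alice/.Xauthority");` before the merge would make them consistent with the rest.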
--- a/nixos/tests/kde4.nix +++ b/nixos/tests/kde4.nix @@ -41,11 +41,13 @@ import ./make-test.nix ({ pkgs, ... }: { pkgs.kde4.kdenetwork pkgs.kde4.kdetoys pkgs.kde4.kdewebdev + pkgs.xorg.xmessage ]; }; - testScript = '' + testScript = '' $machine->waitUntilSucceeds("pgrep plasma-desktop"); + $machine->succeed("xauth merge ~alice/.Xauthority"); $machine->waitForWindow(qr/plasma-desktop/); # Check that logging in has given the user ownership of devices. @@ -62,7 +64,7 @@ import ./make-test.nix ({ pkgs, ... }: { $machine->sleep(10); - $machine->screenshot("screen"); + $machine->screenshot("screen"); ''; }) diff --git a/nixos/tests/lightdm.nix b/nixos/tests/lightdm.nix index f30f9062dcde..97ec79406b88 100644 --- a/nixos/tests/lightdm.nix +++ b/nixos/tests/lightdm.nix @@ -22,6 +22,8 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->waitForText(qr/${user.description}/); $machine->screenshot("lightdm"); $machine->sendChars("${user.password}\n"); + $machine->waitForFile("/home/alice/.Xauthority"); + $machine->succeed("xauth merge ~alice/.Xauthority"); $machine->waitForWindow("^IceWM "); ''; }) diff --git a/nixos/tests/misc.nix b/nixos/tests/misc.nix index b926a62194b4..cd4086cb8f62 100644 --- a/nixos/tests/misc.nix +++ b/nixos/tests/misc.nix @@ -25,6 +25,8 @@ import ./make-test.nix ({ pkgs, ...} : { }; users.users.sybil = { isNormalUser = true; group = "wheel"; }; security.sudo = { enable = true; wheelNeedsPassword = false; }; + security.hideProcessInformation = true; + users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; }; }; testScript = @@ -117,5 +119,12 @@ import ./make-test.nix ({ pkgs, ...} : { subtest "sudo", sub { $machine->succeed("su - sybil -c 'sudo true'"); }; + + # Test hidepid + subtest "hidepid", sub { + $machine->succeed("grep -Fq hidepid=2 /etc/mtab"); + $machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]"); + $machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]"); + }; ''; }) 
diff --git a/nixos/tests/sddm-kde5.nix b/nixos/tests/sddm-kde5.nix index 476cb732e252..f97a6d12b63c 100644 --- a/nixos/tests/sddm-kde5.nix +++ b/nixos/tests/sddm-kde5.nix @@ -24,6 +24,8 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = { nodes, ... }: '' startAll; + $machine->waitForFile("/home/alice/.Xauthority"); + $machine->succeed("xauth merge ~alice/.Xauthority"); $machine->waitForWindow("^IceWM "); ''; }) diff --git a/nixos/tests/sddm.nix b/nixos/tests/sddm.nix index e11b5714d5c2..22a9e1bd2c7c 100644 --- a/nixos/tests/sddm.nix +++ b/nixos/tests/sddm.nix @@ -23,6 +23,8 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = { nodes, ... }: '' startAll; + $machine->waitForFile("/home/alice/.Xauthority"); + $machine->succeed("xauth merge ~alice/.Xauthority"); $machine->waitForWindow("^IceWM "); ''; }) diff --git a/nixos/tests/xfce.nix b/nixos/tests/xfce.nix index c131ef7dc8cd..c8b18f122658 100644 --- a/nixos/tests/xfce.nix +++ b/nixos/tests/xfce.nix @@ -15,11 +15,15 @@ import ./make-test.nix ({ pkgs, ...} : { services.xserver.displayManager.auto.user = "alice"; services.xserver.desktopManager.xfce.enable = true; + + environment.systemPackages = [ pkgs.xorg.xmessage ]; }; testScript = '' $machine->waitForX; + $machine->waitForFile("/home/alice/.Xauthority"); + $machine->succeed("xauth merge ~alice/.Xauthority"); $machine->waitForWindow(qr/xfce4-panel/); $machine->sleep(10); @@ -30,5 +34,9 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->waitForWindow(qr/Terminal/); $machine->sleep(10); $machine->screenshot("screen"); + + # Ensure that the X server does proper access control. + $machine->mustFail("su - bob -c 'DISPLAY=:0.0 xmessage Foo'"); + $machine->mustFail("su - bob -c 'DISPLAY=:0 xmessage Foo'"); ''; }) |
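Review bot: The two `mustFail` checks added to xfce.nix prove only that `su - bob -c '… xmessage Foo'` exits non-zero, which is equally true if bob's login is broken or `xmessage` cannot start for another reason, so on their own they do not show that X access control rejected him. A positive control running the same command as alice, the user who owns the display, would pin the failure to access control, unless such a run already exists earlier in `testScript` outside this hunk.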