Diffstat (limited to 'nixpkgs/nixos/tests/hardened.nix')
-rw-r--r-- | nixpkgs/nixos/tests/hardened.nix | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/nixpkgs/nixos/tests/hardened.nix b/nixpkgs/nixos/tests/hardened.nix index dc455f971f5c..ccb858168547 100644 --- a/nixpkgs/nixos/tests/hardened.nix +++ b/nixpkgs/nixos/tests/hardened.nix @@ -4,7 +4,7 @@ import ./make-test-python.nix ({ pkgs, ... } : { maintainers = [ joachifm ]; }; - machine = + nodes.machine = { lib, pkgs, config, ... }: with lib; { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; }; @@ -12,6 +12,11 @@ import ./make-test-python.nix ({ pkgs, ... } : { imports = [ ../modules/profiles/hardened.nix ]; environment.memoryAllocator.provider = "graphene-hardened"; nix.settings.sandbox = false; + nixpkgs.overlays = [ + (final: super: { + dhcpcd = super.dhcpcd.override { enablePrivSep = false; }; + }) + ]; virtualisation.emptyDiskImages = [ 4096 ]; boot.initrd.postDeviceCommands = '' ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb @@ -85,8 +90,8 @@ import ./make-test-python.nix ({ pkgs, ... } : { # Test Nix dæmon usage with subtest("nix-daemon cannot be used by all users"): - machine.fail("su -l nobody -s /bin/sh -c 'nix ping-store'") - machine.succeed("su -l alice -c 'nix ping-store'") + machine.fail("su -l nobody -s /bin/sh -c 'nix --extra-experimental-features nix-command ping-store'") + machine.succeed("su -l alice -c 'nix --extra-experimental-features nix-command ping-store'") # Test kernel image protection |
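Review bot: The new `nixpkgs.overlays` entry turns off dhcpcd privilege separation inside the test for the hardened profile, and nothing in the hunk says why. Presumably privsep conflicts with something the profile enables (the `graphene-hardened` allocator is set two lines above), but that is an inference; a comment such as `# dhcpcd privsep fails under this profile, see <issue-link>; drop the overlay once fixed` would make the workaround traceable. As written, the test no longer exercises the stock dhcpcd build that a machine importing the profile would run, so a pass here does not show that the default combination works. The overlay's argument names also mix conventions (`final: super:`); `final: prev:` would be consistent. The enclosing `nodes.machine` attribute set continues outside the hunk.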
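Review bot: The `machine.fail` line for `nobody` passes on any non-zero exit, so it cannot tell the daemon refusing the user apart from `su` or the `nix` CLI failing for an unrelated reason. The need for `--extra-experimental-features nix-command` suggests the old command may have been failing for both users on the disabled feature alone, which the negative assertion would not have noticed. Consider also checking the error text of the failing call, or at least adding a comment like `# must fail on the daemon's access check, not on CLI flags`. The test script starts and ends outside this hunk.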