Diffstat (limited to 'nixpkgs/nixos/tests/hardened.nix')
-rw-r--r--nixpkgs/nixos/tests/hardened.nix13
1 files changed, 1 insertions, 12 deletions
diff --git a/nixpkgs/nixos/tests/hardened.nix b/nixpkgs/nixos/tests/hardened.nix
index d3f1f3172965..485efc0fb78c 100644
--- a/nixpkgs/nixos/tests/hardened.nix
+++ b/nixpkgs/nixos/tests/hardened.nix
@@ -18,7 +18,7 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
       boot.initrd.postDeviceCommands = ''
         ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
       '';
-      fileSystems = lib.mkVMOverride {
+      virtualisation.fileSystems = {
         "/efi" = {
           device = "/dev/disk/by-label/EFISYS";
           fsType = "vfat";
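Review bot: The new `virtualisation.fileSystems = {` line has no comment explaining why the `/efi` mount is no longer declared as a `lib.mkVMOverride` on `fileSystems`. The option name suggests the mount is now handed to the test VM module rather than overriding its definitions, but the hunk does not say so. A one-line comment above it would help, for example `# declare /efi through the VM module instead of overriding fileSystems`, so a later edit does not restore the override. The enclosing attribute set starts and ends outside the hunk, so it is not visible here whether other mounts in this test need the same treatment.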
@@ -65,17 +65,6 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
           machine.succeed("grep -Fq wireguard /proc/modules")
 
 
-      # Test hidepid
-      with subtest("hidepid=2 option is applied and works"):
-          # Linux >= 5.8 shows "invisible"
-          machine.succeed(
-              "grep -Fq hidepid=2 /proc/mounts || grep -Fq hidepid=invisible /proc/mounts"
-          )
-          # cannot use pgrep -u here, it segfaults when access to process info is denied
-          machine.succeed("[ `su - sybil -c 'ps --no-headers --user root | wc -l'` = 0 ]")
-          machine.succeed("[ `su - alice -c 'ps --no-headers --user root | wc -l'` != 0 ]")
-
-
       # Test kernel module hardening
       with subtest("No more kernel modules can be loaded"):
           # note: this better a be module we normally wouldn't load ...