# Basic smoke test for grsecurity: the hardened kernel boots, grsec_lock is
# engaged and immutable, PaX kills the paxtest probes, and a legitimate
# in-memory code generator (tcc -run) still works.

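import ./make-test.nix ({ pkgs, ...} : {
  name = "grsecurity";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ copumpkin joachifm ];
  };

  machine = { config, pkgs, ... }:
    { security.grsecurity.enable = true;
      # The paxtest probes below deliberately provoke PaX kills. Brute-force
      # deterrence is switched off for the test VM so those kills do not slow
      # down or stall the remaining probes (presumably via grsecurity's
      # post-kill fork delay -- confirm against the kernel docs).
      # TEST-ONLY: do not carry this setting into a real configuration; the
      # deterrent is part of the protection grsecurity provides.
      boot.kernel.sysctl."kernel.grsecurity.deter_bruteforce" = 0;
      # Enabled only to check that apparmor and grsecurity coexist at boot;
      # nothing in testScript exercises apparmor policy itself.
      security.apparmor.enable = true;
    };

  testScript = ''
    # grsec_lock must be set by the grsec-lock unit and, once set, must not be
    # clearable again -- not even by root (the test shell runs as root).
    subtest "grsec-lock", sub {
      $machine->succeed("systemctl is-active grsec-lock");
      # -x: the whole line must be exactly "1", not merely contain a "1".
      $machine->succeed("grep -Fqx 1 /proc/sys/kernel/grsecurity/grsec_lock");
      $machine->fail("echo -n 0 >/proc/sys/kernel/grsecurity/grsec_lock");
    };

    # Each paxtest probe attempts one way of executing code from writable
    # memory (anonymous map, bss, data, heap, stack, and the mprotect
    # variants). The expectation is that PaX kills the probe, which paxtest
    # reports as "Killed"; the die message names the probe and echoes its
    # output so a regression is immediately attributable.
    subtest "paxtest", sub {
      # TODO: running paxtest blackhat hangs the vm
      for my $probe (qw(anonmap execbss execdata execheap execstack
                        mprotanon mprotbss mprotdata mprotheap mprotstack)) {
        my $out = $machine->succeed("${pkgs.paxtest}/lib/paxtest/$probe");
        $out =~ /Killed/ or die "paxtest $probe was not killed:\n$out";
      }
    };

    # tcc -run compiles and runs the program without writing a binary, i.e. it
    # generates code in memory. This checks that a legitimate code generator
    # still works under the PaX restrictions verified above (presumably because
    # the tcc binary carries the right PaX flags -- confirm against the
    # package's paxmark settings).
    subtest "tcc", sub {
      # succeed rather than execute: a failed write of main.c should fail here
      # with a clear cause, not as a confusing "file not found" from tcc.
      $machine->succeed("echo -e '#include <stdio.h>\nint main(void) { puts(\"hello\"); return 0; }' >main.c");
      $machine->succeed("${pkgs.tinycc.bin}/bin/tcc -run main.c");
    };
  '';
})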