nixpkgs/nixos/tests/hardened.nix

import ./make-test.nix ({ pkgs, ...} : {
  name = "hardened";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ joachifm ];
  };

  machine =
    { lib, pkgs, ... }:
    with lib;
    { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
      users.users.sybil = { isNormalUser = true; group = "wheel"; };
      imports = [ ../modules/profiles/hardened.nix ];
      virtualisation.emptyDiskImages = [ 4096 ];
      boot.initrd.postDeviceCommands = ''
        ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
      '';
      fileSystems = lib.mkVMOverride {
        "/efi" = {
          device = "/dev/disk/by-label/EFISYS";
          fsType = "vfat";
          options = [ "noauto" ];
        };
      };
    };

  testScript =
    ''
      $machine->waitForUnit("multi-user.target");

      # Test hidepid
      subtest "hidepid", sub {
          $machine->succeed("grep -Fq hidepid=2 /proc/mounts");
          # cannot use pgrep -u here, it segfaults when access to process info is denied
          $machine->succeed("[ `su - sybil -c 'ps --no-headers --user root | wc -l'` = 0 ]");
          $machine->succeed("[ `su - alice -c 'ps --no-headers --user root | wc -l'` != 0 ]");
      };

      # Test kernel module hardening
      subtest "lock-modules", sub {
          # note: this better a be module we normally wouldn't load ...
          $machine->fail("modprobe dccp");
      };

      # Test userns
      subtest "userns", sub {
          $machine->fail("unshare --user");
      };

      # Test dmesg restriction
      subtest "dmesg", sub {
          $machine->fail("su -l alice -c dmesg");
      };

      # Test access to kcore
      subtest "kcore", sub {
          $machine->fail("cat /proc/kcore");
      };

      # Test deferred mount
      subtest "mount", sub {
        $machine->fail("mountpoint -q /efi"); # was deferred
        $machine->execute("mkdir -p /efi");
        $machine->succeed("mount /dev/disk/by-label/EFISYS /efi");
        $machine->succeed("mountpoint -q /efi"); # now mounted
      };
    '';
})
nixos/tests: add tests for exercising various hardening features This test exercises the linux_hardened kernel along with the various hardening features (enabled via the hardened profile). Move hidepid test from misc, so that misc can go back to testing a vanilla configuration. 2017-04-30 08:38:47 +02:00			`import ./make-test.nix ({ pkgs, ...} : {`
			`name = "hardened";`
			`meta = with pkgs.stdenv.lib.maintainers; {`
			`maintainers = [ joachifm ];`
			`};`

			`machine =`
[bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00			`{ lib, pkgs, ... }:`
nixos/tests: add tests for exercising various hardening features This test exercises the linux_hardened kernel along with the various hardening features (enabled via the hardened profile). Move hidepid test from misc, so that misc can go back to testing a vanilla configuration. 2017-04-30 08:38:47 +02:00			`with lib;`
			`{ users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };`
			`users.users.sybil = { isNormalUser = true; group = "wheel"; };`
			`imports = [ ../modules/profiles/hardened.nix ];`
nixos/hardened test: add failing test-case for deferred mounts 2017-09-22 23:20:42 +02:00			`virtualisation.emptyDiskImages = [ 4096 ];`
			`boot.initrd.postDeviceCommands = ''`
			`${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb`
			`'';`
			`fileSystems = lib.mkVMOverride {`
			`"/efi" = {`
			`device = "/dev/disk/by-label/EFISYS";`
			`fsType = "vfat";`
			`options = [ "noauto" ];`
			`};`
			`};`
nixos/tests: add tests for exercising various hardening features This test exercises the linux_hardened kernel along with the various hardening features (enabled via the hardened profile). Move hidepid test from misc, so that misc can go back to testing a vanilla configuration. 2017-04-30 08:38:47 +02:00			`};`

			`testScript =`
			`''`
nixos/tests/hardened: fix test (#40745) failed because `pgrep -u` segfaults when accesss to proc info is denied on a hardened system. 2018-05-19 08:42:15 +02:00			`$machine->waitForUnit("multi-user.target");`

nixos/tests: add tests for exercising various hardening features This test exercises the linux_hardened kernel along with the various hardening features (enabled via the hardened profile). Move hidepid test from misc, so that misc can go back to testing a vanilla configuration. 2017-04-30 08:38:47 +02:00			`# Test hidepid`
			`subtest "hidepid", sub {`
			`$machine->succeed("grep -Fq hidepid=2 /proc/mounts");`
nixos/tests/hardened: fix test (#40745) failed because `pgrep -u` segfaults when accesss to proc info is denied on a hardened system. 2018-05-19 08:42:15 +02:00			`# cannot use pgrep -u here, it segfaults when access to process info is denied`
			$machine->succeed("[ `su - sybil -c 'ps --no-headers --user root \| wc -l'` = 0 ]");
			$machine->succeed("[ `su - alice -c 'ps --no-headers --user root \| wc -l'` != 0 ]");
nixos/tests: add tests for exercising various hardening features This test exercises the linux_hardened kernel along with the various hardening features (enabled via the hardened profile). Move hidepid test from misc, so that misc can go back to testing a vanilla configuration. 2017-04-30 08:38:47 +02:00			`};`

			`# Test kernel module hardening`
			`subtest "lock-modules", sub {`
			`# note: this better a be module we normally wouldn't load ...`
			`$machine->fail("modprobe dccp");`
			`};`
nixos/hardened profile: disable user namespaces at runtime 2017-04-30 14:41:56 +02:00
			`# Test userns`
			`subtest "userns", sub {`
			`$machine->fail("unshare --user");`
			`};`
nixos/tests: expand hardened tests 2017-09-16 11:46:26 +02:00
			`# Test dmesg restriction`
			`subtest "dmesg", sub {`
			`$machine->fail("su -l alice -c dmesg");`
			`};`

			`# Test access to kcore`
			`subtest "kcore", sub {`
			`$machine->fail("cat /proc/kcore");`
			`};`
nixos/hardened test: add failing test-case for deferred mounts 2017-09-22 23:20:42 +02:00
			`# Test deferred mount`
			`subtest "mount", sub {`
			`$machine->fail("mountpoint -q /efi"); # was deferred`
			`$machine->execute("mkdir -p /efi");`
			`$machine->succeed("mount /dev/disk/by-label/EFISYS /efi");`
			`$machine->succeed("mountpoint -q /efi"); # now mounted`
			`};`
nixos/tests: add tests for exercising various hardening features This test exercises the linux_hardened kernel along with the various hardening features (enabled via the hardened profile). Move hidepid test from misc, so that misc can go back to testing a vanilla configuration. 2017-04-30 08:38:47 +02:00			`'';`
			`})`