diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 1ce55e1eac4e..019b9c6223c4 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -25,6 +25,7 @@ in
 acme = handleTest ./acme.nix {};
 agda = handleTest ./agda.nix {};
 ammonite = handleTest ./ammonite.nix {};
+ apparmor = handleTest ./apparmor.nix {};
 atd = handleTest ./atd.nix {};
 avahi = handleTest ./avahi.nix {};
 avahi-with-resolved = handleTest ./avahi.nix { networkd = true; };
diff --git a/nixos/tests/apparmor.nix b/nixos/tests/apparmor.nix
new file mode 100644
index 000000000000..c6daa8e67de3
--- /dev/null
+++ b/nixos/tests/apparmor.nix
@@ -0,0 +1,82 @@
+import ./make-test-python.nix ({ pkgs, ... } : {
+ name = "apparmor";
+ meta = with pkgs.lib.maintainers; {
+ maintainers = [ julm ];
+ };
+
+ machine =
+ { lib, pkgs, config, ... }:
+ with lib;
+ {
+ security.apparmor.enable = mkDefault true;
+ };
+
+ testScript =
+ ''
+ machine.wait_for_unit("multi-user.target")
+
+ with subtest("AppArmor profiles are loaded"):
+ machine.succeed("systemctl status apparmor.service")
+
+ # AppArmor securityfs
+ with subtest("AppArmor securityfs is mounted"):
+ machine.succeed("mountpoint -q /sys/kernel/security")
+ machine.succeed("cat /sys/kernel/security/apparmor/profiles")
+
+ # Test apparmorRulesFromClosure by:
+ # 1. Prepending a string of the relevant packages' name and version on each line.
+ # 2. Sorting according to those strings.
+ # 3. Removing those prepended strings.
+ # 4. Using `diff` against the expected output.
+ with subtest("apparmorRulesFromClosure"):
+ machine.succeed(
+ "${pkgs.diffutils}/bin/diff ${pkgs.writeText "expected.rules" ''
+ mr ${pkgs.bash}/lib/**.so*,
+ r ${pkgs.bash},
+ r ${pkgs.bash}/etc/**,
+ r ${pkgs.bash}/lib/**,
+ r ${pkgs.bash}/share/**,
+ x ${pkgs.bash}/foo/**,
+ mr ${pkgs.glibc}/lib/**.so*,
+ r ${pkgs.glibc},
+ r ${pkgs.glibc}/etc/**,
+ r ${pkgs.glibc}/lib/**,
+ r ${pkgs.glibc}/share/**,
+ x ${pkgs.glibc}/foo/**,
+ mr ${pkgs.libcap}/lib/**.so*,
+ r ${pkgs.libcap},
+ r ${pkgs.libcap}/etc/**,
+ r ${pkgs.libcap}/lib/**,
+ r ${pkgs.libcap}/share/**,
+ x ${pkgs.libcap}/foo/**,
+ mr ${pkgs.libcap.lib}/lib/**.so*,
+ r ${pkgs.libcap.lib},
+ r ${pkgs.libcap.lib}/etc/**,
+ r ${pkgs.libcap.lib}/lib/**,
+ r ${pkgs.libcap.lib}/share/**,
+ x ${pkgs.libcap.lib}/foo/**,
+ mr ${pkgs.libidn2.out}/lib/**.so*,
+ r ${pkgs.libidn2.out},
+ r ${pkgs.libidn2.out}/etc/**,
+ r ${pkgs.libidn2.out}/lib/**,
+ r ${pkgs.libidn2.out}/share/**,
+ x ${pkgs.libidn2.out}/foo/**,
+ mr ${pkgs.libunistring}/lib/**.so*,
+ r ${pkgs.libunistring},
+ r ${pkgs.libunistring}/etc/**,
+ r ${pkgs.libunistring}/lib/**,
+ 
r ${pkgs.libunistring}/share/**,
+ x ${pkgs.libunistring}/foo/**,
+ ''} ${pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''
+ ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${
+ pkgs.apparmorRulesFromClosure {
+ name = "ping";
+ additionalRules = ["x $path/foo/**"];
+ } [ pkgs.libcap ]
+ } |
+ ${pkgs.coreutils}/bin/sort -n -k1 |
+ ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out
+ ''}"
+ )
+ '';
+})
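Review bot: The subtest named "AppArmor profiles are loaded" never checks that a profile is loaded: `systemctl status apparmor.service` only verifies the unit is active, and `cat /sys/kernel/security/apparmor/profiles` in the next subtest exits zero even when that file is empty. The idiomatic form for the first check is `machine.wait_for_unit("apparmor.service")`, and the second becomes a real assertion as `machine.succeed("test -s /sys/kernel/security/apparmor/profiles")` — if the default `security.apparmor.enable` configuration loads no policy, the test would first need to declare one, which I cannot tell from this hunk. Separately, `sort -n -k1` in actual.rules appears to apply numeric comparison to keys such as `bash-<version>`, which all parse as zero, so the order comes from sort's last-resort whole-line comparison rather than from `-n`; plain `sort` states the intent and the step comment could read `# 2. Sorting according to those strings (byte order; -n is not needed).`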