# NixOS VM test for the AppArmor module.
#
# Boots a single machine with `security.apparmor.enable` and checks three
# things: the apparmor.service unit comes up, the kernel exposes the AppArmor
# interface under securityfs, and `pkgs.apparmorRulesFromClosure` produces the
# expected rule set for the closure of `[ pkgs.libcap ]`.
import ./make-test-python.nix ({ pkgs, ... }:
let
  # Rule file we expect `apparmorRulesFromClosure` to generate: for every store
  # path in the closure a fixed group of `mr`/`r` lines, plus the `x $path/foo/**`
  # line passed in through `additionalRules` below.
  expectedRules = pkgs.writeText "expected.rules" ''
    mr ${pkgs.bash}/lib/**.so*,
    r ${pkgs.bash},
    r ${pkgs.bash}/etc/**,
    r ${pkgs.bash}/lib/**,
    r ${pkgs.bash}/share/**,
    x ${pkgs.bash}/foo/**,
    mr ${pkgs.glibc}/lib/**.so*,
    r ${pkgs.glibc},
    r ${pkgs.glibc}/etc/**,
    r ${pkgs.glibc}/lib/**,
    r ${pkgs.glibc}/share/**,
    x ${pkgs.glibc}/foo/**,
    mr ${pkgs.libcap}/lib/**.so*,
    r ${pkgs.libcap},
    r ${pkgs.libcap}/etc/**,
    r ${pkgs.libcap}/lib/**,
    r ${pkgs.libcap}/share/**,
    x ${pkgs.libcap}/foo/**,
    mr ${pkgs.libcap.lib}/lib/**.so*,
    r ${pkgs.libcap.lib},
    r ${pkgs.libcap.lib}/etc/**,
    r ${pkgs.libcap.lib}/lib/**,
    r ${pkgs.libcap.lib}/share/**,
    x ${pkgs.libcap.lib}/foo/**,
    mr ${pkgs.libidn2.out}/lib/**.so*,
    r ${pkgs.libidn2.out},
    r ${pkgs.libidn2.out}/etc/**,
    r ${pkgs.libidn2.out}/lib/**,
    r ${pkgs.libidn2.out}/share/**,
    x ${pkgs.libidn2.out}/foo/**,
    mr ${pkgs.libunistring}/lib/**.so*,
    r ${pkgs.libunistring},
    r ${pkgs.libunistring}/etc/**,
    r ${pkgs.libunistring}/lib/**,
    r ${pkgs.libunistring}/share/**,
    x ${pkgs.libunistring}/foo/**,
  '';

  # Rule file actually generated, normalised to a stable order so it can be
  # compared byte-for-byte with `expectedRules`:
  #   1. the first sed prefixes each line with the "<name>-<version>" part of
  #      the store path it names (captured after the hash and the dash),
  #   2. sort orders the lines on that prefix,
  #   3. the second sed strips the prefix again.
  # NOTE(review): `sort -n -k1` is used on a key that has no leading digits, so
  # every key appears to compare as 0 and the ordering comes from GNU sort's
  # last-resort whole-line comparison. It evidently works, but `LC_ALL=C sort`
  # would state the intent directly; left unchanged here.
  actualRules = pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''
    ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${
        pkgs.apparmorRulesFromClosure {
          name = "ping";
          additionalRules = ["x $path/foo/**"];
        } [ pkgs.libcap ]
    } |
    ${pkgs.coreutils}/bin/sort -n -k1 |
    ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out
  '';
in
{
  name = "apparmor";
  meta.maintainers = [ pkgs.lib.maintainers.julm ];

  # Only the module's master switch is turned on; this test declares no
  # AppArmor policies of its own.
  nodes.machine = { lib, ... }: {
    security.apparmor.enable = lib.mkDefault true;
  };

  # NOTE(review): the "profiles are loaded" subtest only checks that
  # apparmor.service is reported healthy by systemd; it does not assert that
  # any profile is actually loaded or enforcing, so a configuration with an
  # empty policy set would presumably still pass. The securityfs subtest does
  # confirm the kernel-side AppArmor interface is present. Tightening the first
  # subtest (e.g. requiring a non-empty /sys/kernel/security/apparmor/profiles)
  # would need a profile this configuration is known to load — confirm before
  # adding such a check.
  testScript = ''
    machine.wait_for_unit("multi-user.target")

    with subtest("AppArmor profiles are loaded"):
        machine.succeed("systemctl status apparmor.service")

    # AppArmor securityfs
    with subtest("AppArmor securityfs is mounted"):
        machine.succeed("mountpoint -q /sys/kernel/security")
        machine.succeed("cat /sys/kernel/security/apparmor/profiles")

    # Test apparmorRulesFromClosure by:
    # 1. Prepending a string of the relevant packages' name and version on each line.
    # 2. Sorting according to those strings.
    # 3. Removing those prepended strings.
    # 4. Using `diff` against the expected output.
    with subtest("apparmorRulesFromClosure"):
        machine.succeed(
            "${pkgs.diffutils}/bin/diff ${expectedRules} ${actualRules}"
        )
  '';
})