nixos/tests/apparmor.nix

   1 import ./make-test-python.nix ({ pkgs, lib, ... } : {
   2   name = "apparmor";
   3   meta.maintainers = with lib.maintainers; [ julm ];
   4
   5   nodes.machine =
   6     { lib, pkgs, config, ... }:
   7     {
   8       security.apparmor.enable = lib.mkDefault true;
   9     };
  10
  11   testScript =
  12     ''
  13       machine.wait_for_unit("multi-user.target")
  14
  15       with subtest("AppArmor profiles are loaded"):
  16           machine.succeed("systemctl status apparmor.service")
  17
  18       # AppArmor securityfs
  19       with subtest("AppArmor securityfs is mounted"):
  20           machine.succeed("mountpoint -q /sys/kernel/security")
  21           machine.succeed("cat /sys/kernel/security/apparmor/profiles")
  22
  23       # Test apparmorRulesFromClosure by:
  24       # 1. Prepending a string of the relevant packages' name and version on each line.
  25       # 2. Sorting according to those strings.
  26       # 3. Removing those prepended strings.
  27       # 4. Using `diff` against the expected output.
  28       with subtest("apparmorRulesFromClosure"):
  29           machine.succeed(
  30               "${pkgs.diffutils}/bin/diff -u ${pkgs.writeText "expected.rules" ''
  31                   mr ${pkgs.bash}/lib/**.so*,
  32                   r ${pkgs.bash},
  33                   r ${pkgs.bash}/etc/**,
  34                   r ${pkgs.bash}/lib/**,
  35                   r ${pkgs.bash}/share/**,
  36                   x ${pkgs.bash}/foo/**,
  37                   mr ${pkgs.glibc}/lib/**.so*,
  38                   r ${pkgs.glibc},
  39                   r ${pkgs.glibc}/etc/**,
  40                   r ${pkgs.glibc}/lib/**,
  41                   r ${pkgs.glibc}/share/**,
  42                   x ${pkgs.glibc}/foo/**,
  43                   mr ${pkgs.libcap}/lib/**.so*,
  44                   r ${pkgs.libcap},
  45                   r ${pkgs.libcap}/etc/**,
  46                   r ${pkgs.libcap}/lib/**,
  47                   r ${pkgs.libcap}/share/**,
  48                   x ${pkgs.libcap}/foo/**,
  49                   mr ${pkgs.libcap.lib}/lib/**.so*,
  50                   r ${pkgs.libcap.lib},
  51                   r ${pkgs.libcap.lib}/etc/**,
  52                   r ${pkgs.libcap.lib}/lib/**,
  53                   r ${pkgs.libcap.lib}/share/**,
  54                   x ${pkgs.libcap.lib}/foo/**,
  55                   mr ${pkgs.libidn2.out}/lib/**.so*,
  56                   r ${pkgs.libidn2.out},
  57                   r ${pkgs.libidn2.out}/etc/**,
  58                   r ${pkgs.libidn2.out}/lib/**,
  59                   r ${pkgs.libidn2.out}/share/**,
  60                   x ${pkgs.libidn2.out}/foo/**,
  61                   mr ${pkgs.libunistring}/lib/**.so*,
  62                   r ${pkgs.libunistring},
  63                   r ${pkgs.libunistring}/etc/**,
  64                   r ${pkgs.libunistring}/lib/**,
  65                   r ${pkgs.libunistring}/share/**,
  66                   x ${pkgs.libunistring}/foo/**,
  67                   mr ${pkgs.glibc.libgcc}/lib/**.so*,
  68                   r ${pkgs.glibc.libgcc},
  69                   r ${pkgs.glibc.libgcc}/etc/**,
  70                   r ${pkgs.glibc.libgcc}/lib/**,
  71                   r ${pkgs.glibc.libgcc}/share/**,
  72                   x ${pkgs.glibc.libgcc}/foo/**,
  73               ''} ${pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''
  74                   ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${
  75                       pkgs.apparmorRulesFromClosure {
  76                         name = "ping";
  77                         additionalRules = ["x $path/foo/**"];
  78                       } [ pkgs.libcap ]
  79                   } |
  80                   ${pkgs.coreutils}/bin/sort -n -k1 |
  81                   ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out
  82               ''}"
  83           )
  84     '';
  85 })