nixos/tests/wrappers: test apparmor configuration
Wrappers generate pieces of apparmor policies for inclusion, which are used only in a single place in nixpkgs, for `ping`. They are built only if apparmor is enabled. This change causes the test to test: - that the apparmor includes can be generated, - that `ping` works with apparmor enabled (as the only policy that references these includes). Ideally there would be some other NixOS test that verifies that `ping` specifically works. Sadly, there isn't one.
parent
94d494b2f6
commit
c0e607da61
@ -21,6 +21,8 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
security.apparmor.enable = true;
|
||||
|
||||
security.wrappers = {
|
||||
suidRoot = {
|
||||
owner = "root";
|
||||
@ -96,5 +98,11 @@ in
|
||||
|
||||
machine.succeed("chmod u+s,a+w /run/wrappers/bin/suid_root_busybox")
|
||||
machine.fail(cmd_as_regular("/run/wrappers/bin/suid_root_busybox id -u"))
|
||||
|
||||
# Test that the only user of apparmor policy includes generated by
|
||||
# wrappers works. Ideally this'd be located in a test for the module that
|
||||
# actually makes the apparmor policy for ping, but there's no convenient
|
||||
# test for that one.
|
||||
machine.succeed("ping -c 1 127.0.0.1")
|
||||
'';
|
||||
})
|
||||
|
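Review bot: The added `machine.succeed("ping -c 1 127.0.0.1")` at the end of the second hunk runs as root and checks only the exit status, so it would still pass if the ping profile was never loaded, or if root's own privileges rather than the wrapper's allowed the socket. To exercise the wrapper-generated includes under confinement, I would run it like the neighbouring wrapper checks: `machine.succeed(cmd_as_regular("/run/wrappers/bin/ping -c 1 127.0.0.1"))`, assuming ping is installed as a wrapper at that path in this test's configuration. It would also help to assert that the profile is loaded before pinging, for example by checking `/sys/kernel/security/apparmor/profiles` for the ping profile, so that a silently skipped policy fails the test instead of passing. `cmd_as_regular` and the rest of the test script are defined outside the visible hunks.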