4f0dadbf38
After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-builda08b3a4d19
.tar.gz \ --argstr baseRevb32a094368
result/bin/apply-formatting $NIXPKGS_PATH
69 lines
2.4 KiB
Nix
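# NixOS VM test for the usbguard service. It checks two things:
#   1. only users listed in IPCAllowedUsers can talk to the daemon over IPC;
#   2. a hot-plugged USB mass-storage device is blocked until it is
#      explicitly allowed.
import ./make-test-python.nix (
  { pkgs, ... }:
  {
    name = "usbguard";
    meta = with pkgs.lib.maintainers; {
      maintainers = [ tnias ];
    };

    nodes.machine =
      { ... }:
      {
        services.usbguard = {
          enable = true;
          # "bob" is deliberately absent: the test script expects his IPC
          # access to be refused.
          IPCAllowedUsers = [
            "alice"
            "root"
          ];

          # As virtual USB devices get attached to the "QEMU USB Hub" we need to
          # allow Hubs. Otherwise we would have to explicitly allow them too.
          # This is the only rule in the policy, so the storage device added
          # later matches nothing here.
          # NOTE(review): the "blocked" expectation below presumably relies on
          # the module's default implicit policy being "block" - confirm.
          rules = ''
            allow with-interface equals { 09:00:00 }
          '';
        };
        # Provides the user accounts the test script switches to with `su`.
        imports = [ ./common/user-account.nix ];
      };

    testScript = ''
      # create a blank disk image for our fake USB stick
      with open(machine.state_dir / "usbstick.img", "wb") as stick:
          stick.write(b"\x00" * (1024 * 1024))

      # wait for machine to have started and the usbguard service to be up
      machine.wait_for_unit("usbguard.service")

      with subtest("IPC access control"):
          # User "alice" is allowed to access the IPC interface
          machine.succeed("su alice -c 'usbguard list-devices'")

          # Make sure "bob" exists first. Otherwise the negative check below
          # would also pass when `su` fails for a missing account, without
          # usbguard ever refusing anything.
          machine.succeed("id bob")

          # User "bob" is not allowed to access the IPC interface
          machine.fail("su bob -c 'usbguard list-devices'")

      with subtest("check basic functionality"):
          # at this point we expect that no USB HDD is connected
          machine.fail("usbguard list-devices | grep -E 'QEMU USB HARDDRIVE'")

          # insert usb device
          machine.send_monitor_command(
              f"drive_add 0 id=stick,if=none,file={stick.name},format=raw"
          )
          machine.send_monitor_command("device_add usb-storage,id=stick,drive=stick")

          # the attached USB HDD should show up after a short while
          machine.wait_until_succeeds("usbguard list-devices | grep -E 'QEMU USB HARDDRIVE'")

          # at this point there should be a **blocked** USB HDD
          # (the pattern matches the target as a whole word, like the other
          # checks in this subtest)
          machine.succeed("usbguard list-devices | grep -E ' block .*QEMU USB HARDDRIVE'")
          machine.fail("usbguard list-devices | grep -E ' allow .*QEMU USB HARDDRIVE'")

          # allow storage devices
          # No -p/--permanent flag is passed, so this changes the daemon's
          # runtime decision only and does not add a rule to the policy.
          machine.succeed("usbguard allow-device 'with-interface { 08:*:* }'")

          # at this point there should be an **allowed** USB HDD
          machine.succeed("usbguard list-devices | grep -E ' allow .*QEMU USB HARDDRIVE'")
          machine.fail("usbguard list-devices | grep -E ' block .*QEMU USB HARDDRIVE'")
    '';
  }
)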