import ./make-test.nix ({ pkgs, ... } : {
  name = "hardened";

  meta.maintainers = [ pkgs.stdenv.lib.maintainers.joachifm ];

  # One VM with the hardened profile applied and two ordinary users that
  # differ only in their group membership: alice is a member of "proc",
  # sybil is not (her primary group is "wheel").
  machine = { ... }:
    {
      imports = [ ../modules/profiles/hardened.nix ];

      users.users = {
        alice = {
          isNormalUser = true;
          extraGroups = [ "proc" ];
        };
        sybil = {
          isNormalUser = true;
          group = "wheel";
        };
      };
    };

  testScript = ''
    # /proc has to be mounted with hidepid=2. With that option a user who
    # is not in the "proc" group (sybil) must count zero root-owned
    # processes, while a member of that group (alice) must see some.
    subtest "hidepid", sub {
      $machine->succeed("grep -Fq hidepid=2 /proc/mounts");
      $machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
      $machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
    };

    # Once the system has fully come up, loading a kernel module is
    # expected to be refused.
    subtest "lock-modules", sub {
      $machine->waitForUnit("multi-user.target");
      # This has to be a module that is not already loaded on this VM;
      # modprobe on an already-loaded module succeeds without doing
      # anything, which would mask a missing lock.
      $machine->fail("modprobe dccp");
    };

    # Creating a new user namespace must be refused.
    subtest "userns", sub {
      $machine->fail("unshare --user");
    };
  '';
})