diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix
index 84dda8cc64c2..30f5f96dc505 100644
--- a/nixos/release-combined.nix
+++ b/nixos/release-combined.nix
@@ -115,6 +115,7 @@ in rec {
 (all nixos.tests.sddm.default)
 (all nixos.tests.simple)
 (all nixos.tests.slim)
+ (all nixos.tests.sysctl)
 (all nixos.tests.udisks2)
 (all nixos.tests.xfce)
diff --git a/nixos/release.nix b/nixos/release.nix
index 59c269627f19..c557349a3264 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -309,6 +309,7 @@ in rec {
 tests.slim = callTest tests/slim.nix {};
 tests.smokeping = callTest tests/smokeping.nix {};
 tests.snapper = callTest tests/snapper.nix {};
+ tests.sysctl = callTest tests/sysctl.nix {};
 tests.taskserver = callTest tests/taskserver.nix {};
 tests.tomcat = callTest tests/tomcat.nix {};
 tests.udisks2 = callTest tests/udisks2.nix {};
diff --git a/nixos/tests/sysctl.nix b/nixos/tests/sysctl.nix
new file mode 100644
index 000000000000..d7220cabb22c
--- /dev/null
+++ b/nixos/tests/sysctl.nix
@@ -0,0 +1,25 @@
+import ./make-test.nix ({ pkgs, ...} : {
+ name = "sysctl";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ nequissimus ];
+ };
+
+ machine = { config, lib, pkgs, ... }:
+ {
+ boot.kernelPackages = pkgs.linuxPackages;
+ boot.kernel.sysctl = {
+ "kernel.dmesg_restrict" = true; # Restrict dmesg access
+ "net.core.bpf_jit_enable" = false; # Turn off bpf JIT
+ "user.max_user_namespaces" = 0; # Disable user namespaces
+ "vm.swappiness" = 2; # Low swap usage
+ };
+ };
+
+ testScript =
+ ''
+ $machine->succeed("sysctl kernel.dmesg_restrict | grep 'kernel.dmesg_restrict = 1'");
+ $machine->succeed("sysctl net.core.bpf_jit_enable | grep 'net.core.bpf_jit_enable = 0'");
+ $machine->succeed("sysctl user.max_user_namespaces | grep 'user.max_user_namespaces = 0'");
+ $machine->succeed("sysctl vm.swappiness | grep 'vm.swappiness = 2'");
+ '';
+})
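Review bot: The four grep assertions in testScript are unanchored substring matches, so `grep 'vm.swappiness = 2'` also passes on `vm.swappiness = 20` through `29` and `grep 'kernel.dmesg_restrict = 1'` also passes on `= 10`; the dots in the patterns are regex metacharacters as well. Use fixed-string, whole-line matching on each of the four lines, e.g. `$machine->succeed("sysctl vm.swappiness | grep -Fx 'vm.swappiness = 2'");`, with the same `-Fx` on the other three. Since dmesg_restrict, bpf_jit_enable and max_user_namespaces are hardening knobs, an exact check is what makes this test a useful regression guard for the sysctl module's boolean-to-0/1 mapping. One hedge: on kernels built with CONFIG_BPF_JIT_ALWAYS_ON the JIT sysctl cannot be set to 0, so the `net.core.bpf_jit_enable` assertion depends on the configuration of whatever pkgs.linuxPackages pins; a comment such as `# requires a kernel without BPF_JIT_ALWAYS_ON` next to that line would explain a future failure.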