alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity

Merge pull request #180747 from alyssais/hardened-dhcpcd

Browse source 
nixosTests.hardened: disable dhcpcd privsep
This commit is contained in:
Robert Hensing 2022-07-10 12:40:38 +02:00 committed by GitHub
parent c7512caee3 a14da86f2c
commit 97d5a1a591
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
nixos/tests/hardened.nix
View file

@ -12,6 +12,11 @@ import ./make-test-python.nix ({ pkgs, ... } : {
imports = [ ../modules/profiles/hardened.nix ];
environment.memoryAllocator.provider = "graphene-hardened";
nix.settings.sandbox = false;
nixpkgs.overlays = [
(final: super: {
dhcpcd = super.dhcpcd.override { enablePrivSep = false; };
})
];
virtualisation.emptyDiskImages = [ 4096 ];
boot.initrd.postDeviceCommands = ''
${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
@ -85,8 +90,8 @@ import ./make-test-python.nix ({ pkgs, ... } : {
# Test Nix dæmon usage
with subtest("nix-daemon cannot be used by all users"):
machine.fail("su -l nobody -s /bin/sh -c 'nix ping-store'")
machine.succeed("su -l alice -c 'nix ping-store'")
machine.fail("su -l nobody -s /bin/sh -c 'nix --extra-experimental-features nix-command ping-store'")
machine.succeed("su -l alice -c 'nix --extra-experimental-features nix-command ping-store'")
# Test kernel image protection