From d440cc931eea01c3237a9a470c9dc1a695684988 Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Fri, 8 Jul 2022 16:48:51 +0000
Subject: [PATCH 1/2] nixosTests.hardened: disable dhcpcd privsep

Since 831024e2b93 ("nixos/dhcpcd: assert if privSep && alternative malloc"), this test has an assertion failure because dhcpcd (with privsep enabled) is not compatible with the allocator used by the hardened profile. Since it's unclear[1] what to do about this for the hardened profile, I propose doing the simplest thing possible to make the test eval, which is to just disable dhcpcd privsep. It's very inconvenient when trying to refactor the NixOS test infrastructure to have a test that doesn't evaluate. Once the correct solution is found for using dhcpcd with privsep with the hardened profile, this patch can be reverted. [1]: https://github.com/NixOS/nixpkgs/pull/157430
---
 nixos/tests/hardened.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
index 3afa8ebf2b5f..4e2ca4f273a7 100644
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -12,6 +12,11 @@ import ./make-test-python.nix ({ pkgs, ... } : {
 imports = [ ../modules/profiles/hardened.nix ];
 environment.memoryAllocator.provider = "graphene-hardened";
 nix.settings.sandbox = false;
+ nixpkgs.overlays = [
+ (final: super: {
+ dhcpcd = super.dhcpcd.override { enablePrivSep = false; };
+ })
+ ];
 virtualisation.emptyDiskImages = [ 4096 ];
 boot.initrd.postDeviceCommands = ''
 ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb

From a14da86f2cfe5038ed84d3db5663c5138839fa97 Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Fri, 8 Jul 2022 17:01:41 +0000
Subject: [PATCH 2/2] nixosTests.hardened: fix for recent Nix

As far as I know, there's no stable equivalent of nix ping-store.
---
 nixos/tests/hardened.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
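Review bot: The new nixpkgs.overlays entry that sets `enablePrivSep = false` on dhcpcd carries no comment, so a reader of hardened.nix cannot tell that a test of the hardened profile is deliberately weakening one of its components as a workaround rather than as part of the intended baseline. The rationale lives only in the commit message; I would place it next to the override, e.g. `# Workaround: dhcpcd privsep is incompatible with the graphene-hardened allocator` followed by `# (see NixOS/nixpkgs#157430); revert once the hardened profile resolves this.` It is also worth stating in that comment that coverage is reduced: the hardened VM now runs dhcpcd without privilege separation, so a regression in the privsep + hardened-malloc interaction would not be caught by this test.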
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
index 4e2ca4f273a7..ccb858168547 100644
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -90,8 +90,8 @@ import ./make-test-python.nix ({ pkgs, ... } : {
 # Test Nix dæmon usage
 with subtest("nix-daemon cannot be used by all users"):
- machine.fail("su -l nobody -s /bin/sh -c 'nix ping-store'")
- machine.succeed("su -l alice -c 'nix ping-store'")
+ machine.fail("su -l nobody -s /bin/sh -c 'nix --extra-experimental-features nix-command ping-store'")
+ machine.succeed("su -l alice -c 'nix --extra-experimental-features nix-command ping-store'")
 # Test kernel image protection