Merge pull request #180747 from alyssais/hardened-dhcpcd

nixosTests.hardened: disable dhcpcd privsep
Robert Hensing 2022-07-10 12:40:38 +02:00 committed by GitHub
commit 97d5a1a591
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -12,6 +12,11 @@ import ./make-test-python.nix ({ pkgs, ... } : {
imports = [ ../modules/profiles/hardened.nix ];
environment.memoryAllocator.provider = "graphene-hardened";
nix.settings.sandbox = false;
nixpkgs.overlays = [
(final: super: {
dhcpcd = super.dhcpcd.override { enablePrivSep = false; };
})
];
virtualisation.emptyDiskImages = [ 4096 ];
boot.initrd.postDeviceCommands = ''
${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
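Review bot: The overlay line `dhcpcd = super.dhcpcd.override { enablePrivSep = false; };` turns off dhcpcd's privilege separation inside the hardened test without a comment saying why, so a reader cannot tell a temporary workaround from an intended setting. Because the override lives in the test machine's `nixpkgs.overlays` and not in `../modules/profiles/hardened.nix`, the test now passes with a dhcpcd build that a system importing the profile does not get by default. Whatever failure motivated the change (presumably an incompatibility between privsep and the hardened allocator, which is not shown in this hunk) stays untested for such systems. I would add a comment above the overlay such as `# Workaround: dhcpcd privsep fails under the hardened profile; drop once fixed (see <issue link>)`. It is also worth deciding whether the setting belongs in the profile itself, so that the test and the deployed configuration match.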
@ -85,8 +90,8 @@ import ./make-test-python.nix ({ pkgs, ... } : {
# Test Nix dæmon usage
with subtest("nix-daemon cannot be used by all users"):
machine.fail("su -l nobody -s /bin/sh -c 'nix ping-store'")
machine.succeed("su -l alice -c 'nix ping-store'")
machine.fail("su -l nobody -s /bin/sh -c 'nix --extra-experimental-features nix-command ping-store'")
machine.succeed("su -l alice -c 'nix --extra-experimental-features nix-command ping-store'")
# Test kernel image protection