{ pkgs, ... }:
{
  name = "hardened";
  meta.maintainers = [ pkgs.lib.maintainers.joachifm ];

  # Single VM with the hardened profile applied; testScript below probes the
  # restrictions that profile puts in place.
  nodes.machine =
    {
      lib,
      pkgs,
      config,
      ...
    }:
    let
      inherit (pkgs.lib) optional versionOlder;
      kernelPackages = config.boot.kernelPackages;
    in
    {
      imports = [ ../modules/profiles/hardened.nix ];

      users.users = {
        # Unprivileged account driven through `su -l alice` in testScript; the
        # "proc" group is the only extra membership it gets.
        alice = {
          isNormalUser = true;
          extraGroups = [ "proc" ];
        };
        # Not referenced by testScript.
        sybil = {
          isNormalUser = true;
          group = "wheel";
        };
      };

      environment.memoryAllocator.provider = "graphene-hardened";
      # NOTE(review): the Nix build sandbox is switched off on the test VM and the
      # reason is not recorded here — confirm before copying this elsewhere.
      nix.settings.sandbox = false;

      # Scratch disk formatted as vfat in the initrd. It is declared "noauto",
      # so the "Deferred mounts work" subtest expects it to be absent at boot and
      # mounts it by hand.
      virtualisation.emptyDiskImages = [ 4096 ];
      boot.initrd.postDeviceCommands = ''
        ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
      '';
      virtualisation.fileSystems."/efi" = {
        device = "/dev/disk/by-label/EFISYS";
        fsType = "vfat";
        options = [ "noauto" ];
      };

      # wireguard is the module the "Out-of-tree modules can be loaded" subtest
      # looks for in /proc/modules; the separate package is only needed on
      # kernels older than 5.6.
      boot.extraModulePackages = optional (versionOlder kernelPackages.kernel.version "5.6") kernelPackages.wireguard;
      boot.kernelModules = [ "wireguard" ];
    };

  # One subtest per hardening property, in the order they appear:
  #  - apparmor.service is up and the securityfs profile list is readable;
  #  - wireguard shows up in /proc/modules, but after
  #    disable-kernel-module-loading.service `modprobe dccp` is refused;
  #  - `unshare --user` succeeds as root and fails for alice;
  #  - dmesg fails for alice; /proc/kcore is unreadable even as root;
  #  - /efi is not mounted at boot and can be mounted afterwards;
  #  - `nix ping-store` fails for nobody and succeeds for alice;
  #  - `systemctl hibernate` and `systemctl kexec` are refused;
  #  - the hardened allocator's own run-tests binary exits successfully.
  testScript =
    let
      mallocTests = pkgs.graphene-hardened-malloc.ld-preload-tests;
    in
    ''
      machine.wait_for_unit("multi-user.target")


      with subtest("AppArmor profiles are loaded"):
          machine.succeed("systemctl status apparmor.service")


      # AppArmor securityfs
      with subtest("AppArmor securityfs is mounted"):
          machine.succeed("mountpoint -q /sys/kernel/security")
          machine.succeed("cat /sys/kernel/security/apparmor/profiles")


      # Test loading out-of-tree modules
      with subtest("Out-of-tree modules can be loaded"):
          machine.succeed("grep -Fq wireguard /proc/modules")


      # Test kernel module hardening
      with subtest("No more kernel modules can be loaded"):
          # note: this better a be module we normally wouldn't load ...
          machine.wait_for_unit("disable-kernel-module-loading.service")
          machine.fail("modprobe dccp")


      # Test userns
      with subtest("User namespaces are restricted"):
          machine.succeed("unshare --user true")
          machine.fail("su -l alice -c 'unshare --user true'")


      # Test dmesg restriction
      with subtest("Regular users cannot access dmesg"):
          machine.fail("su -l alice -c dmesg")


      # Test access to kcore
      with subtest("Kcore is inaccessible as root"):
          machine.fail("cat /proc/kcore")


      # Test deferred mount
      with subtest("Deferred mounts work"):
          machine.fail("mountpoint -q /efi") # was deferred
          machine.execute("mkdir -p /efi")
          machine.succeed("mount /dev/disk/by-label/EFISYS /efi")
          machine.succeed("mountpoint -q /efi") # now mounted


      # Test Nix dæmon usage
      with subtest("nix-daemon cannot be used by all users"):
          machine.fail("su -l nobody -s /bin/sh -c 'nix --extra-experimental-features nix-command ping-store'")
          machine.succeed("su -l alice -c 'nix --extra-experimental-features nix-command ping-store'")


      # Test kernel image protection
      with subtest("The kernel image is protected"):
          machine.fail("systemctl hibernate")
          machine.fail("systemctl kexec")


      with subtest("The hardened memory allocator works"):
          machine.succeed("${mallocTests}/bin/run-tests")
    '';
}