author rnhmjoj <rnhmjoj@inventati.org> 2021-09-19 12:02:24 +0200
committer rnhmjoj <rnhmjoj@inventati.org> 2021-09-19 12:06:00 +0200
commit 1bd7260adb4233816cc33ef6e7da667aee1c0a79
tree 2222ee3466c25de558fa8d53efbef20bdcdcdf91 /nixos/tests/hardened.nix
parent 5aef5e8d1ed1d75eb3aed18133be26404d0ed433
nixos/lock-kernel-modules: reorder before/after
Moving the service before multi-user.target (so the `hardened` test
continues to work the way it did before) can result in locking the kernel
too early. It's better to lock it a bit later and change the test to
wait specifically for the disable-kernel-module-loading.service.
Diffstat (limited to 'nixos/tests/hardened.nix')
-rw-r--r-- nixos/tests/hardened.nix 1
1 files changed, 1 insertions, 0 deletions
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
index a0b629086b5ad..b76ae83a32874 100644
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -57,6 +57,7 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
       # Test kernel module hardening
       with subtest("No more kernel modules can be loaded"):
           # note: this better a be module we normally wouldn't load ...
+          machine.wait_for_unit("disable-kernel-module-loading.service")
           machine.fail("modprobe dccp")
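Review bot: `machine.fail("modprobe dccp")` on the last line of the hunk passes on any modprobe failure, so even with the new wait in place the subtest does not show that the lock is what rejected the load; a dccp module that is missing or blacklisted would produce the same result. Consider adding, directly after the `wait_for_unit` line, an assertion on the lock state itself (for instance, if the unit works through the kernel.modules_disabled sysctl, a check that it reads 1). While touching this block, the context comment "this better a be module" could be corrected to "this had better be a module". The diffstat is limited to this file, so the before/after change in the service definition that this wait depends on is not visible here and should be reviewed together with it.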