author | Joachim Fasting <joachifm@fastmail.fm> | 2018-12-16 10:37:36 +0100 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2018-12-27 15:00:47 +0100 |
commit | 84fb8820db6226a6e5333813d47da6d876243064 (patch) | |
tree | e213da41f9e8d4e974fe71e724442b8155578bd5 /nixos/tests/hardened.nix | |
parent | 9db84f6fcdb2616471abb6a427a2b21fe8a8255f (diff) |
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work.
Diffstat (limited to 'nixos/tests/hardened.nix')
-rw-r--r-- | nixos/tests/hardened.nix | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix index e10a6363164ac..683f56c45af4a 100644 --- a/nixos/tests/hardened.nix +++ b/nixos/tests/hardened.nix @@ -70,5 +70,11 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->fail("su -l nobody -s /bin/sh -c 'nix ping-store'"); $machine->succeed("su -l alice -c 'nix ping-store'") =~ "OK"; }; + + # Test kernel image protection + subtest "kernelimage", sub { + $machine->fail("systemctl hibernate"); + $machine->fail("systemctl kexec"); + }; ''; }) |
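Review bot: the two `$machine->fail(...)` assertions in the new "kernelimage" subtest check only that the commands fail, not that they fail because of the kernel image protection, so the test can pass vacuously: in a test VM `systemctl hibernate` also fails when no resume/swap device is configured, and `systemctl kexec` also fails when no kernel has been loaded for kexec. Consider pairing each negative check with a positive one on the setting the option actually applies (for example, reading `/proc/sys/kernel/kexec_load_disabled` and checking for `nohibernate` on the kernel command line, if those are what protectKernelImage sets), using the same `=~` pattern the file already uses for `nix ping-store`, so a regression in the module cannot hide behind an unrelated failure.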