author | Philipp Bartsch <phil@grmr.de> | 2023-07-08 02:18:34 +0200 |
---|---|---|
committer | Philipp Bartsch <phil@grmr.de> | 2023-07-13 11:10:39 +0200 |
commit | ced170c030a409f8e21a7c1e20bced6a9397c1d2 (patch) | |
tree | 98a0fbf0e24e20b801115a4d4a6869e7e84ca173 /nixos/tests/miniflux.nix | |
parent | 125617826334fbf6be4f4f0e312f40b137bcb932 (diff) |
nixos/miniflux: add apparmor policy
This change also extends the test to ensure that normal operations aren't denied.
Diffstat (limited to 'nixos/tests/miniflux.nix')
-rw-r--r-- | nixos/tests/miniflux.nix | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/nixos/tests/miniflux.nix b/nixos/tests/miniflux.nix index be3e7abb6abd4..a3af53db0e7a1 100644 --- a/nixos/tests/miniflux.nix +++ b/nixos/tests/miniflux.nix @@ -25,6 +25,7 @@ in default = { ... }: { + security.apparmor.enable = true; services.miniflux = { enable = true; inherit adminCredentialsFile; @@ -34,6 +35,7 @@ in withoutSudo = { ... }: { + security.apparmor.enable = true; services.miniflux = { enable = true; inherit adminCredentialsFile; @@ -44,6 +46,7 @@ in customized = { ... }: { + security.apparmor.enable = true; services.miniflux = { enable = true; config = { @@ -63,6 +66,7 @@ in default.succeed( "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'" ) + default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') withoutSudo.wait_for_unit("miniflux.service") withoutSudo.wait_for_open_port(${toString defaultPort}) @@ -70,6 +74,7 @@ in withoutSudo.succeed( "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'" ) + withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') customized.wait_for_unit("miniflux.service") customized.wait_for_open_port(${toString port}) @@ -77,5 +82,6 @@ in customized.succeed( "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'" ) + customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') ''; }) |
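Review bot: The added `default.fail('journalctl -b --no-pager --grep ...')` assertion, repeated for `withoutSudo` and `customized`, only proves that no DENIED record was logged. It therefore also passes when the miniflux process is not confined at all, for example if the profile failed to load or did not attach to the binary. Because `fail` accepts any non-zero exit, it passes as well when journalctl errors out for an unrelated reason. I would pair each denial check with a positive assertion that the service's main process runs under an enforcing profile, such as `default.succeed("grep -q '(enforce)' /proc/$(systemctl show -p MainPID --value miniflux.service)/attr/current")`, and likewise on the other two nodes. The testScript string starts outside these hunks, so this is based only on the lines visible here.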