author | Robert Obryk <robryk@gmail.com> | 2023-08-25 21:51:27 +0200 |
---|---|---|
committer | Robert Obryk <robryk@gmail.com> | 2023-08-27 14:09:57 +0200 |
commit | c0e607da612b0203a5357cadb9b345c7c321c163 (patch) | |
tree | 87684c5d9cbf6d179f1eb5d5c57c8fb2878da4fd /nixos/tests/wrappers.nix | |
parent | 94d494b2f667a9c910582e1ba9648babd63550bf (diff) |
nixos/tests/wrappers: test apparmor configuration
Wrappers generate pieces of apparmor policies for inclusion, which are used only in a single place in nixpkgs, for `ping`. They are built only if apparmor is enabled. This change causes the test to test: - that the apparmor includes can be generated, - that `ping` works with apparmor enabled (as the only policy that references these includes). Ideally there would be some other NixOS test that verifies that `ping` specifically works. Sadly, there isn't one.
Diffstat (limited to 'nixos/tests/wrappers.nix')
-rw-r--r-- | nixos/tests/wrappers.nix | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/nixos/tests/wrappers.nix b/nixos/tests/wrappers.nix
index 391e9b42b45bd..4c7a82f7dd005 100644
--- a/nixos/tests/wrappers.nix
+++ b/nixos/tests/wrappers.nix
@@ -21,6 +21,8 @@ in
 };
 };
+ security.apparmor.enable = true;
+
 security.wrappers = {
 suidRoot = {
 owner = "root";
@@ -96,5 +98,11 @@ in
 machine.succeed("chmod u+s,a+w /run/wrappers/bin/suid_root_busybox")
 machine.fail(cmd_as_regular("/run/wrappers/bin/suid_root_busybox id -u"))
+
+ # Test that the only user of apparmor policy includes generated by
+ # wrappers works. Ideally this'd be located in a test for the module that
+ # actually makes the apparmor policy for ping, but there's no convenient
+ # test for that one.
+ machine.succeed("ping -c 1 127.0.0.1")
 '';
 }) |
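Review bot: The new `security.apparmor.enable = true;` line in the first hunk carries no comment, so a reader of the node configuration cannot tell why a wrappers test turns AppArmor on; the reason is only in the commit message. I would put `# Wrapper AppArmor includes are only built when AppArmor is enabled; see the ping check in testScript.` directly above it. Because the option is set on the single test machine, every existing setuid, setgid and capability assertion now also runs with AppArmor enabled, and the AppArmor-disabled configuration is no longer exercised by this test; if that is intended, the comment is a good place to say so. The surrounding attribute set begins and ends outside the hunk.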
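Review bot: The added `machine.succeed("ping -c 1 127.0.0.1")` in the second hunk would pass just as well if the ping policy never loaded and ping ran unconfined, so on its own it does not show that the generated includes were accepted by the parser or enforced. An assertion that the profile is present in the kernel before the ping would close that gap, for example `machine.succeed("grep -q '<ping-profile-name>' /sys/kernel/security/apparmor/profiles")`, where `<ping-profile-name>` is a placeholder because the profile's name is not visible on this page. The comment above the ping could then state that both the load and the confined run are being checked. The test script string starts outside the hunk, so whether an earlier step already waits for the AppArmor unit cannot be seen from here.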