path: root/nixos/tests/wrappers.nix
authorRobert Obryk <robryk@gmail.com>2023-08-25 21:51:27 +0200
committerRobert Obryk <robryk@gmail.com>2023-08-27 14:09:57 +0200
commitc0e607da612b0203a5357cadb9b345c7c321c163 (patch)
tree87684c5d9cbf6d179f1eb5d5c57c8fb2878da4fd /nixos/tests/wrappers.nix
parent94d494b2f667a9c910582e1ba9648babd63550bf (diff)
nixos/tests/wrappers: test apparmor configuration
Wrappers generate pieces of apparmor policies for inclusion, which are
used only in a single place in nixpkgs, for `ping`. They are built only
if apparmor is enabled.

This change causes the test to test:
 - that the apparmor includes can be generated,
 - that `ping` works with apparmor enabled (as the only policy that
   references these includes).

Ideally there would be some other NixOS test that verifies that `ping`
specifically works. Sadly, there isn't one.
Diffstat (limited to 'nixos/tests/wrappers.nix')
-rw-r--r--nixos/tests/wrappers.nix8
1 files changed, 8 insertions, 0 deletions
diff --git a/nixos/tests/wrappers.nix b/nixos/tests/wrappers.nix
index 391e9b42b45bd..4c7a82f7dd005 100644
--- a/nixos/tests/wrappers.nix
+++ b/nixos/tests/wrappers.nix
@@ -21,6 +21,8 @@ in
       };
     };
 
+    security.apparmor.enable = true;
+
     security.wrappers = {
       suidRoot = {
         owner = "root";
@@ -96,5 +98,11 @@ in
 
       machine.succeed("chmod u+s,a+w /run/wrappers/bin/suid_root_busybox")
       machine.fail(cmd_as_regular("/run/wrappers/bin/suid_root_busybox id -u"))
+
+      # Test that the only user of apparmor policy includes generated by
+      # wrappers works. Ideally this'd be located in a test for the module that
+      # actually makes the apparmor policy for ping, but there's no convenient
+      # test for that one.
+      machine.succeed("ping -c 1 127.0.0.1")
     '';
 })
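Review bot: The new `machine.succeed("ping -c 1 127.0.0.1")` runs as root, so it never goes through the unprivileged path that the suid/capability wrapper and its AppArmor include exist to confine; the rest of this test script deliberately uses `cmd_as_regular` for exactly that reason (see the `suid_root_busybox` checks just above). Running `machine.succeed(cmd_as_regular("ping -c 1 127.0.0.1"))` instead would fail if the generated include denies the wrapper's capability transition for a normal user, which is the regression the commit message says it wants to catch. It is also worth noting in the comment that this only proves ping is not broken by the policy, not that the profile is loaded in enforce mode; a separate assertion that the ping profile appears under `/sys/kernel/security/apparmor/profiles` (if that is the right hook for this module — please confirm) would turn a silently unloaded policy into a test failure rather than a pass.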