0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 14:10:33 +03:00
nixpkgs/nixos/tests/apparmor.nix
Silvan Mosberger 14182c1970 treewide: Format all Nix files
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:

  nix-build ci -A fmt.check

This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).

This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).

Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).

If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.

(branch-equivalent to commit 374e6bcc40)
2025-04-01 20:11:51 +02:00

94 lines
3.5 KiB
Nix

import ./make-test-python.nix (
{ pkgs, lib, ... }:
{
name = "apparmor";
meta.maintainers = with lib.maintainers; [ julm ];
nodes.machine =
{
lib,
pkgs,
config,
...
}:
{
security.apparmor.enable = lib.mkDefault true;
};
testScript = ''
machine.wait_for_unit("multi-user.target")
with subtest("AppArmor profiles are loaded"):
machine.succeed("systemctl status apparmor.service")
# AppArmor securityfs
with subtest("AppArmor securityfs is mounted"):
machine.succeed("mountpoint -q /sys/kernel/security")
machine.succeed("cat /sys/kernel/security/apparmor/profiles")
# Test apparmorRulesFromClosure by:
# 1. Prepending a string of the relevant packages' name and version on each line.
# 2. Sorting according to those strings.
# 3. Removing those prepended strings.
# 4. Using `diff` against the expected output.
with subtest("apparmorRulesFromClosure"):
machine.succeed(
"${pkgs.diffutils}/bin/diff -u ${pkgs.writeText "expected.rules" ''
mr ${pkgs.bash}/lib/**.so*,
r ${pkgs.bash},
r ${pkgs.bash}/etc/**,
r ${pkgs.bash}/lib/**,
r ${pkgs.bash}/share/**,
x ${pkgs.bash}/foo/**,
mr ${pkgs.glibc}/lib/**.so*,
r ${pkgs.glibc},
r ${pkgs.glibc}/etc/**,
r ${pkgs.glibc}/lib/**,
r ${pkgs.glibc}/share/**,
x ${pkgs.glibc}/foo/**,
mr ${pkgs.libcap}/lib/**.so*,
r ${pkgs.libcap},
r ${pkgs.libcap}/etc/**,
r ${pkgs.libcap}/lib/**,
r ${pkgs.libcap}/share/**,
x ${pkgs.libcap}/foo/**,
mr ${pkgs.libcap.lib}/lib/**.so*,
r ${pkgs.libcap.lib},
r ${pkgs.libcap.lib}/etc/**,
r ${pkgs.libcap.lib}/lib/**,
r ${pkgs.libcap.lib}/share/**,
x ${pkgs.libcap.lib}/foo/**,
mr ${pkgs.libidn2.out}/lib/**.so*,
r ${pkgs.libidn2.out},
r ${pkgs.libidn2.out}/etc/**,
r ${pkgs.libidn2.out}/lib/**,
r ${pkgs.libidn2.out}/share/**,
x ${pkgs.libidn2.out}/foo/**,
mr ${pkgs.libunistring}/lib/**.so*,
r ${pkgs.libunistring},
r ${pkgs.libunistring}/etc/**,
r ${pkgs.libunistring}/lib/**,
r ${pkgs.libunistring}/share/**,
x ${pkgs.libunistring}/foo/**,
mr ${pkgs.glibc.libgcc}/lib/**.so*,
r ${pkgs.glibc.libgcc},
r ${pkgs.glibc.libgcc}/etc/**,
r ${pkgs.glibc.libgcc}/lib/**,
r ${pkgs.glibc.libgcc}/share/**,
x ${pkgs.glibc.libgcc}/foo/**,
''} ${
pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''
${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${
pkgs.apparmorRulesFromClosure {
name = "ping";
additionalRules = [ "x $path/foo/**" ];
} [ pkgs.libcap ]
} |
${pkgs.coreutils}/bin/sort -n -k1 |
${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out
''
}"
)
'';
}
)