Diffstat (limited to 'nixos/tests/hardened.nix')
-rw-r--r-- | nixos/tests/hardened.nix | 12 |
1 files changed, 2 insertions, 10 deletions
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix index 8d845de70e2..485efc0fb78 100644 --- a/nixos/tests/hardened.nix +++ b/nixos/tests/hardened.nix @@ -1,6 +1,6 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : { name = "hardened"; - meta = with pkgs.stdenv.lib.maintainers; { + meta = with pkgs.lib.maintainers; { maintainers = [ joachifm ]; }; @@ -18,7 +18,7 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : { boot.initrd.postDeviceCommands = '' ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb ''; - fileSystems = lib.mkVMOverride { + virtualisation.fileSystems = { "/efi" = { device = "/dev/disk/by-label/EFISYS"; fsType = "vfat"; @@ -65,14 +65,6 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : { machine.succeed("grep -Fq wireguard /proc/modules") - # Test hidepid - with subtest("hidepid=2 option is applied and works"): - machine.succeed("grep -Fq hidepid=2 /proc/mounts") - # cannot use pgrep -u here, it segfaults when access to process info is denied - machine.succeed("[ `su - sybil -c 'ps --no-headers --user root | wc -l'` = 0 ]") - machine.succeed("[ `su - alice -c 'ps --no-headers --user root | wc -l'` != 0 ]") - - # Test kernel module hardening with subtest("No more kernel modules can be loaded"): # note: this better a be module we normally wouldn't load ... |
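Review bot: In the second hunk (`@@ -18,7 +18,7 @@`) the `/efi` mount moves to `virtualisation.fileSystems` with no comment saying why the plain `fileSystems` option is no longer used. A one-line comment above it would help, for example `# the test VM replaces fileSystems, so extra mounts go in virtualisation.fileSystems`; that wording assumes this is the reason, which the page does not state. If `lib` was in scope only for `lib.mkVMOverride`, its binding may now be unused, but the binding is outside the hunk. The attribute set continues past the hunk's last line.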
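Review bot: The third hunk (`@@ -65,14 +65,6 @@`) deletes the only visible assertions for `hidepid=2`, so the hardened test no longer checks that the option appears in `/proc/mounts` or that `sybil` cannot list root's processes while `alice` can. The page gives no reason for the removal. If the hardened profile still sets hidepid, the subtest should be kept or replaced with an equivalent check; if the option was dropped from the profile, a short comment where the block was, e.g. `# hidepid is no longer set by the hardened profile, so it is not tested here`, would make the loss of coverage deliberate and visible. The test script starts and ends outside the hunk.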