Alois Wohlschlager
f047e4357b
Seccomp filtering and the no-new-privileges functionality improve the security
of the sandbox, and have been enabled by default for a long time. In
#265 it was decided that they
should be enabled unconditionally. Accordingly, remove the allow-new-privileges
(which had weird behavior anyway) and filter-syscall settings, and force the
security features on. Syscall filtering can still be enabled at build time to
support building on architectures libseccomp doesn't support.
Change-Id: Iedbfa18d720ae557dee07a24f69b2520f30119cb
194 lines
6.5 KiB
Nix
194 lines
6.5 KiB
Nix
{ lib, nixpkgs, nixpkgsFor }:
|
|
|
|
let
|
|
|
|
nixos-lib = import (nixpkgs + "/nixos/lib") { };
|
|
|
|
# https://nixos.org/manual/nixos/unstable/index.html#sec-calling-nixos-tests
|
|
runNixOSTestFor = system: test:
|
|
(nixos-lib.runTest {
|
|
imports = [ test ];
|
|
hostPkgs = nixpkgsFor.${system}.native;
|
|
defaults = {
|
|
nixpkgs.pkgs = nixpkgsFor.${system}.native;
|
|
nix.checkAllErrors = false;
|
|
};
|
|
_module.args.nixpkgs = nixpkgs;
|
|
_module.args.system = system;
|
|
})
|
|
// {
|
|
# allow running tests against older nix versions via `nix eval --apply`
|
|
# Example:
|
|
# nix build "$(nix eval --raw --impure .#hydraJobs.tests.fetch-git --apply 't: (t.forNix "2.19.2").drvPath')^*"
|
|
forNix = nixVersion: runNixOSTestFor system {
|
|
imports = [test];
|
|
defaults.nixpkgs.overlays = [(curr: prev: {
|
|
nix = (builtins.getFlake "nix/${nixVersion}").packages.${system}.nix;
|
|
})];
|
|
};
|
|
};
|
|
|
|
# Checks that a NixOS configuration does not contain any references to our
|
|
# locally defined Nix version.
|
|
checkOverrideNixVersion = { pkgs, lib, ... }: {
|
|
# pkgs.nix: The new Nix in this repo
|
|
# We disallow it, to make sure we don't accidentally use it.
|
|
system.forbiddenDependenciesRegex = lib.strings.escapeRegex "nix-${pkgs.nix.version}";
|
|
};
|
|
in
|
|
|
|
{
|
|
authorization = runNixOSTestFor "x86_64-linux" ./authorization.nix;
|
|
|
|
remoteBuilds = runNixOSTestFor "x86_64-linux" ./remote-builds.nix;
|
|
|
|
# Test our Nix as a client against remotes that are older
|
|
|
|
remoteBuilds_remote_2_3 = runNixOSTestFor "x86_64-linux" {
|
|
name = "remoteBuilds_remote_2_3";
|
|
imports = [ ./remote-builds.nix ];
|
|
builders.config = { lib, pkgs, ... }: {
|
|
imports = [ checkOverrideNixVersion ];
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
|
};
|
|
};
|
|
|
|
remoteBuilds_remote_2_13 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
|
name = "remoteBuilds_remote_2_13";
|
|
imports = [ ./remote-builds.nix ];
|
|
builders.config = { lib, pkgs, ... }: {
|
|
imports = [ checkOverrideNixVersion ];
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
|
|
};
|
|
});
|
|
|
|
remoteBuilds_remote_2_18 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
|
name = "remoteBuilds_remote_2_18";
|
|
imports = [ ./remote-builds.nix ];
|
|
builders.config = { lib, pkgs, ... }: {
|
|
imports = [ checkOverrideNixVersion ];
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_18;
|
|
};
|
|
});
|
|
|
|
# Test our Nix as a builder for clients that are older
|
|
|
|
remoteBuilds_local_2_3 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
|
name = "remoteBuilds_local_2_3";
|
|
imports = [ ./remote-builds.nix ];
|
|
nodes.client = { lib, pkgs, ... }: {
|
|
imports = [ checkOverrideNixVersion ];
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
|
};
|
|
});
|
|
|
|
remoteBuilds_local_2_13 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
|
name = "remoteBuilds_local_2_13";
|
|
imports = [ ./remote-builds.nix ];
|
|
nodes.client = { lib, pkgs, ... }: {
|
|
imports = [ checkOverrideNixVersion ];
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
|
|
};
|
|
});
|
|
|
|
remoteBuilds_local_2_18 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
|
name = "remoteBuilds_local_2_18";
|
|
imports = [ ./remote-builds.nix ];
|
|
nodes.client = { lib, pkgs, ... }: {
|
|
imports = [ checkOverrideNixVersion ];
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_18;
|
|
};
|
|
});
|
|
|
|
# End remoteBuilds tests
|
|
|
|
remoteBuildsSshNg = runNixOSTestFor "x86_64-linux" ./remote-builds-ssh-ng.nix;
|
|
|
|
# Test our Nix as a client against remotes that are older
|
|
|
|
remoteBuildsSshNg_remote_2_3 = runNixOSTestFor "x86_64-linux" {
|
|
name = "remoteBuildsSshNg_remote_2_3";
|
|
imports = [ ./remote-builds-ssh-ng.nix ];
|
|
builders.config = { lib, pkgs, ... }: {
|
|
imports = [ checkOverrideNixVersion ];
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
|
};
|
|
};
|
|
|
|
remoteBuildsSshNg_remote_2_13 = runNixOSTestFor "x86_64-linux" {
|
|
name = "remoteBuildsSshNg_remote_2_13";
|
|
imports = [ ./remote-builds-ssh-ng.nix ];
|
|
builders.config = { lib, pkgs, ... }: {
|
|
imports = [ checkOverrideNixVersion ];
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
|
|
};
|
|
};
|
|
|
|
remoteBuildsSshNg_remote_2_18 = runNixOSTestFor "x86_64-linux" {
|
|
name = "remoteBuildsSshNg_remote_2_18";
|
|
imports = [ ./remote-builds-ssh-ng.nix ];
|
|
builders.config = { lib, pkgs, ... }: {
|
|
imports = [ checkOverrideNixVersion ];
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_18;
|
|
};
|
|
};
|
|
|
|
# Test our Nix as a builder for clients that are older
|
|
|
|
# FIXME: these tests don't work yet
|
|
/*
|
|
remoteBuildsSshNg_local_2_3 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
|
name = "remoteBuildsSshNg_local_2_3";
|
|
imports = [ ./remote-builds-ssh-ng.nix ];
|
|
nodes.client = { lib, pkgs, ... }: {
|
|
imports = [ checkOverrideNixVersion ];
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
|
};
|
|
});
|
|
|
|
remoteBuildsSshNg_local_2_13 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
|
name = "remoteBuildsSshNg_local_2_13";
|
|
imports = [ ./remote-builds-ssh-ng.nix ];
|
|
nodes.client = { lib, pkgs, ... }: {
|
|
imports = [ checkOverrideNixVersion ];
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
|
|
};
|
|
});
|
|
|
|
# TODO: (nixpkgs update) remoteBuildsSshNg_local_2_18 = ...
|
|
*/
|
|
|
|
nix-copy-closure = runNixOSTestFor "x86_64-linux" ./nix-copy-closure.nix;
|
|
|
|
nix-copy = runNixOSTestFor "x86_64-linux" ./nix-copy.nix;
|
|
|
|
nix-upgrade-nix = runNixOSTestFor "x86_64-linux" ./nix-upgrade-nix.nix;
|
|
|
|
nssPreload = runNixOSTestFor "x86_64-linux" ./nss-preload.nix;
|
|
|
|
githubFlakes = runNixOSTestFor "x86_64-linux" ./github-flakes.nix;
|
|
|
|
sourcehutFlakes = runNixOSTestFor "x86_64-linux" ./sourcehut-flakes.nix;
|
|
|
|
tarballFlakes = runNixOSTestFor "x86_64-linux" ./tarball-flakes.nix;
|
|
|
|
containers = runNixOSTestFor "x86_64-linux" ./containers/containers.nix;
|
|
|
|
setuid = lib.genAttrs
|
|
["i686-linux" "x86_64-linux"]
|
|
(system: runNixOSTestFor system ./setuid/setuid.nix);
|
|
|
|
ca-fd-leak = runNixOSTestFor "x86_64-linux" ./ca-fd-leak;
|
|
|
|
fetch-git = runNixOSTestFor "x86_64-linux" ./fetch-git;
|
|
|
|
symlinkResolvconf = runNixOSTestFor "x86_64-linux" ./symlink-resolvconf.nix;
|
|
|
|
noNewPrivilegesInSandbox = runNixOSTestFor "x86_64-linux" ./no-new-privileges/sandbox.nix;
|
|
|
|
noNewPrivilegesOutsideSandbox = runNixOSTestFor "x86_64-linux" ./no-new-privileges/no-sandbox.nix;
|
|
|
|
broken-userns = runNixOSTestFor "x86_64-linux" ./broken-userns.nix;
|
|
|
|
coredumps = runNixOSTestFor "x86_64-linux" ./coredumps;
|
|
}
|