nixos/tests/hardened: fix test (#40745)
failed because `pgrep -u` segfaults when access to proc info is denied on a hardened system.
parent
93a5152c82
commit
301072dc27
@ -25,16 +25,18 @@ import ./make-test.nix ({ pkgs, ...} : {
|
|||||||
|
|
||||||
testScript =
|
testScript =
|
||||||
''
|
''
|
||||||
|
$machine->waitForUnit("multi-user.target");
|
||||||
|
|
||||||
# Test hidepid
|
# Test hidepid
|
||||||
subtest "hidepid", sub {
|
subtest "hidepid", sub {
|
||||||
$machine->succeed("grep -Fq hidepid=2 /proc/mounts");
|
$machine->succeed("grep -Fq hidepid=2 /proc/mounts");
|
||||||
$machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
|
# cannot use pgrep -u here, it segfaults when access to process info is denied
|
||||||
$machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
|
$machine->succeed("[ `su - sybil -c 'ps --no-headers --user root | wc -l'` = 0 ]");
|
||||||
|
$machine->succeed("[ `su - alice -c 'ps --no-headers --user root | wc -l'` != 0 ]");
|
||||||
};
|
};
|
||||||
|
|
||||||
# Test kernel module hardening
|
# Test kernel module hardening
|
||||||
subtest "lock-modules", sub {
|
subtest "lock-modules", sub {
|
||||||
$machine->waitForUnit("multi-user.target");
|
|
||||||
# note: this better a be module we normally wouldn't load ...
|
# note: this better a be module we normally wouldn't load ...
|
||||||
$machine->fail("modprobe dccp");
|
$machine->fail("modprobe dccp");
|
||||||
};
|
};
|
||||||
|
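Review bot: The sybil assertion on the new `ps --no-headers --user root | wc -l` line can pass vacuously, because the pipeline's result comes from `wc -l`. If `ps` crashes or errors when access to /proc is denied (the failure mode the commit message describes for `pgrep -u`), the count is still 0 and the hidepid check succeeds without having observed anything. The alice check only shows that `ps` works for a user who, presumably, is allowed to see root's processes, so it does not cover the denied case. Consider adding an assertion that reads /proc directly and does not depend on procps, e.g. `$machine->fail("su - sybil -c 'test -e /proc/1'");`, so the hidepid=2 behaviour is verified even if the process tools misbehave.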