nixos/dnscrypt-proxy: fix apparmor profile and test

Test failed because of an incomplete apparmor profile. - fix apparmor profile - improve test timing, prevent non-deterministic failure
2018-05-20 02:24:12 +02:00 · 2018-05-20 02:24:12 +02:00 · 8dbd8f4d69
commit 8dbd8f4d69
parent 8bcec815bd
2 changed files with 6 additions and 1 deletions
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@ -192,6 +192,7 @@ in
    security.apparmor.profiles = singleton (pkgs.writeText "apparmor-dnscrypt-proxy" ''
      ${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy {
        /dev/null rw,
+        /dev/random r,
        /dev/urandom r,

        /etc/passwd r,
@ -211,6 +212,9 @@ in
        ${getLib pkgs.gcc.cc}/lib/libssp.so.* mr,
        ${getLib pkgs.libsodium}/lib/libsodium.so.* mr,
        ${getLib pkgs.systemd}/lib/libsystemd.so.* mr,
+        ${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so.* mr,
+        ${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so.* mr,
+        ${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so.* mr,
        ${getLib pkgs.xz}/lib/liblzma.so.* mr,
        ${getLib pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
        ${getLib pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
--- a/nixos/tests/dnscrypt-proxy.nix
+++ b/nixos/tests/dnscrypt-proxy.nix
@ -26,7 +26,8 @@ import ./make-test.nix ({ pkgs, ... }: {
    $client->waitForUnit("dnsmasq");

    # The daemon is socket activated; sending a single ping should activate it.
+    $client->fail("systemctl is-active dnscrypt-proxy");
    $client->execute("${pkgs.iputils}/bin/ping -c1 example.com");
-    $client->succeed("systemctl is-active dnscrypt-proxy");
+    $client->waitUntilSucceeds("systemctl is-active dnscrypt-proxy");
  '';
 })