nixos/tests/wrappers: test apparmor configuration

Wrappers generate pieces of apparmor policies for inclusion, which are
used only in a single place in nixpkgs, for `ping`. They are built only
if apparmor is enabled.

This change causes the test to test:
 - that the apparmor includes can be generated,
 - that `ping` works with apparmor enabled (as the only policy that
   references these includes).

Ideally there would be some other NixOS test that verifies that `ping`
specifically works. Sadly, there isn't one.
Robert Obryk 2023-08-25 21:51:27 +02:00
parent 94d494b2f6
commit c0e607da61


@ -21,6 +21,8 @@ in
};
};
security.apparmor.enable = true;
security.wrappers = {
suidRoot = {
owner = "root";
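Review bot: `security.apparmor.enable = true;` is set without a comment and applies to the one machine that all the wrapper assertions run on, so the existing setuid and permission checks (such as the `suid_root_busybox` ones) are from now on exercised only with AppArmor enabled. Please add a short comment saying the option is there to force the wrappers' AppArmor includes to be built, and consider either a second node without AppArmor or a note in the test that the non-AppArmor configuration is intentionally no longer covered here.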
@ -96,5 +98,11 @@ in
machine.succeed("chmod u+s,a+w /run/wrappers/bin/suid_root_busybox")
machine.fail(cmd_as_regular("/run/wrappers/bin/suid_root_busybox id -u"))
# Test that the only user of apparmor policy includes generated by
# wrappers works. Ideally this'd be located in a test for the module that
# actually makes the apparmor policy for ping, but there's no convenient
# test for that one.
machine.succeed("ping -c 1 127.0.0.1")
'';
})
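Review bot: `machine.succeed("ping -c 1 127.0.0.1")` passes whenever ping works, including when the ping profile was never loaded or is not enforcing, so on its own it does not show that the generated includes were used. Consider asserting first that the profile is loaded, and running the ping through `cmd_as_regular(...)` like the surrounding checks, since `machine.succeed` executes as root and a bare `ping` depends on PATH resolving to the wrapper under `/run/wrappers/bin`. The comment above it could also name the module that owns the ping policy so the check can be moved later.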