From c0e607da612b0203a5357cadb9b345c7c321c163 Mon Sep 17 00:00:00 2001
From: Robert Obryk
Date: Fri, 25 Aug 2023 21:51:27 +0200
Subject: [PATCH] nixos/tests/wrappers: test apparmor configuration

Wrappers generate pieces of apparmor policies for inclusion, which are used only in a single place in nixpkgs, for `ping`. They are built only if apparmor is enabled.

This change causes the test to test:
- that the apparmor includes can be generated,
- that `ping` works with apparmor enabled (as the only policy that references these includes).

Ideally there would be some other NixOS test that verifies that `ping` specifically works. Sadly, there isn't one.
---
 nixos/tests/wrappers.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/nixos/tests/wrappers.nix b/nixos/tests/wrappers.nix
index 391e9b42b45..4c7a82f7dd0 100644
--- a/nixos/tests/wrappers.nix
+++ b/nixos/tests/wrappers.nix
@@ -21,6 +21,8 @@ in
 };
 };
 
+ security.apparmor.enable = true;
+
 security.wrappers = {
 suidRoot = {
 owner = "root";
@@ -96,5 +98,11 @@ in
 
 machine.succeed("chmod u+s,a+w /run/wrappers/bin/suid_root_busybox")
 machine.fail(cmd_as_regular("/run/wrappers/bin/suid_root_busybox id -u"))
+
+ # Test that the only user of apparmor policy includes generated by
+ # wrappers works. Ideally this'd be located in a test for the module that
+ # actually makes the apparmor policy for ping, but there's no convenient
+ # test for that one.
+ machine.succeed("ping -c 1 127.0.0.1")
 '';
 })
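Review bot: A successful `ping -c 1 127.0.0.1` in the second hunk shows only that the apparmor policy does not break ping; it passes just as well if the profile built from the wrappers include never loaded, or loaded in complain mode, so a regression that makes the generated include unparseable would still go unnoticed. Tie the check to the policy actually being active, for instance by waiting for the loader before the ping (`machine.wait_for_unit("apparmor.service")`, if that is the unit the apparmor module defines — verify) and then asserting the profile is present, e.g. `machine.succeed("grep -q ping /sys/kernel/security/apparmor/profiles")` with the real profile name substituted. The same applies to `security.apparmor.enable = true;` in the first hunk, which on its own does not confirm that any policy was produced from the include. Both hunks sit inside definitions that begin outside them: the first in what appears to be the machine configuration attrset, the second inside the `testScript` string whose start is not in the diff.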