nixos apparmor test uses the overlay too

LordGrimmauld · Dec 21, 2024 · 3890a37 · 3890a37
1 parent 725880e
commit 3890a37
Showing 1 changed file with 49 additions and 23 deletions.
diff --git a/flake.nix b/flake.nix
@@ -28,9 +28,10 @@
           apparmor-parser
           apparmor-pam
           apparmor-profiles
-          apparmor-kernel-patches 
-          apparmor-regression-test;
-        };
+          apparmor-kernel-patches
+          apparmor-regression-test
+          ;
+      };
     in
     (flake-utils.lib.eachSystem [ "aarch64-linux" "x86_64-linux" ] (
       system:
@@ -42,29 +43,54 @@
       in
       {
         packages = aa_pkgs;
-        checks = let
-          overlayed = pkgs.extend self.overlays.default;
-        in aa_pkgs // {
-          apparmor-nixpkgs-test = overlayed.nixosTests.apparmor // { nodes.machine.nixpkgs.overlays = [ self.overlays.default ]; }; # fixme: figure out overlay here
-          apparmor-regression-test = nixos-lib.runTest {
-            hostPkgs = overlayed;
-            imports = lib.singleton {
-              name = "appaarmor-regression-test-vm";
-              nodes.test = {
-                security.apparmor.enable = true;
-                security.apparmor.enableCache = true; # e2e tess expects caches
-                security.auditd.enable = true;
-                nixpkgs.overlays = [ self.overlays.default ];
+        checks =
+          let
+            overlayed = pkgs.extend self.overlays.default;
+            aa-nixos-test-config = overlayed.nixosTests.apparmor.config;
+          in
+          aa_pkgs
+          // {
+            apparmor-nixpkgs-test = nixos-lib.runTest {
+              hostPkgs = overlayed;
+
+              imports = lib.singleton {
+                inherit (aa-nixos-test-config) name;
+                nodes.machine = {
+                  # cursed stuff to make the overlay actually apply with all the reimports of nixpkgs
+                  security.apparmor = {
+                    inherit (aa-nixos-test-config.nodes.machine.security.apparmor) enable policies;
+                  };
+                  security.apparmor.includes."abstractions/base" = ''
+                    /nix/store/*/bin/** mr,
+                    /nix/store/*/lib/** mr,
+                    /nix/store/** r,
+                  '';
+                  nixpkgs.overlays = [ self.overlays.default ];
+                };
+              };
+
+              inherit (aa-nixos-test-config) testScript;
+            };
+
+            apparmor-regression-test = nixos-lib.runTest {
+              hostPkgs = overlayed;
+              imports = lib.singleton {
+                name = "appaarmor-regression-test-vm";
+                nodes.test = {
+                  security.apparmor.enable = true;
+                  security.apparmor.enableCache = true; # e2e tess expects caches
+                  security.auditd.enable = true;
+                  nixpkgs.overlays = [ self.overlays.default ];
+                };
               };
+              testScript = ''
+                print("Starting VM test...")
+                machine.wait_for_unit("default.target")
+                machine.succeed("journalctl -u apparmor -b 0")
+                machine.succeed("${lib.getExe aa_pkgs.apparmor-regression-test}")
+              '';
             };
-            testScript = ''
-              print("Starting VM test...")
-              machine.wait_for_unit("default.target")
-              machine.succeed("journalctl -u apparmor -b 0")
-              machine.succeed("${lib.getExe aa_pkgs.apparmor-regression-test}")
-            '';
           };
-        };
         lib = {
           apparmorRulesFromClosure = pkgs.callPackage ./nix/apparmorRulesFromClosure.nix { };
         };