a432668acf
The priviledge separation mode has several downsides: - it's incompatible with alternative memory allocators, including graphene-hardened; - it needs an unreleased patch to fix a crash; - it results in none less than 6 subprocesses running at any time, increasing the memory usage; - the privileged process (albeit not doing any networking related tasks) is still running as root, so it has complete access to the system. Let's disable this by default and instead run dhcpcd as an unpriviledge user with only the necessary capabilities.
29 lines
746 B
Nix
29 lines
746 B
Nix
import ./make-test-python.nix ({ lib, ... }:
|
|
{
|
|
name = "chrony";
|
|
|
|
meta = {
|
|
maintainers = with lib.maintainers; [ fpletz ];
|
|
};
|
|
|
|
nodes = {
|
|
machine = {
|
|
services.chrony.enable = true;
|
|
|
|
specialisation.hardened.configuration = {
|
|
services.chrony.enableMemoryLocking = true;
|
|
environment.memoryAllocator.provider = "graphene-hardened";
|
|
};
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
machine.start()
|
|
machine.wait_for_unit('multi-user.target')
|
|
machine.succeed('systemctl is-active chronyd.service')
|
|
machine.succeed('/run/booted-system/specialisation/hardened/bin/switch-to-configuration test')
|
|
machine.succeed('systemctl restart chronyd.service')
|
|
machine.wait_for_unit('chronyd.service')
|
|
'';
|
|
})
|