nixos/opensnitch: various fixes (#438316)

nixos/modules/services/security/opensnitch.nix

@@ -197,10 +197,16 @@ in
       )
     );
 
+    security.auditd = lib.mkIf (cfg.settings.ProcMonitorMethod == "audit") {
+      enable = true;
+      plugins.af_unix.active = true;
+    };
+
     systemd = {
       packages = [ cfg.package ];
       services.opensnitchd = {
         wantedBy = [ "multi-user.target" ];
+        path = lib.optionals (cfg.settings.ProcMonitorMethod == "audit") [ pkgs.audit ];
         serviceConfig = {
           ExecStart =
             let
@@ -210,7 +216,7 @@ in
             in
             [
               ""
-              "${cfg.package}/bin/opensnitchd --config-file ${format.generate "default-config.json" preparedSettings}"
+              "${lib.getExe' cfg.package "opensnitchd"} --config-file ${format.generate "default-config.json" preparedSettings}"
             ];
         };
         preStart = lib.mkIf (cfg.rules != { }) (
@@ -251,5 +257,8 @@ in
 
   };
 
-  meta.maintainers = with lib.maintainers; [ onny ];
+  meta.maintainers = with lib.maintainers; [
+    onny
+    grimmauld
+  ];
 }

nixos/tests/opensnitch.nix

@@ -33,7 +33,7 @@ in
           enable = true;
           settings.DefaultAction = "deny";
           settings.ProcMonitorMethod = m;
-          settings.LogLevel = 0;
+          settings.LogLevel = 1;
         };
       }
     ) monitorMethods
@@ -46,7 +46,7 @@ in
           enable = true;
           settings.DefaultAction = "deny";
           settings.ProcMonitorMethod = m;
-          settings.LogLevel = 0;
+          settings.LogLevel = 1;
           rules = {
             curl = {
               name = "curl";
@@ -71,13 +71,24 @@ in
     server.wait_for_unit("caddy.service")
     server.wait_for_open_port(80)
   ''
-  + lib.concatLines (
-    map (m: ''
-      client_blocked_${m}.wait_for_unit("opensnitchd.service")
-      client_blocked_${m}.fail("curl http://server")
+  + (
+    lib.concatLines (
+      map (m: ''
+        client_blocked_${m}.wait_for_unit("opensnitchd.service")
+        client_blocked_${m}.fail("curl http://server")
 
-      client_allowed_${m}.wait_for_unit("opensnitchd.service")
-      client_allowed_${m}.succeed("curl http://server")
-    '') monitorMethods
+        client_allowed_${m}.wait_for_unit("opensnitchd.service")
+        client_allowed_${m}.succeed("curl http://server")
+      '') monitorMethods
+    )
+    + ''
+      # make sure the kernel modules were actually properly loaded
+      client_blocked_ebpf.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/opensnitch\.o'")
+      client_blocked_ebpf.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/opensnitch-procs\.o'")
+      client_blocked_ebpf.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/opensnitch-dns\.o'")
+      client_allowed_ebpf.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/opensnitch\.o'")
+      client_allowed_ebpf.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/opensnitch-procs\.o'")
+      client_allowed_ebpf.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/opensnitch-dns\.o'")
+    ''
   );
 }

pkgs/os-specific/linux/opensnitch-ebpf/default.nix

@@ -9,6 +9,7 @@
   bison,
   bc,
   opensnitch,
+  nixosTests,
 }:
 
 stdenv.mkDerivation rec {
@@ -58,11 +59,18 @@ stdenv.mkDerivation rec {
     done
   '';
 
+  passthru.tests = {
+    inherit (nixosTests) opensnitch;
+  };
+
   meta = with lib; {
     description = "eBPF process monitor module for OpenSnitch";
     homepage = "https://github.com/evilsocket/opensnitch";
     license = licenses.gpl3Only;
-    maintainers = with maintainers; [ onny ];
+    maintainers = with maintainers; [
+      onny
+      grimmauld
+    ];
     platforms = platforms.linux;
   };
 }