services: Add opensnitch-service.

* gnu/services/opensnitch.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add reference to it. * doc/guix.texi (Miscellaneous Services, Security): Document it. * gnu/tests/security.scm (%test-opensnitch): New variable. Change-Id: I63d1b6636b3aaecf399664ec97383d82ff1391d1
2026-04-06 21:20:33 +02:00 · 2025-12-18 00:54:21 +01:00
parent 5dca6d6643
commit ac92638bce
4 changed files with 439 additions and 1 deletions
--- a/gnu/tests/security.scm
+++ b/gnu/tests/security.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2022 muradm <mail@muradm.net>
+;;; Copyright © 2025 Danny Milosavljevic <dannym@friendly-machines.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -19,8 +20,10 @@
 (define-module (gnu tests security)
  #:use-module (guix gexp)
  #:use-module (gnu packages admin)
+  #:use-module (gnu packages linux)
  #:use-module (gnu services)
  #:use-module (gnu services base)
+  #:use-module (gnu services opensnitch)
  #:use-module (gnu services security)
  #:use-module (gnu services ssh)
  #:use-module (gnu system)
@@ -28,7 +31,8 @@
  #:use-module (gnu tests)
  #:export (%test-fail2ban-basic
            %test-fail2ban-extension
-            %test-fail2ban-simple))
+            %test-fail2ban-simple
+            %test-opensnitch))


 ;;;
@@ -238,3 +242,85 @@
   (name "fail2ban-extension")
   (description "Test extension fail2ban running capability.")
   (value (run-fail2ban-extension-test))))
+
+
+;;;
+;;; OpenSnitch tests
+;;;
+
+(define (run-opensnitch-test)
+  (define os
+    (marionette-operating-system
+     (simple-operating-system
+      (service opensnitch-service-type)
+      (service static-networking-service-type
+               (list %qemu-static-networking)))
+     #:imported-modules '((gnu services herd))))
+
+  (define vm
+    (virtual-machine
+     (operating-system os)
+     (port-forwardings '())))
+
+  (define test
+    (with-imported-modules '((gnu build marionette)
+                             (guix build utils))
+      #~(begin
+          (use-modules (srfi srfi-64)
+                       (gnu build marionette))
+
+          (define marionette (make-marionette (list #$vm)))
+
+          (test-runner-current (system-test-runner #$output))
+          (test-begin "opensnitch")
+
+          (test-assert "opensnitch running"
+            (marionette-eval
+             '(begin
+                (use-modules (gnu services herd))
+                (start-service 'opensnitch))
+             marionette))
+
+          (test-assert "opensnitch log file"
+            (marionette-eval
+             '(file-exists? "/var/log/opensnitchd.log")
+             marionette))
+
+          (test-assert "opensnitch rules directory"
+            (marionette-eval
+             '(file-exists? "/etc/opensnitchd/rules")
+             marionette))
+
+          (test-assert "opensnitch process running"
+            (marionette-eval
+             `(zero? (system* ,#$(file-append procps "/bin/pgrep")
+                              "-x" "opensnitchd"))
+             marionette))
+
+          (test-assert "opensnitch running after restart"
+            (marionette-eval
+             '(begin
+                (use-modules (gnu services herd))
+                (restart-service 'opensnitch))
+             marionette))
+
+          (test-assert "opensnitch process running after restart"
+            (marionette-eval
+             `(let loop ((tries 0))
+                (if (zero? (system* ,#$(file-append procps "/bin/pgrep")
+                                    "-x" "opensnitchd"))
+                    #t
+                    (if (< tries 30)
+                        (begin (sleep 1) (loop (+ tries 1)))
+                        #f)))
+             marionette))
+
+          (test-end))))
+
+  (gexp->derivation "opensnitch-test" test))
+
+(define %test-opensnitch
+  (system-test
+   (name "opensnitch")
+   (description "Test OpenSnitch application firewall daemon.")
+   (value (run-opensnitch-test))))