nixos/clamav: add a test

2025-10-06 13:58:49 +01:00
parent 25a7883585
commit ab9fb88c9d
2 changed files with 46 additions and 0 deletions
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -345,6 +345,7 @@ in
  cinnamon = runTest ./cinnamon.nix;
  cinnamon-wayland = runTest ./cinnamon-wayland.nix;
  cjdns = runTest ./cjdns.nix;
+  clamav = runTest ./clamav.nix;
  clatd = runTest ./clatd.nix;
  clickhouse = import ./clickhouse {
    inherit runTest;
--- a/nixos/tests/clamav.nix
+++ b/nixos/tests/clamav.nix
@@ -0,0 +1,45 @@
+# Test ClamAV.
+
+{ lib, pkgs, ... }:
+{
+  name = "clamav";
+  nodes = {
+    machine = {
+      services.clamav = {
+        daemon.enable = true;
+        clamonacc.enable = true;
+
+        daemon.settings = {
+          OnAccessPrevention = true;
+          OnAccessIncludePath = "/opt";
+        };
+      };
+
+      # Add the definition for our test file.
+      # We cannot download definitions from Internet using freshclam in sandboxed test.
+      systemd.tmpfiles.settings."10-eicar"."/var/lib/clamav/test.hdb".L.argument = "${pkgs.runCommand
+        "test.hdb"
+        { }
+        ''
+          echo CLAMAVTEST > testfile
+          ${lib.getExe' pkgs.clamav "sigtool"} --sha256 testfile > $out
+        ''
+      }";
+
+      # Test using /opt as the ClamAV on-access scanner-protected directory.
+      systemd.tmpfiles.settings."10-testdir"."/opt".d = { };
+    };
+  };
+
+  testScript = ''
+    start_all()
+
+    machine.wait_for_unit("default.target")
+
+    # Write test file into the test directory.
+    # This won't trigger ClamAV as it scans on file open.
+    machine.succeed("echo CLAMAVTEST > /opt/testfile")
+
+    machine.fail("cat /opt/testfile")
+  '';
+}