apparmorRulesFromClosure

pkgs.apparmorRulesFromClosure

Functor

include "${apparmorRulesFromClosure { } [ pkgs.hello ]}"


Implementation

The following is the current implementation of this function.

apparmorRulesFromClosure =
    {
      # The store path of the derivation is given in $path
      additionalRules ? [ ],
      # TODO: factorize here some other common paths
      # that may emerge from use cases.
      baseRules ? [
        "r $path"
        "r $path/etc/**"
        "mr $path/share/**"
        # Note that not all libraries are prefixed with "lib",
        # eg. glibc-2.30/lib/ld-2.30.so
        "mr $path/lib/**.so*"
        "mr $path/lib64/**.so*"
        # eg. glibc-2.30/lib/gconv/gconv-modules
        "r $path/lib/**"
        "r $path/lib64/**"
        # Internal executables
        "ixr $path/libexec/**"
      ],
      name ? "",
    }:
    rootPaths:
    runCommand ("apparmor-closure-rules" + lib.optionalString (name != "") "-${name}") { } ''
      touch $out
      while read -r path
      do printf >>$out "%s,\n" ${
        lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)
      }
      done <${closureInfo { inherit rootPaths; }}/store-paths
    '';
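The loop above, replayed as an added example (not nixpkgs code) in plain POSIX sh against a constructed two-path closure, so the rule lines the generated include file contains can be inspected offline; the store paths and the extra `r $path/var/**` rule are placeholders.

```shell
#!/bin/sh
# Added example, not code from nixpkgs: replays the rule expansion done by
# apparmorRulesFromClosure in plain POSIX sh against a constructed closure,
# so the generated include file can be inspected offline.
set -eu

# Rule templates; "$path" is replaced by each store path of the closure.
# The base set mirrors the baseRules default of the Nix function.
base_rules='r $path
r $path/etc/**
mr $path/share/**
mr $path/lib/**.so*
mr $path/lib64/**.so*
r $path/lib/**
r $path/lib64/**
ixr $path/libexec/**'

# apparmor_rules_from_closure STORE_PATHS_FILE [ADDITIONAL_RULES]
# STORE_PATHS_FILE lists one store path per line, like closureInfo's
# store-paths; ADDITIONAL_RULES is an optional newline-separated list of
# extra templates (the additionalRules argument of the Nix function).
apparmor_rules_from_closure() {
  store_paths=$1
  additional=${2:-}
  while read -r path; do
    [ -n "$path" ] || continue
    # Emit every template for this path, each ending in the trailing comma
    # AppArmor rule syntax requires (the Nix version gets the same effect
    # from printf reusing its "%s,\n" format for every argument).
    printf '%s\n' "$base_rules" "$additional" |
      sed "s|[\$]path|$path|g; /^\$/d; s|\$|,|"
  done < "$store_paths"
}

# Constructed two-entry closure (placeholder hashes, not real store paths)
# plus one extra rule letting a package read its own var directory.
demo_rules() {
  tmp=$(mktemp)
  printf '%s\n' \
    '/nix/store/placeholderhash1-hello-2.12.1' \
    '/nix/store/placeholderhash2-glibc-2.38' > "$tmp"
  apparmor_rules_from_closure "$tmp" 'r $path/var/**'
  rm -f "$tmp"
}

demo_rules
```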