query
On this page

pkgs.apparmorRulesFromClosure

apparmorRulesFromClosure

pkgs.apparmorRulesFromClosure

Functor
Docs pulled from | This Revision | 10 minutes ago

include "${apparmorRulesFromClosure { } [ pkgs.hello ]}"

Noogle detected

This is a Functor

Learn about functors

Implementation

The following is the current implementation of this function.

apparmorRulesFromClosure =
    {
      # The store path of the derivation is given in $path
      additionalRules ? [ ],
      # TODO: factorize here some other common paths
      # that may emerge from use cases.
      baseRules ? [
        "r $path"
        "r $path/etc/**"
        "mr $path/share/**"
        # Note that not all libraries are prefixed with "lib",
        # eg. glibc-2.30/lib/ld-2.30.so
        "mr $path/lib/**.so*"
        "mr $path/lib64/**.so*"
        # eg. glibc-2.30/lib/gconv/gconv-modules
        "r $path/lib/**"
        "r $path/lib64/**"
        # Internal executables
        "ixr $path/libexec/**"
      ],
      name ? "",
    }:
    rootPaths:
    runCommand ("apparmor-closure-rules" + lib.optionalString (name != "") "-${name}") { } ''
      touch $out
      while read -r path
      do printf >>$out "%s,\n" ${
        lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)
      }
      done <${closureInfo { inherit rootPaths; }}/store-paths
    '';