What is pkgs.apparmorRulesFromClosure?

I see there are many references to pkgs.apparmorRulesFromClosure in AppArmor profiles. Can anybody tell me about these rules? I couldn’t find any documentation.

apparmorRulesFromClosure generates a file containing rules necessary to run a given derivation.

You use it like this:

pkgs.apparmorRulesFromClosure {name = "name";} [pkgs.name];

For example, here is my policy for the dig package (no, this is not from nixpkgs):

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = ${lib.getExe pkgs.dig}
profile dig @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>

  include "${pkgs.apparmorRulesFromClosure {name = "dig";} [pkgs.dig]}"

  capability dac_override,
  capability dac_read_search,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} mr,

  owner @{HOME}/.digrc          r,
  owner @{HOME}/batch_mode.dig  r,
  owner @{HOME}/tsig.key        r,

  /tmp/batch_mode.dig       r,

  owner @{PROC}/@{pids}/task/@{tid}/comm rw,
}

On the line that calls apparmorRulesFromClosure, it inlines a reference to a file in the Nix store with the following content.

/nix/store/0ydfciyip85mra9cgxz9pg9a5am1igw7-apparmor-closure-rules-dig
r /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12,
r /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12/etc/**,
r /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12/share/**,
mr /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12/lib/**.so*,
r /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12/lib/**,
r /nix/store/3xpj9qm4d01xnrwkmalwiwdykganq845-bind-9.18.21,
r /nix/store/3xpj9qm4d01xnrwkmalwiwdykganq845-bind-9.18.21/etc/**,
r /nix/store/3xpj9qm4d01xnrwkmalwiwdykganq845-bind-9.18.21/share/**,
mr /nix/store/3xpj9qm4d01xnrwkmalwiwdykganq845-bind-9.18.21/lib/**.so*,
r /nix/store/3xpj9qm4d01xnrwkmalwiwdykganq845-bind-9.18.21/lib/**,
r /nix/store/4z9wwg9lgdy30drvizy891zisj2makq4-nghttp2-1.57.0-lib,
r /nix/store/4z9wwg9lgdy30drvizy891zisj2makq4-nghttp2-1.57.0-lib/etc/**,
r /nix/store/4z9wwg9lgdy30drvizy891zisj2makq4-nghttp2-1.57.0-lib/share/**,
mr /nix/store/4z9wwg9lgdy30drvizy891zisj2makq4-nghttp2-1.57.0-lib/lib/**.so*,
r /nix/store/4z9wwg9lgdy30drvizy891zisj2makq4-nghttp2-1.57.0-lib/lib/**,
r /nix/store/4znq11s8j9d29kj2l4qivl5pyhbbzy8q-zlib-1.3,
r /nix/store/4znq11s8j9d29kj2l4qivl5pyhbbzy8q-zlib-1.3/etc/**,
r /nix/store/4znq11s8j9d29kj2l4qivl5pyhbbzy8q-zlib-1.3/share/**,
mr /nix/store/4znq11s8j9d29kj2l4qivl5pyhbbzy8q-zlib-1.3/lib/**.so*,
r /nix/store/4znq11s8j9d29kj2l4qivl5pyhbbzy8q-zlib-1.3/lib/**,
r /nix/store/6cs25bzy29gilhwwv2wwy0pj2pisvcf1-libcap-2.69-lib,
r /nix/store/6cs25bzy29gilhwwv2wwy0pj2pisvcf1-libcap-2.69-lib/etc/**,
r /nix/store/6cs25bzy29gilhwwv2wwy0pj2pisvcf1-libcap-2.69-lib/share/**,
mr /nix/store/6cs25bzy29gilhwwv2wwy0pj2pisvcf1-libcap-2.69-lib/lib/**.so*,
r /nix/store/6cs25bzy29gilhwwv2wwy0pj2pisvcf1-libcap-2.69-lib/lib/**,
r /nix/store/6czin0a2djhmkssv8fjwqzmc3d8w53lz-libxml2-2.12.3-unstable-2023-12-14,
r /nix/store/6czin0a2djhmkssv8fjwqzmc3d8w53lz-libxml2-2.12.3-unstable-2023-12-14/etc/**,
r /nix/store/6czin0a2djhmkssv8fjwqzmc3d8w53lz-libxml2-2.12.3-unstable-2023-12-14/share/**,
mr /nix/store/6czin0a2djhmkssv8fjwqzmc3d8w53lz-libxml2-2.12.3-unstable-2023-12-14/lib/**.so*,
r /nix/store/6czin0a2djhmkssv8fjwqzmc3d8w53lz-libxml2-2.12.3-unstable-2023-12-14/lib/**,
r /nix/store/7jiqcrg061xi5clniy7z5pvkc4jiaqav-glibc-2.38-27,
r /nix/store/7jiqcrg061xi5clniy7z5pvkc4jiaqav-glibc-2.38-27/etc/**,
r /nix/store/7jiqcrg061xi5clniy7z5pvkc4jiaqav-glibc-2.38-27/share/**,
mr /nix/store/7jiqcrg061xi5clniy7z5pvkc4jiaqav-glibc-2.38-27/lib/**.so*,
r /nix/store/7jiqcrg061xi5clniy7z5pvkc4jiaqav-glibc-2.38-27/lib/**,
r /nix/store/81vj0jxlwh20i1w3n99n1zs1a1pz8y1d-bind-9.18.21-lib,
r /nix/store/81vj0jxlwh20i1w3n99n1zs1a1pz8y1d-bind-9.18.21-lib/etc/**,
r /nix/store/81vj0jxlwh20i1w3n99n1zs1a1pz8y1d-bind-9.18.21-lib/share/**,
mr /nix/store/81vj0jxlwh20i1w3n99n1zs1a1pz8y1d-bind-9.18.21-lib/lib/**.so*,
r /nix/store/81vj0jxlwh20i1w3n99n1zs1a1pz8y1d-bind-9.18.21-lib/lib/**,
r /nix/store/bncqz1jnd3mkssg2rbx3qgqy55bi0m7g-xgcc-13.2.0-libgcc,
r /nix/store/bncqz1jnd3mkssg2rbx3qgqy55bi0m7g-xgcc-13.2.0-libgcc/etc/**,
r /nix/store/bncqz1jnd3mkssg2rbx3qgqy55bi0m7g-xgcc-13.2.0-libgcc/share/**,
mr /nix/store/bncqz1jnd3mkssg2rbx3qgqy55bi0m7g-xgcc-13.2.0-libgcc/lib/**.so*,
r /nix/store/bncqz1jnd3mkssg2rbx3qgqy55bi0m7g-xgcc-13.2.0-libgcc/lib/**,
r /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21,
r /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21/etc/**,
r /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21/share/**,
mr /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21/lib/**.so*,
r /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21/lib/**,
r /nix/store/d3jhphmgval3c9hhvmz04qj3qavy8hns-keyutils-1.6.3-lib,
r /nix/store/d3jhphmgval3c9hhvmz04qj3qavy8hns-keyutils-1.6.3-lib/etc/**,
r /nix/store/d3jhphmgval3c9hhvmz04qj3qavy8hns-keyutils-1.6.3-lib/share/**,
mr /nix/store/d3jhphmgval3c9hhvmz04qj3qavy8hns-keyutils-1.6.3-lib/lib/**.so*,
r /nix/store/d3jhphmgval3c9hhvmz04qj3qavy8hns-keyutils-1.6.3-lib/lib/**,
r /nix/store/dxhjc3714nb4jra150jchrk207zzgj6y-bind-9.18.21-dnsutils,
r /nix/store/dxhjc3714nb4jra150jchrk207zzgj6y-bind-9.18.21-dnsutils/etc/**,
r /nix/store/dxhjc3714nb4jra150jchrk207zzgj6y-bind-9.18.21-dnsutils/share/**,
mr /nix/store/dxhjc3714nb4jra150jchrk207zzgj6y-bind-9.18.21-dnsutils/lib/**.so*,
r /nix/store/dxhjc3714nb4jra150jchrk207zzgj6y-bind-9.18.21-dnsutils/lib/**,
r /nix/store/hqa0xrsld8spmnkjnzpbbgd4mznlhavx-jemalloc-5.3.0,
r /nix/store/hqa0xrsld8spmnkjnzpbbgd4mznlhavx-jemalloc-5.3.0/etc/**,
r /nix/store/hqa0xrsld8spmnkjnzpbbgd4mznlhavx-jemalloc-5.3.0/share/**,
mr /nix/store/hqa0xrsld8spmnkjnzpbbgd4mznlhavx-jemalloc-5.3.0/lib/**.so*,
r /nix/store/hqa0xrsld8spmnkjnzpbbgd4mznlhavx-jemalloc-5.3.0/lib/**,
r /nix/store/jqcm3z315k4dx4qqdcvvs3b80fganpbr-libkrb5-1.21.2,
r /nix/store/jqcm3z315k4dx4qqdcvvs3b80fganpbr-libkrb5-1.21.2/etc/**,
r /nix/store/jqcm3z315k4dx4qqdcvvs3b80fganpbr-libkrb5-1.21.2/share/**,
mr /nix/store/jqcm3z315k4dx4qqdcvvs3b80fganpbr-libkrb5-1.21.2/lib/**.so*,
r /nix/store/jqcm3z315k4dx4qqdcvvs3b80fganpbr-libkrb5-1.21.2/lib/**,
r /nix/store/kbsb6s8djydiawgswnm8j5bwn1yxaqb7-gcc-13.2.0-libgcc,
r /nix/store/kbsb6s8djydiawgswnm8j5bwn1yxaqb7-gcc-13.2.0-libgcc/etc/**,
r /nix/store/kbsb6s8djydiawgswnm8j5bwn1yxaqb7-gcc-13.2.0-libgcc/share/**,
mr /nix/store/kbsb6s8djydiawgswnm8j5bwn1yxaqb7-gcc-13.2.0-libgcc/lib/**.so*,
r /nix/store/kbsb6s8djydiawgswnm8j5bwn1yxaqb7-gcc-13.2.0-libgcc/lib/**,
r /nix/store/mgkvalznvc8ik2r9p93445vjbd80ax00-libunistring-1.1,
r /nix/store/mgkvalznvc8ik2r9p93445vjbd80ax00-libunistring-1.1/etc/**,
r /nix/store/mgkvalznvc8ik2r9p93445vjbd80ax00-libunistring-1.1/share/**,
mr /nix/store/mgkvalznvc8ik2r9p93445vjbd80ax00-libunistring-1.1/lib/**.so*,
r /nix/store/mgkvalznvc8ik2r9p93445vjbd80ax00-libunistring-1.1/lib/**,
r /nix/store/np3cndfk53miqg2cilv7vfdxckga665h-gcc-13.2.0-lib,
r /nix/store/np3cndfk53miqg2cilv7vfdxckga665h-gcc-13.2.0-lib/etc/**,
r /nix/store/np3cndfk53miqg2cilv7vfdxckga665h-gcc-13.2.0-lib/share/**,
mr /nix/store/np3cndfk53miqg2cilv7vfdxckga665h-gcc-13.2.0-lib/lib/**.so*,
r /nix/store/np3cndfk53miqg2cilv7vfdxckga665h-gcc-13.2.0-lib/lib/**,
r /nix/store/x3wc0s3165pfcakkbbc22j7k5hndc73k-libidn2-2.3.4,
r /nix/store/x3wc0s3165pfcakkbbc22j7k5hndc73k-libidn2-2.3.4/etc/**,
r /nix/store/x3wc0s3165pfcakkbbc22j7k5hndc73k-libidn2-2.3.4/share/**,
mr /nix/store/x3wc0s3165pfcakkbbc22j7k5hndc73k-libidn2-2.3.4/lib/**.so*,
r /nix/store/x3wc0s3165pfcakkbbc22j7k5hndc73k-libidn2-2.3.4/lib/**,
r /nix/store/xxyz1rbm7x30xrpcm6c3q9in6z8p7w70-libuv-1.47.0,
r /nix/store/xxyz1rbm7x30xrpcm6c3q9in6z8p7w70-libuv-1.47.0/etc/**,
r /nix/store/xxyz1rbm7x30xrpcm6c3q9in6z8p7w70-libuv-1.47.0/share/**,
mr /nix/store/xxyz1rbm7x30xrpcm6c3q9in6z8p7w70-libuv-1.47.0/lib/**.so*,
r /nix/store/xxyz1rbm7x30xrpcm6c3q9in6z8p7w70-libuv-1.47.0/lib/**,

TL;DR: it generates the rules necessary to run a binary that is built by Nix. Now, you will still need additional policies to actually let the program run, but you shouldn’t run into any violations when the binary needs to access some of its dependencies from the Nix store.
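As an added example (not part of the question or the answer above, and not code from nixpkgs): the same dig profile wired into a NixOS configuration through the security.apparmor module, loaded in complain mode first so that any rule still missing shows up as a DENIED line in the kernel log instead of breaking dig. The option names security.apparmor.enable and security.apparmor.policies.<name>.enable/enforce/profile are those of the NixOS AppArmor module; the file, capability and network rules are copied from the answer and are assumed, not verified here, to cover your own dig invocations. It also assumes the abstractions referenced by the include lines are on the AppArmor include path (if they are not, add pkgs.apparmor-profiles to security.apparmor.packages).

```nix
# NixOS module fragment: added example, not from the original post or nixpkgs.
{ config, lib, pkgs, ... }:

{
  security.apparmor = {
    enable = true;

    policies.dig = {
      enable = true;
      # Assumption for development: complain mode. Denials are logged
      # (journalctl -k) but not enforced. Set to true once the log is clean.
      enforce = false;

      profile = ''
        abi <abi/3.0>,

        include <tunables/global>

        @{exec_path} = ${lib.getExe pkgs.dig}
        profile dig @{exec_path} {
          include <abstractions/base>
          include <abstractions/consoles>
          include <abstractions/nameservice-strict>
          include <abstractions/openssl>

          # Read/mmap rules for every store path in the runtime closure of
          # pkgs.dig (glibc, openssl, bind-*-lib, ...). Because the store
          # path of the generated file is interpolated here, the profile is
          # regenerated whenever pkgs.dig or one of its dependencies changes.
          include "${pkgs.apparmorRulesFromClosure { name = "dig"; } [ pkgs.dig ]}"

          capability dac_override,
          capability dac_read_search,

          network inet dgram,
          network inet6 dgram,
          network inet stream,
          network inet6 stream,
          network netlink raw,

          @{exec_path} mr,

          owner @{HOME}/.digrc          r,
          owner @{HOME}/batch_mode.dig  r,
          owner @{HOME}/tsig.key        r,

          /tmp/batch_mode.dig       r,

          owner @{PROC}/@{pids}/task/@{tid}/comm rw,
        }
      '';
    };
  };
}
```

To look at the generated file without rebuilding the system, build the expression on its own and read the result symlink, e.g. nix-build -E 'with import <nixpkgs> {}; apparmorRulesFromClosure { name = "dig"; } [ dig ]' followed by cat result. After nixos-rebuild switch, aa-status should list the dig profile, and journalctl -k lists any apparmor="DENIED" entries while the policy is in complain mode. Two things worth keeping in mind when reading the generated rules: they grant r and mr access to every path in the closure, including packages that dig never needs at run time (bash-5.2 appears in the closure above), so the closure rules are deliberately coarse rather than minimal; and they only cover the Nix store, so anything the program touches outside the store (config files, /tmp, /proc) still has to be written by hand, as the answer's profile does.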