apparmorRulesFromClosure generates a file of AppArmor file rules that let a given derivation reach its own runtime closure in the Nix store (the libraries and data files of every dependency it was built against).
You use it like this:
pkgs.apparmorRulesFromClosure {name = "name";} [pkgs.name];
For example, here is my policy for the dig package (no, this is not from nixpkgs; the profile text sits inside a Nix string, which is why it can interpolate ${...} expressions):
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = ${lib.getExe pkgs.dig}
profile dig @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include "${pkgs.apparmorRulesFromClosure {name = "dig";} [pkgs.dig]}"
  capability dac_override,
  capability dac_read_search,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,
  @{exec_path} mr,
  owner @{HOME}/.digrc r,
  owner @{HOME}/batch_mode.dig r,
  owner @{HOME}/tsig.key r,
  /tmp/batch_mode.dig r,
  owner @{PROC}/@{pids}/task/@{tid}/comm rw,
}
The include line that calls apparmorRulesFromClosure evaluates to a Nix store path, so the profile ends up with an absolute include of a generated file. For dig, that file is the following (one group of rules per store path in dig's runtime closure):
/nix/store/0ydfciyip85mra9cgxz9pg9a5am1igw7-apparmor-closure-rules-dig
r /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12,
r /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12/etc/**,
r /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12/share/**,
mr /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12/lib/**.so*,
r /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12/lib/**,
r /nix/store/3xpj9qm4d01xnrwkmalwiwdykganq845-bind-9.18.21,
r /nix/store/3xpj9qm4d01xnrwkmalwiwdykganq845-bind-9.18.21/etc/**,
r /nix/store/3xpj9qm4d01xnrwkmalwiwdykganq845-bind-9.18.21/share/**,
mr /nix/store/3xpj9qm4d01xnrwkmalwiwdykganq845-bind-9.18.21/lib/**.so*,
r /nix/store/3xpj9qm4d01xnrwkmalwiwdykganq845-bind-9.18.21/lib/**,
r /nix/store/4z9wwg9lgdy30drvizy891zisj2makq4-nghttp2-1.57.0-lib,
r /nix/store/4z9wwg9lgdy30drvizy891zisj2makq4-nghttp2-1.57.0-lib/etc/**,
r /nix/store/4z9wwg9lgdy30drvizy891zisj2makq4-nghttp2-1.57.0-lib/share/**,
mr /nix/store/4z9wwg9lgdy30drvizy891zisj2makq4-nghttp2-1.57.0-lib/lib/**.so*,
r /nix/store/4z9wwg9lgdy30drvizy891zisj2makq4-nghttp2-1.57.0-lib/lib/**,
r /nix/store/4znq11s8j9d29kj2l4qivl5pyhbbzy8q-zlib-1.3,
r /nix/store/4znq11s8j9d29kj2l4qivl5pyhbbzy8q-zlib-1.3/etc/**,
r /nix/store/4znq11s8j9d29kj2l4qivl5pyhbbzy8q-zlib-1.3/share/**,
mr /nix/store/4znq11s8j9d29kj2l4qivl5pyhbbzy8q-zlib-1.3/lib/**.so*,
r /nix/store/4znq11s8j9d29kj2l4qivl5pyhbbzy8q-zlib-1.3/lib/**,
r /nix/store/6cs25bzy29gilhwwv2wwy0pj2pisvcf1-libcap-2.69-lib,
r /nix/store/6cs25bzy29gilhwwv2wwy0pj2pisvcf1-libcap-2.69-lib/etc/**,
r /nix/store/6cs25bzy29gilhwwv2wwy0pj2pisvcf1-libcap-2.69-lib/share/**,
mr /nix/store/6cs25bzy29gilhwwv2wwy0pj2pisvcf1-libcap-2.69-lib/lib/**.so*,
r /nix/store/6cs25bzy29gilhwwv2wwy0pj2pisvcf1-libcap-2.69-lib/lib/**,
r /nix/store/6czin0a2djhmkssv8fjwqzmc3d8w53lz-libxml2-2.12.3-unstable-2023-12-14,
r /nix/store/6czin0a2djhmkssv8fjwqzmc3d8w53lz-libxml2-2.12.3-unstable-2023-12-14/etc/**,
r /nix/store/6czin0a2djhmkssv8fjwqzmc3d8w53lz-libxml2-2.12.3-unstable-2023-12-14/share/**,
mr /nix/store/6czin0a2djhmkssv8fjwqzmc3d8w53lz-libxml2-2.12.3-unstable-2023-12-14/lib/**.so*,
r /nix/store/6czin0a2djhmkssv8fjwqzmc3d8w53lz-libxml2-2.12.3-unstable-2023-12-14/lib/**,
r /nix/store/7jiqcrg061xi5clniy7z5pvkc4jiaqav-glibc-2.38-27,
r /nix/store/7jiqcrg061xi5clniy7z5pvkc4jiaqav-glibc-2.38-27/etc/**,
r /nix/store/7jiqcrg061xi5clniy7z5pvkc4jiaqav-glibc-2.38-27/share/**,
mr /nix/store/7jiqcrg061xi5clniy7z5pvkc4jiaqav-glibc-2.38-27/lib/**.so*,
r /nix/store/7jiqcrg061xi5clniy7z5pvkc4jiaqav-glibc-2.38-27/lib/**,
r /nix/store/81vj0jxlwh20i1w3n99n1zs1a1pz8y1d-bind-9.18.21-lib,
r /nix/store/81vj0jxlwh20i1w3n99n1zs1a1pz8y1d-bind-9.18.21-lib/etc/**,
r /nix/store/81vj0jxlwh20i1w3n99n1zs1a1pz8y1d-bind-9.18.21-lib/share/**,
mr /nix/store/81vj0jxlwh20i1w3n99n1zs1a1pz8y1d-bind-9.18.21-lib/lib/**.so*,
r /nix/store/81vj0jxlwh20i1w3n99n1zs1a1pz8y1d-bind-9.18.21-lib/lib/**,
r /nix/store/bncqz1jnd3mkssg2rbx3qgqy55bi0m7g-xgcc-13.2.0-libgcc,
r /nix/store/bncqz1jnd3mkssg2rbx3qgqy55bi0m7g-xgcc-13.2.0-libgcc/etc/**,
r /nix/store/bncqz1jnd3mkssg2rbx3qgqy55bi0m7g-xgcc-13.2.0-libgcc/share/**,
mr /nix/store/bncqz1jnd3mkssg2rbx3qgqy55bi0m7g-xgcc-13.2.0-libgcc/lib/**.so*,
r /nix/store/bncqz1jnd3mkssg2rbx3qgqy55bi0m7g-xgcc-13.2.0-libgcc/lib/**,
r /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21,
r /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21/etc/**,
r /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21/share/**,
mr /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21/lib/**.so*,
r /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21/lib/**,
r /nix/store/d3jhphmgval3c9hhvmz04qj3qavy8hns-keyutils-1.6.3-lib,
r /nix/store/d3jhphmgval3c9hhvmz04qj3qavy8hns-keyutils-1.6.3-lib/etc/**,
r /nix/store/d3jhphmgval3c9hhvmz04qj3qavy8hns-keyutils-1.6.3-lib/share/**,
mr /nix/store/d3jhphmgval3c9hhvmz04qj3qavy8hns-keyutils-1.6.3-lib/lib/**.so*,
r /nix/store/d3jhphmgval3c9hhvmz04qj3qavy8hns-keyutils-1.6.3-lib/lib/**,
r /nix/store/dxhjc3714nb4jra150jchrk207zzgj6y-bind-9.18.21-dnsutils,
r /nix/store/dxhjc3714nb4jra150jchrk207zzgj6y-bind-9.18.21-dnsutils/etc/**,
r /nix/store/dxhjc3714nb4jra150jchrk207zzgj6y-bind-9.18.21-dnsutils/share/**,
mr /nix/store/dxhjc3714nb4jra150jchrk207zzgj6y-bind-9.18.21-dnsutils/lib/**.so*,
r /nix/store/dxhjc3714nb4jra150jchrk207zzgj6y-bind-9.18.21-dnsutils/lib/**,
r /nix/store/hqa0xrsld8spmnkjnzpbbgd4mznlhavx-jemalloc-5.3.0,
r /nix/store/hqa0xrsld8spmnkjnzpbbgd4mznlhavx-jemalloc-5.3.0/etc/**,
r /nix/store/hqa0xrsld8spmnkjnzpbbgd4mznlhavx-jemalloc-5.3.0/share/**,
mr /nix/store/hqa0xrsld8spmnkjnzpbbgd4mznlhavx-jemalloc-5.3.0/lib/**.so*,
r /nix/store/hqa0xrsld8spmnkjnzpbbgd4mznlhavx-jemalloc-5.3.0/lib/**,
r /nix/store/jqcm3z315k4dx4qqdcvvs3b80fganpbr-libkrb5-1.21.2,
r /nix/store/jqcm3z315k4dx4qqdcvvs3b80fganpbr-libkrb5-1.21.2/etc/**,
r /nix/store/jqcm3z315k4dx4qqdcvvs3b80fganpbr-libkrb5-1.21.2/share/**,
mr /nix/store/jqcm3z315k4dx4qqdcvvs3b80fganpbr-libkrb5-1.21.2/lib/**.so*,
r /nix/store/jqcm3z315k4dx4qqdcvvs3b80fganpbr-libkrb5-1.21.2/lib/**,
r /nix/store/kbsb6s8djydiawgswnm8j5bwn1yxaqb7-gcc-13.2.0-libgcc,
r /nix/store/kbsb6s8djydiawgswnm8j5bwn1yxaqb7-gcc-13.2.0-libgcc/etc/**,
r /nix/store/kbsb6s8djydiawgswnm8j5bwn1yxaqb7-gcc-13.2.0-libgcc/share/**,
mr /nix/store/kbsb6s8djydiawgswnm8j5bwn1yxaqb7-gcc-13.2.0-libgcc/lib/**.so*,
r /nix/store/kbsb6s8djydiawgswnm8j5bwn1yxaqb7-gcc-13.2.0-libgcc/lib/**,
r /nix/store/mgkvalznvc8ik2r9p93445vjbd80ax00-libunistring-1.1,
r /nix/store/mgkvalznvc8ik2r9p93445vjbd80ax00-libunistring-1.1/etc/**,
r /nix/store/mgkvalznvc8ik2r9p93445vjbd80ax00-libunistring-1.1/share/**,
mr /nix/store/mgkvalznvc8ik2r9p93445vjbd80ax00-libunistring-1.1/lib/**.so*,
r /nix/store/mgkvalznvc8ik2r9p93445vjbd80ax00-libunistring-1.1/lib/**,
r /nix/store/np3cndfk53miqg2cilv7vfdxckga665h-gcc-13.2.0-lib,
r /nix/store/np3cndfk53miqg2cilv7vfdxckga665h-gcc-13.2.0-lib/etc/**,
r /nix/store/np3cndfk53miqg2cilv7vfdxckga665h-gcc-13.2.0-lib/share/**,
mr /nix/store/np3cndfk53miqg2cilv7vfdxckga665h-gcc-13.2.0-lib/lib/**.so*,
r /nix/store/np3cndfk53miqg2cilv7vfdxckga665h-gcc-13.2.0-lib/lib/**,
r /nix/store/x3wc0s3165pfcakkbbc22j7k5hndc73k-libidn2-2.3.4,
r /nix/store/x3wc0s3165pfcakkbbc22j7k5hndc73k-libidn2-2.3.4/etc/**,
r /nix/store/x3wc0s3165pfcakkbbc22j7k5hndc73k-libidn2-2.3.4/share/**,
mr /nix/store/x3wc0s3165pfcakkbbc22j7k5hndc73k-libidn2-2.3.4/lib/**.so*,
r /nix/store/x3wc0s3165pfcakkbbc22j7k5hndc73k-libidn2-2.3.4/lib/**,
r /nix/store/xxyz1rbm7x30xrpcm6c3q9in6z8p7w70-libuv-1.47.0,
r /nix/store/xxyz1rbm7x30xrpcm6c3q9in6z8p7w70-libuv-1.47.0/etc/**,
r /nix/store/xxyz1rbm7x30xrpcm6c3q9in6z8p7w70-libuv-1.47.0/share/**,
mr /nix/store/xxyz1rbm7x30xrpcm6c3q9in6z8p7w70-libuv-1.47.0/lib/**.so*,
r /nix/store/xxyz1rbm7x30xrpcm6c3q9in6z8p7w70-libuv-1.47.0/lib/**,
TL;DR: it generates the rules a Nix-built binary needs to reach its runtime closure in the Nix store. You will still need additional rules to actually let the program run (the attachment path, capabilities, network, files outside the store), but you should not see any violations when the binary loads shared libraries or reads data files from its dependencies in the Nix store. Note exactly what the generated file grants and what it does not: for every store path in the closure it emits an r rule on the path itself and on everything under etc/, share/ and lib/, plus an mr rule for shared objects under lib/. It grants no write access anywhere and no execute permission on other programs in the closure (bash is in dig's closure above, but nothing in this file lets dig run it), so a program that execs helpers still needs its own ix/Px rules. Because the paths are hashed, the file is tied to the exact build it was computed from; since the profile interpolates the derivation, Nix regenerates both whenever dig or any of its dependencies changes.
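As an added example (not code from this page or from nixpkgs), the following script parses a file in the shape apparmorRulesFromClosure produces and answers "would this access be allowed by the closure rules alone?". It embeds a constructed excerpt using two of the store paths from the listing above (openssl and bash), implements only the subset of AppArmor globbing that the generated file uses (`*`, `**`, `?`; no brace alternation or character classes), and follows the apparmor parser's convention that a `*` or `**` directly after a `/` must match at least one character. The `uncovered` helper is an assumption of mine for checking a rules file against the output of `nix-store -qR`; the fake zlib path fed to it is constructed and does not exist in any store.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the shape apparmorRulesFromClosure emits: two of the
# store paths from the listing above.  Real output has one group per closure path.
CLOSURE_RULES = """\
r /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12,
r /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12/etc/**,
r /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12/share/**,
mr /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12/lib/**.so*,
r /nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12/lib/**,
r /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21,
r /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21/etc/**,
r /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21/share/**,
mr /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21/lib/**.so*,
r /nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21/lib/**,
"""

OPENSSL = "/nix/store/1l3a02nqq5b5v7rhchj89hi7plmbza5r-openssl-3.0.12"
BASH = "/nix/store/cjbyb45nxiqidj95c4k1mh65azn1x896-bash-5.2-p21"
FAKE_ZLIB = "/nix/store/" + "0" * 32 + "-zlib-1.3"  # constructed, not a real store path


@dataclass(frozen=True)
class FileRule:
    perms: frozenset      # e.g. frozenset({"m", "r"})
    pattern: re.Pattern   # compiled from the AppArmor glob


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate the AppArmor glob subset used by the generated file.

    '*' matches within one path component, '**' across components, '?' one
    non-slash character.  A '*' or '**' right after a '/' must match at least
    one character, so '/lib/**' does not match '/lib/' itself.  Braces and
    character classes are not handled (the generated file never uses them).
    """
    out = []
    i = 0
    while i < len(glob):
        c = glob[i]
        after_slash = i == 0 or glob[i - 1] == "/"
        if c == "*" and glob[i + 1 : i + 2] == "*":
            out.append("[^/].*" if after_slash else ".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]+" if after_slash else "[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))


def parse_rules(text: str) -> list:
    """Parse 'PERMS /path,' lines (the permissions-first form the file uses)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perms, path = line.rstrip(",").split(None, 1)
        rules.append(FileRule(frozenset(perms), glob_to_regex(path)))
    return rules


def granted(rules: list, path: str) -> frozenset:
    """AppArmor accumulates the permissions of every rule matching a path."""
    perms = set()
    for rule in rules:
        if rule.pattern.fullmatch(path):
            perms |= rule.perms
    return frozenset(perms)


def allowed(rules: list, path: str, wanted: str) -> bool:
    return set(wanted) <= granted(rules, path)


def uncovered(rules: list, closure: list) -> list:
    """Closure paths (e.g. from `nix-store -qR`) that no rule mentions at all.

    A non-empty result means the rules file and the profile were generated
    from different closures.
    """
    return [p for p in closure if not granted(rules, p)]


if __name__ == "__main__":
    rules = parse_rules(CLOSURE_RULES)
    for path, want in [(OPENSSL + "/lib/libssl.so.3", "mr"),    # library load
                       (OPENSSL + "/etc/ssl/openssl.cnf", "r"), # config read
                       (OPENSSL + "/lib/libssl.so.3", "w"),     # never writable
                       (BASH + "/bin/bash", "r"),               # bin/ is not covered
                       (BASH + "/bin/bash", "ix")]:             # no exec rules at all
        print(f"{want:>2} {path}: {allowed(rules, path, want)}")
    print("uncovered:", uncovered(rules, [OPENSSL, BASH, FAKE_ZLIB]))
```

Running it shows the shape of the guarantee: mmap-and-read of any .so under lib/ and reads under etc/, share/ and lib/ pass, while writes, reads of bin/, and any form of exec are outside what the closure rules grant and must come from the profile proper.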