646b892680
Some checks failed
Periodic Merges (6h) / master → staging-nixos (push) Failing after 12m50s
Periodic Merges (6h) / master → staging-next (push) Failing after 12m54s
Periodic Merges (24h) / merge-base(master,staging) → haskell-updates (push) Failing after 11m54s
Periodic Merges (6h) / staging-next → staging (push) Failing after 12m13s
Periodic Merges (24h) / staging-next-25.05 → staging-25.05 (push) Failing after 13m24s
Periodic Merges (24h) / release-25.05 → staging-next-25.05 (push) Failing after 14m28s
36 lines
905 B
Nix
36 lines
905 B
Nix
{
|
|
runCommand,
|
|
closureInfo,
|
|
lib,
|
|
}:
|
|
{
|
|
# The store path of the derivation is given in $path
|
|
additionalRules ? [ ],
|
|
# TODO: factorize here some other common paths
|
|
# that may emerge from use cases.
|
|
baseRules ? [
|
|
"r $path"
|
|
"r $path/etc/**"
|
|
"mr $path/share/**"
|
|
# Note that not all libraries are prefixed with "lib",
|
|
# eg. glibc-2.30/lib/ld-2.30.so
|
|
"mr $path/lib/**.so*"
|
|
"mr $path/lib64/**.so*"
|
|
# eg. glibc-2.30/lib/gconv/gconv-modules
|
|
"r $path/lib/**"
|
|
"r $path/lib64/**"
|
|
# Internal executables
|
|
"ixr $path/libexec/**"
|
|
],
|
|
name ? "",
|
|
}:
|
|
rootPaths:
|
|
runCommand ("apparmor-closure-rules" + lib.optionalString (name != "") "-${name}") { } ''
|
|
touch $out
|
|
while read -r path
|
|
do printf >>$out "%s,\n" ${
|
|
lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)
|
|
}
|
|
done <${closureInfo { inherit rootPaths; }}/store-paths
|
|
''
|