pyrox.dev / nixpkgs
lol
fork atom

nixos/tests/apparmor: move to folder, refactor, improve coverage

- nixfmt on apparmor test
- move apparmor test to nixos/tests/apparmor directory
- expected profile contents are now generated in its own file to make the test file less confusing and hard to maintain
- enforce/complain is now being tested via diff of expected against aa-status
- path is now tested against diff+file checking symlink target of /etc/static/apparmor.d/<name>
- profile is now checked by diff of /etc/static/apparmor.d/<name> against original string added in nix config
- test still successfully passes
- added test for confined hello to succeed
- added test for confined hexdump on denied path to fail

Grimmauld b27f064b e87b9b1f

options
unified split
Changed files
+202 -119
nixos
tests
all-tests.nix
apparmor
default.nix
makeExpectedPolicies.nix
sl_profile
apparmor.nix
+1 -1
nixos/tests/all-tests.nix 
···

       
131

       
131

       
 

       
  apfs = runTest ./apfs.nix;


     

       
132

       
132

       
 

       
  appliance-repart-image = runTest ./appliance-repart-image.nix;


     

       
133

       
133

       
 

       
  appliance-repart-image-verity-store = runTest ./appliance-repart-image-verity-store.nix;


     

       
134

       

       
-

       
  apparmor = handleTest ./apparmor.nix {};


     

       

       
134

       
+

       
  apparmor = handleTest ./apparmor {};


     

       
135

       
135

       
 

       
  archi = handleTest ./archi.nix {};


     

       
136

       
136

       
 

       
  aria2 = handleTest ./aria2.nix {};


     

       
137

       
137

       
 

       
  armagetronad = handleTest ./armagetronad.nix {};
-118
nixos/tests/apparmor.nix 
···

       
1

       

       
-

       
import ./make-test-python.nix (


     

       
2

       

       
-

       
  { pkgs, lib, ... }:


     

       
3

       

       
-

       
  {


     

       
4

       

       
-

       
    name = "apparmor";


     

       
5

       

       
-

       
    meta.maintainers = with lib.maintainers; [


     

       
6

       

       
-

       
      julm


     

       
7

       

       
-

       
      grimmauld


     

       
8

       

       
-

       
    ];


     

       
9

       

       
-

       



     

       
10

       

       
-

       
    nodes.machine =


     

       
11

       

       
-

       
      {


     

       
12

       

       
-

       
        lib,


     

       
13

       

       
-

       
        pkgs,


     

       
14

       

       
-

       
        config,


     

       
15

       

       
-

       
        ...


     

       
16

       

       
-

       
      }:


     

       
17

       

       
-

       
      {


     

       
18

       

       
-

       
        security.apparmor.enable = lib.mkDefault true;


     

       
19

       

       
-

       
      };


     

       
20

       

       
-

       



     

       
21

       

       
-

       
    testScript = ''


     

       
22

       

       
-

       
      machine.wait_for_unit("multi-user.target")


     

       
23

       

       
-

       



     

       
24

       

       
-

       
      with subtest("AppArmor profiles are loaded"):


     

       
25

       

       
-

       
          machine.succeed("systemctl status apparmor.service")


     

       
26

       

       
-

       



     

       
27

       

       
-

       
      # AppArmor securityfs


     

       
28

       

       
-

       
      with subtest("AppArmor securityfs is mounted"):


     

       
29

       

       
-

       
          machine.succeed("mountpoint -q /sys/kernel/security")


     

       
30

       

       
-

       
          machine.succeed("cat /sys/kernel/security/apparmor/profiles")


     

       
31

       

       
-

       



     

       
32

       

       
-

       
      # Test apparmorRulesFromClosure by:


     

       
33

       

       
-

       
      # 1. Prepending a string of the relevant packages' name and version on each line.


     

       
34

       

       
-

       
      # 2. Sorting according to those strings.


     

       
35

       

       
-

       
      # 3. Removing those prepended strings.


     

       
36

       

       
-

       
      # 4. Using `diff` against the expected output.


     

       
37

       

       
-

       
      with subtest("apparmorRulesFromClosure"):


     

       
38

       

       
-

       
          machine.succeed(


     

       
39

       

       
-

       
              "${pkgs.diffutils}/bin/diff -u ${pkgs.writeText "expected.rules" ''


     

       
40

       

       
-

       
                ixr ${pkgs.bash}/libexec/**,


     

       
41

       

       
-

       
                mr ${pkgs.bash}/lib/**.so*,


     

       
42

       

       
-

       
                mr ${pkgs.bash}/lib64/**.so*,


     

       
43

       

       
-

       
                mr ${pkgs.bash}/share/**,


     

       
44

       

       
-

       
                r ${pkgs.bash},


     

       
45

       

       
-

       
                r ${pkgs.bash}/etc/**,


     

       
46

       

       
-

       
                r ${pkgs.bash}/lib/**,


     

       
47

       

       
-

       
                r ${pkgs.bash}/lib64/**,


     

       
48

       

       
-

       
                x ${pkgs.bash}/foo/**,


     

       
49

       

       
-

       
                ixr ${pkgs.glibc}/libexec/**,


     

       
50

       

       
-

       
                mr ${pkgs.glibc}/lib/**.so*,


     

       
51

       

       
-

       
                mr ${pkgs.glibc}/lib64/**.so*,


     

       
52

       

       
-

       
                mr ${pkgs.glibc}/share/**,


     

       
53

       

       
-

       
                r ${pkgs.glibc},


     

       
54

       

       
-

       
                r ${pkgs.glibc}/etc/**,


     

       
55

       

       
-

       
                r ${pkgs.glibc}/lib/**,


     

       
56

       

       
-

       
                r ${pkgs.glibc}/lib64/**,


     

       
57

       

       
-

       
                x ${pkgs.glibc}/foo/**,


     

       
58

       

       
-

       
                ixr ${pkgs.libcap}/libexec/**,


     

       
59

       

       
-

       
                mr ${pkgs.libcap}/lib/**.so*,


     

       
60

       

       
-

       
                mr ${pkgs.libcap}/lib64/**.so*,


     

       
61

       

       
-

       
                mr ${pkgs.libcap}/share/**,


     

       
62

       

       
-

       
                r ${pkgs.libcap},


     

       
63

       

       
-

       
                r ${pkgs.libcap}/etc/**,


     

       
64

       

       
-

       
                r ${pkgs.libcap}/lib/**,


     

       
65

       

       
-

       
                r ${pkgs.libcap}/lib64/**,


     

       
66

       

       
-

       
                x ${pkgs.libcap}/foo/**,


     

       
67

       

       
-

       
                ixr ${pkgs.libcap.lib}/libexec/**,


     

       
68

       

       
-

       
                mr ${pkgs.libcap.lib}/lib/**.so*,


     

       
69

       

       
-

       
                mr ${pkgs.libcap.lib}/lib64/**.so*,


     

       
70

       

       
-

       
                mr ${pkgs.libcap.lib}/share/**,


     

       
71

       

       
-

       
                r ${pkgs.libcap.lib},


     

       
72

       

       
-

       
                r ${pkgs.libcap.lib}/etc/**,


     

       
73

       

       
-

       
                r ${pkgs.libcap.lib}/lib/**,


     

       
74

       

       
-

       
                r ${pkgs.libcap.lib}/lib64/**,


     

       
75

       

       
-

       
                x ${pkgs.libcap.lib}/foo/**,


     

       
76

       

       
-

       
                ixr ${pkgs.libidn2.out}/libexec/**,


     

       
77

       

       
-

       
                mr ${pkgs.libidn2.out}/lib/**.so*,


     

       
78

       

       
-

       
                mr ${pkgs.libidn2.out}/lib64/**.so*,


     

       
79

       

       
-

       
                mr ${pkgs.libidn2.out}/share/**,


     

       
80

       

       
-

       
                r ${pkgs.libidn2.out},


     

       
81

       

       
-

       
                r ${pkgs.libidn2.out}/etc/**,


     

       
82

       

       
-

       
                r ${pkgs.libidn2.out}/lib/**,


     

       
83

       

       
-

       
                r ${pkgs.libidn2.out}/lib64/**,


     

       
84

       

       
-

       
                x ${pkgs.libidn2.out}/foo/**,


     

       
85

       

       
-

       
                ixr ${pkgs.libunistring}/libexec/**,


     

       
86

       

       
-

       
                mr ${pkgs.libunistring}/lib/**.so*,


     

       
87

       

       
-

       
                mr ${pkgs.libunistring}/lib64/**.so*,


     

       
88

       

       
-

       
                mr ${pkgs.libunistring}/share/**,


     

       
89

       

       
-

       
                r ${pkgs.libunistring},


     

       
90

       

       
-

       
                r ${pkgs.libunistring}/etc/**,


     

       
91

       

       
-

       
                r ${pkgs.libunistring}/lib/**,


     

       
92

       

       
-

       
                r ${pkgs.libunistring}/lib64/**,


     

       
93

       

       
-

       
                x ${pkgs.libunistring}/foo/**,


     

       
94

       

       
-

       
                ixr ${pkgs.glibc.libgcc}/libexec/**,


     

       
95

       

       
-

       
                mr ${pkgs.glibc.libgcc}/lib/**.so*,


     

       
96

       

       
-

       
                mr ${pkgs.glibc.libgcc}/lib64/**.so*,


     

       
97

       

       
-

       
                mr ${pkgs.glibc.libgcc}/share/**,


     

       
98

       

       
-

       
                r ${pkgs.glibc.libgcc},


     

       
99

       

       
-

       
                r ${pkgs.glibc.libgcc}/etc/**,


     

       
100

       

       
-

       
                r ${pkgs.glibc.libgcc}/lib/**,


     

       
101

       

       
-

       
                r ${pkgs.glibc.libgcc}/lib64/**,


     

       
102

       

       
-

       
                x ${pkgs.glibc.libgcc}/foo/**,


     

       
103

       

       
-

       
              ''} ${


     

       
104

       

       
-

       
                pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''


     

       
105

       

       
-

       
                  ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${


     

       
106

       

       
-

       
                    pkgs.apparmorRulesFromClosure {


     

       
107

       

       
-

       
                      name = "ping";


     

       
108

       

       
-

       
                      additionalRules = [ "x $path/foo/**" ];


     

       
109

       

       
-

       
                    } [ pkgs.libcap ]


     

       
110

       

       
-

       
                  } |


     

       
111

       

       
-

       
                  ${pkgs.coreutils}/bin/sort -n -k1 |


     

       
112

       

       
-

       
                  ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out


     

       
113

       

       
-

       
                ''


     

       
114

       

       
-

       
              }"


     

       
115

       

       
-

       
          )


     

       
116

       

       
-

       
    '';


     

       
117

       

       
-

       
  }


     

       
118

       

       
-

       
)
+130
nixos/tests/apparmor/default.nix 
···

       

       
1

       
+

       
import ../make-test-python.nix (


     

       

       
2

       
+

       
  { pkgs, lib, ... }:


     

       

       
3

       
+

       
  let


     

       

       
4

       
+

       
    helloProfileContents = ''


     

       

       
5

       
+

       
      abi <abi/4.0>,


     

       

       
6

       
+

       
      include <tunables/global>


     

       

       
7

       
+

       
      profile hello ${lib.getExe pkgs.hello} {


     

       

       
8

       
+

       
        include <abstractions/base>


     

       

       
9

       
+

       
      }


     

       

       
10

       
+

       
    '';


     

       

       
11

       
+

       
  in


     

       

       
12

       
+

       
  {


     

       

       
13

       
+

       
    name = "apparmor";


     

       

       
14

       
+

       
    meta.maintainers = with lib.maintainers; [


     

       

       
15

       
+

       
      julm


     

       

       
16

       
+

       
      grimmauld


     

       

       
17

       
+

       
    ];


     

       

       
18

       
+

       



     

       

       
19

       
+

       
    nodes.machine =


     

       

       
20

       
+

       
      {


     

       

       
21

       
+

       
        lib,


     

       

       
22

       
+

       
        pkgs,


     

       

       
23

       
+

       
        config,


     

       

       
24

       
+

       
        ...


     

       

       
25

       
+

       
      }:


     

       

       
26

       
+

       
      {


     

       

       
27

       
+

       
        security.apparmor = {


     

       

       
28

       
+

       
          enable = lib.mkDefault true;


     

       

       
29

       
+

       



     

       

       
30

       
+

       
          policies.hello = {


     

       

       
31

       
+

       
            # test profile enforce and content definition


     

       

       
32

       
+

       
            state = "enforce";


     

       

       
33

       
+

       
            profile = helloProfileContents;


     

       

       
34

       
+

       
          };


     

       

       
35

       
+

       



     

       

       
36

       
+

       
          policies.sl = {


     

       

       
37

       
+

       
            # test profile complain and path definition


     

       

       
38

       
+

       
            state = "complain";


     

       

       
39

       
+

       
            path = ./sl_profile;


     

       

       
40

       
+

       
          };


     

       

       
41

       
+

       



     

       

       
42

       
+

       
          policies.hexdump = {


     

       

       
43

       
+

       
            # test profile complain and path definition


     

       

       
44

       
+

       
            state = "enforce";


     

       

       
45

       
+

       
            profile = ''


     

       

       
46

       
+

       
              abi <abi/4.0>,


     

       

       
47

       
+

       
              include <tunables/global>


     

       

       
48

       
+

       
              profile hexdump /nix/store/*/bin/hexdump {


     

       

       
49

       
+

       
                include <abstractions/base>


     

       

       
50

       
+

       
                deny /tmp/** r,


     

       

       
51

       
+

       
              }


     

       

       
52

       
+

       
            '';


     

       

       
53

       
+

       
          };


     

       

       
54

       
+

       



     

       

       
55

       
+

       
          includes."abstractions/base" = ''


     

       

       
56

       
+

       
            /nix/store/*/bin/** mr,


     

       

       
57

       
+

       
            /nix/store/*/lib/** mr,


     

       

       
58

       
+

       
            /nix/store/** r,


     

       

       
59

       
+

       
          '';


     

       

       
60

       
+

       
        };


     

       

       
61

       
+

       
      };


     

       

       
62

       
+

       



     

       

       
63

       
+

       
    testScript =


     

       

       
64

       
+

       
      let


     

       

       
65

       
+

       
        inherit (lib) getExe getExe';


     

       

       
66

       
+

       
      in


     

       

       
67

       
+

       
      ''


     

       

       
68

       
+

       
        machine.wait_for_unit("multi-user.target")


     

       

       
69

       
+

       



     

       

       
70

       
+

       
        with subtest("AppArmor profiles are loaded"):


     

       

       
71

       
+

       
            machine.succeed("systemctl status apparmor.service")


     

       

       
72

       
+

       



     

       

       
73

       
+

       
        # AppArmor securityfs


     

       

       
74

       
+

       
        with subtest("AppArmor securityfs is mounted"):


     

       

       
75

       
+

       
            machine.succeed("mountpoint -q /sys/kernel/security")


     

       

       
76

       
+

       
            machine.succeed("cat /sys/kernel/security/apparmor/profiles")


     

       

       
77

       
+

       



     

       

       
78

       
+

       
        # Test apparmorRulesFromClosure by:


     

       

       
79

       
+

       
        # 1. Prepending a string of the relevant packages' name and version on each line.


     

       

       
80

       
+

       
        # 2. Sorting according to those strings.


     

       

       
81

       
+

       
        # 3. Removing those prepended strings.


     

       

       
82

       
+

       
        # 4. Using `diff` against the expected output.


     

       

       
83

       
+

       
        with subtest("apparmorRulesFromClosure"):


     

       

       
84

       
+

       
            machine.succeed(


     

       

       
85

       
+

       
                "${getExe' pkgs.diffutils "diff"} -u ${


     

       

       
86

       
+

       
                  pkgs.writeText "expected.rules" (import ./makeExpectedPolicies.nix { inherit pkgs; })


     

       

       
87

       
+

       
                } ${


     

       

       
88

       
+

       
                  pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''


     

       

       
89

       
+

       
                    ${getExe pkgs.gnused} -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${


     

       

       
90

       
+

       
                      pkgs.apparmorRulesFromClosure {


     

       

       
91

       
+

       
                        name = "ping";


     

       

       
92

       
+

       
                        additionalRules = [ "x $path/foo/**" ];


     

       

       
93

       
+

       
                      } [ pkgs.libcap ]


     

       

       
94

       
+

       
                    } |


     

       

       
95

       
+

       
                    ${getExe' pkgs.coreutils "sort"} -n -k1 |


     

       

       
96

       
+

       
                    ${getExe pkgs.gnused} -e 's:^[^ ]* ::' >$out


     

       

       
97

       
+

       
                  ''


     

       

       
98

       
+

       
                }"


     

       

       
99

       
+

       
            )


     

       

       
100

       
+

       



     

       

       
101

       
+

       
        # Test apparmor profile states by using `diff` against `aa-status`


     

       

       
102

       
+

       
        with subtest("apparmorProfileStates"):


     

       

       
103

       
+

       
            machine.succeed("${getExe' pkgs.diffutils "diff"} -u \


     

       

       
104

       
+

       
              <(${getExe' pkgs.apparmor-bin-utils "aa-status"} --json | ${getExe pkgs.jq} --sort-keys . ) \


     

       

       
105

       
+

       
              <(${getExe pkgs.jq} --sort-keys . ${


     

       

       
106

       
+

       
                pkgs.writers.writeJSON "expectedStates.json" {


     

       

       
107

       
+

       
                  version = "2";


     

       

       
108

       
+

       
                  processes = { };


     

       

       
109

       
+

       
                  profiles = {


     

       

       
110

       
+

       
                    hexdump = "enforce";


     

       

       
111

       
+

       
                    hello = "enforce";


     

       

       
112

       
+

       
                    sl = "complain";


     

       

       
113

       
+

       
                  };


     

       

       
114

       
+

       
                }


     

       

       
115

       
+

       
              })")


     

       

       
116

       
+

       



     

       

       
117

       
+

       
        # Test apparmor profile files in /etc/apparmor.d/<name> to be either a correct symlink (sl) or have the right file contents (hello)


     

       

       
118

       
+

       
        with subtest("apparmorProfileTargets"):


     

       

       
119

       
+

       
            machine.succeed("${getExe' pkgs.diffutils "diff"} -u <(${getExe pkgs.file} /etc/static/apparmor.d/sl) ${pkgs.writeText "expected.link" ''


     

       

       
120

       
+

       
              /etc/static/apparmor.d/sl: symbolic link to ${./sl_profile}


     

       

       
121

       
+

       
            ''}")


     

       

       
122

       
+

       
            machine.succeed("${getExe' pkgs.diffutils "diff"} -u /etc/static/apparmor.d/hello ${pkgs.writeText "expected.content" helloProfileContents}")


     

       

       
123

       
+

       



     

       

       
124

       
+

       



     

       

       
125

       
+

       
        with subtest("apparmorProfileEnforce"):


     

       

       
126

       
+

       
            machine.succeed("${getExe pkgs.hello} 1> /tmp/test-file")


     

       

       
127

       
+

       
            machine.fail("${lib.getExe' pkgs.util-linux "hexdump"} /tmp/test-file") # no access to /tmp/test-file granted by apparmor


     

       

       
128

       
+

       
      '';


     

       

       
129

       
+

       
  }


     

       

       
130

       
+

       
)
+66
nixos/tests/apparmor/makeExpectedPolicies.nix 
···

       

       
1

       
+

       
{ pkgs }:


     

       

       
2

       
+

       
''


     

       

       
3

       
+

       
  ixr ${pkgs.bash}/libexec/**,


     

       

       
4

       
+

       
  mr ${pkgs.bash}/lib/**.so*,


     

       

       
5

       
+

       
  mr ${pkgs.bash}/lib64/**.so*,


     

       

       
6

       
+

       
  mr ${pkgs.bash}/share/**,


     

       

       
7

       
+

       
  r ${pkgs.bash},


     

       

       
8

       
+

       
  r ${pkgs.bash}/etc/**,


     

       

       
9

       
+

       
  r ${pkgs.bash}/lib/**,


     

       

       
10

       
+

       
  r ${pkgs.bash}/lib64/**,


     

       

       
11

       
+

       
  x ${pkgs.bash}/foo/**,


     

       

       
12

       
+

       
  ixr ${pkgs.glibc}/libexec/**,


     

       

       
13

       
+

       
  mr ${pkgs.glibc}/lib/**.so*,


     

       

       
14

       
+

       
  mr ${pkgs.glibc}/lib64/**.so*,


     

       

       
15

       
+

       
  mr ${pkgs.glibc}/share/**,


     

       

       
16

       
+

       
  r ${pkgs.glibc},


     

       

       
17

       
+

       
  r ${pkgs.glibc}/etc/**,


     

       

       
18

       
+

       
  r ${pkgs.glibc}/lib/**,


     

       

       
19

       
+

       
  r ${pkgs.glibc}/lib64/**,


     

       

       
20

       
+

       
  x ${pkgs.glibc}/foo/**,


     

       

       
21

       
+

       
  ixr ${pkgs.libcap}/libexec/**,


     

       

       
22

       
+

       
  mr ${pkgs.libcap}/lib/**.so*,


     

       

       
23

       
+

       
  mr ${pkgs.libcap}/lib64/**.so*,


     

       

       
24

       
+

       
  mr ${pkgs.libcap}/share/**,


     

       

       
25

       
+

       
  r ${pkgs.libcap},


     

       

       
26

       
+

       
  r ${pkgs.libcap}/etc/**,


     

       

       
27

       
+

       
  r ${pkgs.libcap}/lib/**,


     

       

       
28

       
+

       
  r ${pkgs.libcap}/lib64/**,


     

       

       
29

       
+

       
  x ${pkgs.libcap}/foo/**,


     

       

       
30

       
+

       
  ixr ${pkgs.libcap.lib}/libexec/**,


     

       

       
31

       
+

       
  mr ${pkgs.libcap.lib}/lib/**.so*,


     

       

       
32

       
+

       
  mr ${pkgs.libcap.lib}/lib64/**.so*,


     

       

       
33

       
+

       
  mr ${pkgs.libcap.lib}/share/**,


     

       

       
34

       
+

       
  r ${pkgs.libcap.lib},


     

       

       
35

       
+

       
  r ${pkgs.libcap.lib}/etc/**,


     

       

       
36

       
+

       
  r ${pkgs.libcap.lib}/lib/**,


     

       

       
37

       
+

       
  r ${pkgs.libcap.lib}/lib64/**,


     

       

       
38

       
+

       
  x ${pkgs.libcap.lib}/foo/**,


     

       

       
39

       
+

       
  ixr ${pkgs.libidn2.out}/libexec/**,


     

       

       
40

       
+

       
  mr ${pkgs.libidn2.out}/lib/**.so*,


     

       

       
41

       
+

       
  mr ${pkgs.libidn2.out}/lib64/**.so*,


     

       

       
42

       
+

       
  mr ${pkgs.libidn2.out}/share/**,


     

       

       
43

       
+

       
  r ${pkgs.libidn2.out},


     

       

       
44

       
+

       
  r ${pkgs.libidn2.out}/etc/**,


     

       

       
45

       
+

       
  r ${pkgs.libidn2.out}/lib/**,


     

       

       
46

       
+

       
  r ${pkgs.libidn2.out}/lib64/**,


     

       

       
47

       
+

       
  x ${pkgs.libidn2.out}/foo/**,


     

       

       
48

       
+

       
  ixr ${pkgs.libunistring}/libexec/**,


     

       

       
49

       
+

       
  mr ${pkgs.libunistring}/lib/**.so*,


     

       

       
50

       
+

       
  mr ${pkgs.libunistring}/lib64/**.so*,


     

       

       
51

       
+

       
  mr ${pkgs.libunistring}/share/**,


     

       

       
52

       
+

       
  r ${pkgs.libunistring},


     

       

       
53

       
+

       
  r ${pkgs.libunistring}/etc/**,


     

       

       
54

       
+

       
  r ${pkgs.libunistring}/lib/**,


     

       

       
55

       
+

       
  r ${pkgs.libunistring}/lib64/**,


     

       

       
56

       
+

       
  x ${pkgs.libunistring}/foo/**,


     

       

       
57

       
+

       
  ixr ${pkgs.glibc.libgcc}/libexec/**,


     

       

       
58

       
+

       
  mr ${pkgs.glibc.libgcc}/lib/**.so*,


     

       

       
59

       
+

       
  mr ${pkgs.glibc.libgcc}/lib64/**.so*,


     

       

       
60

       
+

       
  mr ${pkgs.glibc.libgcc}/share/**,


     

       

       
61

       
+

       
  r ${pkgs.glibc.libgcc},


     

       

       
62

       
+

       
  r ${pkgs.glibc.libgcc}/etc/**,


     

       

       
63

       
+

       
  r ${pkgs.glibc.libgcc}/lib/**,


     

       

       
64

       
+

       
  r ${pkgs.glibc.libgcc}/lib64/**,


     

       

       
65

       
+

       
  x ${pkgs.glibc.libgcc}/foo/**,


     

       

       
66

       
+

       
''
+5
nixos/tests/apparmor/sl_profile 
···

       

       
1

       
+

       
abi <abi/4.0>,


     

       

       
2

       
+

       
include <tunables/global>


     

       

       
3

       
+

       
profile sl /bin/sl {


     

       

       
4

       
+

       
  include <abstractions/base>


     

       

       
5

       
+

       
}