---
Function {
 argument: Destructured {
  identifier: None,
  arguments: [
   DestructuredArgument {
    identifier: "config",
    default: None,
   },
   DestructuredArgument {
    identifier: "lib",
    default: None,
   },
   DestructuredArgument {
    identifier: "pkgs",
    default: None,
   },
  ],
  ellipsis: true,
 },
 definition: LetIn {
  bindings: [
   Inherit {
    from: Some(
     PropertyAccess {
      expression: Variable {
       identifier: "config",
       position: (4, 12),
      },
      attribute_path: AttributePath {
       parts: [
        Raw {
         content: "security",
         position: (4, 19),
        },
       ],
      },
      default: None,
     },
    ),
    attributes: [
     Raw {
      content: "wrapperDir",
      position: (4, 29),
     },
     Raw {
      content: "wrappers",
      position: (4, 40),
     },
    ],
   },
   Binding {
    from: AttributePath {
     parts: [
      Raw {
       content: "parentWrapperDir",
       position: (6, 3),
      },
     ],
    },
    to: FunctionApplication {
     function: Variable {
      identifier: "dirOf",
      position: (6, 22),
     },
     arguments: [
      Variable {
       identifier: "wrapperDir",
       position: (6, 28),
      },
     ],
    },
   },
   Binding {
    from: AttributePath {
     parts: [
      Raw {
       content: "securityWrapper",
       position: (8, 3),
      },
     ],
    },
    to: FunctionApplication {
     function: PropertyAccess {
      expression: Variable {
       identifier: "pkgs",
       position: (8, 21),
      },
      attribute_path: AttributePath {
       parts: [
        Raw {
         content: "callPackage",
         position: (8, 26),
        },
       ],
      },
      default: None,
     },
     arguments: [
      Path {
       parts: [
        Raw {
         content: "./wrapper.nix",
         position: (8, 38),
        },
       ],
       position: (8, 38),
      },
      Map {
       bindings: [
        Inherit {
         from: None,
         attributes: [
          Raw {
           content: "parentWrapperDir",
           position: (9, 13),
          },
         ],
        },
       ],
       recursive: false,
       position: (8, 52),
      },
     ],
    },
   },
   Binding {
    from: AttributePath {
     parts: [
      Raw {
       content: "fileModeType",
       position: (12, 3),
      },
     ],
    },
    to: LetIn {
     bindings: [
      Binding {
       from: AttributePath {
        parts: [
         Raw {
          content: "symbolic",
          position: (15, 7),
         },
        ],
       },
       to: String {
        parts: [
         Raw {
          content: "[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+",
          position: (15, 19),
         },
        ],
        position: (15, 18),
       },
      },
      Binding {
       from: AttributePath {
        parts: [
         Raw {
          content: "numeric",
          position: (16, 7),
         },
        ],
       },
       to: String {
        parts: [
         Raw {
          content: "[-+=]?[0-7]{0,4}",
          position: (16, 18),
         },
        ],
        position: (16, 17),
       },
      },
      Binding {
       from: AttributePath {
        parts: [
         Raw {
          content: "mode",
          position: (17, 7),
         },
        ],
       },
       to: String {
        parts: [
         Raw {
          content: "((",
          position: (17, 15),
         },
         Expression {
          expression: Variable {
           identifier: "symbolic",
           position: (17, 19),
          },
         },
         Raw {
          content: ")(,",
          position: (17, 28),
         },
         Expression {
          expression: Variable {
           identifier: "symbolic",
           position: (17, 33),
          },
         },
         Raw {
          content: ")*)|(",
          position: (17, 42),
         },
         Expression {
          expression: Variable {
           identifier: "numeric",
           position: (17, 49),
          },
         },
         Raw {
          content: ")",
          position: (17, 57),
         },
        ],
        position: (17, 14),
       },
      },
     ],
     target: BinaryOperation {
      operator: Update,
      operands: [
       FunctionApplication {
        function: PropertyAccess {
         expression: Variable {
          identifier: "lib",
          position: (19, 6),
         },
         attribute_path: AttributePath {
          parts: [
           Raw {
            content: "types",
            position: (19, 10),
           },
           Raw {
            content: "strMatching",
            position: (19, 16),
           },
          ],
         },
         default: None,
        },
        arguments: [
         Variable {
          identifier: "mode",
          position: (19, 28),
         },
        ],
       },
       Map {
        bindings: [
         Binding {
          from: AttributePath {
           parts: [
            Raw {
             content: "description",
             position: (20, 11),
            },
           ],
          },
          to: String {
           parts: [
            Raw {
             content: "file mode string",
             position: (20, 26),
            },
           ],
           position: (20, 25),
          },
         },
        ],
        recursive: false,
        position: (20, 9),
       },
      ],
      position: (20, 6),
     },
     position: (13, 5),
    },
   },
   Binding {
    from: AttributePath {
     parts: [
      Raw {
       content: "wrapperType",
       position: (22, 3),
      },
     ],
    },
    to: FunctionApplication {
     function: PropertyAccess {
      expression: Variable {
       identifier: "lib",
       position: (22, 17),
      },
      attribute_path: AttributePath {
       parts: [
        Raw {
         content: "types",
         position: (22, 21),
        },
        Raw {
         content: "submodule",
         position: (22, 27),
        },
       ],
      },
      default: None,
     },
     arguments: [
      Parentheses {
       expression: Function {
        argument: Destructured {
         identifier: None,
         arguments: [
          DestructuredArgument {
           identifier: "name",
           default: None,
          },
          DestructuredArgument {
           identifier: "config",
           default: None,
          },
         ],
         ellipsis: true,
        },
        definition: Map {
         bindings: [
          Binding {
           from: AttributePath {
            parts: [
             Raw {
              content: "options",
              position: (23, 5),
             },
             Raw {
              content: "source",
              position: (23, 13),
             },
            ],
           },
           to: FunctionApplication {
            function: PropertyAccess {
             expression: Variable {
              identifier: "lib",
              position: (23, 22),
             },
             attribute_path: AttributePath {
              parts: [
               Raw {
                content: "mkOption",
                position: (23, 26),
               },
              ],
             },
             default: None,
            },
            arguments: [
             Map {
              bindings: [
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "type",
                   position: (24, 9),
                  },
                 ],
                },
                to: PropertyAccess {
                 expression: Variable {
                  identifier: "lib",
                  position: (24, 16),
                 },
                 attribute_path: AttributePath {
                  parts: [
                   Raw {
                    content: "types",
                    position: (24, 20),
                   },
                   Raw {
                    content: "path",
                    position: (24, 26),
                   },
                  ],
                 },
                 default: None,
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "description",
                   position: (25, 9),
                  },
                 ],
                },
                to: String {
                 parts: [
                  Raw {
                   content: "The absolute path to the program to be wrapped.",
                   position: (25, 24),
                  },
                 ],
                 position: (25, 23),
                },
               },
              ],
              recursive: false,
              position: (24, 7),
             },
            ],
           },
          },
          Binding {
           from: AttributePath {
            parts: [
             Raw {
              content: "options",
              position: (27, 5),
             },
             Raw {
              content: "program",
              position: (27, 13),
             },
            ],
           },
           to: FunctionApplication {
            function: PropertyAccess {
             expression: Variable {
              identifier: "lib",
              position: (27, 23),
             },
             attribute_path: AttributePath {
              parts: [
               Raw {
                content: "mkOption",
                position: (27, 27),
               },
              ],
             },
             default: None,
            },
            arguments: [
             Map {
              bindings: [
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "type",
                   position: (28, 9),
                  },
                 ],
                },
                to: With {
                 expression: PropertyAccess {
                  expression: Variable {
                   identifier: "lib",
                   position: (28, 21),
                  },
                  attribute_path: AttributePath {
                   parts: [
                    Raw {
                     content: "types",
                     position: (28, 25),
                    },
                   ],
                  },
                  default: None,
                 },
                 target: FunctionApplication {
                  function: Variable {
                   identifier: "nullOr",
                   position: (28, 32),
                  },
                  arguments: [
                   Variable {
                    identifier: "str",
                    position: (28, 39),
                   },
                  ],
                 },
                 position: (28, 16),
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "default",
                   position: (29, 9),
                  },
                 ],
                },
                to: Variable {
                 identifier: "name",
                 position: (29, 19),
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "description",
                   position: (30, 9),
                  },
                 ],
                },
                to: String {
                 parts: [
                  Raw {
                   content: "The name of the wrapper program. Defaults to the attribute name.\n",
                   position: (31, 1),
                  },
                 ],
                 position: (30, 23),
                },
               },
              ],
              recursive: false,
              position: (28, 7),
             },
            ],
           },
          },
          Binding {
           from: AttributePath {
            parts: [
             Raw {
              content: "options",
              position: (34, 5),
             },
             Raw {
              content: "owner",
              position: (34, 13),
             },
            ],
           },
           to: FunctionApplication {
            function: PropertyAccess {
             expression: Variable {
              identifier: "lib",
              position: (34, 21),
             },
             attribute_path: AttributePath {
              parts: [
               Raw {
                content: "mkOption",
                position: (34, 25),
               },
              ],
             },
             default: None,
            },
            arguments: [
             Map {
              bindings: [
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "type",
                   position: (35, 9),
                  },
                 ],
                },
                to: PropertyAccess {
                 expression: Variable {
                  identifier: "lib",
                  position: (35, 16),
                 },
                 attribute_path: AttributePath {
                  parts: [
                   Raw {
                    content: "types",
                    position: (35, 20),
                   },
                   Raw {
                    content: "str",
                    position: (35, 26),
                   },
                  ],
                 },
                 default: None,
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "description",
                   position: (36, 9),
                  },
                 ],
                },
                to: String {
                 parts: [
                  Raw {
                   content: "The owner of the wrapper program.",
                   position: (36, 24),
                  },
                 ],
                 position: (36, 23),
                },
               },
              ],
              recursive: false,
              position: (35, 7),
             },
            ],
           },
          },
          Binding {
           from: AttributePath {
            parts: [
             Raw {
              content: "options",
              position: (38, 5),
             },
             Raw {
              content: "group",
              position: (38, 13),
             },
            ],
           },
           to: FunctionApplication {
            function: PropertyAccess {
             expression: Variable {
              identifier: "lib",
              position: (38, 21),
             },
             attribute_path: AttributePath {
              parts: [
               Raw {
                content: "mkOption",
                position: (38, 25),
               },
              ],
             },
             default: None,
            },
            arguments: [
             Map {
              bindings: [
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "type",
                   position: (39, 9),
                  },
                 ],
                },
                to: PropertyAccess {
                 expression: Variable {
                  identifier: "lib",
                  position: (39, 16),
                 },
                 attribute_path: AttributePath {
                  parts: [
                   Raw {
                    content: "types",
                    position: (39, 20),
                   },
                   Raw {
                    content: "str",
                    position: (39, 26),
                   },
                  ],
                 },
                 default: None,
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "description",
                   position: (40, 9),
                  },
                 ],
                },
                to: String {
                 parts: [
                  Raw {
                   content: "The group of the wrapper program.",
                   position: (40, 24),
                  },
                 ],
                 position: (40, 23),
                },
               },
              ],
              recursive: false,
              position: (39, 7),
             },
            ],
           },
          },
          Binding {
           from: AttributePath {
            parts: [
             Raw {
              content: "options",
              position: (42, 5),
             },
             Raw {
              content: "permissions",
              position: (42, 13),
             },
            ],
           },
           to: FunctionApplication {
            function: PropertyAccess {
             expression: Variable {
              identifier: "lib",
              position: (42, 27),
             },
             attribute_path: AttributePath {
              parts: [
               Raw {
                content: "mkOption",
                position: (42, 31),
               },
              ],
             },
             default: None,
            },
            arguments: [
             Map {
              bindings: [
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "type",
                   position: (43, 9),
                  },
                 ],
                },
                to: Variable {
                 identifier: "fileModeType",
                 position: (43, 16),
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "default",
                   position: (44, 9),
                  },
                 ],
                },
                to: String {
                 parts: [
                  Raw {
                   content: "u+rx,g+x,o+x",
                   position: (44, 21),
                  },
                 ],
                 position: (44, 20),
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "example",
                   position: (45, 9),
                  },
                 ],
                },
                to: String {
                 parts: [
                  Raw {
                   content: "a+rx",
                   position: (45, 20),
                  },
                 ],
                 position: (45, 19),
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "description",
                   position: (46, 9),
                  },
                 ],
                },
                to: String {
                 parts: [
                  Raw {
                   content: "The permissions of the wrapper program. The format is that of a\nsymbolic or numeric file mode understood by <command>chmod</command>.\n",
                   position: (47, 1),
                  },
                 ],
                 position: (46, 23),
                },
               },
              ],
              recursive: false,
              position: (43, 7),
             },
            ],
           },
          },
          Binding {
           from: AttributePath {
            parts: [
             Raw {
              content: "options",
              position: (51, 5),
             },
             Raw {
              content: "capabilities",
              position: (51, 13),
             },
            ],
           },
           to: FunctionApplication {
            function: PropertyAccess {
             expression: Variable {
              identifier: "lib",
              position: (51, 28),
             },
             attribute_path: AttributePath {
              parts: [
               Raw {
                content: "mkOption",
                position: (51, 32),
               },
              ],
             },
             default: None,
            },
            arguments: [
             Map {
              bindings: [
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "type",
                   position: (52, 9),
                  },
                 ],
                },
                to: PropertyAccess {
                 expression: Variable {
                  identifier: "lib",
                  position: (52, 16),
                 },
                 attribute_path: AttributePath {
                  parts: [
                   Raw {
                    content: "types",
                    position: (52, 20),
                   },
                   Raw {
                    content: "commas",
                    position: (52, 26),
                   },
                  ],
                 },
                 default: None,
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "default",
                   position: (53, 9),
                  },
                 ],
                },
                to: String {
                 parts: [],
                 position: (53, 19),
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "description",
                   position: (54, 9),
                  },
                 ],
                },
                to: String {
                 parts: [
                  Raw {
                   content: "A comma-separated list of capabilities to be given to the wrapper\nprogram. For capabilities supported by the system check the\n<citerefentry>\n  <refentrytitle>capabilities</refentrytitle>\n  <manvolnum>7</manvolnum>\n</citerefentry>\nmanual page.\n\n<note><para>\n  <literal>cap_setpcap</literal>, which is required for the wrapper\n  program to be able to raise caps into the Ambient set is NOT raised\n  to the Ambient set so that the real program cannot modify its own\n  capabilities!! This may be too restrictive for cases in which the\n  real program needs cap_setpcap but it at least leans on the side\n  security paranoid vs. too relaxed.\n</para></note>\n",
                   position: (55, 1),
                  },
                 ],
                 position: (54, 23),
                },
               },
              ],
              recursive: false,
              position: (52, 7),
             },
            ],
           },
          },
          Binding {
           from: AttributePath {
            parts: [
             Raw {
              content: "options",
              position: (73, 5),
             },
             Raw {
              content: "setuid",
              position: (73, 13),
             },
            ],
           },
           to: FunctionApplication {
            function: PropertyAccess {
             expression: Variable {
              identifier: "lib",
              position: (73, 22),
             },
             attribute_path: AttributePath {
              parts: [
               Raw {
                content: "mkOption",
                position: (73, 26),
               },
              ],
             },
             default: None,
            },
            arguments: [
             Map {
              bindings: [
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "type",
                   position: (74, 9),
                  },
                 ],
                },
                to: PropertyAccess {
                 expression: Variable {
                  identifier: "lib",
                  position: (74, 16),
                 },
                 attribute_path: AttributePath {
                  parts: [
                   Raw {
                    content: "types",
                    position: (74, 20),
                   },
                   Raw {
                    content: "bool",
                    position: (74, 26),
                   },
                  ],
                 },
                 default: None,
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "default",
                   position: (75, 9),
                  },
                 ],
                },
                to: Variable {
                 identifier: "false",
                 position: (75, 19),
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "description",
                   position: (76, 9),
                  },
                 ],
                },
                to: String {
                 parts: [
                  Raw {
                   content: "Whether to add the setuid bit the wrapper program.",
                   position: (76, 24),
                  },
                 ],
                 position: (76, 23),
                },
               },
              ],
              recursive: false,
              position: (74, 7),
             },
            ],
           },
          },
          Binding {
           from: AttributePath {
            parts: [
             Raw {
              content: "options",
              position: (78, 5),
             },
             Raw {
              content: "setgid",
              position: (78, 13),
             },
            ],
           },
           to: FunctionApplication {
            function: PropertyAccess {
             expression: Variable {
              identifier: "lib",
              position: (78, 22),
             },
             attribute_path: AttributePath {
              parts: [
               Raw {
                content: "mkOption",
                position: (78, 26),
               },
              ],
             },
             default: None,
            },
            arguments: [
             Map {
              bindings: [
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "type",
                   position: (79, 9),
                  },
                 ],
                },
                to: PropertyAccess {
                 expression: Variable {
                  identifier: "lib",
                  position: (79, 16),
                 },
                 attribute_path: AttributePath {
                  parts: [
                   Raw {
                    content: "types",
                    position: (79, 20),
                   },
                   Raw {
                    content: "bool",
                    position: (79, 26),
                   },
                  ],
                 },
                 default: None,
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "default",
                   position: (80, 9),
                  },
                 ],
                },
                to: Variable {
                 identifier: "false",
                 position: (80, 19),
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "description",
                   position: (81, 9),
                  },
                 ],
                },
                to: String {
                 parts: [
                  Raw {
                   content: "Whether to add the setgid bit the wrapper program.",
                   position: (81, 24),
                  },
                 ],
                 position: (81, 23),
                },
               },
              ],
              recursive: false,
              position: (79, 7),
             },
            ],
           },
          },
         ],
         recursive: false,
         position: (22, 61),
        },
        position: (22, 38),
       },
       position: (22, 37),
      },
     ],
    },
   },
   Binding {
    from: AttributePath {
     parts: [
      Raw {
       content: "mkSetcapProgram",
       position: (86, 3),
      },
     ],
    },
    to: Function {
     argument: Destructured {
      identifier: None,
      arguments: [
       DestructuredArgument {
        identifier: "program",
        default: None,
       },
       DestructuredArgument {
        identifier: "capabilities",
        default: None,
       },
       DestructuredArgument {
        identifier: "source",
        default: None,
       },
       DestructuredArgument {
        identifier: "owner",
        default: None,
       },
       DestructuredArgument {
        identifier: "group",
        default: None,
       },
       DestructuredArgument {
        identifier: "permissions",
        default: None,
       },
      ],
      ellipsis: true,
     },
     definition: String {
      parts: [
       Raw {
        content: "cp ",
        position: (96, 1),
       },
       Expression {
        expression: Variable {
         identifier: "securityWrapper",
         position: (96, 12),
        },
       },
       Raw {
        content: "/bin/security-wrapper \"$wrapperDir/",
        position: (96, 28),
       },
       Expression {
        expression: Variable {
         identifier: "program",
         position: (96, 65),
        },
       },
       Raw {
        content: "\"\necho -n \"",
        position: (96, 73),
       },
       Expression {
        expression: Variable {
         identifier: "source",
         position: (97, 18),
        },
       },
       Raw {
        content: "\" > \"$wrapperDir/",
        position: (97, 25),
       },
       Expression {
        expression: Variable {
         identifier: "program",
         position: (97, 44),
        },
       },
       Raw {
        content: ".real\"\n\n# Prevent races\nchmod 0000 \"$wrapperDir/",
        position: (97, 52),
       },
       Expression {
        expression: Variable {
         identifier: "program",
         position: (100, 33),
        },
       },
       Raw {
        content: "\"\nchown ",
        position: (100, 41),
       },
       Expression {
        expression: Variable {
         identifier: "owner",
         position: (101, 15),
        },
       },
       Raw {
        content: ".",
        position: (101, 21),
       },
       Expression {
        expression: Variable {
         identifier: "group",
         position: (101, 24),
        },
       },
       Raw {
        content: " \"$wrapperDir/",
        position: (101, 30),
       },
       Expression {
        expression: Variable {
         identifier: "program",
         position: (101, 46),
        },
       },
       Raw {
        content: "\"\n\n# Set desired capabilities on the file plus cap_setpcap so\n# the wrapper program can elevate the capabilities set on\n# its file into the Ambient set.\n",
        position: (101, 54),
       },
       Expression {
        expression: PropertyAccess {
         expression: Variable {
          identifier: "pkgs",
          position: (106, 9),
         },
         attribute_path: AttributePath {
          parts: [
           Raw {
            content: "libcap",
            position: (106, 14),
           },
           Raw {
            content: "out",
            position: (106, 21),
           },
          ],
         },
         default: None,
        },
       },
       Raw {
        content: "/bin/setcap \"cap_setpcap,",
        position: (106, 25),
       },
       Expression {
        expression: Variable {
         identifier: "capabilities",
         position: (106, 52),
        },
       },
       Raw {
        content: "\" \"$wrapperDir/",
        position: (106, 65),
       },
       Expression {
        expression: Variable {
         identifier: "program",
         position: (106, 82),
        },
       },
       Raw {
        content: "\"\n\n# Set the executable bit\nchmod ",
        position: (106, 90),
       },
       Expression {
        expression: Variable {
         identifier: "permissions",
         position: (109, 15),
        },
       },
       Raw {
        content: " \"$wrapperDir/",
        position: (109, 27),
       },
       Expression {
        expression: Variable {
         identifier: "program",
         position: (109, 43),
        },
       },
       Raw {
        content: "\"\n",
        position: (109, 51),
       },
      ],
      position: (95, 5),
     },
     position: (87, 5),
    },
   },
   Binding {
    from: AttributePath {
     parts: [
      Raw {
       content: "mkSetuidProgram",
       position: (113, 3),
      },
     ],
    },
    to: Function {
     argument: Destructured {
      identifier: None,
      arguments: [
       DestructuredArgument {
        identifier: "program",
        default: None,
       },
       DestructuredArgument {
        identifier: "source",
        default: None,
       },
       DestructuredArgument {
        identifier: "owner",
        default: None,
       },
       DestructuredArgument {
        identifier: "group",
        default: None,
       },
       DestructuredArgument {
        identifier: "setuid",
        default: None,
       },
       DestructuredArgument {
        identifier: "setgid",
        default: None,
       },
       DestructuredArgument {
        identifier: "permissions",
        default: None,
       },
      ],
      ellipsis: true,
     },
     definition: String {
      parts: [
       Raw {
        content: "cp ",
        position: (124, 1),
       },
       Expression {
        expression: Variable {
         identifier: "securityWrapper",
         position: (124, 12),
        },
       },
       Raw {
        content: "/bin/security-wrapper \"$wrapperDir/",
        position: (124, 28),
       },
       Expression {
        expression: Variable {
         identifier: "program",
         position: (124, 65),
        },
       },
       Raw {
        content: "\"\necho -n \"",
        position: (124, 73),
       },
       Expression {
        expression: Variable {
         identifier: "source",
         position: (125, 18),
        },
       },
       Raw {
        content: "\" > \"$wrapperDir/",
        position: (125, 25),
       },
       Expression {
        expression: Variable {
         identifier: "program",
         position: (125, 44),
        },
       },
       Raw {
        content: ".real\"\n\n# Prevent races\nchmod 0000 \"$wrapperDir/",
        position: (125, 52),
       },
       Expression {
        expression: Variable {
         identifier: "program",
         position: (128, 33),
        },
       },
       Raw {
        content: "\"\nchown ",
        position: (128, 41),
       },
       Expression {
        expression: Variable {
         identifier: "owner",
         position: (129, 15),
        },
       },
       Raw {
        content: ".",
        position: (129, 21),
       },
       Expression {
        expression: Variable {
         identifier: "group",
         position: (129, 24),
        },
       },
       Raw {
        content: " \"$wrapperDir/",
        position: (129, 30),
       },
       Expression {
        expression: Variable {
         identifier: "program",
         position: (129, 46),
        },
       },
       Raw {
        content: "\"\n\nchmod \"u",
        position: (129, 54),
       },
       Expression {
        expression: IfThenElse {
         predicate: Variable {
          identifier: "setuid",
          position: (131, 20),
         },
         then: String {
          parts: [
           Raw {
            content: "+",
            position: (131, 33),
           },
          ],
          position: (131, 32),
         },
         else_: String {
          parts: [
           Raw {
            content: "-",
            position: (131, 42),
           },
          ],
          position: (131, 41),
         },
         position: (131, 17),
        },
       },
       Raw {
        content: "s,g",
        position: (131, 45),
       },
       Expression {
        expression: IfThenElse {
         predicate: Variable {
          identifier: "setgid",
          position: (131, 53),
         },
         then: String {
          parts: [
           Raw {
            content: "+",
            position: (131, 66),
           },
          ],
          position: (131, 65),
         },
         else_: String {
          parts: [
           Raw {
            content: "-",
            position: (131, 75),
           },
          ],
          position: (131, 74),
         },
         position: (131, 50),
        },
       },
       Raw {
        content: "s,",
        position: (131, 78),
       },
       Expression {
        expression: Variable {
         identifier: "permissions",
         position: (131, 82),
        },
       },
       Raw {
        content: "\" \"$wrapperDir/",
        position: (131, 94),
       },
       Expression {
        expression: Variable {
         identifier: "program",
         position: (131, 111),
        },
       },
       Raw {
        content: "\"\n",
        position: (131, 119),
       },
      ],
      position: (123, 5),
     },
     position: (114, 5),
    },
   },
   Binding {
    from: AttributePath {
     parts: [
      Raw {
       content: "mkWrappedPrograms",
       position: (134, 3),
      },
     ],
    },
    to: FunctionApplication {
     function: PropertyAccess {
      expression: Variable {
       identifier: "builtins",
       position: (135, 5),
      },
      attribute_path: AttributePath {
       parts: [
        Raw {
         content: "map",
         position: (135, 14),
        },
       ],
      },
      default: None,
     },
     arguments: [
      Parentheses {
       expression: Function {
        argument: Simple {
         identifier: "opts",
        },
        definition: IfThenElse {
         predicate: BinaryOperation {
          operator: NotEqualTo,
          operands: [
           PropertyAccess {
            expression: Variable {
             identifier: "opts",
             position: (137, 12),
            },
            attribute_path: AttributePath {
             parts: [
              Raw {
               content: "capabilities",
               position: (137, 17),
              },
             ],
            },
            default: None,
           },
           String {
            parts: [],
            position: (137, 33),
           },
          ],
          position: (137, 30),
         },
         then: FunctionApplication {
          function: Variable {
           identifier: "mkSetcapProgram",
           position: (138, 14),
          },
          arguments: [
           Variable {
            identifier: "opts",
            position: (138, 30),
           },
          ],
         },
         else_: FunctionApplication {
          function: Variable {
           identifier: "mkSetuidProgram",
           position: (139, 14),
          },
          arguments: [
           Variable {
            identifier: "opts",
            position: (139, 30),
           },
          ],
         },
         position: (137, 9),
        },
        position: (136, 8),
       },
       position: (136, 7),
      },
      Parentheses {
       expression: FunctionApplication {
        function: PropertyAccess {
         expression: Variable {
          identifier: "lib",
          position: (140, 10),
         },
         attribute_path: AttributePath {
          parts: [
           Raw {
            content: "attrValues",
            position: (140, 14),
           },
          ],
         },
         default: None,
        },
        arguments: [
         Variable {
          identifier: "wrappers",
          position: (140, 25),
         },
        ],
       },
       position: (140, 9),
      },
     ],
    },
   },
  ],
  target: Map {
   bindings: [
    Binding {
     from: AttributePath {
      parts: [
       Raw {
        content: "imports",
        position: (143, 3),
       },
      ],
     },
     to: List {
      elements: [
       Parentheses {
        expression: FunctionApplication {
         function: PropertyAccess {
          expression: Variable {
           identifier: "lib",
           position: (144, 6),
          },
          attribute_path: AttributePath {
           parts: [
            Raw {
             content: "mkRemovedOptionModule",
             position: (144, 10),
            },
           ],
          },
          default: None,
         },
         arguments: [
          List {
           elements: [
            String {
             parts: [
              Raw {
               content: "security",
               position: (144, 35),
              },
             ],
             position: (144, 34),
            },
            String {
             parts: [
              Raw {
               content: "setuidOwners",
               position: (144, 46),
              },
             ],
             position: (144, 45),
            },
           ],
           position: (144, 32),
          },
          String {
           parts: [
            Raw {
             content: "Use security.wrappers instead",
             position: (144, 63),
            },
           ],
           position: (144, 62),
          },
         ],
        },
        position: (144, 5),
       },
       Parentheses {
        expression: FunctionApplication {
         function: PropertyAccess {
          expression: Variable {
           identifier: "lib",
           position: (145, 6),
          },
          attribute_path: AttributePath {
           parts: [
            Raw {
             content: "mkRemovedOptionModule",
             position: (145, 10),
            },
           ],
          },
          default: None,
         },
         arguments: [
          List {
           elements: [
            String {
             parts: [
              Raw {
               content: "security",
               position: (145, 35),
              },
             ],
             position: (145, 34),
            },
            String {
             parts: [
              Raw {
               content: "setuidPrograms",
               position: (145, 46),
              },
             ],
             position: (145, 45),
            },
           ],
           position: (145, 32),
          },
          String {
           parts: [
            Raw {
             content: "Use security.wrappers instead",
             position: (145, 65),
            },
           ],
           position: (145, 64),
          },
         ],
        },
        position: (145, 5),
       },
      ],
      position: (143, 13),
     },
    },
    Binding {
     from: AttributePath {
      parts: [
       Raw {
        content: "options",
        position: (150, 3),
       },
      ],
     },
     to: Map {
      bindings: [
       Binding {
        from: AttributePath {
         parts: [
          Raw {
           content: "security",
           position: (151, 5),
          },
          Raw {
           content: "wrappers",
           position: (151, 14),
          },
         ],
        },
        to: FunctionApplication {
         function: PropertyAccess {
          expression: Variable {
           identifier: "lib",
           position: (151, 25),
          },
          attribute_path: AttributePath {
           parts: [
            Raw {
             content: "mkOption",
             position: (151, 29),
            },
           ],
          },
          default: None,
         },
         arguments: [
          Map {
           bindings: [
            Binding {
             from: AttributePath {
              parts: [
               Raw {
                content: "type",
                position: (152, 7),
               },
              ],
             },
             to: FunctionApplication {
              function: PropertyAccess {
               expression: Variable {
                identifier: "lib",
                position: (152, 14),
               },
               attribute_path: AttributePath {
                parts: [
                 Raw {
                  content: "types",
                  position: (152, 18),
                 },
                 Raw {
                  content: "attrsOf",
                  position: (152, 24),
                 },
                ],
               },
               default: None,
              },
              arguments: [
               Variable {
                identifier: "wrapperType",
                position: (152, 32),
               },
              ],
             },
            },
            Binding {
             from: AttributePath {
              parts: [
               Raw {
                content: "default",
                position: (153, 7),
               },
              ],
             },
             to: Map {
              bindings: [],
              recursive: false,
              position: (153, 17),
             },
            },
            Binding {
             from: AttributePath {
              parts: [
               Raw {
                content: "example",
                position: (154, 7),
               },
              ],
             },
             to: FunctionApplication {
              function: PropertyAccess {
               expression: Variable {
                identifier: "lib",
                position: (154, 17),
               },
               attribute_path: AttributePath {
                parts: [
                 Raw {
                  content: "literalExpression",
                  position: (154, 21),
                 },
                ],
               },
               default: None,
              },
              arguments: [
               String {
                parts: [
                 Raw {
                  content: "{\n  # a setuid root program\n  doas =\n    { setuid = true;\n      owner = \"root\";\n      group = \"root\";\n      source = \"",
                  position: (156, 1),
                 },
                 Raw {
                  content: "$",
                  position: (162, 27),
                 },
                 Raw {
                  content: "{pkgs.doas}/bin/doas\";\n    };\n\n  # a setgid program\n  locate =\n    { setgid = true;\n      owner = \"root\";\n      group = \"mlocate\";\n      source = \"",
                  position: (162, 30),
                 },
                 Raw {
                  content: "$",
                  position: (170, 27),
                 },
                 Raw {
                  content: "{pkgs.locate}/bin/locate\";\n    };\n\n  # a program with the CAP_NET_RAW capability\n  ping =\n    { owner = \"root\";\n      group = \"root\";\n      capabilities = \"cap_net_raw+ep\";\n      source = \"",
                  position: (170, 30),
                 },
                 Raw {
                  content: "$",
                  position: (178, 27),
                 },
                 Raw {
                  content: "{pkgs.iputils.out}/bin/ping\";\n    };\n}\n",
                  position: (178, 30),
                 },
                ],
                position: (155, 9),
               },
              ],
             },
            },
            Binding {
             from: AttributePath {
              parts: [
               Raw {
                content: "description",
                position: (182, 7),
               },
              ],
             },
             to: String {
              parts: [
               Raw {
                content: "This option effectively allows adding setuid/setgid bits, capabilities,\nchanging file ownership and permissions of a program without directly\nmodifying it. This works by creating a wrapper program under the\n<option>security.wrapperDir</option> directory, which is then added to\nthe shell <literal>PATH</literal>.\n",
                position: (183, 1),
               },
              ],
              position: (182, 21),
             },
            },
           ],
           recursive: false,
           position: (151, 38),
          },
         ],
        },
       },
       Binding {
        from: AttributePath {
         parts: [
          Raw {
           content: "security",
           position: (191, 5),
          },
          Raw {
           content: "wrapperDir",
           position: (191, 14),
          },
         ],
        },
        to: FunctionApplication {
         function: PropertyAccess {
          expression: Variable {
           identifier: "lib",
           position: (191, 27),
          },
          attribute_path: AttributePath {
           parts: [
            Raw {
             content: "mkOption",
             position: (191, 31),
            },
           ],
          },
          default: None,
         },
         arguments: [
          Map {
           bindings: [
            Binding {
             from: AttributePath {
              parts: [
               Raw {
                content: "type",
                position: (192, 7),
               },
              ],
             },
             to: PropertyAccess {
              expression: Variable {
               identifier: "lib",
               position: (192, 21),
              },
              attribute_path: AttributePath {
               parts: [
                Raw {
                 content: "types",
                 position: (192, 25),
                },
                Raw {
                 content: "path",
                 position: (192, 31),
                },
               ],
              },
              default: None,
             },
            },
            Binding {
             from: AttributePath {
              parts: [
               Raw {
                content: "default",
                position: (193, 7),
               },
              ],
             },
             to: String {
              parts: [
               Raw {
                content: "/run/wrappers/bin",
                position: (193, 22),
               },
              ],
              position: (193, 21),
             },
            },
            Binding {
             from: AttributePath {
              parts: [
               Raw {
                content: "internal",
                position: (194, 7),
               },
              ],
             },
             to: Variable {
              identifier: "true",
              position: (194, 21),
             },
            },
            Binding {
             from: AttributePath {
              parts: [
               Raw {
                content: "description",
                position: (195, 7),
               },
              ],
             },
             to: String {
              parts: [
               Raw {
                content: "This option defines the path to the wrapper programs. It\nshould not be overriden.\n",
                position: (196, 1),
               },
              ],
              position: (195, 21),
             },
            },
           ],
           recursive: false,
           position: (191, 40),
          },
         ],
        },
       },
      ],
      recursive: false,
      position: (150, 13),
     },
    },
    Binding {
     from: AttributePath {
      parts: [
       Raw {
        content: "config",
        position: (203, 3),
       },
      ],
     },
     to: Map {
      bindings: [
       Binding {
        from: AttributePath {
         parts: [
          Raw {
           content: "assertions",
           position: (205, 5),
          },
         ],
        },
        to: FunctionApplication {
         function: PropertyAccess {
          expression: Variable {
           identifier: "lib",
           position: (205, 18),
          },
          attribute_path: AttributePath {
           parts: [
            Raw {
             content: "mapAttrsToList",
             position: (205, 22),
            },
           ],
          },
          default: None,
         },
         arguments: [
          Parentheses {
           expression: Function {
            argument: Simple {
             identifier: "name",
            },
            definition: Function {
             argument: Simple {
              identifier: "opts",
             },
             definition: Map {
              bindings: [
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "assertion",
                   position: (207, 11),
                  },
                 ],
                },
                to: BinaryOperation {
                 operator: Implication,
                 operands: [
                  BinaryOperation {
                   operator: LogicalOr,
                   operands: [
                    PropertyAccess {
                     expression: Variable {
                      identifier: "opts",
                      position: (207, 23),
                     },
                     attribute_path: AttributePath {
                      parts: [
                       Raw {
                        content: "setuid",
                        position: (207, 28),
                       },
                      ],
                     },
                     default: None,
                    },
                    PropertyAccess {
                     expression: Variable {
                      identifier: "opts",
                      position: (207, 38),
                     },
                     attribute_path: AttributePath {
                      parts: [
                       Raw {
                        content: "setgid",
                        position: (207, 43),
                       },
                      ],
                     },
                     default: None,
                    },
                   ],
                   position: (207, 35),
                  },
                  BinaryOperation {
                   operator: EqualTo,
                   operands: [
                    PropertyAccess {
                     expression: Variable {
                      identifier: "opts",
                      position: (207, 53),
                     },
                     attribute_path: AttributePath {
                      parts: [
                       Raw {
                        content: "capabilities",
                        position: (207, 58),
                       },
                      ],
                     },
                     default: None,
                    },
                    String {
                     parts: [],
                     position: (207, 74),
                    },
                   ],
                   position: (207, 71),
                  },
                 ],
                 position: (207, 50),
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "message",
                   position: (208, 11),
                  },
                 ],
                },
                to: String {
                 parts: [
                  Raw {
                   content: "The security.wrappers.",
                   position: (209, 1),
                  },
                  Expression {
                   expression: Variable {
                    identifier: "name",
                    position: (209, 37),
                   },
                  },
                  Raw {
                   content: " wrapper is not valid:\n    setuid/setgid and capabilities are mutually exclusive.\n",
                   position: (209, 42),
                  },
                 ],
                 position: (208, 21),
                },
               },
              ],
              recursive: false,
              position: (207, 9),
             },
             position: (206, 14),
            },
            position: (206, 8),
           },
           position: (206, 7),
          },
          Variable {
           identifier: "wrappers",
           position: (213, 9),
          },
         ],
        },
       },
       Binding {
        from: AttributePath {
         parts: [
          Raw {
           content: "security",
           position: (215, 5),
          },
          Raw {
           content: "wrappers",
           position: (215, 14),
          },
         ],
        },
        to: LetIn {
         bindings: [
          Binding {
           from: AttributePath {
            parts: [
             Raw {
              content: "mkSetuidRoot",
              position: (217, 9),
             },
            ],
           },
           to: Function {
            argument: Simple {
             identifier: "source",
            },
            definition: Map {
             bindings: [
              Binding {
               from: AttributePath {
                parts: [
                 Raw {
                  content: "setuid",
                  position: (218, 13),
                 },
                ],
               },
               to: Variable {
                identifier: "true",
                position: (218, 22),
               },
              },
              Binding {
               from: AttributePath {
                parts: [
                 Raw {
                  content: "owner",
                  position: (219, 13),
                 },
                ],
               },
               to: String {
                parts: [
                 Raw {
                  content: "root",
                  position: (219, 22),
                 },
                ],
                position: (219, 21),
               },
              },
              Binding {
               from: AttributePath {
                parts: [
                 Raw {
                  content: "group",
                  position: (220, 13),
                 },
                ],
               },
               to: String {
                parts: [
                 Raw {
                  content: "root",
                  position: (220, 22),
                 },
                ],
                position: (220, 21),
               },
              },
              Inherit {
               from: None,
               attributes: [
                Raw {
                 content: "source",
                 position: (221, 21),
                },
               ],
              },
             ],
             recursive: false,
             position: (218, 11),
            },
            position: (217, 24),
           },
          },
         ],
         target: Map {
          bindings: [
           Binding {
            from: AttributePath {
             parts: [
              Raw {
               content: "fusermount",
               position: (225, 9),
              },
             ],
            },
            to: FunctionApplication {
             function: Variable {
              identifier: "mkSetuidRoot",
              position: (225, 23),
             },
             arguments: [
              String {
               parts: [
                Expression {
                 expression: PropertyAccess {
                  expression: Variable {
                   identifier: "pkgs",
                   position: (225, 39),
                  },
                  attribute_path: AttributePath {
                   parts: [
                    Raw {
                     content: "fuse",
                     position: (225, 44),
                    },
                   ],
                  },
                  default: None,
                 },
                },
                Raw {
                 content: "/bin/fusermount",
                 position: (225, 49),
                },
               ],
               position: (225, 36),
              },
             ],
            },
           },
           Binding {
            from: AttributePath {
             parts: [
              Raw {
               content: "fusermount3",
               position: (226, 9),
              },
             ],
            },
            to: FunctionApplication {
             function: Variable {
              identifier: "mkSetuidRoot",
              position: (226, 23),
             },
             arguments: [
              String {
               parts: [
                Expression {
                 expression: PropertyAccess {
                  expression: Variable {
                   identifier: "pkgs",
                   position: (226, 39),
                  },
                  attribute_path: AttributePath {
                   parts: [
                    Raw {
                     content: "fuse3",
                     position: (226, 44),
                    },
                   ],
                  },
                  default: None,
                 },
                },
                Raw {
                 content: "/bin/fusermount3",
                 position: (226, 50),
                },
               ],
               position: (226, 36),
              },
             ],
            },
           },
           Binding {
            from: AttributePath {
             parts: [
              Raw {
               content: "mount",
               position: (227, 9),
              },
             ],
            },
            to: FunctionApplication {
             function: Variable {
              identifier: "mkSetuidRoot",
              position: (227, 18),
             },
             arguments: [
              String {
               parts: [
                Expression {
                 expression: FunctionApplication {
                  function: PropertyAccess {
                   expression: Variable {
                    identifier: "lib",
                    position: (227, 34),
                   },
                   attribute_path: AttributePath {
                    parts: [
                     Raw {
                      content: "getBin",
                      position: (227, 38),
                     },
                    ],
                   },
                   default: None,
                  },
                  arguments: [
                   PropertyAccess {
                    expression: Variable {
                     identifier: "pkgs",
                     position: (227, 45),
                    },
                    attribute_path: AttributePath {
                     parts: [
                      Raw {
                       content: "util-linux",
                       position: (227, 50),
                      },
                     ],
                    },
                    default: None,
                   },
                  ],
                 },
                },
                Raw {
                 content: "/bin/mount",
                 position: (227, 61),
                },
               ],
               position: (227, 31),
              },
             ],
            },
           },
           Binding {
            from: AttributePath {
             parts: [
              Raw {
               content: "umount",
               position: (228, 9),
              },
             ],
            },
            to: FunctionApplication {
             function: Variable {
              identifier: "mkSetuidRoot",
              position: (228, 18),
             },
             arguments: [
              String {
               parts: [
                Expression {
                 expression: FunctionApplication {
                  function: PropertyAccess {
                   expression: Variable {
                    identifier: "lib",
                    position: (228, 34),
                   },
                   attribute_path: AttributePath {
                    parts: [
                     Raw {
                      content: "getBin",
                      position: (228, 38),
                     },
                    ],
                   },
                   default: None,
                  },
                  arguments: [
                   PropertyAccess {
                    expression: Variable {
                     identifier: "pkgs",
                     position: (228, 45),
                    },
                    attribute_path: AttributePath {
                     parts: [
                      Raw {
                       content: "util-linux",
                       position: (228, 50),
                      },
                     ],
                    },
                    default: None,
                   },
                  ],
                 },
                },
                Raw {
                 content: "/bin/umount",
                 position: (228, 61),
                },
               ],
               position: (228, 31),
              },
             ],
            },
           },
          ],
          recursive: false,
          position: (224, 7),
         },
         position: (216, 7),
        },
       },
       Binding {
        from: AttributePath {
         parts: [
          Raw {
           content: "boot",
           position: (231, 5),
          },
          Raw {
           content: "specialFileSystems",
           position: (231, 10),
          },
          Expression {
           expression: Variable {
            identifier: "parentWrapperDir",
            position: (231, 31),
           },
          },
         ],
        },
        to: Map {
         bindings: [
          Binding {
           from: AttributePath {
            parts: [
             Raw {
              content: "fsType",
              position: (232, 7),
             },
            ],
           },
           to: String {
            parts: [
             Raw {
              content: "tmpfs",
              position: (232, 17),
             },
            ],
            position: (232, 16),
           },
          },
          Binding {
           from: AttributePath {
            parts: [
             Raw {
              content: "options",
              position: (233, 7),
             },
            ],
           },
           to: List {
            elements: [
             String {
              parts: [
               Raw {
                content: "nodev",
                position: (233, 20),
               },
              ],
              position: (233, 19),
             },
             String {
              parts: [
               Raw {
                content: "mode=755",
                position: (233, 28),
               },
              ],
              position: (233, 27),
             },
            ],
            position: (233, 17),
           },
          },
         ],
         recursive: false,
         position: (231, 51),
        },
       },
       Binding {
        from: AttributePath {
         parts: [
          Raw {
           content: "environment",
           position: (238, 5),
          },
          Raw {
           content: "extraInit",
           position: (238, 17),
          },
         ],
        },
        to: String {
         parts: [
          Raw {
           content: "# Wrappers override other bin directories.\nexport PATH=\"",
           position: (239, 1),
          },
          Expression {
           expression: Variable {
            identifier: "wrapperDir",
            position: (240, 22),
           },
          },
          Raw {
           content: ":$PATH\"\n",
           position: (240, 33),
          },
         ],
         position: (238, 29),
        },
       },
       Binding {
        from: AttributePath {
         parts: [
          Raw {
           content: "security",
           position: (243, 5),
          },
          Raw {
           content: "apparmor",
           position: (243, 14),
          },
          Raw {
           content: "includes",
           position: (243, 23),
          },
          Expression {
           expression: String {
            parts: [
             Raw {
              content: "nixos/security.wrappers",
              position: (243, 33),
             },
            ],
            position: (243, 32),
           },
          },
         ],
        },
        to: String {
         parts: [
          Raw {
           content: "include \"",
           position: (244, 1),
          },
          Expression {
           expression: FunctionApplication {
            function: PropertyAccess {
             expression: Variable {
              identifier: "pkgs",
              position: (244, 18),
             },
             attribute_path: AttributePath {
              parts: [
               Raw {
                content: "apparmorRulesFromClosure",
                position: (244, 23),
               },
              ],
             },
             default: None,
            },
            arguments: [
             Map {
              bindings: [
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "name",
                   position: (244, 50),
                  },
                 ],
                },
                to: String {
                 parts: [
                  Raw {
                   content: "security.wrappers",
                   position: (244, 56),
                  },
                 ],
                 position: (244, 55),
                },
               },
              ],
              recursive: false,
              position: (244, 48),
             },
             List {
              elements: [
               Variable {
                identifier: "securityWrapper",
                position: (245, 9),
               },
              ],
              position: (244, 78),
             },
            ],
           },
          },
          Raw {
           content: "\"\n",
           position: (246, 9),
          },
         ],
         position: (243, 60),
        },
       },
       Binding {
        from: AttributePath {
         parts: [
          Raw {
           content: "system",
           position: (250, 5),
          },
          Raw {
           content: "activationScripts",
           position: (250, 12),
          },
          Raw {
           content: "wrappers",
           position: (250, 30),
          },
         ],
        },
        to: FunctionApplication {
         function: PropertyAccess {
          expression: Variable {
           identifier: "lib",
           position: (251, 7),
          },
          attribute_path: AttributePath {
           parts: [
            Raw {
             content: "stringAfter",
             position: (251, 11),
            },
           ],
          },
          default: None,
         },
         arguments: [
          List {
           elements: [
            String {
             parts: [
              Raw {
               content: "specialfs",
               position: (251, 26),
              },
             ],
             position: (251, 25),
            },
            String {
             parts: [
              Raw {
               content: "users",
               position: (251, 38),
              },
             ],
             position: (251, 37),
            },
           ],
           position: (251, 23),
          },
          String {
           parts: [
            Raw {
             content: "chmod 755 \"",
             position: (253, 1),
            },
            Expression {
             expression: Variable {
              identifier: "parentWrapperDir",
              position: (253, 24),
             },
            },
            Raw {
             content: "\"\n\n# We want to place the tmpdirs for the wrappers to the parent dir.\nwrapperDir=$(mktemp --directory --tmpdir=\"",
             position: (253, 41),
            },
            Expression {
             expression: Variable {
              identifier: "parentWrapperDir",
              position: (256, 55),
             },
            },
            Raw {
             content: "\" wrappers.XXXXXXXXXX)\nchmod a+rx \"$wrapperDir\"\n\n",
             position: (256, 72),
            },
            Expression {
             expression: FunctionApplication {
              function: PropertyAccess {
               expression: Variable {
                identifier: "lib",
                position: (259, 13),
               },
               attribute_path: AttributePath {
                parts: [
                 Raw {
                  content: "concatStringsSep",
                  position: (259, 17),
                 },
                ],
               },
               default: None,
              },
              arguments: [
               String {
                parts: [
                 Raw {
                  content: "\n",
                  position: (259, 35),
                 },
                ],
                position: (259, 34),
               },
               Variable {
                identifier: "mkWrappedPrograms",
                position: (259, 39),
               },
              ],
             },
            },
            Raw {
             content: "\n\nif [ -L ",
             position: (259, 57),
            },
            Expression {
             expression: Variable {
              identifier: "wrapperDir",
              position: (261, 21),
             },
            },
            Raw {
             content: " ]; then\n  # Atomically replace the symlink\n  # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/\n  old=$(readlink -f ",
             position: (261, 32),
            },
            Expression {
             expression: Variable {
              identifier: "wrapperDir",
              position: (264, 33),
             },
            },
            Raw {
             content: ")\n  if [ -e \"",
             position: (264, 44),
            },
            Expression {
             expression: Variable {
              identifier: "wrapperDir",
              position: (265, 24),
             },
            },
            Raw {
             content: "-tmp\" ]; then\n    rm --force --recursive \"",
             position: (265, 35),
            },
            Expression {
             expression: Variable {
              identifier: "wrapperDir",
              position: (266, 41),
             },
            },
            Raw {
             content: "-tmp\"\n  fi\n  ln --symbolic --force --no-dereference \"$wrapperDir\" \"",
             position: (266, 52),
            },
            Expression {
             expression: Variable {
              identifier: "wrapperDir",
              position: (268, 69),
             },
            },
            Raw {
             content: "-tmp\"\n  mv --no-target-directory \"",
             position: (268, 80),
            },
            Expression {
             expression: Variable {
              identifier: "wrapperDir",
              position: (269, 41),
             },
            },
            Raw {
             content: "-tmp\" \"",
             position: (269, 52),
            },
            Expression {
             expression: Variable {
              identifier: "wrapperDir",
              position: (269, 61),
             },
            },
            Raw {
             content: "\"\n  rm --force --recursive \"$old\"\nelse\n  # For initial setup\n  ln --symbolic \"$wrapperDir\" \"",
             position: (269, 72),
            },
            Expression {
             expression: Variable {
              identifier: "wrapperDir",
              position: (273, 44),
             },
            },
            Raw {
             content: "\"\nfi\n",
             position: (273, 55),
            },
           ],
           position: (252, 9),
          },
         ],
        },
       },
       Binding {
        from: AttributePath {
         parts: [
          Raw {
           content: "system",
           position: (278, 5),
          },
          Raw {
           content: "extraDependencies",
           position: (278, 12),
          },
         ],
        },
        to: FunctionApplication {
         function: PropertyAccess {
          expression: Variable {
           identifier: "lib",
           position: (278, 32),
          },
          attribute_path: AttributePath {
           parts: [
            Raw {
             content: "singleton",
             position: (278, 36),
            },
           ],
          },
          default: None,
         },
         arguments: [
          Parentheses {
           expression: FunctionApplication {
            function: PropertyAccess {
             expression: Variable {
              identifier: "pkgs",
              position: (278, 47),
             },
             attribute_path: AttributePath {
              parts: [
               Raw {
                content: "runCommandLocal",
                position: (278, 52),
               },
              ],
             },
             default: None,
            },
            arguments: [
             String {
              parts: [
               Raw {
                content: "ensure-all-wrappers-paths-exist",
                position: (279, 8),
               },
              ],
              position: (279, 7),
             },
             Map {
              bindings: [],
              recursive: false,
              position: (279, 41),
             },
             String {
              parts: [
               Raw {
                content: "# make sure we produce output\nmkdir -p $out\n\necho -n \"Checking that Nix store paths of all wrapped programs exist... \"\n\ndeclare -A wrappers\n",
                position: (281, 1),
               },
               Expression {
                expression: FunctionApplication {
                 function: PropertyAccess {
                  expression: Variable {
                   identifier: "lib",
                   position: (287, 11),
                  },
                  attribute_path: AttributePath {
                   parts: [
                    Raw {
                     content: "concatStringsSep",
                     position: (287, 15),
                    },
                   ],
                  },
                  default: None,
                 },
                 arguments: [
                  String {
                   parts: [
                    Raw {
                     content: "\n",
                     position: (287, 33),
                    },
                   ],
                   position: (287, 32),
                  },
                  Parentheses {
                   expression: FunctionApplication {
                    function: PropertyAccess {
                     expression: Variable {
                      identifier: "lib",
                      position: (287, 38),
                     },
                     attribute_path: AttributePath {
                      parts: [
                       Raw {
                        content: "mapAttrsToList",
                        position: (287, 42),
                       },
                      ],
                     },
                     default: None,
                    },
                    arguments: [
                     Parentheses {
                      expression: Function {
                       argument: Simple {
                        identifier: "n",
                       },
                       definition: Function {
                        argument: Simple {
                         identifier: "v",
                        },
                        definition: String {
                         parts: [
                          Raw {
                           content: "wrappers['",
                           position: (288, 12),
                          },
                          Expression {
                           expression: Variable {
                            identifier: "n",
                            position: (288, 24),
                           },
                          },
                          Raw {
                           content: "']='",
                           position: (288, 26),
                          },
                          Expression {
                           expression: PropertyAccess {
                            expression: Variable {
                             identifier: "v",
                             position: (288, 32),
                            },
                            attribute_path: AttributePath {
                             parts: [
                              Raw {
                               content: "source",
                               position: (288, 34),
                              },
                             ],
                            },
                            default: None,
                           },
                          },
                          Raw {
                           content: "'",
                           position: (288, 41),
                          },
                         ],
                         position: (288, 11),
                        },
                        position: (287, 61),
                       },
                       position: (287, 58),
                      },
                      position: (287, 57),
                     },
                     Variable {
                      identifier: "wrappers",
                      position: (288, 45),
                     },
                    ],
                   },
                   position: (287, 37),
                  },
                 ],
                },
               },
               Raw {
                content: "\n\nfor name in \"",
                position: (288, 55),
               },
               Raw {
                content: "$",
                position: (290, 22),
               },
               Raw {
                content: "{!wrappers[@]}\"; do\n  path=\"",
                position: (290, 25),
               },
               Raw {
                content: "$",
                position: (291, 17),
               },
               Raw {
                content: "{wrappers[$name]}\"\n  if [[ \"$path\" =~ /nix/store ]] && [ ! -e \"$path\" ]; then\n    test -t 1 && echo -ne '\\033[1;31m'\n    echo \"FAIL\"\n    echo \"The path $path does not exist!\"\n    echo 'Please, check the value of `security.wrappers.\"",
                position: (291, 20),
               },
               Raw {
                content: "'",
                position: (296, 66),
               },
               Raw {
                content: "$name'\".source`.'\n    test -t 1 && echo -ne '\\033[0m'\n    exit 1\n  fi\ndone\n\necho \"OK\"\n",
                position: (296, 67),
               },
              ],
              position: (280, 7),
             },
            ],
           },
           position: (278, 46),
          },
         ],
        },
       },
      ],
      recursive: false,
      position: (203, 12),
     },
    },
   ],
   recursive: false,
   position: (142, 1),
  },
  position: (2, 1),
 },
 position: (1, 1),
}