diff --git a/nixos/tests/wrappers.nix b/nixos/tests/wrappers.nix index 391e9b42b45..4c7a82f7dd0 100644 --- a/nixos/tests/wrappers.nix +++ b/nixos/tests/wrappers.nix @@ -21,6 +21,8 @@ in }; }; + security.apparmor.enable = true; + security.wrappers = { suidRoot = { owner = "root"; @@ -96,5 +98,11 @@ in machine.succeed("chmod u+s,a+w /run/wrappers/bin/suid_root_busybox") machine.fail(cmd_as_regular("/run/wrappers/bin/suid_root_busybox id -u")) + + # Test that the only user of apparmor policy includes generated by + # wrappers works. Ideally this'd be located in a test for the module that + # actually makes the apparmor policy for ping, but there's no convenient + # test for that one. + machine.succeed("ping -c 1 127.0.0.1") ''; })
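Review bot: The added `machine.succeed("ping -c 1 127.0.0.1")` at the end of the second hunk passes whether or not an AppArmor profile is actually confining ping, so a profile that fails to load, or a ping left unconfined, would not fail the test. Asserting that the profile is loaded before the ping, for example `machine.succeed("grep -q ping /sys/kernel/security/apparmor/profiles")`, would make the check meaningful; the exact profile name is not visible in this diff and should be confirmed. The command also appears to run as root, unlike the neighbouring checks that go through `cmd_as_regular`, so `machine.succeed(cmd_as_regular("ping -c 1 127.0.0.1"))` would exercise the wrapper the way an unprivileged user reaches it. The test script string starts outside this hunk, so which `ping` is first on PATH cannot be confirmed from here.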