<LnL>
getting the closure is pretty easy if you have a list of derivations (string context would need an extra step)
<LnL>
awww, you can't allow sugid in a sandbox
<clever>
LnL: there was an issue with nix, where a nix build could make a setgid nixbld or setuid nixbld1 binary, and leave it somewhere nix won't immediately clean up
<clever>
LnL: and then you could use that to mutate a future build
<clever>
but at least on linux, a policy has been added to entirely block that
<LnL>
yeah I know, that's a different thing
<LnL>
we disallow file-write-setugid
<LnL>
was playing with the idea of running my entire shell/tmux session inside sandbox-exec to make the store and other things readonly
<{^_^}>
matthewbauer/nix-bundle#41 (by cleverca22, 17 weeks ago, merged): add an escape-hatch option to allow things like xdg-open to work inside the sandbox
<clever>
that allows the sandbox to run a command outside of the sandbox