#nix-darwin on 2019-02-16

03:40 philr has quit [Ping timeout: 258 seconds]

04:35 trcc has joined #nix-darwin

04:59 trcc has quit [Remote host closed the connection]

05:00 trcc has joined #nix-darwin

05:04 trcc has quit [Ping timeout: 245 seconds]

05:37 qyliss^work_ has joined #nix-darwin

05:41 qyliss^work has quit [Ping timeout: 246 seconds]

05:41 jonge has quit [Ping timeout: 246 seconds]

05:41 Enzime has quit [Ping timeout: 246 seconds]

05:41 qyliss^work_ is now known as qyliss^work

05:48 LnL has quit [Ping timeout: 245 seconds]

06:00 Nikita has joined #nix-darwin

06:00 Nikita is now known as Guest14639

06:02 nikivi has quit [Ping timeout: 257 seconds]

06:02 Guest14639 is now known as nikivi

08:09 ambrosia has quit [Ping timeout: 264 seconds]

08:31 yastero has quit [Ping timeout: 250 seconds]

10:50 Guest34980 has joined #nix-darwin

12:09 Guest34980 is now known as LnL

16:51 <LnL> gchristensen: https://github.com/LnL7/nix-darwin/commit/1e67f6a2bc496cb5014915a71e323603e4b41662

17:11 <gchristensen> oh incredible

17:23 ambrosia has joined #nix-darwin

17:30 <LnL> getting the closure in pretty easy if you have a list of derivations (string context would need an extra step)

18:00 <LnL> awww, you can't allow sugid in a sandbox

18:38 <clever> LnL: there was an issue with nix, where a nix build could make a setgid nixbld or setuid nixbld1 binary, and leave it somewhere nix wont immediately clean up

18:38 <clever> LnL: and then you could use that to mutate a future build

18:38 <clever> but at least on linux, a policy has been added to entirely block that

18:39 <LnL> yeah I know, that's a different thing

18:39 <LnL> we disallow file-write-setugid

18:41 <LnL> was playing with the idea of running my entire shell/tmux session inside sandbox-exec to make the store and other things readonly

18:45 <LnL> eg. sudo sandbox-exec -f /etc/nix/sandbox.sb touch /nix/foo #=> touch: /nix/foo: Operation not permitted

18:46 <LnL> but things like sudo and traceroute also break, so that makes it less useful

18:47 <clever> /usr/bin/xdg-open: line 880: w3m: command not found

18:47 <clever> xdg-open: no method available for opening '/home/clever/.local/share/Steam/userdata/8297027/760/remote/361420/screenshots/'

18:47 <clever> LnL: that reminds me, steam is entirely unable to open links or directories

18:47 <clever> because the sandbox lacks a browser (both file and net)

18:48 <clever> LnL: https://github.com/matthewbauer/nix-bundle/pull/41 something like this may be required

18:48 <{^_^}> matthewbauer/nix-bundle#41 (by cleverca22, 17 weeks ago, merged): add an escape-hatch option to allow things like xdg-open to work inside the sandbox

18:49 <clever> that allows the sandbox to run a command outside of the sandbox

18:54 ij has joined #nix-darwin

19:57 ij has quit [Ping timeout: 246 seconds]

20:01 ij has joined #nix-darwin

20:29 ij has quit [Ping timeout: 255 seconds]