philr has quit [Ping timeout: 258 seconds]
trcc has joined #nix-darwin
trcc has quit [Remote host closed the connection]
trcc has joined #nix-darwin
trcc has quit [Ping timeout: 245 seconds]
qyliss^work_ has joined #nix-darwin
qyliss^work has quit [Ping timeout: 246 seconds]
jonge has quit [Ping timeout: 246 seconds]
Enzime has quit [Ping timeout: 246 seconds]
qyliss^work_ is now known as qyliss^work
LnL has quit [Ping timeout: 245 seconds]
Nikita has joined #nix-darwin
Nikita is now known as Guest14639
nikivi has quit [Ping timeout: 257 seconds]
Guest14639 is now known as nikivi
ambrosia has quit [Ping timeout: 264 seconds]
yastero has quit [Ping timeout: 250 seconds]
Guest34980 has joined #nix-darwin
Guest34980 is now known as LnL
<gchristensen> oh incredible
ambrosia has joined #nix-darwin
<LnL> getting the closure in is pretty easy if you have a list of derivations (string context would need an extra step)
<LnL> awww, you can't allow sugid in a sandbox
<clever> LnL: there was an issue with nix, where a nix build could make a setgid nixbld or setuid nixbld1 binary, and leave it somewhere nix won't immediately clean up
<clever> LnL: and then you could use that to mutate a future build
<clever> but at least on linux, a policy has been added to entirely block that
<LnL> yeah I know, that's a different thing
<LnL> we disallow file-write-setugid
<LnL> was playing with the idea of running my entire shell/tmux session inside sandbox-exec to make the store and other things readonly
<LnL> e.g. sudo sandbox-exec -f /etc/nix/sandbox.sb touch /nix/foo #=> touch: /nix/foo: Operation not permitted
<LnL> but things like sudo and traceroute also break, so that makes it less useful
<clever> /usr/bin/xdg-open: line 880: w3m: command not found
<clever> xdg-open: no method available for opening '/home/clever/.local/share/Steam/userdata/8297027/760/remote/361420/screenshots/'
<clever> LnL: that reminds me, steam is entirely unable to open links or directories
<clever> because the sandbox lacks a browser (both file and net)
<clever> LnL: https://github.com/matthewbauer/nix-bundle/pull/41 something like this may be required
<{^_^}> matthewbauer/nix-bundle#41 (by cleverca22, 17 weeks ago, merged): add an escape-hatch option to allow things like xdg-open to work inside the sandbox
<clever> that allows the sandbox to run a command outside of the sandbox
ij has joined #nix-darwin
ij has quit [Ping timeout: 246 seconds]
ij has joined #nix-darwin
ij has quit [Ping timeout: 255 seconds]