#spectrum on 2021-05-04

03:45 <aaronjanse> Wow, crazy that the issue led to fixing a ZFS bug qyliss

04:31 <aaronjanse> Would there be some way to build Nix derivations within a VM? I assume a user would typically just install all software beforehand, but it could be cool to be able to do `nix shell` inside a VM

10:20 <qyliss> yeah, I think that would be good

10:20 <qyliss> the Nix part of Spectrum isn't very well thought through yet

10:21 <qyliss> that was in part because I wanted to fill this channel and the mailing list with as many Nix people as possible to provide input :P

10:25 <aaronjanse> Famous last works, but I don't think it would be too difficult to modify Nix to use crosvm as its build sandbox. I'm not sure if that would be useful at all

10:25 <qyliss> ideally I'd like Nix itself to run in a VM

10:26 <aaronjanse> Oh yep, that probably makes the most sense

10:26 <qyliss> have you looked at Nix's code? :P

10:26 <qyliss> but it could perhaps build in a different VM

10:26 <qyliss> one of my goals is to do as little on the host as possible

10:27 <qyliss> I don't even want it to know what networking is, ideally

10:27 <aaronjanse> I've looked at the Nix code. Its sandboxing code is fairly straightforward

10:27 <MichaelRaskin> Well, you will run the system built inside VM on the host anyway, but abusing that would require a targeted attack and then Sway is a cheaper target

10:29 <aaronjanse> I think it might make sense to have the build in a VM separate from Nix. That way, a chroot escape wouldn't mean compromising the integrity of the Nix daemon

10:29 <qyliss> yeah, although as MichaelRaskin says if you can produce malicious code that will be run as part of the built syste, it doesn't matter

10:30 <qyliss> but not every derivation produces code that will be run at runtime!

10:30 <MichaelRaskin> That's true…

10:30 <qyliss> so with a good sandbox, all your documentation and stuff is going to find it a lot harder to own your machine

10:30 <aaronjanse> I guess this all depends on whether dev VMs would build things inside the VM or send stuff to a daemon on the host machine

10:31 <qyliss> yeah

10:31 <aaronjanse> *"dev VMs" meaning VMs where the user is playing with Nix

10:31 <MichaelRaskin> Has anyone ever fuzzed the daemon connection

10:32 <qyliss> It's probably a good idea to keep the Nix that's responsible for building the whole system isolated, but I'm not sure

10:32 <aaronjanse> Not... yet!

10:33 <aaronjanse> MichaelRaskin: I might try that after exams next week. Last week I did a little fuzzing of Nix but didn't get far

10:33 <qyliss> my vision is increasingly of using Nix to build an immutable system image, that is small and rarely needs to change

10:33 <aaronjanse> qyliss: That makes sense

10:33 <qyliss> and in that model, it would make sense to use a totally different store and stuff from normal runtime Nix operations

10:33 <MichaelRaskin> > rarely needs to change > includes kernel, openssl, glibc, browser…

10:34 <MichaelRaskin> The host — maaaaybe

10:34 <qyliss> MichaelRaskin: I'm talking about the host

10:34 <MichaelRaskin> Soo, just KVM bugs to fix there?…

10:35 <qyliss> yeah

10:35 <qyliss> and VMM bugs

10:35 <qyliss> and then just bugs that would affect the bits of those systems we're using

10:36 <qyliss> dom0 in Qubes is usually very outdated, but it doesn't matter because it's not exposed to anything else, assuming there aren't any Xen escapes

11:34 <pie_> >w< cant wait for spectrum. maybe i can run discord without an immediate aneurism

11:38 <zgrep> qyliss: How often do they update Xen? :P

11:39 <zgrep> (I'd assume also infrequently, unless necessary.)

12:00 <qyliss> yeah

19:57 <qyliss> I present the strace mailing list archive for this month: https://lists.strace.io/pipermail/strace-devel/2021-May/thread.html

19:57 <qyliss> I still didn't do the thing I started working on strace to do, whoops

20:08 <samueldr> whoops!

20:12 <MichaelRaskin> Will the yaks fear the rainbows soon?

21:08 <qyliss> wow, the VFIO documentation is really good https://www.kernel.org/doc/html/latest/driver-api/vfio.html

21:08 <qyliss> which is surprising for Linux documentation

21:08 <qyliss> (except for the typo on the first line, which I sent a patch for already)

21:10 <cole-h> nice

21:11 <qyliss> was really helpful in figuring out what all the arguments to this ioctl QEMU is failing on are

21:13 <MichaelRaskin> I think when I needed something from in-tree Linux documentation to understand some command-line stuff use, the docs were pretty good.

21:13 <MichaelRaskin> Is it usually not so for ioctls?

21:15 <qyliss> often they're not even documented ime

21:15 <MichaelRaskin> Ah

21:15 <qyliss> ioctls are a bit of a mess in Linux

21:15 <qyliss> they're basically syscalls, but they receive _way_ less scrutiny

21:16 <MichaelRaskin> There are also /sys entries, I guess.

21:16 <MichaelRaskin> (But there I think even breaking userspace i permissible)

21:16 <qyliss> and you end up with e.g. two different filesystems implementing the same feature with two different ioctl APIs

21:16 <qyliss> hmm, I don't think it is?

21:17 <qyliss> but yeah, I suppose ioctls are at least not sysfs

21:21 <MichaelRaskin> I think BtrFS at some point tried to have … interesting opinions on what fallocate does

21:29 <MichaelRaskin> No ioctl's involved!

21:31 <MichaelRaskin> (fallocate on BtrFS was rounded up to a size divisible by a block, which makes sense, and then set file length to that rounded-up value — way less sensible. When I asked people shouldn't BtrFS do, erm, something compatible with POSIX fallocate definition, first question was whether this even talks about syscalls and not only libc functions)

21:31 <MichaelRaskin> (it got fixed later)

21:32 <qyliss> wow lol

21:37 <MichaelRaskin> It did get fixed and I can understand why it wasn't a top priority (it was annoying with Nix…), but the question impressed me

21:42 <qyliss> idk that strikes me as annoyingly pedantic

21:43 <qyliss> how would libc even work around that?

21:43 <MichaelRaskin> Well, worse than pedantic, because in what universe glibc could be plausibly expected to check which FS it even is

21:44 <qyliss> well, if there was an fallocate_shrink_a_bit syscall, glibc could just call that after every fallocate, on every filesystem!

21:44 <MichaelRaskin> I mean, a libc could in principle stat and ftruncate if needed, but…

21:45 <MichaelRaskin> I think it was even in Drepper's days. We know what he would reply to such an idea, and this one time I cannot say the substance would be wrong.

21:47 <qyliss> MichaelRaskin: wouldn't ftruncate just round again, though?

21:47 <qyliss> if it always rounds up, you can't just fix it up afterwards -- you'd just be repeating the same thing at all

21:47 <MichaelRaskin> Well, at least on BtrFS at that time, no.

21:47 <qyliss> oh, so it would only round up if the size was increasing or something?

21:48 <MichaelRaskin> It was possible to create a file with length not divisible by a block, after all!

21:48 <MichaelRaskin> It was specifically about fallocate

21:48 <qyliss> oh sorry I mixed up fallocate/ftruncate

21:48 <MichaelRaskin> Which is a bit vague-ish

21:48 <MichaelRaskin> Well, with ftruncate it would make so little sense they would notice it before releasing anything