| 14 Oct 2024 |
 @jade_:matrix.org | well yeah we know it is macOS specific stuff, sandbox_init is a thingy that does macOS sandboxing that is "deprecated" with no replacement (and used extensively by browsers so like, lolz) | 20:31:26 |
 puck | i suspect you can't nest sandbox invocations | 20:31:43 |
| @jade_:matrix.org | In reply to @puck:puck.moe
i suspect you can't nest sandbox invocations this is my suspicion as well | 20:31:55 |
| @jade_:matrix.org | but the fact that it regressed is surprising | 20:32:01 |
| @jade_:matrix.org | surely someone would have noticed this | 20:32:04 |
| @jade_:matrix.org | and so i wonder if it borked in an apple update | 20:32:33 |
 Ross A. Baker | I'm still on MacOS 13.7. I don't know if I'm in trouble by being behind? | 20:33:04 |
| Ross A. Baker | I'm still completely flummoxed by what that nixpkgs commit has to do with lowdown. It's bumping an IDE that doesn't appear to be in the picture anywhere. | 20:33:39 |
| puck | ...well | 20:34:16 |
| puck | there's a possibility here | 20:34:32 |
| puck | hahahah yeah | 20:36:12 |
| puck | between those two commits, lowdown's behavior got changed | 20:36:38 |
| @jade_:matrix.org | jade@darwin01 ~ % sandbox-exec -f wat.sb echo 1
sandbox-exec: execvp() of 'echo' failed: Operation not permitted
well this is also interesting
| 20:37:47 |
| @jade_:matrix.org | jade@darwin01 ~ % sw_vers
ProductName: macOS
ProductVersion: 14.7
BuildVersion: 23H124
| 20:38:00 |
| puck | what's in wat.sb? | 20:38:02 |
| puck | https://github.com/nixos/nixpkgs/commit/dc32d18e521e75f5be833bf5e8e5d980bb5211a3 there's this commit | 20:38:05 |
| @jade_:matrix.org | jade@darwin01 ~ % cat wat.sb
(version 1)
;; Disallow everything by default
(deny default)
;;
;; This system profile grants access to a number of things, such as:
;;
;; - locale info
;; - system libraries (/System/Library, /usr/lib, etc)
;; - access to to basic tools (/etc, /dev/urandom, etc)
;; - Apple services (com.apple.system, com.apple.dyld, etc)
;;
;; and more, see bsd.sb and system.sb in the corresponding directory.
;;
(import "/System/Library/Sandbox/Profiles/bsd.sb")
| 20:38:21 |
| puck | ..does that profile give you access to wherever echo is? | 20:38:49 |
| @jade_:matrix.org | literally trying to copy paste a sandbox profile from the internet that does anything at all | 20:38:58 |
| puck | note it's the execvp that failed, not the sandbox_init | 20:39:18 |
| @jade_:matrix.org | okay yes that is the likely cause | 20:39:19 |
| @jade_:matrix.org | jade@darwin01 ~ % sandbox-exec -f wat.sb sandbox-exec -f wat.sb echo 1
sandbox-exec: sandbox_apply: Operation not permitted
clearly,
| 20:39:44 |
| puck | In reply to @puck:puck.moe
https://github.com/nixos/nixpkgs/commit/dc32d18e521e75f5be833bf5e8e5d980bb5211a3 there's this commit (i'm a bit unsure if this is the right move! lowdown's status on whether it is compiled with or without sandbox is now entirely dependent on whether it is built inside a sandbox or not?) | 20:40:15 |
| @jade_:matrix.org | i put allow default in there | 20:40:23 |
| @jade_:matrix.org | In reply to @puck:puck.moe
(i'm a bit unsure if this is the right move! lowdown's status on whether it is compiled with or without sandbox is now entirely dependent on whether it is built inside a sandbox or not?) what ze fuck | 20:40:29 |
| puck | i think? | 20:40:53 |
| @jade_:matrix.org | well, i guess we get to feature detect nixpkgs harder | 20:40:58 |
| @jade_:matrix.org | but this kind of sucks | 20:41:04 |
| @jade_:matrix.org | technically we run user input through lowdown too but not that spicily | 20:41:20 |
| puck | actually, looks like it might be okay | 20:41:21 |
