14 Oct 2024 |
Ross A. Baker | Hasn't changed in eight years, but that definitely lines up with the error. 🤔 | 20:30:00 |
@jade_:matrix.org | well what i think happened here is apple changed the behaviour lol | 20:30:41 |
@jade_:matrix.org | given that we are well aligned with a major macOS release date | 20:30:51 |
Ross A. Baker | And "#if HAVE_SANDBOX_INIT" is on commit "proper compilation on MacOS"... we're zeroing in on the OS variance, at least! | 20:30:55 |
@jade_:matrix.org | well yeah we know it is macOS specific stuff, sandbox_init is a thingy that does macOS sandboxing that is "deprecated" with no replacement (and used extensively by browsers so like, lolz) | 20:31:26 |
puck | i suspect you can't nest sandbox invocations | 20:31:43 |
@jade_:matrix.org | In reply to @puck:puck.moe ("i suspect you can't nest sandbox invocations"): this is my suspicion as well | 20:31:55 |
@jade_:matrix.org | but the fact that it regressed is surprising | 20:32:01 |
@jade_:matrix.org | surely someone would have noticed this | 20:32:04 |
@jade_:matrix.org | and so i wonder if it borked in an apple update | 20:32:33 |
Ross A. Baker | I'm still on macOS 13.7. I don't know if I'm in trouble by being behind? | 20:33:04 |
Ross A. Baker | I'm still completely flummoxed by what that nixpkgs commit has to do with lowdown. It's bumping an IDE that doesn't appear to be in the picture anywhere. | 20:33:39 |
puck | ...well | 20:34:16 |
puck | there's a possibility here | 20:34:32 |
puck | hahahah yeah | 20:36:12 |
puck | between those two commits, lowdown's behavior got changed | 20:36:38 |
@jade_:matrix.org | jade@darwin01 ~ % sandbox-exec -f wat.sb echo 1
sandbox-exec: execvp() of 'echo' failed: Operation not permitted
well this is also interesting
| 20:37:47 |
@jade_:matrix.org | jade@darwin01 ~ % sw_vers
ProductName: macOS
ProductVersion: 14.7
BuildVersion: 23H124
| 20:38:00 |
puck | what's in wat.sb? | 20:38:02 |
puck | https://github.com/nixos/nixpkgs/commit/dc32d18e521e75f5be833bf5e8e5d980bb5211a3 there's this commit | 20:38:05 |
@jade_:matrix.org | jade@darwin01 ~ % cat wat.sb
(version 1)
;; Disallow everything by default
(deny default)
;;
;; This system profile grants access to a number of things, such as:
;;
;; - locale info
;; - system libraries (/System/Library, /usr/lib, etc)
;; - access to to basic tools (/etc, /dev/urandom, etc)
;; - Apple services (com.apple.system, com.apple.dyld, etc)
;;
;; and more, see bsd.sb and system.sb in the corresponding directory.
;;
(import "/System/Library/Sandbox/Profiles/bsd.sb")
| 20:38:21 |
puck | ..does that profile give you access to wherever echo is? | 20:38:49 |
@jade_:matrix.org | literally trying to copy paste a sandbox profile from the internet that does anything at all | 20:38:58 |
puck | note it's the execvp that failed, not the sandbox_init | 20:39:18 |
@jade_:matrix.org | okay yes that is the likely cause | 20:39:19 |
@jade_:matrix.org | jade@darwin01 ~ % sandbox-exec -f wat.sb sandbox-exec -f wat.sb echo 1
sandbox-exec: sandbox_apply: Operation not permitted
clearly,
| 20:39:44 |
puck | In reply to @puck:puck.moe ("https://github.com/nixos/nixpkgs/commit/dc32d18e521e75f5be833bf5e8e5d980bb5211a3 there's this commit"): (i'm a bit unsure if this is the right move! lowdown's status on whether it is compiled with or without sandbox is now entirely dependent on whether it is built inside a sandbox or not?) | 20:40:15 |
@jade_:matrix.org | i put allow default in there | 20:40:23 |
@jade_:matrix.org | In reply to @puck:puck.moe ("(i'm a bit unsure if this is the right move! lowdown's status on whether it is compiled with or without sandbox is now entirely dependent on whether it is built inside a sandbox or not?)"): what ze fuck | 20:40:29 |
puck | i think? | 20:40:53 |