| 31 Mar 2025 |
@loupbw:matrix.org | Wow | 13:53:26 |
| @loupbw:matrix.org left the room. | 13:53:44 |
Charles | well played | 15:23:05 |
| Cat joined the room. | 15:59:03 |
| Find me at aleksana:qaq.li joined the room. | 15:59:16 |
| Arian joined the room. | 16:29:31 |
antifuchs | huh, I have a rust program that uses the compio runtime backed by io-uring on linux, failing tests when nix build'ing because the runtime can't be created with this error: cannot create runtime: Os { code: 38, kind: Unsupported, message: "Function not implemented" }. It can be compiled and passes tests when I run cargo test on the command line. is this a sandbox issue? | 17:01:14 |
K900 | Yes | 17:01:45 |
K900 | The sandbox bans io_uring | 17:01:48 |
K900 | Because there's no good way to actually sandbox the thing | 17:01:56 |
antifuchs | haha, that would do it | 17:01:57 |
antifuchs | guess I'll just disable checks, then | 17:02:36 |
| lassulus joined the room. | 18:45:30 |
| @federicodschonborn:matrix.org joined the room. | 19:54:18 |
@r522:matrix.org | how does the sandbox work, eBPF filter? | 20:30:57 |
niko ⚡️ | seccomp and namespaces | 20:35:24 |
@r522:matrix.org | ah, seems to be namespacing?
i... don't think that breaks under io_uring? | 20:35:28 |
@r522:matrix.org | seccomp would | 20:35:30 |
niko ⚡️ | Nix has an explicit allow-list of syscalls | 20:35:49 |
niko ⚡️ | nothing from io_uring family is on that list | 20:35:59 |
niko ⚡️ | By design | 20:36:02 |
@r522:matrix.org | i'm looking at https://github.com/NixOS/nix/blob/5a8dedc45cc04a207917316c245e4993234bfbe0/src/libstore/unix/build/local-derivation-goal.cc and i don't see an allow list?
... i also don't see where io_uring is blocked though | 20:38:17 |
@r522:matrix.org | * i'm looking at https://github.com/NixOS/nix/blob/5a8dedc45cc04a207917316c245e4993234bfbe0/src/libstore/unix/build/local-derivation-goal.cc#L1774 and i don't see an allow list?
... i also don't see where io_uring is blocked though | 20:39:05 |
@r522:matrix.org | so i guess that's not what sets up the build sandbox | 20:39:17 |
niko ⚡️ | No, you're right, I'm too Lix-brained, Lix has an explicit syscall list, CppNix uses (for the most part) the default seccomp profile | 20:45:13 |
@r522:matrix.org | mhm
i will go look in lix to see where they do it then | 20:46:48 |
@r522:matrix.org | right, yeah, they do | 20:47:22 |
@r522:matrix.org | that being said, they don't seem to care about the exact path used for opens | 20:48:08 |
@r522:matrix.org | so it's seccomp but not in a way that inspects paths
actually, you can't do that anyways | 20:48:35 |
@r522:matrix.org | * so it's seccomp but not in a way that inspects paths
actually, you can't do that anyways with seccomp | 20:48:38 |