| 23 Jun 2025 |
 lon | (I've never contributed to nixpkgs, so I'm not sure how high quality is this) | 08:59:15 |
| lon | The interesting part is
MemoryDenyWriteExecute = false; # Needed for CUDA/PyTorch JIT
PrivateDevices = false; # Needed for GPU access
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK"];
DevicePolicy = "closed"; # Only allow the following devices, based on strace usage:
DeviceAllow = lib.flatten [
# Basic devices
"/dev/null rw"
"/dev/urandom r"
"/dev/tty rw"
# NVIDIA control devices
"/dev/nvidiactl rw"
"/dev/nvidia-modeset rw"
"/dev/nvidia-uvm rw"
"/dev/nvidia-uvm-tools rw"
(builtins.map (i: "/dev/nvidia${builtins.toString i} rw") (lib.splitString " " cfg.cudaDevices))
# NVIDIA capability devices
"/dev/nvidia-caps/nvidia-cap1 r"
"/dev/nvidia-caps/nvidia-cap2 r"
];
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictNamespaces = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
UMask = "0077";
CapabilityBoundingSet = ["CAP_SYS_NICE"];
AmbientCapabilities = ["CAP_SYS_NICE"];
| 09:06:10 |
 connor (burnt/out) (UTC-8) | Two things I've promised to look at today:
- Bumping the version of protobuf used by OpenCV, which hasn't been updated in a while (need to backport to 25.05 as well).
- Figuring out how to revert https://github.com/NixOS/nixpkgs/pull/414647 in a way that doesn't break consumers of OpenCV -- really don't want
cudatoolkit propagated to all consumers of OpenCV.
| 17:30:42 |
| 24 Jun 2025 |
| connor (burnt/out) (UTC-8) | :L | 23:45:47 |
