| 18 Nov 2025 |
 WeetHet | Randy Eckenrode, I think they are trying to use native macOS certificates and failing because we don't have enough of an access | 14:22:18 |
| WeetHet | Not sure though | 14:22:21 |
| WeetHet | Yep, oxhttp = { version = "0.3.0", default-features = false, features = ["client", "native-tls"] } | 14:23:06 |
| WeetHet | This patch helps
diff --git a/lix/libstore/build/sandbox-network.sb b/lix/libstore/build/sandbox-network.sb
index 52ee2d761..cb10f8eb0 100644
--- a/lix/libstore/build/sandbox-network.sb
+++ b/lix/libstore/build/sandbox-network.sb
@@ -23,4 +23,11 @@ R""(
(allow mach-lookup (global-name "com.apple.trustd"))
(allow mach-lookup (global-name "com.apple.trustd.agent"))
+; Allow native TLS
+(allow file-read-metadata
+ (literal "/System/Cryptexes/OS")
+ (literal "/System/Cryptexes/App"))
+(allow file-read-data (literal "/System/Library/Preferences/Logging/Subsystems/com.apple.securityd.plist"))
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
)""
| 14:52:04 |
 raitobezarius | i was worried there we merged something bad | 14:53:40 |
| WeetHet | Let's see if I can make it smaller | 14:53:02 |
| raitobezarius | i don't care that c-ares is disabled again | 14:53:46 |
| raitobezarius | but it's good that c-ares is enabled | 14:53:49 |
| raitobezarius | glibc resolver is turbo bad | 14:53:59 |
| WeetHet | I should go through nixpkgs -> rust full bootstrap and see what doesn't build with full sandbox | 14:56:51 |
| WeetHet | I'm gonna do it on Christmas probably since I won't have my uni to worry about | 14:57:33 |
| WeetHet | For now I'll collect patches to submit them at once | 14:58:04 |
| WeetHet | Okay this is enough:
diff --git a/lix/libstore/build/sandbox-network.sb b/lix/libstore/build/sandbox-network.sb
index 52ee2d761..cb10f8eb0 100644
--- a/lix/libstore/build/sandbox-network.sb
+++ b/lix/libstore/build/sandbox-network.sb
@@ -23,4 +23,7 @@ R""(
(allow mach-lookup (global-name "com.apple.trustd"))
(allow mach-lookup (global-name "com.apple.trustd.agent"))
+; Allow native TLS
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
)""
| 15:04:06 |
| WeetHet | * Okay this is enough:
diff --git a/lix/libstore/build/sandbox-network.sb b/lix/libstore/build/sandbox-network.sb
index 52ee2d761..cb10f8eb0 100644
--- a/lix/libstore/build/sandbox-network.sb
+++ b/lix/libstore/build/sandbox-network.sb
@@ -23,4 +23,7 @@ R""(
(allow mach-lookup (global-name "com.apple.trustd"))
(allow mach-lookup (global-name "com.apple.trustd.agent"))
+; Allow native TLS
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
)""
| 15:04:11 |
 Randy Eckenrode | We should not be introducing default impurities. | 15:10:06 |
| Randy Eckenrode | I wish we could block that stuff even when sandboxing is disabled. ๐ | 15:10:58 |
| Randy Eckenrode | But also, we need to define what the actual purpose of the sandbox is supposed to be. | 15:12:29 |
| Randy Eckenrode | Is this a MitM issue? What does NixOS do? | 15:13:02 |
| Randy Eckenrode | * | 15:13:13 |
| Randy Eckenrode | Or nixpkgs on other Linux. | 15:13:26 |
| WeetHet | Is native TLS an impurity? | 15:50:17 |
| WeetHet | NixOS only has openssl certs but macOS has system certs as well | 15:50:50 |
| WeetHet | I don't know if not having access to com.apple.SecurityServer is a purity issue | 15:51:27 |
 K900 | FWIW on Linux Nix will copy system certs to the sandbox | 15:51:27 |
| WeetHet | This issue occurs because the package tries to use certs from the Keychain | 15:52:07 |
| WeetHet | You can't copy it | 15:52:17 |
| WeetHet | And I think that not having access to it is a bug | 15:52:30 |
| K900 | OK that's above my pay grade | 15:53:27 |
| WeetHet | It's not even an impurity since FODs still have a hash to verify that the output doesn't change | 15:53:59 |
| WeetHet | Why does it matter if they have access to the system Keychain | 15:54:09 |
