| 18 Nov 2025 |
raitobezarius | but it's good that c-ares is enabled | 14:53:49 |
raitobezarius | glibc resolver is turbo bad | 14:53:59 |
WeetHet | I should go through nixpkgs -> rust full bootstrap and see what doesn't build with full sandbox | 14:56:51 |
WeetHet | I'm gonna do it on Christmas probably since I won't have my uni to worry about | 14:57:33 |
WeetHet | For now I'll collect patches to submit them at once | 14:58:04 |
WeetHet | Okay this is enough:
diff --git a/lix/libstore/build/sandbox-network.sb b/lix/libstore/build/sandbox-network.sb
index 52ee2d761..cb10f8eb0 100644
--- a/lix/libstore/build/sandbox-network.sb
+++ b/lix/libstore/build/sandbox-network.sb
@@ -23,4 +23,7 @@ R""(
(allow mach-lookup (global-name "com.apple.trustd"))
(allow mach-lookup (global-name "com.apple.trustd.agent"))
+; Allow native TLS
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
)""
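Review bot: the added `+(allow mach-lookup (global-name "com.apple.SecurityServer"))` rule grants every build that runs under sandbox-network.sb a Mach lookup of the host's security server, i.e. access to the system Keychain trust store, so the `; Allow native TLS` comment should state why this is needed (trust evaluation that goes through the Keychain rather than through certificate files that could be copied into the sandbox) and that it is intended for the network-enabled profile only, so the widened surface is deliberate and reviewable rather than read as an accidental default impurity. The trailing empty `+` line before `)""` adds a blank line at the end of the raw-string profile and can be dropped.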
| 15:04:06 |
Randy Eckenrode | We should not be introducing default impurities. | 15:10:06 |
Randy Eckenrode | I wish we could block that stuff even when sandboxing is disabled. 😕 | 15:10:58 |
Randy Eckenrode | But also, we need to define what the actual purpose of the sandbox is supposed to be. | 15:12:29 |
Randy Eckenrode | Is this a MitM issue? What does NixOS do? | 15:13:02 |
Randy Eckenrode | Or nixpkgs on other Linux. | 15:13:26 |
WeetHet | Is native TLS an impurity? | 15:50:17 |
WeetHet | NixOS only has openssl certs but macOS has system certs as well | 15:50:50 |
WeetHet | I don't know if not having access to com.apple.SecurityServer is a purity issue | 15:51:27 |
K900 | FWIW on Linux Nix will copy system certs to the sandbox | 15:51:27 |
WeetHet | This issue occurs because the package tries to use certs from the Keychain | 15:52:07 |
WeetHet | You can't copy it | 15:52:17 |
WeetHet | And I think that not having access to it is a bug | 15:52:30 |
K900 | OK that's above my pay grade | 15:53:27 |
WeetHet | It's not even an impurity since FODs still have a hash to verify that the output doesn't change | 15:53:59 |
WeetHet | Why does it matter if they have access to the system Keychain | 15:54:09 |
WeetHet | Minimized patch just adds (allow mach-lookup (global-name "com.apple.SecurityServer")) | 15:54:43 |
WeetHet | Which should be fine TM | 15:54:52 |
Randy Eckenrode | So, e.g., on Debian it would copy from wherever Debian keeps its certs? | 18:13:15 |
K900 | Yes | 18:13:32 |
Randy Eckenrode | Yes. Things that access Keychain will get different certs than those that don’t. | 18:13:43 |
Randy Eckenrode | If Nix on Linux copies from the system, so should Nix on Darwin. | 18:14:18 |
WeetHet | You can't copy those; you need to give access to the security server | 18:14:54 |