| 27 Jul 2025 |
 raitobezarius | In reply to @emilazy:matrix.org
why does that sound like it's going to get assigned to me? :) I doubt :P | 16:08:36 |
| raitobezarius | Root access to the CI builders is not a simple decision | 16:08:46 |
 emily | frankly, I am not sure what the actual desired threat model is so I'm not sure what the requirements would be to have Darwin sandbox testing without breaking it | 16:08:50 |
| emily | (I'm not even sure if running CI requires manual approval) | 16:09:18 |
| raitobezarius | What I'm planning to do to our CI builders is to have go through reinitialization daily or something | 16:09:21 |
| raitobezarius | So I am not afraid of about an attacker getting persistence | 16:09:44 |
| raitobezarius | Network isolation should be fine as well | 16:09:51 |
| emily | you could just have a macOS host that only runs a macOS VM and restores it to a snapshot before every build | 16:09:54 |
| raitobezarius | The only thing I am not sure about is abuse | 16:09:55 |
| emily | and EULA says you can run two of these at a time | 16:09:57 |
| emily | then compromise of the builder VM should be low impact | 16:10:08 |
| raitobezarius | how is the performance penalty of macOS virtualization on macOS? | 16:10:26 |
| emily | (but I don't know what the current concurrency is) | 16:10:29 |
| raitobezarius | we have 2 job slots for macOS right now | 16:10:39 |
| raitobezarius | it's our slowest machine type | 16:10:44 |
| raitobezarius | i have 2 more M2 in the pipeline | 16:10:48 |
| emily | I have not measured it. I think it's not optimal but it's much better than in the pre-Apple Silicon days or on non-macOS hosts | 16:10:53 |
| raitobezarius | but I didn't set them up because Darwin sysadmin is not yet pleasant to me | 16:10:56 |
| raitobezarius | But also I can just have MDM on them | 16:11:07 |
| raitobezarius | So maybe it's fine to just reinit them daily or something? | 16:11:17 |
| raitobezarius | Thoug | 16:11:28 |
| raitobezarius | h | 16:11:29 |
| raitobezarius | The most most most important thing is abuse vector | 16:11:34 |
| raitobezarius | If we disable the sandbox and someone writes something in a test that will respawn a new task and DoS something | 16:11:54 |
| raitobezarius | it's annoying | 16:11:56 |
| raitobezarius | I guess, the VM technique here would close this down | 16:12:11 |
| emily | with _NIX_TEST_NO_SANDBOX=1 you allow setuid bits in builds again | 16:12:27 |
| emily | compared to even --option sandbox false | 16:12:32 |
| emily | that's basically the only change | 16:12:40 |
| raitobezarius | So, a VM is absolutely necessary in fact | 16:12:47 |
