| 1 Apr 2025 |
 jade_ | hm | 23:12:36 |
| jade_ | then i would suggest figuring out how you can actually structure testing nested builds, if it is even possible.
or figuring out some way to have tests that are root in a jail or ... idk | 23:13:15 |
| jade_ | having just one of those tests would help a lot with confidence in the feature; though i will also say that my view of freebsd is that y'all maintain it and we don't look too hard at it. | 23:14:08 |
 rhelmot | that sounds fun | 23:14:57 |
| rhelmot | ok, will look into it | 23:15:04 |
| jade_ | (and i am as much speaking from the perspective of wanting to make your life maintaining it easier as anything! the first test in a new methodology is always really hard to write, and then it gets easier from there) | 23:15:40 |
| jade_ | if you wind up having to use a VM test or nixos test style thing or something, it would be unfortunate, but it could be done, I think? | 23:16:07 |
| rhelmot | yeah, agreed. ideally, the standard nested build tests shouuuuuuld Just Work since you have to run nix-daemon as root anyway, right? | 23:16:24 |
| jade_ | but the nested builds tests aren't run as root inside the sandbox right? | 23:16:41 |
| rhelmot | hm | 23:17:03 |
| rhelmot | what are the security implications of letting you set a flag to be root inside the sandbox? | 23:17:16 |
| jade_ | that's a great question lmfao | 23:17:27 |
| jade_ | who do you appear as to the outer system? | 23:17:47 |
| rhelmot | users in freebsd are a tuple (uid, jid) iirc | 23:18:01 |
 artemist | I think my devfs rules patch is by devfs mount, so I have to set a devfs ID for the jail as well. I didn't do that because passing the ID to the right part of the code was a pain | 23:18:37 |
| artemist | We should also set a securelevel for the jail | 23:20:06 |
| jade_ | the reason i ask is that sometimes unix socket services (like nix) can give you root if you are root to the rest of the system | 23:20:06 |
| artemist | Oh, yeah, so you're asking how we would appear to peercred? | 23:20:39 |
| jade_ | yes | 23:21:27 |
| artemist | Seems like the easiest way to figure that out will be to try it, i'll do that | 23:25:36 |
| rhelmot | my guess is that software which isn't explicitly checking for "am I communicating with a jailed user" will think you are the real actual root | 23:27:25 |
| artemist | the main page for LOCAL_PEERCRED doesn't have jid, just "effective user id" | 23:27:51 |
| artemist | https://man.freebsd.org/cgi/man.cgi?query=unix&apropos=0&sektion=0&manpath=FreeBSD+13.1-RELEASE+and+Ports&arch=default&format=html | 23:27:51 |
| jade_ | of course the other interaction with this that might be hilarious is if freebsd has abstract domain unix sockets, which I think it does because they had to copy linux's bad features for the linux abi thing | 23:28:44 |
| artemist | FreeBSD has a linux compatibility layer so I wouldn't be surprised | 23:30:11 |
| artemist | like, it's sufficiently compatible to run commercial games and software | 23:30:52 |
| jade_ | https://lists.freebsd.org/archives/freebsd-hackers/2021-December/000636.html hm | 23:31:10 |
| jade_ | maybe they did not! | 23:31:13 |
| jade_ | at least it is good that they are proposing "having a security model" for this feature which is a walking CVE | 23:31:33 |
| artemist | ... who the hell thought this was a good idea | 23:32:58 |
