| 1 Apr 2025 |
 jade_ | (we might want to survey github for other usages tho) | 20:37:51 |
| jade_ | nixbase32 to SRI, but honestly we should just fix npins instead | 20:45:41 |
| jade_ | horrifying realization: builtins.getEnv works on NIX_CONFIG | 21:26:21 |
| jade_ | I hope nobody is doing that | 21:26:31 |
 Winter | In reply to @lily:lily.flowers
(prior art: https://gerrit.lix.systems/c/lix/+/2248) oh! | 21:31:03 |
 rhelmot | can any core devs suggest what sort of testing might be appropriate for marking https://gerrit.lix.systems/c/lix/+/1663 and https://gerrit.lix.systems/c/lix/+/2863 as ready for review? | 21:42:31 |
| jade_ | hm. does freebsd support nested jails/does freebsd let you do jails unprivileged? | 23:11:04 |
| rhelmot | nested jails are a thing, I think you have to be root in the jail to do a child jail though | 23:11:55 |
| jade_ | hm | 23:12:36 |
| jade_ | then i would suggest figuring out how you can actually structure testing nested builds, if it is even possible.
or figuring out some way to have tests that are root in a jail or ... idk | 23:13:15 |
| jade_ | having just one of those tests would help a lot with confidence in the feature; though i will also say that my view of freebsd is that y'all maintain it and we don't look too hard at it. | 23:14:08 |
| rhelmot | that sounds fun | 23:14:57 |
| rhelmot | ok, will look into it | 23:15:04 |
| jade_ | (and i am as much speaking from the perspective of wanting to make your life maintaining it easier as anything! the first test in a new methodology is always really hard to write, and then it gets easier from there) | 23:15:40 |
| jade_ | if you wind up having to use a VM test or nixos test style thing or something, it would be unfortunate, but it could be done, I think? | 23:16:07 |
| rhelmot | yeah, agreed. ideally, the standard nested build tests shouuuuuuld Just Work since you have to run nix-daemon as root anyway, right? | 23:16:24 |
| jade_ | but the nested builds tests aren't run as root inside the sandbox right? | 23:16:41 |
| rhelmot | hm | 23:17:03 |
| rhelmot | what are the security implications of letting you set a flag to be root inside the sandbox? | 23:17:16 |
| jade_ | that's a great question lmfao | 23:17:27 |
| jade_ | who do you appear as to the outer system? | 23:17:47 |
| rhelmot | users in freebsd are a tuple (uid, jid) iirc | 23:18:01 |
 artemist | I think my devfs rules patch is by devfs mount, so I have to set a devfs ID for the jail as well. I didn't do that because passing the ID to the right part of the code was a pain | 23:18:37 |
| artemist | We should also set a securelevel for the jail | 23:20:06 |
| jade_ | the reason i ask is that sometimes unix socket services (like nix) can give you root if you are root to the rest of the system | 23:20:06 |
| artemist | Oh, yeah, so you're asking how we would appear to peercred? | 23:20:39 |
| jade_ | yes | 23:21:27 |
| artemist | Seems like the easiest way to figure that out will be to try it, i'll do that | 23:25:36 |
| rhelmot | my guess is that software which isn't explicitly checking for "am I communicating with a jailed user" will think you are the real actual root | 23:27:25 |
| artemist | the main page for LOCAL_PEERCRED doesn't have jid, just "effective user id" | 23:27:51 |
