From: Alyssa Ross
To: Eric Wong
Cc: meta@public-inbox.org
Subject: Re: Test failures in build sandbox
In-Reply-To: <87bluyhguc.fsf@alyssa.is>
References: <20190915134819.1406-1-hi@alyssa.is>
 <20190915185519.GA4891@dcvr>
 <87zhiu4hxl.fsf@alyssa.is>
 <20190924040123.6jbtvpadnk6negox@whir>
 <87r245tkbz.fsf@alyssa.is>
 <20190926084431.ukv53sfskk7qvere@dcvr>
 <87bluyhguc.fsf@alyssa.is>
Date: Thu, 03 Oct 2019 00:46:31 +0000
Message-ID: <878sq2hd08.fsf@alyssa.is>

Alyssa Ross writes:

> After some rather extensive debugging, I've determined that most of
> these are to do with not being able to set the setgid bit. If I mask it
> off in git's adjust_shared_perm function, I get down to two failures. I
> don't know enough about filesystem permissions to know why this wouldn't
> be allowed inside the sandbox if it is allowed normally, though.

Aha! setuid and setgid permissions are disallowed in Nix builds using
seccomp[1].

So, I suppose it would be reasonable for us to either disable the test
suite, or try to disable just the tests that try to create setgid
things, unless you're open to adding a check for such a restriction and
skipping tests if so. More than reasonable not to, though -- seccomp is
a nightmare and next to impossible to reasonably support as upstream.

[1]: https://github.com/NixOS/nix/blob/5038e1bec43a71c97ae7f8be07218a8a2edbb6a1/src/libstore/build.cc#L2678
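
One way to write the check the message proposes, as an added example that is not part of the original message or of public-inbox's test suite: a POSIX shell probe that tries to set a setgid bit and reports dependent tests as TAP skips when the sandbox refuses. The function names, the CHMOD override and the sample test are assumptions made for illustration.

```sh
# Added example, not public-inbox code. CHMOD can be overridden so the
# refusal path can be exercised outside a sandbox.
: "${CHMOD:=chmod}"

# Print "ok" if a setgid bit can be set, "denied" otherwise.
# A regular file is probed because a new directory can inherit the bit
# from a setgid parent, which would hide a refused chmod.
setgid_probe() {
    probe_file=$(mktemp "${TMPDIR:-/tmp}/setgid-probe.XXXXXX") ||
        { echo denied; return 0; }
    # Also check the bit afterwards: success with the bit clear is no use.
    if "$CHMOD" g+s "$probe_file" 2>/dev/null && [ -g "$probe_file" ]; then
        probe_result=ok
    else
        probe_result=denied
    fi
    rm -f "$probe_file"
    echo "$probe_result"
}

# Usage: run_setgid_test NUMBER NAME COMMAND [ARGS...]
# Emits one TAP line; the test is skipped, not failed, when the probe
# says setgid bits are unavailable.
run_setgid_test() {
    tap_num=$1
    tap_name=$2
    shift 2
    if [ "$(setgid_probe)" = denied ]; then
        echo "ok $tap_num - $tap_name # SKIP setgid bit cannot be set here"
        return 0
    fi
    if "$@" >/dev/null 2>&1; then
        echo "ok $tap_num - $tap_name"
    else
        echo "not ok $tap_num - $tap_name"
        return 1
    fi
}

# Constructed stand-in for a test that creates a setgid directory.
needs_setgid_dir() {
    test_dir=$(mktemp -d "${TMPDIR:-/tmp}/setgid-test.XXXXXX") || return 1
    "$CHMOD" 2770 "$test_dir" && [ -g "$test_dir" ]
    test_rc=$?
    rm -rf "$test_dir"
    return "$test_rc"
}

run_setgid_test 1 "shared directory keeps setgid" needs_setgid_dir || true
```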