I’m a little bit confused to hear these two things in the same blog post:
- “Principle of simplicity”
My hope is that we can maybe get a seccomp based Haskell library for controlling capabilities, similar to e.g. sydbox. But I haven’t found anything definite, except some low-level bindings: https://hackage.haskell.org/package/hsseccomp
While I agree nix-build is not “simple” for me, I believe the “simplicity” we’re talking about is:
Tests should be written with the least number of required capabilities.
nix-build is just the author’s chosen tool for implementing the framework.
I will use nix as an example system that you can use to minimise the provided capabilities. You can use any such system.
As I read the post, I hear: Your tests should be written with the least number of required capabilities.
I do not hear: you should use nix-build to make your tests simple.
I read the post; that’s why I provided an alternative.
It can already be totally used to test your binaries. E.g. if you wanted to test that your binary doesn’t do network calls, you do:
```sh
syd -E LC_ALL=POSIX \
  --syd core/sandbox/read:deny \
  --syd core/sandbox/write:deny \
  --syd 'core/sandbox/network:deny' \
  --syd 'allowlist/read+/lib64/***' \
  --syd 'allowlist/write+/home/hasufell/.ghcup/***' \
  --syd 'allowlist/write+/tmp/***' \
  --syd 'core/violation/decision:killall' \
  -- ghcup --offline list
```
However, it would be nicer to have access to this functionality via a library, so you can:
- restrict your binary from doing unexpected things (e.g. you don’t trust the RTS or libraries)
- use this directly in your test suite
I wasn’t speaking to that as much as calling out the difference between a framework for implementation, and the focus of the “simplicity principle”.
I’m all for the pledge-style definition of capabilities, that’s great and I am not disagreeing with you.
Unrelated to the actual advice, I find it SO funny that this executable is called syd (because my name is Syd), and it’s about being extra annoying by reducing capabilities
I was a bit confused whether there was a connection!