07:31 <qyliss> will do! I'm going to write something today or tomorrow about what my initial steps will be.

09:56 <tazjin> TIL that crosvm (ChromeOS's container VM) uses 9P for file-sharing with the host

09:56 <tazjin> there's a bunch of interesting tooling here: https://chromium.googlesource.com/chromiumos/platform2/+/master/vm_tools

09:57 <tazjin> particularly sommelier (which does wayland / X11 forwarding to the host desktop environment): https://chromium.googlesource.com/chromiumos/platform2/+/master/vm_tools/sommelier/

09:57 <tazjin> and garcon (which provides desktop feature integration such as URL handlers): https://chromium.googlesource.com/chromiumos/platform2/+/master/vm_tools/garcon/

11:42 <hyperfekt> I've packaged crosvm already, there's a PR somewhere. virtfs would be awesome instead of disk images or network mounting.

12:04 <tazjin> for reference: https://github.com/NixOS/nixpkgs/pull/52352

12:04 <tazjin> hyperfekt: did you also poke any of the other tooling they have?

12:40 <hyperfekt> tazjin: I did not, most of it seems super ChromiumOS-specific and container-oriented.

12:42 <hyperfekt> But the ones you linked definitely seem very interesting.

12:54 <hyperfekt> After using Qubes, where I basically had one domain for private keys and one for all other because the friction is so insanely high I've been meaning for a while ot build a system that hooks the exec syscall to put every process into its own VM and connects open file descriptors to channels that tunnel between them. That'd even give you intra-application isolation.

13:12 <tazjin> hyperfekt: were you at camp btw? I didn't really manage to establish a decent face-to-face->name mapping for the people I spoke to

14:24 <qyliss> For people who weren’t, we talked about crosvm and virtfs, and I will switch focus to those.

14:24 <qyliss> hyperfekt: if you already have it packaged, that would be super helpful

15:02 <hyperfekt_> Currently at the lake, still haven't connected my phone to my bouncer.

15:03 <hyperfekt_> I wasn't at camp unfortunately, couldn't really afford it. I saw there was a session, is there a writeup somewhere?

15:06 <hyperfekt_> Yeah, as I said it's packaged. That PR works at least well enough that a Linux booted in a VM can complain about not having paravirtualized drivers.

16:03 <tazjin> hyperfekt: there were two sessions, though the second one (by far the more interesting one) wasn't written up :/

16:04 <tazjin> the first session was more focused on Qubes + Nix, notes from that are here: https://hackmd.shackspace.de/qubes-nixos

16:09 <tazjin> hyperfekt: I think one of the more interesting realisations from the second session was that additional package installations could be controlled from outside of a guest, i.e. if the user wants an additional package on a running guest they can indicate so in some tool on the host

16:09 <tazjin> this way Nix wouldn't be required inside of the guests and the design of Nix would work if additional store paths just "appeared" in whatever way the /nix/store is shared to the guest

16:13 <tazjin> ("more interesting" above is subjective, might've missed some stuff because I wasn't exactly sober)

19:04 <hyperfekt> So the intent is to emulate domains like in Qubes instead of application isolation à la SELinux/AppArmor?

20:02 <tazjin> I'm just a spectrum-spectator and can't speak for qyliss, but to me that makes sense. Domains with (a lot) less friction