qyliss changed the topic of #spectrum to: A compartmentalized operating system | https://spectrum-os.org/ | Logs: https://logs.nix.samueldr.com/spectrum/
<qyliss> will do! I'm going to write something today or tomorrow about what my initial steps will be.
tazjin has joined #spectrum
pie_ has quit [Ping timeout: 264 seconds]
<tazjin> TIL that crosvm (ChromeOS's container VM) uses 9P for file-sharing with the host
<tazjin> there's a bunch of interesting tooling here: https://chromium.googlesource.com/chromiumos/platform2/+/master/vm_tools
<tazjin> particularly sommelier (which does wayland / X11 forwarding to the host desktop environment): https://chromium.googlesource.com/chromiumos/platform2/+/master/vm_tools/sommelier/
<tazjin> and garcon (which provides desktop feature integration such as URL handlers): https://chromium.googlesource.com/chromiumos/platform2/+/master/vm_tools/garcon/
<hyperfekt> I've packaged crosvm already, there's a PR somewhere. virtfs would be awesome instead of disk images or network mounting.
<tazjin> hyperfekt: did you also poke any of the other tooling they have?
<hyperfekt> tazjin: I did not, most of it seems super ChromiumOS-specific and container-oriented.
<hyperfekt> But the ones you linked definitely seem very interesting.
<hyperfekt> After using Qubes, where I basically had one domain for private keys and one for all other because the friction is so insanely high, I've been meaning for a while to build a system that hooks the exec syscall to put every process into its own VM and connects open file descriptors to channels that tunnel between them. That'd even give you intra-application isolation.
<tazjin> hyperfekt: were you at camp btw? I didn't really manage to establish a decent face-to-face->name mapping for the people I spoke to
<qyliss> For people who weren’t, we talked about crosvm and virtfs, and I will switch focus to those.
<qyliss> hyperfekt: if you already have it packaged, that would be super helpful
hyperfekt_ has joined #spectrum
<hyperfekt_> Currently at the lake, still haven't connected my phone to my bouncer.
<hyperfekt_> I wasn't at camp unfortunately, couldn't really afford it. I saw there was a session, is there a writeup somewhere?
<hyperfekt_> Yeah, as I said it's packaged. That PR works at least well enough that a Linux booted in a VM can complain about not having paravirtualized drivers.
hyperfekt_ has quit [Remote host closed the connection]
<tazjin> hyperfekt: there were two sessions, though the second one (by far the more interesting one) wasn't written up :/
<tazjin> the first session was more focused on Qubes + Nix, notes from that are here: https://hackmd.shackspace.de/qubes-nixos
<tazjin> hyperfekt: I think one of the more interesting realisations from the second session was that additional package installations could be controlled from outside of a guest, i.e. if the user wants an additional package on a running guest they can indicate so in some tool on the host
<tazjin> this way Nix wouldn't be required inside of the guests and the design of Nix would work if additional store paths just "appeared" in whatever way the /nix/store is shared to the guest
<tazjin> ("more interesting" above is subjective, might've missed some stuff because I wasn't exactly sober)
multi has joined #spectrum
<hyperfekt> So the intent is to emulate domains like in Qubes instead of application isolation à la SELinux/AppArmor?
<tazjin> I'm just a spectrum-spectator and can't speak for qyliss, but to me that makes sense. Domains with (a lot) less friction
ddima has joined #spectrum
pie_ has joined #spectrum