<Foxboron> gchristensen: that is a very nice list honestly
erictape1 has joined #nixos-security
erictapen has quit [Ping timeout: 240 seconds]
<andi-> very nice list, yet another time I am reminded of our lack of apparmor/selinux/… profiles :/
<gchristensen> :)
<gchristensen> we will always be imperfect it is the state of the world
{^_^} has quit [Remote host closed the connection]
{^_^} has joined #nixos-security
pie___ has joined #nixos-security
pie__ has quit [Ping timeout: 240 seconds]
MichaelRaskin has joined #nixos-security
erictape1 has quit [Ping timeout: 240 seconds]
erictapen has joined #nixos-security
ckauhaus has joined #nixos-security
<ckauhaus> vulnix-1.8.0 is out
<ckauhaus> contains a few bug fixes and builds on master
<ckauhaus> preparing a PR to update vulnix on master
<pie___> \o/
<andi-> in case someone wants to read a nice recap of the runc/proc/self/exe issue. LWN published an article on it:
ekleog has quit [Quit: back soon]
ekleog has joined #nixos-security
<ckauhaus> is there anything we can do to mitigate this problem on behalf of NixOS?
<andi-> there is no problem for us since the binary is read-only
<andi-> I have a PoC (Actually two versions) here that closely follows either of the linked approaches and fails to exploit the issue on my NixOS machines.
<ckauhaus> :-)
<andi-> i believe graham also did some testing and came to the same conclusion.
<pie____> are containers basically theoretically worse microkernels
<pie____> *containers
<MichaelRaskin> Just no
<MichaelRaskin> FUSE/CUSE seems somewhat closer to microkernelisation
<ckauhaus> MichaelRaskin: thanks for merging btw
erictapen has quit [Ping timeout: 246 seconds]
erictapen has joined #nixos-security
erictapen has quit [Ping timeout: 240 seconds]
<ckauhaus> Quite a bit of stuff this time - I've started to include 19.03
ckauhaus has quit [Quit: WeeChat 2.2]
erictapen has joined #nixos-security