00:11
supersandro2000 has quit [Disconnected by services]
00:11
supersandro2000 has joined #nixos-security
00:25
kalbasit has quit [Ping timeout: 264 seconds]
00:35
rajivr has joined #nixos-security
00:59
kalbasit has joined #nixos-security
01:15
tilpner has quit [Remote host closed the connection]
01:28
tilpner has joined #nixos-security
01:33
kalbasit has quit [Ping timeout: 240 seconds]
01:52
kalbasit has joined #nixos-security
01:54
tilpner_ has joined #nixos-security
01:57
tilpner has quit [Ping timeout: 272 seconds]
01:57
tilpner_ is now known as tilpner
02:29
kalbasit has quit [Ping timeout: 246 seconds]
02:38
kalbasit has joined #nixos-security
03:36
stigo has quit [Remote host closed the connection]
03:41
stigo has joined #nixos-security
03:48
andi- has quit [Remote host closed the connection]
03:52
andi- has joined #nixos-security
04:00
stigo has quit [Remote host closed the connection]
04:01
blueberrypie has joined #nixos-security
04:05
red_ is now known as __red__
04:07
stigo has joined #nixos-security
04:46
zarel has quit [Ping timeout: 256 seconds]
04:52
maljub01 has quit [Quit: maljub01]
04:56
maljub01 has joined #nixos-security
05:11
zarel has joined #nixos-security
07:10
cole-h has quit [Quit: Goodbye]
08:35
MichaelRaskin has joined #nixos-security
10:29
MichaelRaskin has quit [Ping timeout: 256 seconds]
11:05
tilpner has quit [Remote host closed the connection]
11:05
tilpner has joined #nixos-security
11:06
kalbasit has quit [Ping timeout: 260 seconds]
11:09
kalbasit has joined #nixos-security
13:01
ehmry has quit [Read error: Connection reset by peer]
13:08
justanotheruser has quit [Ping timeout: 272 seconds]
13:14
ehmry has joined #nixos-security
13:20
xavier__ has joined #nixos-security
13:21
xavier__ has quit [Client Quit]
13:37
MichaelRaskin has joined #nixos-security
14:31
justanotheruser has joined #nixos-security
14:44
elvishjerricco has quit [Ping timeout: 260 seconds]
14:45
globin_ has quit [Quit: o/]
14:45
globin has joined #nixos-security
14:45
ckauhaus has joined #nixos-security
14:45
globin has joined #nixos-security
14:45
globin has quit [Changing host]
14:46
elvishjerricco has joined #nixos-security
16:29
<andi-> anyone working on dovecot patches yet?
16:32
<andi-> In any case I've started working on that
16:41
<andi-> #108404 & #108405
17:49
rajivr has quit [Quit: Connection closed for inactivity]
19:35
cole-h has joined #nixos-security
20:20
<bbigras> Is it recommended trying to use systemd's sandboxing for all our services? or maybe use apparmor?
20:39
<andi-> I'd say sandbox services with systemd.
20:39
<andi-> Apparmor on nixos is exactly a great story.
20:39
<andi-> Not sure if anyone is actually writing those files. Especially since they are not part of the service definition makes them potentially less maintained.
20:42
<bbigras> but maybe sometimes upstream will provide a "hardened" systemd .service file.
20:42
<andi-> I actually believe that upstream units are worse most of the time.
20:42
<andi-> There are probably good examples but often they just "work" and that is good enough for upstream.
20:43
<andi-> e.g. unbound upstream provides untested .socket files and the .service units are just not really idiomatic on how you would write them..
20:45
<lukegb> Also sometimes upstream is actively against sandboxing in their service units *cough*
20:47
<lukegb> In some cases it's fair: they invoke arbitrary other programs and they don't know what they'll do
20:47
<lukegb> So they're reluctant to accidentally break them (e.g. you've written some mail filter that spins up a VM that...)
20:48
<andi-> if you start a VM to filter mails you are not sane.
20:48
<andi-> like as part of another software.. :D
20:48
<andi-> spawn the VM first before touching the mail!
21:13
ckauhaus has quit [Quit: WeeChat 2.7.1]
23:23
kalbasit has quit [Ping timeout: 240 seconds]