1 Apr 2025 |
jade_ | I DON'T KNOW BUT I DO KNOW HOW MANY CVES THIS FUCKIN THING HAS CAUSED | 23:33:11 |
jade_ | did you know they are isolated by network namespace on linux??? infinite CVEs in container runtimes... | 23:33:30 |
artemist | if you're forced to have them then network namespace feels like the least bad place to isolate them, but oh god | 23:34:05 |
jade_ | no it's not | 23:34:13 |
artemist | oh, mount namespace? | 23:34:35 |
jade_ | host netns allowing containers to send each other fds is how you get CVE-2024-27297 | 23:34:45 |
jade_ | among also docker ones | 23:34:51 |
artemist | network namespace is where i would expect them to go | 23:35:03 |
jade_ | CVE-2020-15257 lol | 23:35:14 |
jade_ | but unix sockets exist as a fd passing primitive and secondarily as a network feature, in my view :) | 23:35:42 |
jade_ | the fact that you have to shove containers into a netns with NAT if you don't want them sending each other fds is a hilarious linux moment | 23:36:14 |
artemist | Yeah, that's not the worst interpretation. It makes me think of how systemd is a database for file descriptors | 23:36:49 |
artemist | sending file descriptors between mount namespaces at all feels sus | 23:37:15 |
jade_ | it combines somewhat poorly with the userspace nat implementations being all kind of annoying. pasta, slirp4netns, etc | 23:37:17 |
jade_ | it's ... well. i can see the use case for it in container setup, but it is pretty sketchy | 23:37:42 |
jade_ | (and i think that it really should only be allowed on inherited fds) | 23:38:06 |
artemist | I wonder how much would break if I patched linux to disallow abstract sockets | 23:39:28 |
jade_ | they can be disabled via apparmor and other LSMs | 23:40:22 |
artemist | sounds boring, i should just use a bpf lsm | 23:40:59 |
rhelmot | it sounds like the basic consideration is that root-in-jail is the basic ingredient for privesc, though it can be mitigated away. might be something we want to enable with an option only exposed to trusted users | 23:44:32 |
artemist | Yeah, that's probably a reasonable explanation. There's a lot of weird edge cases to deal with if you have untrusted root | 23:46:33 |
jade_ | yeah, linux has had infinite kernel bugs because userns root is kind of a security model break, but it's too useful to get rid of | 23:47:03 |
rhelmot | u_u | 23:47:24 |
rhelmot | what a world | 23:47:27 |
KFears (burning out) | It's almost like Linux has never had a good security model... | 23:51:07 |
jade_ | more congealed than designed | 23:51:32 |
KFears (burning out) | Pretty much, yeah | 23:51:57 |
2 Apr 2025 |
KFears (burning out) | Does anyone use (or wants to use) Forgejo milestones and Projects for like tracking stuff and visibility? | 00:17:16 |
just1602 | In reply to @kfears:matrix.org Does anyone use (or wants to use) Forgejo milestones and Projects for like tracking stuff and visibility? They're already used from what I understand! If you check the milestone to remove regex and other stuff like that | 00:18:43 |
KFears (burning out) | Yeah, there is some stuff, particularly in Projects, but milestones seem quite unused, and Projects are very basic "TODO/Done" | 00:19:48 |