| 9 Jan 2022 |
Janne Heß | Relevant part of that module:
config = mkMerge [
  (mkIf (config.sandbox >= 2) {
    serviceConfig = mapAttrs (_: mkDefaulter) {
      # Filesystem stuff
      ProtectSystem = "strict"; # Prevent writing to most of /
      ProtectHome = true; # Prevent accessing /home and /root
      PrivateTmp = true; # Give an own directory under /tmp
      PrivateDevices = true; # Deny access to most of /dev
      ProtectKernelTunables = true; # Protect some parts of /sys
      ProtectControlGroups = true; # Remount cgroups read-only
      RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
      PrivateMounts = true; # Give an own mount namespace
      RemoveIPC = true;
      UMask = "0077";
      # Capabilities
      CapabilityBoundingSet = ""; # Allow no capabilities at all
      NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.
      # Kernel stuff
      ProtectKernelModules = true; # Prevent loading of kernel modules
      SystemCallArchitectures = "native"; # Usually no need to disable this
      ProtectKernelLogs = true; # Prevent access to kernel logs
      ProtectClock = true; # Prevent setting the RTC
      # Networking
      RestrictAddressFamilies = ""; # Example: "AF_UNIX AF_INET AF_INET6"
      PrivateNetwork = true; # Isolate the entire network
      # Misc
      LockPersonality = true; # Prevent change of the personality
      ProtectHostname = true; # Give an own UTS namespace
      RestrictRealtime = true; # Prevent switching to RT scheduling
      MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
      PrivateUsers = true; # If anything randomly breaks, it's mostly because of this
      RestrictNamespaces = true;
    };
  })
];
| 14:31:20 |
Janne Heß | The sandbox module is basically the opt-out approach to sandboxing that hifi was talking about | 14:32:55 |
piegames | Thank you, I'll have a look later | 17:38:17 |
piegames | In reply to @janne.hess:helsinki-systems.de The sandbox module is basically the opt-out approach to sandboxing that hifi was talking about This is funny, because I'm pretty certain that andi also built something like that. | 17:40:23 |
| 13 Jan 2022 |
piegames | Anybody in here wants to be added as a Codeowner for your preferred Matrix packages? https://github.com/NixOS/nixpkgs/pull/154074 | 22:39:51 |
| 14 Jan 2022 |
| Chuck Winter changed their display name from Rev. CornWallace III (novus ordo seclorum) to coilWinder. | 04:39:26 |
| Chuck Winter changed their display name from coilWinder to CoilWinder (novus ordo seclorum). | 04:41:39 |
philipp | piegames: Would you add me to the conduit stuff? | 10:04:24 |
| 15 Jan 2022 |
| JulianF joined the room. | 10:54:38 |
| 16 Jan 2022 |
| kraem set a profile picture. | 09:54:32 |
| 17 Jan 2022 |
Sumner Evans | https://github.com/NixOS/nixpkgs/pull/153279 would be great to get merged | 19:26:06 |
| 18 Jan 2022 |
Janne Heß | In reply to @sumner:nevarro.space https://github.com/NixOS/nixpkgs/pull/153279 would be great to get merged Did you test this? | 14:22:27 |
Janne Heß | I'm not using the desktop app, but the code looks legit. If you (or anyone else) tested it, I'll just hit the magic button | 14:22:50 |
Janne Heß | * I'm not using the desktop app, but the code in combination with the linked resources looks legit. If you (or anyone else) tested it, I'll just hit the magic button | 14:23:03 |
Sumner Evans | In reply to @janne.hess:helsinki-systems.de DId you test this? yes, added screenshot. Also using analogous fix in my home-manager config: https://github.com/sumnerevans/home-manager-config/blob/master/modules/communication.nix#L5 and that works fine | 14:27:32 |
Janne Heß | Thanks! | 14:28:21 |
Janne Heß | In reply to @sumner:nevarro.space yes, added screenshot. Also using analogous fix in my home-manager config: https://github.com/sumnerevans/home-manager-config/blob/master/modules/communication.nix#L5 and that works fine Looks like adding the backport label after merging doesn't do anything :( | 14:34:48 |
Sumner Evans | In reply to @janne.hess:helsinki-systems.de Looks like adding the backport label after merging doesn't do anything :( I'm pretty sure it's supposed to, maybe it's just slow? | 14:35:55 |
Sumner Evans | In reply to @sumner:nevarro.space I'm pretty sure it's supposed to, maybe it's just slow? there, it just did it https://github.com/NixOS/nixpkgs/pull/155480 | 14:40:03 |
Sumner Evans | Any chance I can get some eyes on this PR? https://github.com/NixOS/nixpkgs/pull/155398 | 14:46:30 |
Sumner Evans | Also, https://github.com/NixOS/nixpkgs/pull/155064 is ready | 14:51:35 |
Sumner Evans | Just updated that PR to 1.50.1 due to bugfix release | 17:34:14 |
| 19 Jan 2022 |
Dandellion | https://github.com/NixOS/nixpkgs/pull/155703 | 18:56:42 |
| 20 Jan 2022 |
| andi- left the room. | 00:14:32 |
| 21 Jan 2022 |
ma27 | would like to get some feedback on https://github.com/NixOS/nixpkgs/pull/156099 (especially the backport topic) | 21:42:19 |
| 24 Jan 2022 |
ma27 | Sumner Evans: are you updating synapse to https://github.com/matrix-org/synapse/releases/tag/v1.50.2 already? Otherwise I'd do it later :) | 14:53:36 |
Sumner Evans | In reply to @ma27:nicht-so.sexy Sumner Evans: are you updating synapse to https://github.com/matrix-org/synapse/releases/tag/v1.50.2 already? Otherwise I'd do it later :) I'll do that right now | 15:06:15 |
Sumner Evans | In reply to @sumner:nevarro.space I'll do that right now https://github.com/NixOS/nixpkgs/pull/156553 | 16:32:28 |
| 25 Jan 2022 |
Dandellion | In reply to @dandellion:dodsorf.as https://github.com/NixOS/nixpkgs/pull/155703 webclient is now being deprecated in 1.51, so might as well remove from the config now. | 14:19:51 |
Dandellion | (Note: it's being removed in 1.53, it's only marked as deprecated in 1.51) | 14:23:12 |