Eugeni's blog

One blog to rule them all. Kinda.

Browsing the 2009 February archive

  • Running kde4 inside virtualbox feels like running doom1 on 386 with 2MB RAM. It works and looks nice, but it is slow as hell. #

Powered by Twitter Tools.

One of the most wanted features for the new MSEC in Mandriva 2009.1 was support for plugins. It is an interesting idea, as it allows MSEC to be converted from a tool with a fixed-and-controlled-by-msec-gods list of features into a utility that can be extended by anyone, adding their own functionality, or just implementing something specific to their organization, class, or environment.

Well, starting today, it is possible to do so :) . I just committed into cooker a new version of msec which supports plugins and fully integrates them with the other msec modules. I added a “sample” plugin (which will someday become the AppArmor plugin, but.. as AppArmor is still not working in cooker, I just added it to use as a proof-of-concept).

Plugins are automatically loaded by libmsec on startup, which checks all entries in the config.PLUGINS_DIR configuration variable (which defaults to /usr/share/msec/plugins). Each file there is parsed as a python script, the plugin name is determined, and the plugin class is initialized with the current msec settings (such as the logging backend, the chroot’ed configuration root and the list of modified system files). After that, the plugin’s entry is added into the config.SETTINGS array, which correlates msec variables (such as ENABLE_APPARMOR) with the corresponding callback function (libmsec.somefunction or, in our case, apparmor.enable_apparmor) and the list of valid parameters (in our case, yes and no).

After that, everything continues normally. Msec processes the configuration parameters as usual, until it gets to the ENABLE_APPARMOR parameter. At this point, it detects that this functionality is provided by the apparmor plugin and handled by its enable_apparmor function. So it simply calls this function, in exactly the same way as any other libmsec element.

To show how simple an msec plugin can be, the following is the complete code of the (not yet functional) AppArmor plugin:

#!/usr/bin/python
"""AppArmor plugin for msec """

# main plugin class name
PLUGIN = "apparmor"

# msec configuration
import config

class apparmor:
    def __init__(self, log=None, configfiles=None, root=None):
        """Initializes AppArmor plugin"""
        # initializing plugin with libmsec data
        self.log = log
        self.configfiles = configfiles
        self.root = root

        # configuring entry in global settings
        param = 'ENABLE_APPARMOR'
        callback = "%s.enable_apparmor" % PLUGIN
        valid_values = ['yes', 'no']
        config.SETTINGS[param] = (callback, valid_values)

        # insert entry into system security settings
        config.SETTINGS_SYSTEM.append(param)

    def enable_apparmor(self, params):
        """Enable AppArmor security framework on boot"""
        if self.log:
            #self.log.info("AppArmor plugin: not implemented yet!")
            pass

That’s it. Any python functionality can be added to the enable_apparmor function afterwards.
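How the loading and dispatch described above can work end to end, as an added example (not msec’s own code, and written for Python 3 rather than the Python 2 of the original): a stand-in config module, a loader that parses every file in PLUGINS_DIR and instantiates the class named by PLUGIN, and a dispatcher that validates a variable’s value against the plugin’s list and calls the registered callback. The sample plugin file is constructed here and mirrors the AppArmor plugin above; the libmsec.* callbacks of the core library are not modelled.

```python
import importlib.util, os, pathlib, sys, tempfile, types

# Stand-in for msec's "config" module; only the three names the post
# mentions are reproduced (an assumption about the real module).
config = types.ModuleType("config")
config.PLUGINS_DIR, config.SETTINGS, config.SETTINGS_SYSTEM = None, {}, []
sys.modules["config"] = config  # lets plugin files do "import config"

# Constructed plugin file, shaped like the AppArmor plugin in the post.
SAMPLE_PLUGIN = '''
import config
PLUGIN = "apparmor"
class apparmor:
    def __init__(self, log=None, configfiles=None, root=None):
        self.log, self.configfiles, self.root = log, configfiles, root
        config.SETTINGS["ENABLE_APPARMOR"] = ("%s.enable_apparmor" % PLUGIN, ["yes", "no"])
        config.SETTINGS_SYSTEM.append("ENABLE_APPARMOR")
    def enable_apparmor(self, params):
        return "apparmor=%s (root %s)" % (params, self.root)
'''

def load_plugins(log=None, configfiles=None, root="/"):
    """Parse every .py file in config.PLUGINS_DIR, read its PLUGIN name and instantiate
    the class of that name; the plugin's __init__ registers its variables in config.SETTINGS."""
    plugins = {}
    for fname in sorted(os.listdir(config.PLUGINS_DIR)):
        if not fname.endswith(".py"):
            continue
        spec = importlib.util.spec_from_file_location(fname[:-3], os.path.join(config.PLUGINS_DIR, fname))
        module = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(module)
        plugins[module.PLUGIN] = getattr(module, module.PLUGIN)(log=log, configfiles=configfiles, root=root)
    return plugins

def apply_setting(plugins, param, value):
    """Dispatch one msec variable to the callback registered for it, after checking
    the value against the plugin's list of valid values."""
    callback, valid_values = config.SETTINGS[param]
    if value not in valid_values:
        raise ValueError("%s: %r is not one of %s" % (param, value, valid_values))
    plugin_name, func_name = callback.split(".", 1)
    return getattr(plugins[plugin_name], func_name)(value)

def demo(value="yes"):
    # write the sample plugin into a temporary PLUGINS_DIR, load it, apply one setting
    with tempfile.TemporaryDirectory() as d:
        pathlib.Path(d, "apparmor.py").write_text(SAMPLE_PLUGIN)
        config.PLUGINS_DIR = d
        return apply_setting(load_plugins(root="/"), "ENABLE_APPARMOR", value)
```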

This is more of a proof-of-concept than a complete plugin, but the remaining pieces will be polished soon. Keep visiting here for news :) .

Combining this with the possibility of creating custom msec frontends (right now we have a command line frontend (msec) and a graphical one (msecgui)), the possibilities are endless. You could create a web frontend with just a few lines of python code (for example, using web.py or django), or add plugins which enforce settings for your organization (for example, configure all user home directories to start with a “user_” prefix, check periodically for changes to /usr/local/big_project/* files, synchronize ldap databases between offices, and so on).

  • for some reason the twitter/blog integration broke for good these days… :( #

  • 18:47 T-13 (and counting) until carnival! #

Automatically shipped by LoudTwitter

  • 09:46 @olavojunior, as for wanting one, I’ve wanted one for a long time; the problem is $$$. After riding in a Land Rover, my life was never the same :) hehehe. #
  • 18:59 Exactly 1 year ago I was in Salvador… and exactly 2 years ago I was in the USA. And today I’m working. hehehe. That’s life :) . #

  • 10:31 World of Goo is the end of one’s social life.. #
  • 10:43 Living with XFCE 4.6 alpha. Arch Linux version uses the same source as Mandriva, but it just works WAAY faster… #
  • 11:00 @Capitulino, @coxande, i686. I just installed default packages for both Mandriva and Arch. I’m looking into what’s wrong with it right now :) . #
  • 12:45 @fabiocpn, arch is one of the best I know. But it’s a rolling release, there are no fixed versions, everything is updated daily. #
  • 17:44 @Capitulino, in 1 month Iron is in SP! That one is lighter :) . #
  • 18:09 it takes a lot of patience.. (tinyurl.com/cxq3r8) #
  • 20:05 @mvkampen it’s f***ed up… the same thing happens at UFSCar, half the campus is practically PSTU headquarters.. #
  • 21:32 @olavojunior I tried doing an off-road trail (by accident :) ) with my megane this weekend. My god… how I wish I had a jeep :) . hehehe. #
  • 21:35 Some spam just arrived: "Earn your PhD easily". They can only be kidding!! Infuriating!!!! #

  • 08:41 @fabiocpn xulrunner is nothing, try compiling openoffice and see :) #
  • 12:22 Dear God.. please, please, PLEASE make all perl code in the world burst in flames and disappear from this universe forever. #
  • 21:03 the arch linux X update f***ed up my keyboard configuration once and for all now! #
  • 22:33 An email I received today literally f***ed up my carnival. #
  • 22:45 @Capitulino, I’m remote anyway.. Worst case, code written with alcohol in the blood comes out even prettier! Especially in perl :) #

  • 18:40 400+ emails to my mandriva address over the weekend… and we’re only halfway through Sunday… #
  • 23:48 Updated flickr with nice Ituverava photos. Powered by N95. And a bit of gimp+hugin :) . tinyurl.com/c32tvv #

  • 09:04 World of Goo native for Linux!! One more piece of software bought :) . #

  • 00:21 Rest in Peace PalmOS! I’ll turn on my Palm Zire 31 in your memoriam. And play DopeWars. hehe. tinyurl.com/ckxvba #
  • 00:24 @mvkampen now all that’s left is compiling openoffice for the motorola E8 and th #
  • 00:25 @mvkampen it’s all done (damn enter key cut the message in half!) :) #
  • 11:02 @Capitulino the waterfall model should have died in the 70s… #
  • 11:03 @olavojunior Death Magnetic is their best CD of the last decade-and-a-bit! :) #

  • 22:41 Just watched Transporter 3. Another great french movie. Well.. mostly :) . #
  • 23:58 2.6.28.5… yeeeet another update.. I miss 2.4… :) #
  • 00:00 The last computer game that really got me hooked was Baldur’s Gate. After it nothing came even close….. #

Many, MANY people wrote to me saying this movie is really bad. But deep down it’s not thaaat bad. It’s actually kind of fun.

The most important thing is to treat it as a comedy. At least the part about Ukraine. And especially the part that says there are honest politicians in Ukraine. hehehe. This becomes particularly funny because I don’t know any other country as chaotic and corrupt as Ukraine (except maybe Somalia).

But.. apart from the camera operator, and the screenwriter, and the lead “actress”.. the movie was great! Sure, it could be waaay better.. but even so, it’s still Frank Martin!

Ahhhh… and the improvised accent was pretty funny too. hehehe.

Updated WordPress to 2.7.1. It was the easiest thing – just click “upgrade automatically”. Fantastic!

AppArmor support in msec was one of the first issues I thought of for the new msec in Mandriva. However, until now it is in a semi-nonexistent state, due to two big problems:

  • I still don’t know if AppArmor will be supported by the time we release 2009.1. I mean, it should be, but.. the semi-official status of this project (albeit there are rumors that it could be included in 2.6.30), combined with the large number of custom patches required to make it work, makes it hard to maintain in the kernel.

  • AppArmor must be enabled as a kernel boot option (apparmor=1) in recent kernels. It is no longer supported as a module. So that sucks :) . Msec could locate the kernel-related lines in /boot/grub/menu.lst and in /etc/lilo.conf, and append (or remove) this parameter. But.. at least on my machine, I have more than 10 different kernels in these files (for Mandriva, Ubuntu and Arch Linux). So this would add (or remove) this parameter for all of them. And it doesn’t seem to be a good idea at all.

So for now, the ‘Enable AppArmor’ option in msec does nothing at all. Hopefully not for long, and only until I get a brilliant idea on how to fix it.

Another issue is PolicyKit support. Messing with it would require XML support in msec (or some cute little regexp scripts). And besides, I don’t know what exactly should be enabled/disabled there (a few ideas on this are outlined here).

In other news, my bugzilla assigned-bugs count right now is about 310 (as of today). Most of these bugs are related to drakx-net, which I am fixing kinda slowly (my opinion about perl is well described in the last post :) ). But in the next few weeks I hope to fix the most annoying ones, and finally push the big update to mandi+ifw+drakids+drakfirewall I have been working on for the last few weeks. This will transform these apps into a (mostly) feature-full IDS and firewall control system.

  • 08:39 new bed… the old one is being retired after 13 years of use. Since I came to Brazil. #

  • 10:28 temporarily carless.. #

  • 18:46 My car broke down again….. :( #

  • 00:35 After Forever is no more… :(tinyurl.com/czb82y #
  • 13:20 Reading about malware that started spreading via windshield fliers (@lennyzeltser via @sans_isc) bit.ly/fliers #
  • 15:14 One more legally purchased piece of software: Defcon. Lately I feel bad pirating things when there is a cheap native version… #
  • 19:23 Almost 12000 tracks scrobbled on last.fm! www.last.fm/user/eugeni_dodonov #

  • 10:51 trying to (correctly) put msec into Mandriva installer. #

I was thinking about it these days, and I guess now is a good time to add my blog to PlanetMandriva. I think this would be a good way to keep in touch with the community, and post some things that are too detailed (or maybe not-so-detailed) to be posted to the wiki or the cooker mailing list.

And, just to start, I’ll share what I was working on for the last few days.

For msec, I added support for localization (not only for the gui, but also for the command line app), and plugins. This was requested often, and it seems to be a good idea. In a few days, after I finish testing it all, I’ll write a quick guide on how this plugin system works, maybe with a small example plugin.

But right now msec looks (at least to me) really cool. It is almost completely modular now. There is a core library, which handles files, permissions, and core functions. There are several frontends to it: msec.py, which is the command line frontend to the main msec functionality, msecperms.py, which is responsible for everything permission-related, and msecgui.py, which is the graphical frontend to everything. Furthermore, it is really easy to add new frontends. If you want to write a web interface for msec, you could do that with less than 20 lines of code :) . And maybe I’ll do it at some point in the future; it may come in handy to control a remote server.

Besides the frontends, all msec functionality can be extended with plugins. For example, you could add your own security check which (just an example) would verify that all users with UID > 500 belong to a specific group, or whether there are any suspicious processes running, and so on. All of that could be controlled by the already existing frontends. And it would require just a bit of coding too.
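A plugin implementing the UID > 500 group check suggested above, as an added example (not msec’s own code; Python 3). The plugin name usergroups, the variable CHECK_USERS_GROUP, the group “users” and the passwd/group contents are assumptions constructed for the demonstration; the file layout follows the AppArmor plugin shown elsewhere on this page, and the check reads the files under the root that libmsec hands to plugins.

```python
import os, pathlib, tempfile

class config:  # stand-in for msec's config module (assumption: only these two names)
    SETTINGS = {}
    SETTINGS_SYSTEM = []
PLUGIN = "usergroups"
REQUIRED_GROUP = "users"  # group every UID > 500 account must belong to (chosen for this example)

class usergroups:
    """Hypothetical plugin: flag UID > 500 accounts that are not in REQUIRED_GROUP."""
    def __init__(self, log=None, configfiles=None, root=None):
        self.log, self.configfiles, self.root = log, configfiles, root or "/"
        config.SETTINGS["CHECK_USERS_GROUP"] = ("%s.check_users_group" % PLUGIN, ["yes", "no"])
        config.SETTINGS_SYSTEM.append("CHECK_USERS_GROUP")

    def _read(self, path):
        # resolve the file under the (possibly chroot'ed) root libmsec hands to plugins
        with open(os.path.join(self.root, path.lstrip("/"))) as f:
            return [l.rstrip("\n").split(":") for l in f if l.strip() and not l.startswith("#")]

    def check_users_group(self, params):
        """Return UID > 500 accounts with REQUIRED_GROUP neither as primary nor supplementary group."""
        if params != "yes":
            return []
        groups = {g[0]: (g[2], set(filter(None, g[3].split(",")))) for g in self._read("/etc/group")}
        gid, members = groups.get(REQUIRED_GROUP, (None, set()))
        offenders = [name for name, _, uid, pgid, *_ in self._read("/etc/passwd")
                     if int(uid) > 500 and pgid != gid and name not in members]
        if self.log:
            for name in offenders:
                self.log.info("user %s (UID > 500) is not in group %s" % (name, REQUIRED_GROUP))
        return offenders

# Constructed passwd/group contents for a throwaway demonstration root
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
eugeni:x:501:100:Eugeni:/home/eugeni:/bin/bash
bob:x:502:502:Bob:/home/bob:/bin/bash
alice:x:503:503:Alice:/home/alice:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:
users:x:100:alice
bob:x:502:
"""

def demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        for name, data in (("passwd", SAMPLE_PASSWD), ("group", SAMPLE_GROUP)):
            pathlib.Path(root, "etc", name).write_text(data)
        return usergroups(root=root).check_users_group("yes")
```

eugeni passes through the primary gid, alice through the supplementary member list, so only bob is reported.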

Besides msec, I was also struggling with mandi/ifw/drakids. More specifically, the way it handles white- and blacklists, and the overall dbus scheme. It took me much longer than expected to do what I wanted, but mostly because of the parts written in perl. And my opinion about perl is quite similar to Godsmack’s “I f**ing hate you” song :) . But everything worked out in the end, I am mostly finishing the details now.

Besides all of that, I also dug around in initscripts, drakfirewall, AppArmor, cups, sudo and shorewall. But nothing too exciting to talk about. And, apart from development, some security updates (the MDVSA ones) were also released by me in the last few days :) .

Well.. I guess that’s it for now. The first post is already long enough to get started. I have to leave something for next ones :) .

  • 21:56 Watching SAW 5. No matter what, I just cannot find Jigsaw (and H.. hmm.. better not reveal :) ) guilty. Eye for eye, and things like that.. #

  • 00:59 quite interesting read about code optimization: tinyurl.com/alyb8h #
  • 12:05 Another paper accepted! :) :) #
  • 20:11 what a drag.. it takes me longer to understand how perl works than to actually program! #
  • 20:12 I think I’ll do everything in python and write a python2perl.. it’ll be faster! and certainly more readable! Die die perl!! #

  • 15:57 hectic weekend.. 750km driven, 8 hours slept (in total), +/- 6 liters of beer drunk.. oh well. I want to do it again :) . #
  • 22:55 the phd thesis source hit 155th revision in the bzr… but it will end some day! I hope :) . #