- Running KDE4 inside VirtualBox feels like running Doom 1 on a 386 with 2MB RAM. It works and looks nice, but it is slow as hell.
Powered by Twitter Tools.
One of the most wanted features for the new MSEC in Mandriva 2009.1 was support for plugins. It is an interesting idea, as it turns MSEC from a tool with a fixed list of features controlled by the msec gods into a utility that anyone can extend, adding their own functionality or just implementing something specific to their organization, class or environment.
Well, starting today, it is possible to do so. I just committed a new version of msec to cooker which supports plugins and fully integrates them with the other msec modules. I added a "sample" plugin (which will someday become the AppArmor plugin, but since AppArmor is still not working in cooker, for now it serves only as a proof of concept).
Plugins are loaded automatically by libmsec on startup, which scans the directory named by the config.PLUGINS_DIR configuration variable (defaults to /usr/share/msec/plugins). Each file there is parsed as a Python script, the plugin name is determined from its PLUGIN variable, and a class of that name is initialized with the current msec settings (the logging backend, the chroot'ed configuration and the list of modified system files). The plugin then registers itself in the config.SETTINGS dictionary, which maps each msec variable (such as ENABLE_APPARMOR) to its callback (libmsec.somefunction or, in our case, apparmor.enable_apparmor) and the list of valid values (in our case, yes and no). Note that this means every file in that directory is executed with msec's own (root) privileges, so the directory must stay writable by root only.
After that, everything continues as normal. Msec processes the configuration parameters as usual until it reaches ENABLE_APPARMOR. At this point it sees that this setting is provided by the apparmor plugin and handled by its enable_apparmor function, so it simply calls that function, in exactly the same way as any other libmsec handler.
To show how simple a msec plugin can be, the following is the complete code of the (not yet functional) AppArmor plugin:

```python
#!/usr/bin/python
"""AppArmor plugin for msec """

# main plugin class name
PLUGIN = "apparmor"

# msec configuration
import config


class apparmor:
    def __init__(self, log=None, configfiles=None, root=None):
        """Initializes AppArmor plugin"""
        # initializing plugin with libmsec data
        self.log = log
        self.configfiles = configfiles
        self.root = root
        # configuring entry in global settings
        param = 'ENABLE_APPARMOR'
        callback = "%s.enable_apparmor" % PLUGIN
        valid_values = ['yes', 'no']
        config.SETTINGS[param] = (callback, valid_values)
        # insert entry into system security settings
        config.SETTINGS_SYSTEM.append(param)

    def enable_apparmor(self, params):
        """Enable AppArmor security framework on boot"""
        # placeholder: the real work is not implemented yet
        if self.log:
            #self.log.info("AppArmor plugin: not implemented yet!")
            pass
```
That's it. Any Python functionality can be added to the enable_apparmor function afterwards.
This is more of a proof of concept than a complete plugin, but the remaining pieces will be polished soon. Keep visiting here for news.
Combining this with the possibility of creating custom msec frontends (right now we have a command line frontend, msec, and a graphical one, msecgui), the possibilities are endless. You could create a web frontend with just a few lines of Python (for example, using web.py or Django), or add plugins that enforce settings for your organization (for example, require all user home directories to start with a "user_" prefix, check periodically for changes to /usr/local/big_project/* files, synchronize LDAP databases between offices, and so on).
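To make the load-then-dispatch flow described above concrete, here is a toy loader and dispatcher in the same shape: it executes every file in a plugins directory as Python, reads its PLUGIN name, instantiates the class of that name with the libmsec context, and then resolves "owner.function" callback strings from config.SETTINGS when a setting is applied. This is an added illustration, not libmsec's own code: the stand-in `config` module, the FakeLibmsec class, the ENABLE_SUDO built-in and the world-writable file check are all assumptions of this example, and the sample plugin is constructed to mirror the one shown above.

```python
#!/usr/bin/python3
"""Toy re-creation of the msec plugin load/dispatch mechanism (added example,
not libmsec code; the real loader and config module internals are assumed)."""
import os
import stat
import sys
import tempfile
import types

# Stand-in for msec's `config` module, registered so that a plugin's own
# `import config` finds the same SETTINGS dict the dispatcher reads.
# ENABLE_SUDO is a hypothetical built-in setting handled by libmsec itself.
config = types.ModuleType("config")
config.PLUGINS_DIR = "/usr/share/msec/plugins"
config.SETTINGS = {"ENABLE_SUDO": ("libmsec.enable_sudo", ["yes", "no"])}
config.SETTINGS_SYSTEM = ["ENABLE_SUDO"]
sys.modules["config"] = config

# Constructed sample plugin, same shape as the apparmor plugin in the post.
SAMPLE_PLUGIN = '''\
"""constructed sample plugin"""
PLUGIN = "apparmor"
import config

class apparmor:
    def __init__(self, log=None, configfiles=None, root=None):
        self.log, self.configfiles, self.root = log, configfiles, root
        param = "ENABLE_APPARMOR"
        config.SETTINGS[param] = ("%s.enable_apparmor" % PLUGIN, ["yes", "no"])
        config.SETTINGS_SYSTEM.append(param)

    def enable_apparmor(self, params):
        return "apparmor:%s" % params
'''


def load_plugins(plugins_dir, log=None, configfiles=None, root=None):
    """Mimic libmsec startup: every *.py in plugins_dir is executed as Python,
    its PLUGIN name is read, and the class of that name is instantiated with
    the libmsec context. Returns {plugin name: instance}."""
    plugins = {}
    for fname in sorted(os.listdir(plugins_dir)):
        if not fname.endswith(".py"):
            continue
        path = os.path.join(plugins_dir, fname)
        # Plugins run with msec's (root) privileges, so a world-writable plugin
        # file is a root code-execution path. Added check, not in the post.
        if os.stat(path).st_mode & stat.S_IWOTH:
            raise PermissionError("%s is world-writable, refusing to load" % path)
        namespace = {}
        with open(path) as f:
            exec(compile(f.read(), path, "exec"), namespace)
        name = namespace.get("PLUGIN")
        if not name or name not in namespace:
            raise ValueError("%s does not define PLUGIN and a matching class" % path)
        plugins[name] = namespace[name](log=log, configfiles=configfiles, root=root)
    return plugins


def resolve_callback(callback, plugins, libmsec):
    """'libmsec.func' -> method on the libmsec object; 'apparmor.func' ->
    method on the plugin instance registered under the name 'apparmor'."""
    owner, _, func = callback.partition(".")
    target = libmsec if owner == "libmsec" else plugins.get(owner)
    if target is None:
        raise KeyError("callback %r refers to an unloaded plugin" % callback)
    return getattr(target, func)


def apply_settings(requested, plugins, libmsec):
    """Process configuration parameters the way the post describes: look each
    one up in config.SETTINGS, validate the value, then call the callback."""
    results = {}
    for param, value in requested.items():
        if param not in config.SETTINGS:
            raise KeyError("unknown msec parameter %r" % param)
        callback, valid_values = config.SETTINGS[param]
        if value not in valid_values:
            raise ValueError("%s: %r is not one of %s" % (param, value, valid_values))
        results[param] = resolve_callback(callback, plugins, libmsec)(value)
    return results


class FakeLibmsec:
    """Stand-in for libmsec's own handlers (hypothetical)."""
    def enable_sudo(self, params):
        return "sudo:%s" % params


def demo():
    """Write the sample plugin into a temporary PLUGINS_DIR, load it, and
    apply one built-in and one plugin-provided setting."""
    config.PLUGINS_DIR = tempfile.mkdtemp()
    path = os.path.join(config.PLUGINS_DIR, "apparmor.py")
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o644), "w") as f:
        f.write(SAMPLE_PLUGIN)
    plugins = load_plugins(config.PLUGINS_DIR, log=None, configfiles=[], root="")
    return apply_settings({"ENABLE_SUDO": "yes", "ENABLE_APPARMOR": "no"},
                          plugins, FakeLibmsec())


if __name__ == "__main__":
    print(demo())
```

Running it prints the two callback results, showing that the plugin-provided setting is dispatched through exactly the same table lookup as the built-in one. The world-writable check is the practical caveat of a directory-scanning loader: whoever can write into PLUGINS_DIR runs code as root the next time msec starts.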
Automatically shipped by LoudTwitter
Many, MANY people wrote to tell me this film is really bad. But deep down it is not thaaat bad. It is actually kind of fun.
The most important thing is to watch it as a comedy. At least the part about Ukraine. And especially the part that says there are honest politicians in Ukraine. hehehe. That becomes particularly funny because I don't know any other country as messed up and corrupt as Ukraine (except maybe Somalia).
But... apart from the camera operator, and the screenwriter, and the lead "actress"... the film was great! Sure, it could have been waaay better... but even so, it's still Frank Martin!
Ahhhh... and the improvised accent was pretty funny too. hehehe.
I updated WordPress to 2.7.1. It was the easiest thing ever: just click "upgrade automatically". Fantastic!
AppArmor support in msec was one of the first things I thought of for the new msec in Mandriva. However, until now it is in a semi-nonexistent state, due to two big problems:
I still don't know whether AppArmor will be supported by the time we release 2009.1. It should be, but the semi-official status of the project (although there are rumors that it could be included in 2.6.30), combined with the large number of custom patches required to make it work, makes it hard to maintain in the kernel.
AppArmor must be enabled with a kernel boot option (apparmor=1) in recent kernels; it is no longer available as a module. So that sucks. Msec could locate the kernel lines in /boot/grub/menu.lst and /etc/lilo.conf and append (or remove) this parameter. But, at least on my machine, I have more than 10 different kernels in these files (for Mandriva, Ubuntu and Arch Linux), so this would add (or remove) the parameter on all of them, which does not seem like a good idea at all.
So for now, the 'Enable AppArmor' option in msec does nothing at all. Hopefully not for long, and only until I get a brilliant idea on how to fix it.
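One way to avoid the all-or-nothing edit of menu.lst described above is to restrict the change to the boot entries whose title matches a filter, and to make the edit idempotent so that enabling twice does not append the parameter twice. The following is an added example, not msec code and not the author's solution: the GRUB legacy menu.lst below is constructed (titles, UUIDs and kernel paths are made up, with "linux" standing in for the default Mandriva entry), and /etc/lilo.conf, whose per-image `append=` line uses a different syntax, is not handled.

```python
#!/usr/bin/python3
"""Add or remove a kernel boot parameter (e.g. apparmor=1) in a GRUB legacy
menu.lst for selected entries only. Added illustration, not msec code."""
import re

# Constructed sample menu.lst with kernels from three distributions.
SAMPLE_MENU_LST = """\
timeout 10
default 0

title linux
kernel (hd0,0)/boot/vmlinuz BOOT_IMAGE=linux root=UUID=1111 resume=/dev/sda2 splash=silent vga=788
initrd (hd0,0)/boot/initrd.img

title Ubuntu 8.10, kernel 2.6.27-11-generic
root (hd0,5)
kernel /boot/vmlinuz-2.6.27-11-generic root=UUID=2222 ro quiet splash
initrd /boot/initrd.img-2.6.27-11-generic

title Arch Linux
root (hd0,6)
kernel /boot/vmlinuz26 root=/dev/sda7 ro
initrd /boot/kernel26.img
"""

# group 1: "kernel <image path>", group 2: the boot arguments that follow
KERNEL_LINE = re.compile(r"^(\s*kernel\s+\S+)(.*)$")


def _split_entries(text):
    """Return [(title, [lines])] for each 'title' stanza; the preamble
    before the first title is returned with title None."""
    entries = [(None, [])]
    for line in text.splitlines():
        if line.startswith("title"):
            entries.append((line[len("title"):].strip(), []))
        entries[-1][1].append(line)
    return entries


def kernel_args(text):
    """Map each entry title to the list of arguments on its kernel line."""
    found = {}
    for title, lines in _split_entries(text):
        for line in lines:
            m = KERNEL_LINE.match(line)
            if title is not None and m:
                found[title] = m.group(2).split()
    return found


def set_kernel_param(text, param, enable, title_filter):
    """Return menu.lst text with `param` added to (enable=True) or removed
    from (enable=False) the kernel line of every entry whose title satisfies
    title_filter. Other entries and all non-kernel lines are left untouched.
    Idempotent: enabling an already-present parameter changes nothing."""
    out = []
    for title, lines in _split_entries(text):
        selected = title is not None and title_filter(title)
        for line in lines:
            m = KERNEL_LINE.match(line)
            if selected and m:
                head, rest = m.group(1), m.group(2)
                args = [a for a in rest.split() if a != param]
                if enable:
                    args.append(param)
                line = head + "".join(" " + a for a in args)
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # only the Mandriva entry (titled "linux" in this constructed file)
    print(set_kernel_param(SAMPLE_MENU_LST, "apparmor=1", True,
                           lambda title: title == "linux"))
```

In practice msec would read the real file, write the result to a temporary file and rename it into place, and the filter would be chosen from the kernel image path the package installed rather than from a hard-coded title; that selection step is exactly the piece the post says is still missing.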
Another issue is PolicyKit support. Messing with it would require XML support in msec (or some cute little regexp scripts). And besides, I don't know exactly what should be enabled/disabled there (a few ideas on this are outlined here).
In other news, my count of assigned Bugzilla bugs is now about 310 (as of today). Most of these are drakx-net bugs, which I am fixing kind of slowly (my opinion about Perl is well described in the last post). But in the next few weeks I hope to fix the most annoying ones and finally push the big update to mandi+ifw+drakids+drakfirewall that I have been working on for the last few weeks. This will turn these apps into a (mostly) feature-complete IDS and firewall control system.