Eugeni's blog

One of most wanted features for new MSEC in Mandriva 2009.1 was the support for plugins. It is an interesting idea, as it allows to convert MSEC from a tool with fixed-and-controlled-by-msec-gods list of features into a utility that can be extended by anyone, adding their own functionality, or just implementing something specific to their organization, class, or environment.

Well, starting today, it is possible to do so . I just committed into cooker a new version of msec which supports plugins, and fully integrates them with other msec modules. I added a “sample” plugin (which will someday become the AppArmor plugin, but.. as it is still not working in cooker, I just added it to use as a proof-of-concept).

Plugins are automatically loaded by libmsec on startup, checking for all entries in config.PLUGINS_DIR configuration variable (which defaults to /usr/share/msec/plugins). For each file there, it is parsed as a python script, the plugin name is determined, and a plugin class is initialized with current msec settings (such as logging backend, chroot’ed configuration and list of modified system files). After that, the plugin is automatically added into the config.SETTINGS array, which correlates msec variables (such as ENABLE_APPARMOR) with corresponding callback function (libmsec.somefunction or, in our case, apparmor.enable_apparmor) and list of valid parameters (in our case, yes and no).

After that, everything continues normally. Msec processes the configuration parameters as usual, until it gets to the ENABLE_APPARMOR parameter. At this point, it detects that this functionality is provided by the apparmor plugin, and it is handled by enable_apparmor function. So it simply calls this function, in exactly the same way as any other libmsec element.

To show how simple a msec plugin can be, the following is the complete code of (not yet functional) AppArmor plugin:

#!/usr/bin/python
"""AppArmor plugin for msec """

# main plugin class name
PLUGIN = "apparmor"

# msec configuration
import config

class apparmor:
    def __init__(self, log=None, configfiles=None, root=None):
        """Initializes AppArmor plugin"""
        # initializing plugin with libmsec data
        self.log = log
        self.configfiles = configfiles
        self.root = root

        # configuring entry in global settings
        param = 'ENABLE_APPARMOR'
        callback = "%s.enable_apparmor" % PLUGIN
        valid_values = ['yes', 'no']
        config.SETTINGS[param] = (callback, valid_values)

        # insert entry into system security settings
        config.SETTINGS_SYSTEM.append(param)

    def enable_apparmor(self, params):
        """Enable AppArmor security framework on boot"""
        if self.log:
            #self.log.info("AppArmor plugin: not implemented yet!")
            pass

That’s it. Any python functionality can be added to the enable_apparmor function afterwards.

This is more like a proof-of-concept than complete plugin, but the remaining pieces will be polished soon. Keep visiting here for news .

Combining this with the possibility of creating custom msec frontends (right now we have command line frontend (msec) and a graphical one (msecgui)), the possibilities are endless. You could create a WEB frontend with just a few lines of python code (for example, using web.py or django), add plugins which enforce settings for your organization (for example, configure all user home directories to start with “user_” prefix, check periodically for changes into /usr/local/big_project/* files, synchronize ldap databases for offices, and so on).