AppArmor support in msec was one of the first issues I thought of for the new msec in Mandriva. However, until now it is in a semi-nonexistent state, due to two big problems:
I still don’t know if AppArmor will be supported by the time we release 2009.1. I mean, it should be, but... the semi-official status of this project (albeit there are rumors that it could be included in 2.6.30), combined with a large number of custom patches required to make it work, makes it hard to maintain in the kernel.
AppArmor must be enabled as a kernel boot option (apparmor=1) in recent kernels. It is no longer supported as a module. So that sucks. Msec could locate the kernel-related lines in /boot/grub/menu.lst and in /etc/lilo.conf, and append (or remove) this parameter. But... at least on my machine, I have more than 10 different kernels in these files (for Mandriva, Ubuntu and Arch Linux). So this would add (or remove) this parameter to all of them. And it doesn’t seem to be a good idea at all.
So for now, the ‘Enable AppArmor’ option in msec does nothing at all. Hopefully not for long, and only until I get a brilliant idea on how to fix it.
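To make the menu.lst problem concrete, here is an added example (not msec's own code) that adds or removes the apparmor parameter on the kernel lines of a GRUB legacy menu.lst, either in every entry or only in entries whose title passes a filter. The names `set_apparmor` and `title_filter` and the sample file are assumptions constructed for illustration, and only whitespace-separated `title`/`kernel` commands are handled.

```python
import re

# Constructed sample of a GRUB legacy menu.lst holding kernels of several distributions.
SAMPLE_MENU_LST = """\
default 0
timeout 5

title Mandriva 2009.1
kernel (hd0,0)/boot/vmlinuz BOOT_IMAGE=linux root=/dev/sda1 splash=silent
initrd (hd0,0)/boot/initrd.img

title Ubuntu
kernel /boot/vmlinuz-generic root=/dev/sda5 ro quiet
initrd /boot/initrd.img-generic

title Arch Linux
kernel /boot/vmlinuz26 root=/dev/sda6 ro apparmor=0
initrd /boot/kernel26.img
"""

PARAM = re.compile(r"\s+apparmor=\S+")  # any existing apparmor=<value> word

def set_apparmor(menu_text, enable, title_filter=None):
    """Return (new_text, changed_titles) for a GRUB legacy menu.lst.

    enable=True leaves exactly one apparmor=1 on each selected kernel line,
    enable=False removes the parameter. title_filter (hypothetical hook) picks
    the entries to touch; None means every entry, the case the post worries about.
    """
    out, changed, title = [], [], None
    for line in menu_text.splitlines():
        words = line.split(None, 1)
        keyword = words[0].lower() if words else ""
        if keyword == "title":
            title = words[1].strip() if len(words) > 1 else ""
        elif keyword == "kernel" and title is not None:
            if title_filter is None or title_filter(title):
                new = PARAM.sub("", line).rstrip()  # drop stale values first
                if enable:
                    new += " apparmor=1"
                if new != line:
                    changed.append(title)  # report what would be modified
                line = new
        out.append(line)
    return "\n".join(out) + "\n", changed
```

The returned list of changed titles is what a tool would show before writing the file back, so that entries belonging to other distributions are not modified silently.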
Another issue is the PolicyKit support. Messing with it would require XML support in msec (or some cute little regexp scripts). And besides, I don’t know what exactly should be enabled/disabled there (a few ideas on this are outlined here).
In other news, my bugzilla assigned bugs count right now is about 310 (since today). Most of these bugs are related to drakx-net, which I am fixing kinda slow (my opinion about perl is well described in the last post). But in the next few weeks I hope to fix the most annoying ones, and finally push the big update to mandi+ifw+drakids+drakfirewall I was working on for the last few weeks. This will transform these apps into a (mostly) feature-full IDS and firewall control system.