[apparmor] [new directory + files] utils/vim/
Christian Boltz
apparmor at cboltz.de
Sat Apr 9 16:40:07 UTC 2011
Hello,
On Saturday, 9 April 2011, Seth Arnold wrote:
> > A working automated solution might be:
...
> > The only disadvantage is the additional BuildRequire for vim -
> > we'll see if packagers like it or not ;-)
>
> I found that the /usr/bin/replace utility is part of the mysql-server
> package; installing that brought many other requirements. (On my
> Ubuntu system, mysql-server-5.1 brought in an additional 56 megabytes
> of packages.)
Oh yes :-/ I totally forgot about this dependency because I have
installed MySQL on my local system anyway.
> It is a pity that such a useful tool is stuffed in such an expensive
> package :) but it would probably forever prevent apparmor.vim from
> being included into vim via BuildRequires.
Well, it's the AppArmor package that will BuildRequire MySQL, but that
doesn't make it better ;-)
> I'd love to see the replace tool replaced. :)
I'm open to suggestions. The job that needs to be done is:
1. replace $string1 with $string2, $string3 with $string4, ... (to allow
more than one replacement per call)
2. do not "interpret" $string* (variables, regex etc.) - just do a
boring str_replace (that's the function name in PHP, not sure how it
is called in the base libraries)
3. do all this with stdin and stdout or with files (both ways will work)
The funny thing is that the second requirement makes it difficult -
otherwise sed, awk, perl, whatever would be good and easily available
options.
Thinking of a long-term solution, I'll probably use a (perl? PHP?)
script to generate apparmor.vim (think of a
function filerule($name, $flag_regex)
;-) - but as I said: that's a long-term solution, not something I
can/will do in the next days.
> Another note: I think cap_sys_module and cap_sys_rawio should be
> placed into the "dangerous" capabilities list: cap_sys_module allows
> loading any arbitrary file into the kernel as a module, and
> cap_sys_rawio allows poking bytes into the IO ports of x86-land and
> disabling interrupts (which would just be a denial-of-service, but
> the poking bytes into protected magic memory sounds scary).
Sounds reasonable. I have sent a patch some minutes ago ;-)
Regards,
Christian Boltz
--
>Hey man, that's rough, the first word: "Kyptographie", it's already wrong.
>What are you doing?
Uuuhhh. Is there still enough money in the list fund for a dictionary?
[> Ratti and Thorsten Haude in sl-etikette]
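
The three requirements listed in the message above (several pairs per call, no interpretation of the strings, stdin/stdout), as an added example that is not part of the original thread or of the AppArmor source. The script name `replace.py`, the function names and the single-pass behaviour (replaced text is never rescanned) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Literal multi-string replace filter (hypothetical name: replace.py).

Usage: replace.py FROM TO [FROM TO ...] < input > output
"""
import re
import sys


def build_replacer(pairs):
    """Return a function that applies all (old, new) pairs in a single pass."""
    mapping = {}
    for old, new in pairs:
        if old == "":
            raise ValueError("empty search string")
        mapping.setdefault(old, new)  # first definition of a search string wins
    if not mapping:
        raise ValueError("no replacement pairs given")
    # re.escape() makes every search string literal: ".", "*", "$" etc. lose
    # their regex meaning. Longest string first, so a search string that is a
    # prefix of another one cannot shadow it.
    alternation = "|".join(
        re.escape(s) for s in sorted(mapping, key=len, reverse=True)
    )
    pattern = re.compile(alternation)
    # A function is used as the replacement so that backslashes and "\1" in
    # the replacement text are copied verbatim instead of being expanded.
    return lambda text: pattern.sub(lambda m: mapping[m.group(0)], text)


def main(argv):
    args = argv[1:]
    if not args or len(args) % 2:
        sys.stderr.write("usage: replace.py FROM TO [FROM TO ...] < in > out\n")
        return 2
    replacer = build_replacer(zip(args[0::2], args[1::2]))
    sys.stdout.write(replacer(sys.stdin.read()))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
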