[Pidgin] mmcco modified

Pidgin trac at pidgin.im
Fri Aug 21 16:18:35 EDT 2015


Page "mmcco" was changed by mmcco
Diff URL: <https://developer.pidgin.im/wiki/mmcco?action=diff&version=60>
Revision 60
Comment: more privsep info
Changes:
-------8<------8<------8<------8<------8<------8<------8<------8<--------
Index: mmcco
=========================================================================
--- mmcco (version: 59)
+++ mmcco (version: 60)
@@ -152,6 +152,13 @@
 
 [https://tails.boum.org/ Tails], an anonymity-focused operating system based on Tor and Debian, includes Pidgin and OTR by default. They've written an App^^Armor profile for Pidgin that's now included in the Debian/^^Ubuntu package `apparmor-profiles-extra`.
 
+All existing MAC frameworks are pretty cumbersome and have a slow learning curve. (tame is trying to buck this trend, but it's far too new and rarely used to be an option yet.) So, the best model is:
+
+* program developers make their code multiprocess and refrain from using unnecessary privileges
+* packagers and OS/distro developers use this to write good MAC profiles
+
+''Anecdotally, it'd be nice to start the convention of using a tag like `PRIVSEP` in code to help packagers find points of potential lockdown. Lacking these, searching for `fork()` and `exec()`-family functions with cscope or something similar is a good approach.''
+
 === Breakages ===
 
 There are, of course exceptions. Below is a (likely incomplete) list of files outside of `~/.purple/` that are accessed and where the access occurs.
-------8<------8<------8<------8<------8<------8<------8<------8<--------

--
Page URL: <https://developer.pidgin.im/wiki/mmcco>
Pidgin <https://pidgin.im>
Pidgin

This is an automated message. Someone added your email address to be
notified of changes on 'mmcco' page.
If it was not you, please report to datallah at pidgin.im.


More information about the Wikiedit mailing list