[Pidgin] mmcco modified

Pidgin trac at pidgin.im
Fri Aug 21 21:36:20 EDT 2015


Page "mmcco" was changed by mmcco
Diff URL: <https://developer.pidgin.im/wiki/mmcco?action=diff&version=70>
Revision 70
Comment: add additional paragraph about MAC profiles and privsep
Changes:
-------8<------8<------8<------8<------8<------8<------8<------8<--------
Index: mmcco
=========================================================================
--- mmcco (version: 69)
+++ mmcco (version: 70)
@@ -172,7 +172,9 @@
 * program developers make their code multiprocess and refrain from using unnecessary privileges
 * packagers and OS/distro developers use this to write good MAC profiles
 
-''Anecdotally, it'd be nice to start the convention of using a tag like `PRIVSEP` in code to help packagers find points of potential lockdown. Lacking these, searching for `fork()` and `exec()`-family functions with cscope or something similar is a good approach. Beyond that, running the program in a debugger and breaking on new process creation is educational, as is understanding its initialization and `main()` logic well.''
+Put more bluntly: it probably isn't worth developers' time to learn AppArmor et al. in order to write profiles. As long as MAC frameworks are big and complicated, the above method is far more efficient. Simple programs that use very few privileges (Pidgin definitely doesn't qualify) may be exceptions.
+
+Anecdotally, it'd be nice to start the convention of using a tag like `PRIVSEP` in code to help packagers find points of potential lockdown. Lacking these, searching for `fork()` and `exec()`-family functions with cscope or something similar is a good approach. Beyond that, running the program in a debugger and breaking on new process creation is educational, as is understanding its initialization and `main()` logic well.
 
 === Breakages ===
 
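Review bot: "the above method" in the added paragraph has no clear referent, because the text directly above it is a two-item list rather than a named method. Say outright what is meant, for example that developers do the privilege separation and packagers and OS/distro developers write the MAC profiles from it. In the paragraph that lost its italics, the `PRIVSEP` tag is proposed without saying what form it takes or where it goes (a comment at each `fork()`/`exec()` call site, presumably); one sentence fixing that would give packagers an exact string to search for. The claim that simple programs "may be exceptions" would also read better with a short reason, such as that a program with very few privileges needs only a small profile.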
-------8<------8<------8<------8<------8<------8<------8<------8<--------

--
Page URL: <https://developer.pidgin.im/wiki/mmcco>
Pidgin <https://pidgin.im>
Pidgin

This is an automated message. Someone added your email address to be
notified of changes on 'mmcco' page.
If it was not you, please report to datallah at pidgin.im.