Saturday, December 18, 2010

Irlandia: Ostatnie odliczanie

Rozpoczynam ostatnie odliczanie... Najbliższy poniedziałek będzie ostatnim dniem w dotychczasowej pracy w Polsce, potem kilka dni urlopu, a 2 stycznia 2011 wylatujemy do Dublina i zaczynamy przygodę z Irlandią. Lot zabookowany, tymczasowe mieszkanie na pierwszy miesiąc już jest, więc pozostanie pakowanie walizek. Tymczasem - fotki rewelacyjnej (i praktycznej) antyramy, którą sprezentowali mi na pożegnanie przyjaciele z firmy: rękawice "na zmywak", bilet powrotny i podręczny zestaw przydatnych zwrotów :)

Thursday, December 16, 2010

Work on QComicBook 0.8.0

The work on new "big" (i.e. middle version number change) QComicBook release
has started. You can track this work in the dev/0.8.0merge branch of the git repo; this branch will get merged back to master branch once ready.

One of the most important internal changes to be included in the upcoming release is switching from using widgets to Graphics View Framework provided by Qt. This switch made it possible for an easy and nice implementation of Zoom Lens, so QComicBook 0.8.0 will finally see this much welcome addition! Long-term, the switch Graphics Framework may result in improved QComicBook performance and make it possible to use e.g. OpenGL backend to speed up scaling etc.

The new 0.8.0 release will also bring PDF reading support (as I already indicated  earlier) via Poppler library, which is a new dependency starting from this release.

I'd like to push the new release out by end of this year if possible, but the scope of changes related to new graphics framework is substantial and there are still some rendering-related bugs, so it may slip to early 2011.

Wednesday, December 1, 2010

TOMOYO Linux - 5 tips to streamline your experience

I've already blogged about TOMOYO Linux, a nice MAC implementation before. This time I'd like to share a few tips that I worked out using TOMOYO. Most (or all) of them may be apparent for long-time TOMOYO users, but hopefully will be helpful for newcomers.
These tips are based on the tomoyo-tools v2.x (for mainlined version, i.e. included in the vanilla kernel and using LSM).  Use ccs-patternize, ccs-loadpolicy etc. for 1.x series.
  1. Use initialize_domain
    Tomoyo creates separate domains for all execution paths. If you execute, say, Firefox web browser from a bash shell running in gnome-terminal, then from gnome menu and finally from gnome “run” dialog, you’ll end up with three distinct domains (and the number is possibly infinite, since you can start any application in many ways). Since you probably want to use same policy rules for all Firefox domains, no matter how Firefox was started, use initialize_domain rule in the exception policy, e.g.

    initialize_domain /usr/bin/firefox
    This way only one domain, /usr/bin/firefox” will be created in the system.
  2. Use keep_domain
    Many applications spawn child processes and execute helper programs - for instance, /usr/bin/firefox is just a shell script, that runs /usr/lib/firefox-x.y.z/, which in turn starts firefox-bin; the latter runs plugin-container and so on. Since you’re probably interested in confining an application as a whole, you may consider keeping all child processes in the same domain as the parent. Put

    keep_domain /usr/bin/firefox"

    in the exception policy and all execution paths created by /usr/bin/firefox domain will use same policy rules. Be aware however, that this loosens security and violates the rule of minimum privileges a bit. For example, plugin-container is responsible for running macromedia flash content plugin (among other plugins) and running it in the same domain as /usr/bin/firefox means it gets all the privileges granted to Firefox itself.

  3. Use tomoyo-patternize combo
    You probably already know and use tomoyo-patternize, but the trick is to pipe it with tomoyo-savepolicy and tomoyo-loadpolicy combo for fast and efficient policy updates and tweaking. The “-” parameter of tomoyo-savepolicy / tomoyo-loadpolicy dumps policy rules to  standard output or reads rules from standard input respectively. Chain it with tomoyo-patternize like this:

    tomoyo-savepolicy -d | tomoyo-patternize ‘pattern1’ ‘pattern2’ … | tomoyo-loadpolicy -df

    And you can apply patterns immediately. This combo is so useful, that you may consider putting it in a wrapper script, e.g:

    tomoyo-savepolicy -d | tomoyo-patternize $@ | tomoyo-loadpolicy -df

    Don’t forget that changes are made to the policy rules currently loaded in the kernel (no changes are made to the /etc/tomoyo/domain_policy.conf file), so don’t forget to execute tomoyo-savepolicy before shutdown....

  4. Use recursive dir matching
    The recursive directory matching operator /\{dir\}/ matches one or more repetitions of 'dir/'. Use it with “\*” as a directory argument to match all subdirectories (and their subdirectories etc.) of given directory, regardless of depth. This is useful if you don’t know directory structure in advance or don’t need to grant specific permissions for subdirectories. For instance, Firefox extensions tend to mess a lot with their files in ~/.mozilla/firefox/\*/extensions directory and it subdirectories, so you may want to grant read, write, create, truncate, link, unlink rights to ~/.mozilla/firefox/\*/extensions/\* (for files/dirs in extensions directory) and ~/.mozilla/firefox/\*/extensions/\{\*\}/\* (for files in subdirectories of extensions directory, arbitrary depth).

  5. Use path_group for common paths
    There is a lot of common paths that applications are accessing, for instance all GUI apps will read font files and fontconfig related files, all GNOME apps will read GTK configuration files, icons, themes etc. Create path_group definitions for common stuff, e.g.
    path_group FONTS /etc/fonts/\*
    path_group FONTS /etc/fonts/\{\*\}/\*
    path_group FONTS /var/cache/fontconfig/\*
    path_group FONTS /home/\*/.fontconfig/\*
    path_group FONTS /etc/fontconfig/\{\*\}/\*
    path_group FONTS /usr/share/fonts/\{\*\}/\*
    path_group FONTS /usr/share/fonts/\*
    path_group FONTS /usr/share/fonts/\{\*\}/\*

    And then simplify your domain policy rules like this:
    allow_read @FONTS

    Do this for other common files, e.g. ICONSTHEMES, ALSACONF, SOUNDDEV etc.