[Apparmor-dev] apparmor.vim
Christian Boltz
apparmor at cboltz.de
Mon Sep 3 06:46:48 MDT 2007
Hello,
On Friday, 31 August 2007, Crispin Cowan wrote:
> Christian Boltz wrote:
> > A small question remains that Seth couldn't answer:
> > Which keywords for "network" are dangerous (things like raw
> > packages)? Currently I flag "raw" in red. Are there more I should
> > mark this way?
>
> Some shoot-from-the-hip proposals:
>
> * any low-numbered port is yellow
> * port 22 is red

What would the profile syntax for those look like? I only know keywords
so far...

> Hmmm. I don't have any other ideas. The security significance of a
> network rule is so context dependent.
>
> * "Can accept from" is much more dangerous from the internet than
> from some restricted address, but that's likely beyond vim's
> parsing ability, and we don't yet have addresses in this
> release.
> * "Can initiate connection" is perfectly safe in a client
> (Firefox) and very dangerous in a server (Apache) but how
> would vim know which a profile is?
> * ... etc. etc.

Yes, it's probably impossible to recognize this in vim. However, I'd
follow the "better safe than sorry" rule here...
Again, I'd need some syntax examples for this.
Regards,
Christian Boltz