On 08/12/2013 02:52 PM, Christian Boltz wrote:
> Hello,
> 
> On Monday, 12 August 2013, Jamie Strandboge wrote:
>> On 08/10/2013 03:46 PM, Christian Boltz wrote:
>>>>>  * apparmor-xdg-dirs.py: this takes the output of 'locale -a' and
>>>
>>> I'm afraid this will result in a bit too much ;-)
>>>
>>> On my system, locale -a gives me 270 locales from aa_DJ to zu_ZA
>>> (and I even dropped suffixes like @euro or .utf-8 - with them, I get
>>> 460 locales) [1]
>>>
>>> In other words: this should be configurable:
>>> a) autogenerate for all installed languages (which would be a lot on
>>>    my system)
>>>
>>> b) autogenerate for all languages in $config_option
>>> c) similar to b), but somehow automated (on openSUSE, you can choose
>>>    to install for example "all german translations" in YaST - this
>>>    should also add the german XDG dirs to apparmor)
>>>
>>> d) do not autogenerate anything
>>>
>>> Option a) might even result in too many permissions - I'm quite sure
>>> in one of the 270 locales I have, for example ~/downloads
>>> translates to a directory name I have, and that should not be
>>> accessible ;-)
>>>
>>> The perfect solution would be to only allow the directory names in
>>> each user's language (so the profile would have /home/cb/Dokumente/
>>> and /home/english/documents/ for example) - but I know that's not
>>> really easy to implement ;-)
>>
>> Note that apparmor-xdg-dirs.py is but one tool-- the apparmor project
>> itself would not dictate how a distribution would use it. That said,
>> apparmor-xdg-dirs.py currently strips off everything before the first
>> '.' so en_NG and en_NG.utf8 are not counted twice.
> 
> You'll still get some duplicates. To give you an example:
> 
> # locale -a |grep ^de
> de_AT
> de_AT@euro
> de_AT.utf8
> de_BE
> de_BE@euro
> de_BE.utf8
> de_CH
> de_CH.utf8
> de_DE
> de_DE@euro
> de_DE.utf8
> de_LU
> de_LU@euro
> de_LU.utf8
> 
> FYI: @euro is ISO-8859-15
> 
> oh, and stripping off at the dot could also cause problems because 
> non-ascii names have different bytes in ISO-8859-15 and utf8 ;-)
> 

That's fine and I can make adjustments, but this is just an optimization in how
we find unique translations and not an actual problem-- the list of locales
isn't actually represented anywhere in policy. Is this all you are getting at?

...
>> As for 'a' being too many permissions-- that is conceivably true
>> though I would argue that since this is system policy and system
>> installed locales, then they all should be represented. Admins can
>> choose to not install the extra locales or even modify their policy.
>> I suppose these tools could grow an option to honor a config file
>> though. This would allow distribution to integrate the tool but set
>> the default how they wish, and allow admins to override the
>> distribution default.
> 
> See above - a config file is really needed because "locale -a" is quite 
> useless for me. Or openSUSE splits all *-lang packages, but I doubt this 
> is realistic for packages with small translations (the overhead would be 
> bigger than the content of the package).
> 
What overhead are you referring to? Script processing overhead? "locale -a" may
be useless to you, but it is only used by the tool to enumerate the translations
and output unique translations to be used in policy, and even if it isn't as
efficient as it could be, again, this isn't actually a problem, is it? (I feel
like I am missing something).

As for the config file, again, a distribution can decide to use or not use
apparmor-xdg-dirs-simple or apparmor-xdg-dirs-- I'm not trying to dictate what a
distro should do. apparmor-xdg-dirs-simple will take a single locale and
apparmor-xdg-dirs will try to enumerate them. I'm happy to leave these tools out
if they aren't good enough, but I'm also happy to commit them as is and have
people submit patches to make them work better for their environments or other
distros.

-- 
Jamie Strandboge                 http://www.ubuntu.com/
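
Added example, not part of the original message and not code from apparmor-xdg-dirs.py: it contrasts deduplicating `locale -a` names by cutting at the first '.' with deduplicating on language[_TERRITORY], using the names quoted in this thread. The function names and the `languages` allow-list (standing in for the config option discussed under b) are hypothetical.

```python
import re

# Locale name layout: language[_TERRITORY][.codeset][@modifier]
LOCALE_RE = re.compile(
    r"^(?P<lang>[a-z]{2,3})(?:_(?P<terr>[A-Z0-9]{2,3}))?"
    r"(?:\.[^@]+)?(?:@.+)?$"
)

# Constructed sample: the names quoted in this thread, plus C and POSIX.
SAMPLE = """C
POSIX
de_AT
de_AT@euro
de_AT.utf8
de_BE
de_BE@euro
de_BE.utf8
de_CH
de_CH.utf8
de_DE
de_DE@euro
de_DE.utf8
de_LU
de_LU@euro
de_LU.utf8
en_NG
en_NG.utf8""".splitlines()


def cut_at_dot(names):
    """Dedup by cutting each name at the first '.', leaving '@' suffixes."""
    return sorted({n.split(".", 1)[0] for n in names})


def base_locales(names, languages=None):
    """Dedup on language[_TERRITORY]; optionally keep only listed languages.

    Assumption: codeset and modifier never select a different translation.
    """
    found = set()
    for name in names:
        m = LOCALE_RE.match(name.strip())
        if m is None:          # C, POSIX and anything unparseable
            continue
        if languages is not None and m["lang"] not in languages:
            continue
        found.add(m["lang"] + ("_" + m["terr"] if m["terr"] else ""))
    return sorted(found)
```
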


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com