Friday, August 24, 2007

Random collection of amazing stuff

The most cool thing that I noticed today ever is that Google Maps now allows you to add custom waypoints by dragging-and-dropping the route line onto a given road. This is great! I'm going to a charity biker raffle thing in Pensford next weekend, and Google's usual recommendation is that I stay on the M4 to Bristol, and drive through Bristol towards Shepton Mallet. This is, frankly, ludicrous. It's much more sensible to go through Bath and attack the A37 from the South, and now I can let Google know that.

Trusted JDS is über-cool. Not so much the actual functionality, which is somewhere between being pointy-haired enterprisey nonsense and NSA-derived "we require this feature, we can't tell you why, or what it is, or how it should work, but implement it because I'm authorised to shoot you and move in with your wife" fun. But implementing Mandatory Access Control in a GUI, and having it work, and make sense, is one hell of an achievement. Seven hells, in the case of Trusted Openlook, of which none are achievement. My favourite part of TJDS is that the access controls are checked by pasteboard actions, so trying to paste Top Secret text into an Unrestricted e-mail becomes a no-no.

There does exist Mac MAC (sorry, I've also written "do DO" this week) support, in the form of SEDarwin, but (as with SELinux) most of the time spent in designing policies for SEDarwin actually boils down to opening up enough permissions to stop from breaking stuff - and that stuff mainly breaks because the applications (or even the libraries on which those applications are based) don't expect to not be allowed to, for instance, talk to the pasteboard server. In fact, I'm going to save this post as a draft, then kill pbs and see what happens.

Hmmm... that isn't what I expected. I can actually still copy and paste text (probably uses a different pasteboard mechanism). pbs is a zombie, though. Killed an app by trying to copy an image out of it, too, and both of these symptoms would seem to fit with my assumption above; Cocoa just doesn't know what to do if the pasteboard server isn't available. If you started restricting access to it (and probably the DO name servers and distributed notification centres too) then you'd be in a right mess.
