[apparmor] [patch] Add severity() to BaseRule class

Christian Boltz apparmor at cboltz.de
Wed Jun 3 21:41:20 UTC 2015


Hello,

On Friday, 29 May 2015, Steve Beattie wrote:
> The other way to approach it would be to have .severity() return the
> actual value that severity db treats as unknown, rather than ginning
> up yet another magic value. But I'd rather push that into the Rules
> subclasses themselves, so that at least the author of the subclass
> thinks about whether or not to implement something more sophisticated
> for the severity db than just returning essentially unknown.

As discussed on IRC, I see some value in not displaying "Severity: 
unknown" for rule types that don't have any ratings (for example 
network rules).

So here's the updated patch that adds a NOT_IMPLEMENTED constant to 
severity.py and changes the code to use it.

See [1] for an interdiff.



Add severity() to BaseRule class

severity() will, surprise!, return the severity of a rule, or
sev_db.NOT_IMPLEMENTED if a *Rule class doesn't implement the severity()
function.

Also add the NOT_IMPLEMENTED constant to severity.py, and a test to
test-baserule.py that checks the return value in BaseRule.


[ 19-baserule-add-severity.diff ]

=== modified file utils/apparmor/rule/__init__.py
--- utils/apparmor/rule/__init__.py     2015-06-03 23:24:34.798948576 +0200
+++ utils/apparmor/rule/__init__.py     2015-06-03 23:25:46.638698441 +0200
@@ -135,6 +135,12 @@
         '''compare if rule-specific variables are equal'''
         raise AppArmorBug("'%s' needs to implement is_equal_localvars(), but didn't" % (str(self)))
 
+    def severity(self, sev_db):
+        '''return severity of this rule (a number between 0 and 10, where 0 means harmless and 10 means critical),
+           or '--' if no severity check is implemented for this rule type.
+           sev_db must be an apparmor.severity.Severity object.'''
+        return sev_db.NOT_IMPLEMENTED
+
     def modifiers_str(self):
         '''return the allow/deny and audit keyword as string, including whitespace'''
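Review bot: the docstring in this hunk is now stale: it still says the method returns '--' when no severity check is implemented for the rule type, while the body returns sev_db.NOT_IMPLEMENTED. Update the second docstring line to name the sentinel, e.g. `or sev_db.NOT_IMPLEMENTED if no severity check is implemented for this rule type.`, so that subclass authors reading BaseRule know what value to compare against.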
 
=== modified file utils/apparmor/severity.py
--- utils/apparmor/severity.py  2015-06-03 23:24:34.789949109 +0200
+++ utils/apparmor/severity.py  2015-06-03 23:27:30.412600284 +0200
@@ -20,6 +20,7 @@
     def __init__(self, dbname=None, default_rank=10):
         """Initialises the class object"""
         self.PROF_DIR = '/etc/apparmor.d'  # The profile directory
+        self.NOT_IMPLEMENTED = '_-*not*implemented*-_'  # used for rule types that don't have severity ratings
         self.severity = dict()
         self.severity['DATABASENAME'] = dbname
         self.severity['CAPABILITIES'] = {}
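Review bot: NOT_IMPLEMENTED is set as an instance attribute inside __init__, so every comparison needs a Severity object in hand, and the sentinel is a str while real ratings are numbers between 0 and 10. Any caller that sorts or compares ranks numerically (`rank > 5`, `max(ranks)`) will raise a TypeError on Python 3 the first time the sentinel reaches it, so each caller must test `rank == sev_db.NOT_IMPLEMENTED` before doing arithmetic. Consider making it a class-level constant (`NOT_IMPLEMENTED = '_-*not*implemented*-_'` on the Severity class) so the check works without an instance, and extend the trailing comment to say the value must never be compared or ranked numerically.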
=== modified file utils/test/test-baserule.py
--- utils/test/test-baserule.py 2015-06-03 23:24:34.798948576 +0200
+++ utils/test/test-baserule.py 2015-06-03 23:29:26.556777257 +0200
@@ -14,6 +14,7 @@
 
 from apparmor.common import AppArmorBug
 from apparmor.rule import BaseRule, parse_modifiers
+import apparmor.severity as severity
 
 import re
 
@@ -51,6 +52,11 @@
         with self.assertRaises(AppArmorBug):
             parse_modifiers(matches)
 
+    def test_default_severity(self):
+        sev_db = severity.Severity('severity.db', 'unknown')
+        obj = BaseRule()
+        rank = obj.severity(sev_db)
+        self.assertEqual(rank, sev_db.NOT_IMPLEMENTED)
 
 
 setup_all_loops(__name__)
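Review bot: test_default_severity constructs Severity('severity.db', 'unknown') with a relative path, so the test depends on the current working directory and a missing or unreadable severity.db turns a BaseRule test into a Severity-loader failure. The test only needs the sentinel, so either resolve the path relative to the test file or, if the loader tolerates it, rely on the `dbname=None` default shown in the severity.py hunk. It would also be worth asserting that the returned value is not an int, since "not a numeric rank" is the property callers rely on when they decide whether to print a severity.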



Regards,

Christian Boltz

[1] interdiff 19-baserule-add-severity.OLD 19-baserule-add-severity.diff 
diff -u utils/apparmor/rule/__init__.py utils/apparmor/rule/__init__.py
--- utils/apparmor/rule/__init__.py     2015-05-24 17:06:10.870529896 +0200
+++ utils/apparmor/rule/__init__.py     2015-06-03 23:25:46.638698441 +0200
@@ -139,7 +139,7 @@
         '''return severity of this rule (a number between 0 and 10, where 0 means harmless and 10 means critical),
            or '--' if no severity check is implemented for this rule type.
            sev_db must be an apparmor.severity.Severity object.'''
-        return '--'
+        return sev_db.NOT_IMPLEMENTED
 
     def modifiers_str(self):
         '''return the allow/deny and audit keyword as string, including whitespace'''
diff -u utils/test/test-baserule.py utils/test/test-baserule.py
--- utils/test/test-baserule.py 2015-05-24 17:04:12.643586340 +0200
+++ utils/test/test-baserule.py 2015-06-03 23:29:26.556777257 +0200
@@ -14,6 +14,7 @@
 
 from apparmor.common import AppArmorBug
 from apparmor.rule import BaseRule, parse_modifiers
+import apparmor.severity as severity
 
 import re
 
@@ -52,9 +53,10 @@
             parse_modifiers(matches)
 
     def test_default_severity(self):
+        sev_db = severity.Severity('severity.db', 'unknown')
         obj = BaseRule()
-        rank = obj.severity(None)
-        self.assertEqual(rank, '--')
+        rank = obj.severity(sev_db)
+        self.assertEqual(rank, sev_db.NOT_IMPLEMENTED)
 
 
 setup_all_loops(__name__)
only in patch2:
unchanged:
--- utils/apparmor/severity.py  2015-06-03 23:24:34.789949109 +0200
+++ utils/apparmor/severity.py  2015-06-03 23:27:30.412600284 +0200
@@ -20,6 +20,7 @@
     def __init__(self, dbname=None, default_rank=10):
         """Initialises the class object"""
         self.PROF_DIR = '/etc/apparmor.d'  # The profile directory
+        self.NOT_IMPLEMENTED = '_-*not*implemented*-_'  # used for rule types that don't have severity ratings
         self.severity = dict()
         self.severity['DATABASENAME'] = dbname
         self.severity['CAPABILITIES'] = {}

-- 
> Is there any way to "download" a GUI for skeleton somewhere?
Why download? /etc/init.d/skeleton is a text file; SuSE ships plenty of
GUIs for that: kwrite, xemacs, kvim, ...
[> Matthias Reinhardt and Manfred Tremmel in suse-linux]