[apparmor] [patch] Add severity() to BaseRule class
Christian Boltz
apparmor at cboltz.de
Wed Jun 3 21:41:20 UTC 2015
Hello,
On Friday, 29 May 2015, Steve Beattie wrote:
> The other way to approach it would be to have .severity() return the
> actual value that severity db treats as unknown, rather than ginning
> up yet another magic value. But I'd rather push that into the Rules
> subclasses themselves, so that at least the author of the subclass
> thinks about whether or not to implement something more sophisticated
> for the severity db than just returning essentially unknown.
As discussed on IRC, I see some value in not displaying "Severity:
unknown" for rule types that don't have any ratings (for example
network rules).
So here's the updated patch that adds a NOT_IMPLEMENTED constant to
severity.py and changes the code to use it.
See [1] for an interdiff.
Add severity() to BaseRule class
severity() will, surprise!, return the severity of a rule, or
sev_db.NOT_IMPLEMENTED if a *Rule class doesn't implement the severity()
function.
Also add the NOT_IMPLEMENTED constant to severity.py, and a test to
test-baserule.py that checks the return value in BaseRule.
[ 19-baserule-add-severity.diff ]
=== modified file utils/apparmor/rule/__init__.py
--- utils/apparmor/rule/__init__.py 2015-06-03 23:24:34.798948576 +0200
+++ utils/apparmor/rule/__init__.py 2015-06-03 23:25:46.638698441 +0200
@@ -135,6 +135,12 @@
'''compare if rule-specific variables are equal'''
raise AppArmorBug("'%s' needs to implement is_equal_localvars(), but didn't" % (str(self)))
+ def severity(self, sev_db):
+ '''return severity of this rule (a number between 0 and 10, where 0 means harmless and 10 means critical),
+ or '--' if no severity check is implemented for this rule type.
+ sev_db must be an apparmor.severity.Severity object.'''
+ return sev_db.NOT_IMPLEMENTED
+
def modifiers_str(self):
'''return the allow/deny and audit keyword as string, including whitespace'''
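Review bot: the docstring of the new severity() still says the function returns '--' when no severity check is implemented, but the body returns sev_db.NOT_IMPLEMENTED; update the docstring to name sev_db.NOT_IMPLEMENTED (the interdiff further down shows only the return line was changed, not the text), otherwise a caller that follows the documentation and compares the result against '--' never sees the sentinel.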
=== modified file utils/apparmor/severity.py
--- utils/apparmor/severity.py 2015-06-03 23:24:34.789949109 +0200
+++ utils/apparmor/severity.py 2015-06-03 23:27:30.412600284 +0200
@@ -20,6 +20,7 @@
def __init__(self, dbname=None, default_rank=10):
"""Initialises the class object"""
self.PROF_DIR = '/etc/apparmor.d' # The profile directory
+ self.NOT_IMPLEMENTED = '_-*not*implemented*-_' # used for rule types that don't have severity ratings
self.severity = dict()
self.severity['DATABASENAME'] = dbname
self.severity['CAPABILITIES'] = {}
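Review bot: NOT_IMPLEMENTED is assigned inside __init__, so it is an instance attribute rather than a constant: every Severity object carries its own copy, and code that only has a rank value (and no sev_db at hand) has nothing to compare against. Suggest a class attribute, e.g. `NOT_IMPLEMENTED = '_-*not*implemented*-_'` at class level, or a module-level constant in severity.py; `sev_db.NOT_IMPLEMENTED` keeps working and `Severity.NOT_IMPLEMENTED` becomes possible too. The trailing comment also pushes the line well past the usual line length.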
=== modified file utils/test/test-baserule.py
--- utils/test/test-baserule.py 2015-06-03 23:24:34.798948576 +0200
+++ utils/test/test-baserule.py 2015-06-03 23:29:26.556777257 +0200
@@ -14,6 +14,7 @@
from apparmor.common import AppArmorBug
from apparmor.rule import BaseRule, parse_modifiers
+import apparmor.severity as severity
import re
@@ -51,6 +52,11 @@
with self.assertRaises(AppArmorBug):
parse_modifiers(matches)
+ def test_default_severity(self):
+ sev_db = severity.Severity('severity.db', 'unknown')
+ obj = BaseRule()
+ rank = obj.severity(sev_db)
+ self.assertEqual(rank, sev_db.NOT_IMPLEMENTED)
setup_all_loops(__name__)
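Review bot: test_default_severity constructs a real Severity('severity.db', 'unknown'), which loads severity.db from the current working directory and passes the string 'unknown' where the __init__ signature shown above declares default_rank=10; the assertion only needs the NOT_IMPLEMENTED attribute, so the file dependency is incidental and a path problem would fail a test that is about BaseRule. If Severity accepts dbname=None (the signature's default suggests it does), `sev_db = severity.Severity()` would make the test self-contained; otherwise note that it must run from utils/test where the other tests find severity.db.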
Regards,
Christian Boltz
[1] interdiff 19-baserule-add-severity.OLD 19-baserule-add-severity.diff
diff -u utils/apparmor/rule/__init__.py utils/apparmor/rule/__init__.py
--- utils/apparmor/rule/__init__.py 2015-05-24 17:06:10.870529896 +0200
+++ utils/apparmor/rule/__init__.py 2015-06-03 23:25:46.638698441 +0200
@@ -139,7 +139,7 @@
'''return severity of this rule (a number between 0 and 10, where 0 means harmless and 10 means critical),
or '--' if no severity check is implemented for this rule type.
sev_db must be an apparmor.severity.Severity object.'''
- return '--'
+ return sev_db.NOT_IMPLEMENTED
def modifiers_str(self):
'''return the allow/deny and audit keyword as string, including whitespace'''
diff -u utils/test/test-baserule.py utils/test/test-baserule.py
--- utils/test/test-baserule.py 2015-05-24 17:04:12.643586340 +0200
+++ utils/test/test-baserule.py 2015-06-03 23:29:26.556777257 +0200
@@ -14,6 +14,7 @@
from apparmor.common import AppArmorBug
from apparmor.rule import BaseRule, parse_modifiers
+import apparmor.severity as severity
import re
@@ -52,9 +53,10 @@
parse_modifiers(matches)
def test_default_severity(self):
+ sev_db = severity.Severity('severity.db', 'unknown')
obj = BaseRule()
- rank = obj.severity(None)
- self.assertEqual(rank, '--')
+ rank = obj.severity(sev_db)
+ self.assertEqual(rank, sev_db.NOT_IMPLEMENTED)
setup_all_loops(__name__)
only in patch2:
unchanged:
--- utils/apparmor/severity.py 2015-06-03 23:24:34.789949109 +0200
+++ utils/apparmor/severity.py 2015-06-03 23:27:30.412600284 +0200
@@ -20,6 +20,7 @@
def __init__(self, dbname=None, default_rank=10):
"""Initialises the class object"""
self.PROF_DIR = '/etc/apparmor.d' # The profile directory
+ self.NOT_IMPLEMENTED = '_-*not*implemented*-_' # used for rule types that don't have severity ratings
self.severity = dict()
self.severity['DATABASENAME'] = dbname
self.severity['CAPABILITIES'] = {}
--
> Is there any way to "download" a GUI for skeleton somewhere?
Why download? /etc/init.d/skeleton is a text file, and SuSE ships plenty
of GUIs for that: kwrite, xemacs, kvim, ...
[> Matthias Reinhardt and Manfred Tremmel in suse-linux]