[apparmor] [patch] Change aa-logprof and aa-mergeprof to read the severity from CapabilityRule

Christian Boltz apparmor at cboltz.de
Wed Jun 3 21:52:56 UTC 2015


Hello,

On Monday, 1 June 2015, Steve Beattie wrote:
> And even if we wanted to burble up "unimplemented" as a status rather
> than "unknown", using a magic string that is not even a constant
> defined somewhere strikes me as not the best way to do that.

Here's the updated patch, with an interdiff as simple as:

interdiff 21-read-severity-from-capability-rule.{OLD,diff}
diff -u utils/aa-mergeprof utils/aa-mergeprof
--- utils/aa-mergeprof  2015-05-24 18:26:44.337170095 +0200
+++ utils/aa-mergeprof  2015-06-03 23:46:39.255031972 +0200
@@ -344,7 +344,7 @@
                     q.headers += [_('Capability'), cap_txt]
 
                     severity = rule_obj.severity(sev_db)
-                    if severity != '--':
+                    if severity != sev_db.NOT_IMPLEMENTED:
                         q.headers += [_('Severity'), severity]
 
                     audit_toggle = 0
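Review bot: the comparison now tests against a named constant instead of the '--' magic string, which answers the quoted objection, but `sev_db.NOT_IMPLEMENTED` is defined nowhere in this patch; the attribute has to exist on whatever object is passed as sev_db before this lands, otherwise the `!=` test on the `+` line raises AttributeError the first time a capability rule is offered at the prompt. A short unit test that calls `rule_obj.severity(sev_db)` against the real severity object would catch that ordering problem in the series.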
and here's the full patch:


Change aa-logprof and aa-mergeprof to read the severity from CapabilityRule

Note: the   != sev_db.NOT_IMPLEMENTED:   check in aa-mergeprof is
superfluous for capabilities, but will become useful once this code
block is used for other rule types.
[ 21-read-severity-from-capability-rule.diff ]

=== modified file utils/aa-mergeprof
--- utils/aa-mergeprof  2015-06-03 23:24:34.707953960 +0200
+++ utils/aa-mergeprof  2015-06-03 23:46:39.255031972 +0200
@@ -318,13 +318,9 @@
                         continue
 
                     if rule_obj.all_caps:
-                        severity = 10
                         cap_txt = 'ALL'
                     else:
                         cap_txt = ' '.join(rule_obj.capability)
-                        severity = 0
-                        for cap in rule_obj.capability:
-                            severity = max(severity, sev_db.rank('CAP_%s' % cap))
 
                     if rule_obj.deny:
                         cap_txt = 'deny %s' % cap_txt
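Review bot: the hunk drops both the explicit `severity = 10` for the `all_caps` case and the `max(severity, sev_db.rank('CAP_%s' % cap))` loop over the listed capabilities, and nothing visible here shows that `rule_obj.severity(sev_db)` reproduces both behaviours (the 'CAP_' prefix included). A unit test for CapabilityRule.severity() with an `ALL` rule and with a rule naming several capabilities of different rank would pin that down and should go in with this change.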
@@ -346,7 +342,10 @@
 
                     q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
                     q.headers += [_('Capability'), cap_txt]
-                    q.headers += [_('Severity'), severity]
+
+                    severity = rule_obj.severity(sev_db)
+                    if severity != sev_db.NOT_IMPLEMENTED:
+                        q.headers += [_('Severity'), severity]
 
                     audit_toggle = 0
 
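Review bot: when `severity` equals `sev_db.NOT_IMPLEMENTED` the Severity row is silently left out of q.headers, so the user gets no hint that a rating exists but is not available; given the quoted discussion about reporting "unknown" versus "unimplemented", consider showing a placeholder such as `_('unknown')` in that branch instead of omitting the row, or at least say in the commit message that the omission is intended once this block is reused for other rule types.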
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-06-03 23:24:34.708953901 +0200
+++ utils/apparmor/aa.py        2015-06-03 23:45:17.500845213 +0200
@@ -1569,8 +1569,8 @@
                     capability_obj = CapabilityRule(capability)
                     if is_known_rule(aa[profile][hat], 'capability', capability_obj):
                         continue
-                    # Load variables? Don't think so.
-                    severity = sev_db.rank('CAP_%s' % capability)
+                    # Load variables into sev_db? Not needed/used for capabilities.
+                    severity = capability_obj.severity(sev_db)
                     default_option = 1
                     options = []
                     newincludes = match_includes(aa[profile][hat], 'capability', capability_obj)
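Review bot: this call site stores `capability_obj.severity(sev_db)` without the `!= sev_db.NOT_IMPLEMENTED` guard that aa-mergeprof receives in the same patch; for capabilities that is harmless, as the commit message says, but the two call sites now diverge, so either add the same guard here or extend the reworded comment to say why it is not needed. The new comment on the `+` line is otherwise clearer than the one it replaces.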
Regards,

Christian Boltz
-- 
> When is someone advanced (a pro)?
When you no longer have to claim it yourself and others do it for you.
[> Bernhard Junk and Martin Falley in suse-linux]