[apparmor] [patch] Add severity() to BaseRule class

Steve Beattie steve at nxnw.org
Sat Jun 6 00:41:04 UTC 2015

On Sat, Jun 06, 2015 at 12:38:41AM +0200, Christian Boltz wrote:
> On Friday, 5 June 2015, Steve Beattie wrote:
> > On Wed, Jun 03, 2015 at 11:57:00PM +0200, Christian Boltz wrote:
> > > +    def severity(self, sev_db):
> > > +        '''return severity of this rule (a number between 0 and 10,
> > > where 0 means harmless and 10 means critical), +           or
> > > sev_db.NOT_IMPLEMENTED if no severity check is implemented for this
> > > rule type.
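
Review bot: the docstring of severity() lists two kinds of return value, a number between 0 and 10 and sev_db.NOT_IMPLEMENTED, without saying how a caller tells them apart. Suggest stating that NOT_IMPLEMENTED lies outside the 0 to 10 range (or is not a number) and that callers must check for it before comparing severities.
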
> > Should the comment here say anything about possibly returning
> > sev_db.unknown?
> Should I add another line to the comment mentioning "unknown"?

Umm, that's what I was asking. What are a rule object's responsibilities
here, and what should an implementor know about them?  It seems
likely that if an implementor of a rule class needs to know some of
the possible returned values, they might need to know all of them.

> (to make things more interesting, the exact value of "unknown" is 
> specified when creating a sev_db instance, the default for unknown is 
> "10", and everywhere we use sev_db we have _("unknown") as default)

Yes, the value of unknown is unknown and not necessarily "unknown" :)
(at least, until the class is instantiated). I'm not so sure that's
a great design.

> I see the severity as a property of the rule, which is one of the 
> reasons why I placed it in the rule. (sev_db is just the tool helping to 
> find out the severity, and the main reason why I pass in the sev_db is 
> that I don't want to have it as global variable somewhere.)
> Another reason was that the check needs to access a class-internal 
> variable, and it felt more natural to have access to that variable 
> inside the class (and then ask sev_db about a string).
> Summed up "Dear rule, how severe are you?"


> Summed up: "Dear sev_db, how severe is this rule?"

WRT your second point, I certainly expected the severity db to turn
around and say "So, rule, I've been asked to determine how severe you
are. Why don't you tell me a little about yourself? Do you like hugs,
puppies, and long walks on the beach?".

It also gets the rule class author out of worrying about what the
specific severity values that can be returned by the severity db are,
as well as needing to know whether the severity db has implemented
mappings for the specific rule type.

> Can we agree to disagree, or do we need to vote in the next meeting? ;-)

Wait, you want to start a discussion on which voting system
(http://en.wikipedia.org/wiki/Voting_system) to use? :)

Steve Beattie
<sbeattie at ubuntu.com>
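
The two call directions argued over in this thread, side by side, as an added sketch that is not AppArmor code and not written by either participant. Only severity(), sev_db, NOT_IMPLEMENTED and the per-instance "unknown" come from the thread; the class bodies, severity_keys(), the rank table and the "one unknown key makes the rule unknown" policy are assumptions.

```python
# Added illustration, not AppArmor code. Names other than severity(), sev_db,
# NOT_IMPLEMENTED and "unknown" are hypothetical; the rank table is constructed.
class SeverityDB:
    NOT_IMPLEMENTED = 'not implemented'  # assumed to be a non-numeric sentinel

    def __init__(self, ranks, unknown=10):
        self.ranks = ranks      # capability name -> severity 0..10
        self.unknown = unknown  # fixed per instance; may be a number or a string

    def severity(self, rule):
        # "Dear sev_db, how severe is this rule?": the db interviews the rule.
        describe = getattr(rule, 'severity_keys', None)
        if describe is None:
            return self.NOT_IMPLEMENTED
        keys = describe()
        if any(k not in self.ranks for k in keys):
            return self.unknown  # assumed policy: one unknown key decides
        return max((self.ranks[k] for k in keys), default=self.unknown)


class BaseRule:
    def severity(self, sev_db):
        # "Dear rule, how severe are you?": default for rule types without a check.
        return sev_db.NOT_IMPLEMENTED


class CapabilityRule(BaseRule):  # hypothetical rule type
    def __init__(self, caps):
        self.caps = sorted(caps)

    def severity_keys(self):
        return self.caps  # all the db-driven direction asks of the rule author

    def severity(self, sev_db):
        # Rule-driven direction, written naively: correct only while "unknown"
        # is a number. A string "unknown" makes max() raise TypeError.
        return max(sev_db.ranks.get(cap, sev_db.unknown) for cap in self.caps)


def compare(unknown):
    """Ask both ways about one rule, for a db built with the given 'unknown'."""
    db = SeverityDB({'chown': 4, 'sys_module': 10}, unknown=unknown)
    rule = CapabilityRule(['chown', 'made_up_cap'])
    try:
        asked_rule = rule.severity(db)
    except TypeError:
        asked_rule = 'TypeError'
    return asked_rule, db.severity(rule), db.severity(BaseRule())
```

With a numeric "unknown" both directions agree; with a string "unknown" only the db-driven call still returns a value, because the rule class never has to compare severities itself.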