[apparmor] [patch] Add severity() to BaseRule class

Christian Boltz apparmor at cboltz.de
Sat Jun 6 13:09:15 UTC 2015


Hello,

On Friday, 5 June 2015, Steve Beattie wrote:
> On Sat, Jun 06, 2015 at 12:38:41AM +0200, Christian Boltz wrote:
> > On Friday, 5 June 2015, Steve Beattie wrote:
> > > On Wed, Jun 03, 2015 at 11:57:00PM +0200, Christian Boltz wrote:
> > > > +    def severity(self, sev_db):
> > > > +        '''return severity of this rule (a number between 0 and
> > > > 10,
> > > > where 0 means harmless and 10 means critical), +           or
> > > > sev_db.NOT_IMPLEMENTED if no severity check is implemented for
> > > > this
> > > > rule type.
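
Review bot: The severity() docstring lists only "a number between 0 and 10" and sev_db.NOT_IMPLEMENTED as return values, so a caller reading it cannot tell that the sev_db "unknown" value can also come back. Later in this thread that value is described as set when the sev_db instance is created, with a default of "10" and _("unknown") used at the call sites, which means it can either collide with the top of the numeric range or not be a number at all. Suggest the docstring enumerate all three outcomes and state that callers must compare the result against sev_db.NOT_IMPLEMENTED and the instance's unknown value before treating it as a number.
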
> > > 
> > > Should the comment here say anything about possibly returning
> > > sev_db.unknown?
> > 
> > Should I add another line to the comment mentioning "unknown"?
> 
> Umm that's what I was asking. What are a rule object's
> responsibilities here, and what should an implementor know about
> them?  It seems likely that if an implementor of a rule class needs
> to know some of the possible returned values, they might need to know
> all of them.

OK, comment updated before committing.

I also committed all acked patches, which makes my "bzr diff" output a 
bit ;-) shorter.

> > (to make things more interesting, the exact value of "unknown" is
> > specified when creating a sev_db instance, the default for unknown
> > is
> > "10", and everywhere we use sev_db we have _("unknown") as default)
> 
> Yes, the value of unknown is unknown and not necessarily "unknown" :)
> (at least, until the class is instantiated). I'm not so sure that's
> a great design.

The (only?) advantage is that you can simply print out the result 
without further processing.

> > Summed up "Dear rule, how severe are you?"
> 
> versus
> 
> > Summed up: "Dear sev_db, how severe is this rule?"
> 
> WRT your second point, I certainly expected the severity db to turn
> around and say "So, rule, I've been asked to determine how severe you
> are. Why don't you tell me a little about yourself? Do you like hugs,
> puppies, and long walks on the beach?".

*lol*

You are working hard to feed my sigmonster.

> It also gets the rule class author out of worrying about what the
> specific severity values that can be returned by the severity db are,

The rule class just passes through the sev_db result, which isn't really 
hard ;-)

> as well as needing to know whether the severity db has implemented
> mappings for the specific rule type.

That translates to "don't implement severity() in the rule class". 
Also not really hard ;-)

> > Can we agree to disagree, or do we need to vote in the next meeting?
> > ;-)
> Wait, you want to start a discussion on which voting system
> (http://en.wikipedia.org/wiki/Voting_system) to use? :)

That page looks wrong or at least incomplete - it doesn't mention 
https://en.wikipedia.org/wiki/Patch_(Unix) or at least 
https://en.wikipedia.org/wiki/Diff ;-)


Regards,

Christian Boltz
-- 
Key signing party? What is that supposed to be?
A cultish get-together with collective murmuring of magic numbers.
-- Gert Döring, FdI 95
