[apparmor] [patch] Add severity() to BaseRule class
apparmor at cboltz.de
Sat Jun 6 13:09:15 UTC 2015
On Friday, 5 June 2015, Steve Beattie wrote:
> On Sat, Jun 06, 2015 at 12:38:41AM +0200, Christian Boltz wrote:
> > On Friday, 5 June 2015, Steve Beattie wrote:
> > > On Wed, Jun 03, 2015 at 11:57:00PM +0200, Christian Boltz wrote:
> > > > + def severity(self, sev_db):
> > > > + '''return severity of this rule (a number between 0 and
> > > > 10,
> > > > where 0 means harmless and 10 means critical), + or
> > > > sev_db.NOT_IMPLEMENTED if no severity check is implemented for
> > > > this
> > > > rule type.
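Review bot: the severity() docstring promises either a number between 0 and 10 or sev_db.NOT_IMPLEMENTED, but it does not say how a caller should tell the two apart before comparing or sorting severities. Suggest adding a sentence that callers must check for sev_db.NOT_IMPLEMENTED before treating the result as a number, and stating the complete set of values the method may return so that implementors of rule classes see the whole contract in one place.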
> > >
> > > Should the comment here say anything about possibly returning
> > > sev_db.unknown?
> > Should I add another line to the comment mentioning "unknown"?
> Umm that's what I was asking. What are a rule object's
> responsibilities here, and what should an implementor know about
> them? It seems likely that if an implementor of a rule class needs
> to know some of the possible returned values, they might need to know
> all of them.
OK, comment updated before committing.
I also committed all acked patches, which makes my "bzr diff" output a
bit ;-) shorter.
> > (to make things more interesting, the exact value of "unknown" is
> > specified when creating a sev_db instance, the default for unknown
> > is
> > "10", and everywhere we use sev_db we have _("unknown") as default)
> Yes, the value of unknown is unknown and not necessarily "unknown" :)
> (at least, until the class is instantiated). I'm not so sure that's
> a great design.
The (only?) advantage is that you can simply print out the result
without further processing.
> > Summed up "Dear rule, how severe are you?"
> > Summed up: "Dear sev_db, how severe is this rule?"
> WRT your second point, I certainly expected the severity db to turn
> around and say "So, rule, I've been asked to determine how severe you
> are. Why don't you tell me a little about yourself? Do you like hugs,
> puppies, and long walks on the beach?".
You are working hard to feed my sigmonster.
> It also gets the rule class author out of worrying about what the
> specific severity values that can be returned by the severity db are,
The rule class just passes through the sev_db result, which isn't really
> as well as needing to know whether the severity db has implemented
> mappings for the specific rule type.
That translates to "don't implement severity() in the rule class".
Also not really hard ;-)
> > Can we agree to disagree, or do we need to vote in the next meeting?
> > ;-)
> Wait, you want to start a discussion on which voting system
> (http://en.wikipedia.org/wiki/Voting_system) to use? :)
That page looks wrong or at least incomplete - it doesn't mention
https://en.wikipedia.org/wiki/Patch_(Unix) or at least
Key signing party? What's that?
A cultish sitting together and communal mumbling of magic numbers.
-- Gert Döring, FdI 95