[apparmor] [patch] Change test-severity.py to use 'unknown' as default rank, and fix the bugs it found

Christian Boltz apparmor at cboltz.de
Sun May 24 14:43:03 UTC 2015 

Hello,

to be able to distinguish between severity 10 and unknown severity,
this patch changes AASetup to specify 'unknown' as default rank, and 
changes the expected result to 'unknown' where it's expected.

Also change the "expected rank %d" to "%s" because it can be a string now.

After these changes, handle_variable_rank() errors out with
    TypeError: unorderable types: str() > int()
so fix it by
- initializing rank with the default rank (instead of none)
- explicitely check that rank and rank_new are != the default rank before
  doing a comparison

A side effect is another bugfix - '@{HOME}/sys/@{PROC}/overcommit_memory'
is severity 4, not 10 or unknown (confirmed by reading severity.db).


Because of the bugfixes, I propose this patch for trunk and 2.9.
This also means
a) also apply patches 14, 15 and 16 to 2.9 or
b) only apply the severity.py changes in this patch to 2.9, but not the test changes

Please choose your prefered option ;-)


[ 17-rank-unknown.diff ]

=== modified file utils/apparmor/severity.py
--- utils/apparmor/severity.py  2015-05-24 15:10:04.944333580 +0200
+++ utils/apparmor/severity.py  2015-05-24 16:18:39.727934947 +0200
@@ -143,16 +145,17 @@
     def handle_variable_rank(self, resource, mode):
         """Returns the max possible rank for file resources containing variables"""
         regex_variable = re.compile('@{([^{.]*)}')
-        rank = None
         matches = regex_variable.search(resource)
         if matches:
+            rank = self.severity['DEFAULT_RANK']
             variable = '@{%s}' % matches.groups()[0]
             #variables = regex_variable.findall(resource)
             for replacement in self.severity['VARIABLES'][variable]:
                 resource_replaced = self.variable_replace(variable, replacement, resource)
                 rank_new = self.handle_variable_rank(resource_replaced, mode)
-                #rank_new = self.handle_variable_rank(resource.replace('@{'+variable+'}', replacement), mode)
-                if rank is None or rank_new > rank:
+                if rank == self.severity['DEFAULT_RANK']:
+                    rank = rank_new
+                elif rank_new != self.severity['DEFAULT_RANK'] and rank_new > rank:
                     rank = rank_new
             return rank
         else:
=== modified file utils/test/test-severity.py
--- utils/test/test-severity.py 2015-05-24 15:51:19.508698719 +0200
+++ utils/test/test-severity.py 2015-05-24 16:13:33.267252785 +0200
@@ -23,30 +23,30 @@
 class SeverityBaseTest(AATest):
 
     def AASetup(self):
-        self.sev_db = severity.Severity('severity.db')
+        self.sev_db = severity.Severity('severity.db', 'unknown')
 
     def _simple_severity_test(self, path, expected_rank):
         rank = self.sev_db.rank(path)
         self.assertEqual(rank, expected_rank,
-                         'expected rank %d, got %d' % (expected_rank, rank))
+                         'expected rank %s, got %s' % (expected_rank, rank))
 
     def _simple_severity_w_perm(self, path, perm, expected_rank):
         rank = self.sev_db.rank(path, perm)
         self.assertEqual(rank, expected_rank,
-                         'expected rank %d, got %d' % (expected_rank, rank))
+                         'expected rank %s, got %s' % (expected_rank, rank))
 
 class SeverityTest(SeverityBaseTest):
     tests = [
         (['/usr/bin/whatis',    'x'     ],  5),
-        (['/etc',               'x'     ],  10),
+        (['/etc',               'x'     ],  'unknown'),
         (['/dev/doublehit',     'x'     ],  0),
         (['/dev/doublehit',     'rx'    ],  4),
         (['/dev/doublehit',     'rwx'   ],  8),
         (['/dev/tty10',         'rwx'   ],  9),
         (['/var/adm/foo/**',    'rx'    ],  3),
         (['/etc/apparmor/**',   'r'     ],  6),
-        (['/etc/**',            'r'     ],  10),
-        (['/usr/foo at bar',       'r'     ],  10),  ## filename containing @
+        (['/etc/**',            'r'     ],  'unknown'),
+        (['/usr/foo at bar',       'r'     ],  'unknown'),  ## filename containing @
         (['/home/foo at bar',      'rw'    ],  6),  ## filename containing @
     ]
 
@@ -62,8 +62,8 @@
         ('KILL', 8),
         ('SETPCAP', 9),
         ('setpcap', 9),
-        ('UNKNOWN', 10),
-        ('K*', 10),
+        ('UNKNOWN', 'unknown'),
+        ('K*', 'unknown'),
     ]
 
     def _run_test(self, params, expected):
@@ -70,7 +71,7 @@
         self._simple_severity_test(cap_with_prefix, expected)
 
         rank = self.sev_db.rank_capability(params)
-        self.assertEqual(rank, expected, 'expected rank %d, got %d' % (expected, rank))
+        self.assertEqual(rank, expected, 'expected rank %s, got %s' % (expected, rank))
 
 
 class SeverityVarsTest(SeverityBaseTest):
@@ -101,8 +102,8 @@
 
     tests = [
         (['@{PROC}/sys/vm/overcommit_memory',           'r'],    6),
-        (['@{HOME}/sys/@{PROC}/overcommit_memory',      'r'],    10),
-        (['/overco@{multiarch}mmit_memory',             'r'],    10),
+        (['@{HOME}/sys/@{PROC}/overcommit_memory',      'r'],    4),
+        (['/overco@{multiarch}mmit_memory',             'r'],    'unknown'),
         (['@{PROC}/sys/@{TFTP_DIR}/overcommit_memory',  'r'],    6),
     ]
 



Regards,

Christian Boltz
-- 
"Ihr DNS liefert falsche IPs für unsere Domain!"
"Diese Domain wird gar nicht bei uns gehostet!"
"Ja eben, ihr Dödel! Nehmt die aus eurem DNS raus!"
"Die kann nicht in unserem DNS sein. Wir hosten diese Domain nicht."
"Ich weiss, wo deine Karre steht, Blödmann!"
"Ich sehe gerade, wir haben versehentlich ihre Domain in unserem DNS..."
[Ratti in linux-liste]

More information about the AppArmor mailing list