[apparmor] [patch] Implement severity() in CapabilityRule
Christian Boltz
apparmor at cboltz.de
Sun May 24 16:22:15 UTC 2015
Hello,
this patch implements severity() in CapabilityRule.
Also implement handling for the special capability value '__ALL__' in
severity.py, which is used for 'capability,' rules (aa-mergeprof might
need to display the severity for such a rule).
Finally, add some tests for severity() in test-capability.py and a test
for '__ALL__' in test-severity.py.
[ 20-capability-rule-add-severity.diff ]
=== modified file utils/apparmor/rule/capability.py
--- utils/apparmor/rule/capability.py 2015-05-24 18:19:02.986380011 +0200
+++ utils/apparmor/rule/capability.py 2015-05-24 17:49:12.033506974 +0200
@@ -126,6 +126,20 @@
return True
+ def severity(self, sev_db):
+ if self.all_caps:
+ severity = sev_db.rank_capability('__ALL__')
+ else:
+ severity = -1
+ for cap in self.capability:
+ sev = sev_db.rank_capability(cap)
+ if isinstance(sev, int): # type check avoids breakage caused by 'unknown'
+ severity = max(severity, sev)
+
+ if severity == -1:
+ severity = sev # effectively 'unknown'
+
+ return severity
class CapabilityRuleset(BaseRuleset):
'''Class to handle and store a collection of capability rules'''
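Review bot: The fallback `severity = sev  # effectively 'unknown'` in the new `severity()` reads the loop variable after the loop, so it is whatever the last capability happened to rank, and it is unbound — `UnboundLocalError` — when `self.capability` is empty and `all_caps` is not set; whether the constructor can produce that state is not visible in this hunk, so either reject it explicitly (`if not self.capability: raise AppArmorBug('capability rule without capabilities')`) or initialise `sev` before the `for` loop. Worth documenting as well that a rule mixing a known and an unknown capability is ranked at the highest known one, i.e. the unknown entry is silently dropped rather than reported, which can under-state the rule's risk in aa-mergeprof; a docstring like `'''Return the highest severity of the listed capabilities (the db's __ALL__ rank for `capability,`); capabilities the db does not know are ignored unless none is known'''` makes that contract visible to callers. The enclosing `CapabilityRule` class starts before the hunk.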
=== modified file utils/apparmor/severity.py
--- utils/apparmor/severity.py 2015-05-24 18:19:02.986380011 +0200
+++ utils/apparmor/severity.py 2015-05-24 16:18:39.727934947 +0200
@@ -78,6 +78,8 @@
def rank_capability(self, resource):
"""Returns the severity of for the capability resource, default value if no match"""
cap = 'CAP_%s' % resource.upper()
+ if resource == '__ALL__':
+ return max(self.severity['CAPABILITIES'].values())
if cap in self.severity['CAPABILITIES'].keys():
return self.severity['CAPABILITIES'][cap]
# raise ValueError("unexpected capability rank input: %s"%resource)
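Review bot: `return max(self.severity['CAPABILITIES'].values())` raises `ValueError` on an empty sequence, so a severity.db whose CAPABILITIES section is empty would make `__ALL__` the only input that crashes instead of falling through to the default value like every other unmatched resource; guarding it — `caps = self.severity['CAPABILITIES'].values()` / `if resource == '__ALL__' and caps:` / `return max(caps)` — keeps the "default value if no match" contract from the docstring. As a point of style the special case is placed after `cap = 'CAP_%s' % resource.upper()`, which computes `CAP___ALL__` for nothing; moving the `__ALL__` check above that line reads more clearly. The rest of `rank_capability`, including the default return, lies outside the hunk.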
=== modified file utils/test/test-capability.py
--- utils/test/test-capability.py 2015-05-24 18:19:02.987379952 +0200
+++ utils/test/test-capability.py 2015-05-24 18:18:56.951735849 +0200
@@ -18,6 +18,7 @@
from apparmor.rule.capability import CapabilityRule, CapabilityRuleset
from apparmor.rule import BaseRule
+import apparmor.severity as severity
from apparmor.common import AppArmorException, AppArmorBug, hasher
from apparmor.logparser import ReadLog
@@ -419,6 +420,20 @@
self.assertFalse(self._is_covered(obj2, 'capability sys_admin,'))
self.assertTrue(self._is_covered(obj2, 'capability ptrace,'))
+class CapabiliySeverityTest(AATest):
+ tests = [
+ ('fsetid', 9),
+ ('dac_read_search', 7),
+ (['fsetid', 'dac_read_search'], 9),
+ (CapabilityRule.ALL, 10),
+ ('foo', 'unknown'),
+ ]
+ def _run_test(self, params, expected):
+ sev_db = severity.Severity('severity.db', 'unknown')
+ obj = CapabilityRule(params)
+ rank = obj.severity(sev_db)
+ self.assertEqual(rank, expected)
+
# --- tests for CapabilityRuleset --- #
class CapabilityRulesTest(AATest):
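Review bot: The new test class is named `CapabiliySeverityTest` (missing the `t`); rename it `CapabilitySeverityTest` to match `CapabilityRulesTest` below and the other class names in this file. The table also never mixes a known and an unknown capability, so the `isinstance(sev, int)` filter in `CapabilityRule.severity()` is not pinned by any case; adding `(['fsetid', 'foo'], 9),` would lock in that behaviour, and the expected ranks 9, 7 and 10 are tied to the shipped severity.db, as in test-severity.py, which is fine as long as that is understood.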
=== modified file utils/test/test-severity.py
--- utils/test/test-severity.py 2015-05-24 18:19:02.987379952 +0200
+++ utils/test/test-severity.py 2015-05-24 16:32:11.647446108 +0200
@@ -64,6 +64,7 @@
('setpcap', 9),
('UNKNOWN', 'unknown'),
('K*', 'unknown'),
+ ('__ALL__', 10),
]
def _run_test(self, params, expected):
Regards,
Christian Boltz
--
> es ist doch ausgesprochen ruhig hier und das nach dem Release einer
> neuen openSUSE Version. Sollte es etwa keine Probleme geben?
Vermutlich sind alle damit beschaeftigt, kmail2 ans Laufen zu bekommen.
Dann gibt es auch wieder Mails :-)
[> Marco Röben und Thomas Moritz in opensuse-de]