[apparmor] [patch] Change aa-logprof and aa-mergeprof to read the severity from CapabilityRule

Christian Boltz apparmor at cboltz.de
Sun May 24 16:53:35 UTC 2015


Hello,

$subject ;-)

Note: the   != '--'   check in aa-mergeprof is superfluous for
capabilities, but will become useful once this code block is used
for other rule types.


[ 21-read-severity-from-capability-rule.diff ]

=== modified file utils/aa-mergeprof
--- utils/aa-mergeprof  2015-05-24 18:48:10.454327370 +0200
+++ utils/aa-mergeprof  2015-05-24 18:26:44.337170095 +0200
@@ -317,13 +317,9 @@
                         continue
 
                     if rule_obj.all_caps:
-                        severity = 10
                         cap_txt = 'ALL'
                     else:
                         cap_txt = ' '.join(rule_obj.capability)
-                        severity = 0
-                        for cap in rule_obj.capability:
-                            severity = max(severity, sev_db.rank('CAP_%s' % cap))
 
                     if rule_obj.deny:
                         cap_txt = 'deny %s' % cap_txt
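Review bot: the removed lines encoded two behaviours that now have to live in CapabilityRule.severity(): a fixed rank of 10 for the all_caps case, and the max() over `sev_db.rank('CAP_%s' % cap)` for multi-capability rules. Neither is visible in this patch, so it is worth confirming in the rule class (or a test) that both are preserved; otherwise a `capability,` rule would silently lose its top-severity display. Also note that after this hunk `severity` is no longer assigned anywhere in the `if rule_obj.all_caps:` / `else:` block, so any reference between here and the reassignment in the second hunk would raise a NameError.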
@@ -345,7 +341,10 @@
 
                     q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
                     q.headers += [_('Capability'), cap_txt]
-                    q.headers += [_('Severity'), severity]
+
+                    severity = rule_obj.severity(sev_db)
+                    if severity != '--':
+                        q.headers += [_('Severity'), severity]
 
                     audit_toggle = 0
 
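Review bot: the guard `if severity != '--':` compares against a bare string sentinel while the previous code (and aa.py) treated severity as an int from sev_db.rank(); mixing an int rank with a '--' marker is easy to get wrong once this block is reused for other rule types, as the cover note intends. Suggest having CapabilityRule.severity() return None (or a named constant) for "no severity" and testing `if severity is not None:` here. The removed line `q.headers += [_('Severity'), severity]` always emitted the header, so the conditional also changes the q.headers layout for rules without a rank; that looks intentional but deserves a sentence in the commit message.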
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-05-17 23:18:49.560093509 +0200
+++ utils/apparmor/aa.py        2015-05-24 18:48:48.857062323 +0200
@@ -1569,8 +1569,8 @@
                     capability_obj = CapabilityRule(capability)
                     if is_known_rule(aa[profile][hat], 'capability', capability_obj):
                         continue
-                    # Load variables? Don't think so.
-                    severity = sev_db.rank('CAP_%s' % capability)
+                    # Load variables into sev_db? Not needed/used for capabilities.
+                    severity = capability_obj.severity(sev_db)
                     default_option = 1
                     options = []
                     newincludes = match_includes(aa[profile][hat], 'capability', capability_obj)
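Review bot: unlike the aa-mergeprof hunk, this caller keeps using `severity` unconditionally after `severity = capability_obj.severity(sev_db)`, with no check for the '--' marker. If CapabilityRule.severity() can return '--' (for example for a capability name missing from severity.db), aa-logprof will print '--' where it previously printed the integer from sev_db.rank(); either the same guard belongs here or the method should document that it always returns a rank for capabilities. The updated comment is an improvement over "Don't think so."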


Regards,

Christian Boltz
-- 
Everything will be fine. Nothing will get better. :-)
[Ratti in fontlinge-devel]



