[apparmor] [patch] Change aa-logprof and aa-mergeprof to read the severity from CapabilityRule
Christian Boltz
apparmor at cboltz.de
Sun May 24 16:53:35 UTC 2015
Hello,
$subject ;-)
Note: the != '--' check in aa-mergeprof is superfluous for
capabilities, but will become useful once this code block is used
for other rule types.
[ 21-read-severity-from-capability-rule.diff ]
=== modified file utils/aa-mergeprof
--- utils/aa-mergeprof 2015-05-24 18:48:10.454327370 +0200
+++ utils/aa-mergeprof 2015-05-24 18:26:44.337170095 +0200
@@ -317,13 +317,9 @@
continue
if rule_obj.all_caps:
- severity = 10
cap_txt = 'ALL'
else:
cap_txt = ' '.join(rule_obj.capability)
- severity = 0
- for cap in rule_obj.capability:
- severity = max(severity, sev_db.rank('CAP_%s' % cap))
if rule_obj.deny:
cap_txt = 'deny %s' % cap_txt
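Review bot: With the severity lines removed from both branches here, the two special cases they encoded (a fixed 10 for all_caps, and the max() of sev_db.rank('CAP_%s' % cap) over a rule listing several capabilities) now depend entirely on CapabilityRule.severity(), which this patch does not show. Please point to or add test cases for severity() covering an all_caps rule and a multi-capability rule, so the ranking shown to the user while merging profiles does not silently change.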
@@ -345,7 +341,10 @@
q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
q.headers += [_('Capability'), cap_txt]
- q.headers += [_('Severity'), severity]
+
+ severity = rule_obj.severity(sev_db)
+ if severity != '--':
+ q.headers += [_('Severity'), severity]
audit_toggle = 0
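Review bot: The check "if severity != '--':" uses a bare string literal as the "no severity" marker, and the reason for it (superfluous for capabilities, needed for later rule types) is stated only in the mail, not in the code. A short comment above the check, or a named constant shared with the rule class, would keep callers and severity() from drifting apart. The check also implies severity() can return either a number or the string '--', which is worth stating in its docstring.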
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-05-17 23:18:49.560093509 +0200
+++ utils/apparmor/aa.py 2015-05-24 18:48:48.857062323 +0200
@@ -1569,8 +1569,8 @@
capability_obj = CapabilityRule(capability)
if is_known_rule(aa[profile][hat], 'capability', capability_obj):
continue
- # Load variables? Don't think so.
- severity = sev_db.rank('CAP_%s' % capability)
+ # Load variables into sev_db? Not needed/used for capabilities.
+ severity = capability_obj.severity(sev_db)
default_option = 1
options = []
newincludes = match_includes(aa[profile][hat], 'capability', capability_obj)
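Review bot: The new "severity = capability_obj.severity(sev_db)" in aa.py has no "!= '--'" check in the visible lines, while the aa-mergeprof hunk adds one for the same call. The patch description says the check is superfluous for capabilities, so this works today, but the two callers should treat the return value the same way, or a comment here should say why the check is not needed, so the copies do not diverge once the block is reused for other rule types.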
Regards,
Christian Boltz
--
Everything will be fine. Nothing will get better. :-)
[Ratti in fontlinge-devel]