[apparmor] [patch] Change test-severity.py to use 'unknown' as default rank, and fix the bugs it found
Christian Boltz
apparmor at cboltz.de
Mon May 25 00:37:08 UTC 2015
Hello,
Am Sonntag, 24. Mai 2015 schrieb Christian Boltz:
> [ 17-rank-unknown.diff ]
Here's a slightly updated version - the only changes are in test-
severity.py - I added the @{somepaths} variable and a test using it to
also have test that includes different severities for each part of the
variable.
Here's the updated patch:
Change test-severity.py to use 'unknown' as default rank, and fix the bugs it found
To be able to distinguish between severity 10 and unknown severity,
change AASetup to specify 'unknown' as default rank, and change the
expected result to 'unknown' where it's expected.
Also change the "expected rank %d" to "%s" because it can be a string
now, and add a test that contains directories with different severity
in one variable.
After these changes, handle_variable_rank() errors out with
TypeError: unorderable types: str() > int()
so fix it by
- initializing rank with the default rank (instead of none)
- explicitely check that rank and rank_new are != the default rank before
doing a comparison
A side effect is another bugfix - '@{HOME}/sys/@{PROC}/overcommit_memory'
is severity 4, not 10 or unknown (confirmed by reading severity.db).
Because of the bugfixes, I propose this patch for trunk and 2.9.
This also means
a) also apply patches 14, 15 and 16 to 2.9 or
b) only apply the severity.py changes in this patch to 2.9, but not the test changes
Please choose your prefered option ;-)
[ 17-rank-unknown.diff ]
=== modified file utils/apparmor/severity.py
--- utils/apparmor/severity.py 2015-05-24 15:10:04.944333580 +0200
+++ utils/apparmor/severity.py 2015-05-24 16:18:39.727934947 +0200
@@ -143,16 +145,17 @@
def handle_variable_rank(self, resource, mode):
"""Returns the max possible rank for file resources containing variables"""
regex_variable = re.compile('@{([^{.]*)}')
- rank = None
matches = regex_variable.search(resource)
if matches:
+ rank = self.severity['DEFAULT_RANK']
variable = '@{%s}' % matches.groups()[0]
#variables = regex_variable.findall(resource)
for replacement in self.severity['VARIABLES'][variable]:
resource_replaced = self.variable_replace(variable, replacement, resource)
rank_new = self.handle_variable_rank(resource_replaced, mode)
- #rank_new = self.handle_variable_rank(resource.replace('@{'+variable+'}', replacement), mode)
- if rank is None or rank_new > rank:
+ if rank == self.severity['DEFAULT_RANK']:
+ rank = rank_new
+ elif rank_new != self.severity['DEFAULT_RANK'] and rank_new > rank:
rank = rank_new
return rank
else:
=== modified file utils/test/test-severity.py
--- utils/test/test-severity.py 2015-05-24 15:51:19.508698719 +0200
+++ utils/test/test-severity.py 2015-05-24 16:13:33.267252785 +0200
@@ -23,30 +23,30 @@
class SeverityBaseTest(AATest):
def AASetup(self):
- self.sev_db = severity.Severity('severity.db')
+ self.sev_db = severity.Severity('severity.db', 'unknown')
def _simple_severity_test(self, path, expected_rank):
rank = self.sev_db.rank(path)
self.assertEqual(rank, expected_rank,
- 'expected rank %d, got %d' % (expected_rank, rank))
+ 'expected rank %s, got %s' % (expected_rank, rank))
def _simple_severity_w_perm(self, path, perm, expected_rank):
rank = self.sev_db.rank(path, perm)
self.assertEqual(rank, expected_rank,
- 'expected rank %d, got %d' % (expected_rank, rank))
+ 'expected rank %s, got %s' % (expected_rank, rank))
class SeverityTest(SeverityBaseTest):
tests = [
(['/usr/bin/whatis', 'x' ], 5),
- (['/etc', 'x' ], 10),
+ (['/etc', 'x' ], 'unknown'),
(['/dev/doublehit', 'x' ], 0),
(['/dev/doublehit', 'rx' ], 4),
(['/dev/doublehit', 'rwx' ], 8),
(['/dev/tty10', 'rwx' ], 9),
(['/var/adm/foo/**', 'rx' ], 3),
(['/etc/apparmor/**', 'r' ], 6),
- (['/etc/**', 'r' ], 10),
- (['/usr/foo at bar', 'r' ], 10), ## filename containing @
+ (['/etc/**', 'r' ], 'unknown'),
+ (['/usr/foo at bar', 'r' ], 'unknown'), ## filename containing @
(['/home/foo at bar', 'rw' ], 6), ## filename containing @
]
@@ -62,8 +62,8 @@
('KILL', 8),
('SETPCAP', 9),
('setpcap', 9),
- ('UNKNOWN', 10),
- ('K*', 10),
+ ('UNKNOWN', 'unknown'),
+ ('K*', 'unknown'),
]
def _run_test(self, params, expected):
@@ -70,7 +71,7 @@
self._simple_severity_test(cap_with_prefix, expected)
rank = self.sev_db.rank_capability(params)
- self.assertEqual(rank, expected, 'expected rank %d, got %d' % (expected, rank))
+ self.assertEqual(rank, expected, 'expected rank %s, got %s' % (expected, rank))
class SeverityVarsTest(SeverityBaseTest):
@@ -88,6 +88,7 @@
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
@{tid}=@{pid}
@{pids}=@{pid}
+@{somepaths}=/home/foo/downloads @{HOMEDIRS}/foo/.ssh/
'''
def _init_tunables(self, content=''):
@@ -103,9 +104,10 @@
tests = [
(['@{PROC}/sys/vm/overcommit_memory', 'r'], 6),
- (['@{HOME}/sys/@{PROC}/overcommit_memory', 'r'], 10),
- (['/overco@{multiarch}mmit_memory', 'r'], 10),
+ (['@{HOME}/sys/@{PROC}/overcommit_memory', 'r'], 4),
+ (['/overco@{multiarch}mmit_memory', 'r'], 'unknown'),
(['@{PROC}/sys/@{TFTP_DIR}/overcommit_memory', 'r'], 6),
+ (['@{somepaths}/somefile', 'r'], 7),
]
def _run_test(self, params, expected):
Regards,
Christian Boltz
--
> Recovery ist, wenn Kunden anrufen und nach solchen Leuten verlangen.
Nun, ohne deinen Namen zu sehr verhunzen zu wollen.... aber es klingt
bestimmt lustig, wenn du dich einem Mann vorstellst, der auch Dirk
heißt. [Dirk Nimmich und Adrian Knoth in dasr]
More information about the AppArmor
mailing list