[apparmor] [patch] Change aa-logprof and aa-mergeprof to read the severity from CapabilityRule
Steve Beattie
steve at nxnw.org
Fri May 29 23:32:10 UTC 2015
On Sun, May 24, 2015 at 06:53:35PM +0200, Christian Boltz wrote:
> Note: the != '--' check in aa-mergeprof is superfluous for
> capabilities, but will become useful once this code block is used
> for other rule types.
>
>
> [ 21-read-severity-from-capability-rule.diff ]
Again, I like everything here except for the magic value '--' that
is yet another representation of 'unknown value'.
> === modified file utils/aa-mergeprof
> --- utils/aa-mergeprof 2015-05-24 18:48:10.454327370 +0200
> +++ utils/aa-mergeprof 2015-05-24 18:26:44.337170095 +0200
> @@ -317,13 +317,9 @@
> continue
>
> if rule_obj.all_caps:
> - severity = 10
> cap_txt = 'ALL'
> else:
> cap_txt = ' '.join(rule_obj.capability)
> - severity = 0
> - for cap in rule_obj.capability:
> - severity = max(severity, sev_db.rank('CAP_%s' % cap))
>
> if rule_obj.deny:
> cap_txt = 'deny %s' % cap_txt
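Review bot: the removed lines encoded two distinct behaviours, `severity = 10` when `rule_obj.all_caps` is set and otherwise the maximum of `sev_db.rank('CAP_%s' % cap)` over `rule_obj.capability`; this hunk deletes both and defers to `rule_obj.severity(sev_db)` further down, whose implementation is not part of this patch, so confirm that method reproduces the same two cases (in particular the fixed rank for ALL) rather than only the per-capability maximum.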
> @@ -345,7 +341,10 @@
>
> q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
> q.headers += [_('Capability'), cap_txt]
> - q.headers += [_('Severity'), severity]
> +
> + severity = rule_obj.severity(sev_db)
> + if severity != '--':
> + q.headers += [_('Severity'), severity]
>
> audit_toggle = 0
>
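Review bot: the added guard `if severity != '--':` compares against a bare string sentinel to mean "unknown severity"; prefer a named constant (or `None`) shared with `CapabilityRule.severity()` so the two sides cannot drift, and note that this also changes observable behaviour: the removed line always appended a `Severity` header, whereas the new code silently omits it when the value is unknown.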
> === modified file utils/apparmor/aa.py
> --- utils/apparmor/aa.py 2015-05-17 23:18:49.560093509 +0200
> +++ utils/apparmor/aa.py 2015-05-24 18:48:48.857062323 +0200
> @@ -1569,8 +1569,8 @@
> capability_obj = CapabilityRule(capability)
> if is_known_rule(aa[profile][hat], 'capability', capability_obj):
> continue
> - # Load variables? Don't think so.
> - severity = sev_db.rank('CAP_%s' % capability)
> + # Load variables into sev_db? Not needed/used for capabilities.
> + severity = capability_obj.severity(sev_db)
> default_option = 1
> options = []
> newincludes = match_includes(aa[profile][hat], 'capability', capability_obj)
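Review bot: unlike the aa-mergeprof hunk, this call site takes `capability_obj.severity(sev_db)` with no check for the '--' sentinel, so whatever consumes `severity` below the visible context (it previously only ever saw the value returned by `sev_db.rank()`) may now receive that string; either apply the same guard here or have the method return a value the downstream code already handles. The rewritten comment, `# Load variables into sev_db? Not needed/used for capabilities.`, does resolve the open question the old `# Load variables? Don't think so.` left behind.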
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/