Hello, $subject.
Also add a rank_path() function to severity.py and change rank() to call rank_path() for paths. Long-term goal: get rid of the type "guessing" in rank()
Finally add some tests, mostly based on test-severity.py SeverityTest
[ 21-add-severity-support-to-FileRule.diff ]
=== modified file ./utils/apparmor/rule/file.py
--- utils/apparmor/rule/file.py 2016-03-28 23:10:21.515270509 +0200
+++ utils/apparmor/rule/file.py 2016-04-10 20:35:21.725474139 +0200
@@ -305,6 +305,20 @@
 
         return True
 
+    def severity(self, sev_db):
+        if self.all_paths:
+            severity = sev_db.rank_path('/**', 'mrwlkix')
+        else:
+            severity = -1
+            sev = sev_db.rank_path(self.path.regex, self._joint_perms())
+            if isinstance(sev, int):  # type check avoids breakage caused by 'unknown'
+                severity = max(severity, sev)
+
+            if severity == -1:
+                severity = sev  # effectively 'unknown'
+
+        return severity
+
     def logprof_header_localvars(self):
         if self.owner:
             owner = _('Yes')
=== modified file ./utils/apparmor/severity.py
--- utils/apparmor/severity.py 2015-06-14 21:15:25.363684107 +0200
+++ utils/apparmor/severity.py 2016-04-10 20:42:18.331183459 +0200
@@ -88,6 +88,15 @@
         warn("unknown capability: %s" % resource)
         return self.severity['DEFAULT_RANK']
 
+    def rank_path(self, path, mode=None):
+        """Returns the rank for the given path"""
+        if '@' in path:  # path contains variable
+            return self.handle_variable_rank(path, mode)
+        elif path[0] == '/':  # file resource
+            return self.handle_file(path, mode)
+        else:
+            raise AppArmorException("Unexpected path input: %s" % path)
+
     def check_subtree(self, tree, mode, sev, segments):
         """Returns the max severity from the regex tree"""
         if len(segments) == 0:
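Review bot: The `-1` sentinel and `max()` in the `else` branch of `severity()` reduce to a plain assignment: `sev` is either an int rank, where `max(-1, sev)` is `sev` for any non-negative rank, or the DB's unknown marker, where `severity` stays `-1` and is then overwritten with `sev`, so the branch can be `severity = sev_db.rank_path(self.path.regex, self._joint_perms())`. If the sentinel is scaffolding for ranking several paths later, a comment saying so would stop the next reader from simplifying it away. The method also lacks a docstring; `"""Return the severity rank of this rule from sev_db (an int, or the DB's unknown marker when the path is not ranked)"""` covers what the code shows. The local `severity` shadows the method name, which is harmless but confusing; `rank` would match the naming used in the new test. The `file,` case, which `all_paths` sends to `rank_path('/**', 'mrwlkix')`, is pinned to `'unknown'` in the new test with an XXX comment; since that is the most permissive rule possible, a `# TODO` on the `all_paths` branch noting that the intended result is the maximum rank would keep that gap visible where the code is.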
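Review bot: `path[0] == '/'` in `rank_path()` raises `IndexError` on an empty string instead of the `AppArmorException` the `else` branch is written for; `elif path.startswith('/'):  # file resource` keeps the intent for all inputs. The `'@' in path` test also routes any literal `@` in a filename to `handle_variable_rank()`, which the new tests (`/usr/foo@bar`, `/home/foo@bar`) exercise; if AppArmor variables are always written `@{name}`, checking for `'@{'` would be the more precise dispatch, but that would also change what `rank()` did before, so it belongs in a separate change. The docstring could say what is returned for a path the database does not rank, since callers such as `FileRule.severity()` type-check the result.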
@@ -136,9 +145,9 @@
     def rank(self, resource, mode=None):
         """Returns the rank for the resource file/capability"""
         if '@' in resource:  # path contains variable
-            return self.handle_variable_rank(resource, mode)
+            return self.rank_path(resource, mode)
         elif resource[0] == '/':  # file resource
-            return self.handle_file(resource, mode)
+            return self.rank_path(resource, mode)
         elif resource[0:4] == 'CAP_':  # capability resource
             return self.rank_capability(resource[4:])
         else:
--- utils/test/test-file.py 2016-03-28 23:10:21.515270509 +0200
=== modified file ./utils/test/test-file.py
--- utils/test/test-file.py 2016-04-10 20:37:25.540793448 +0200
+++ utils/test/test-file.py 2016-04-10 20:37:25.540793448 +0200
@@ -19,6 +19,7 @@
 from apparmor.rule.file import FileRule, FileRuleset
 from apparmor.rule import BaseRule
+import apparmor.severity as severity
 from apparmor.common import AppArmorException, AppArmorBug
 from apparmor.logparser import ReadLog
 from apparmor.translations import init_translation
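Review bot: After this change `rank()` still performs the `'@'` and `'/'` dispatch itself only to call `rank_path()` from both branches, so the two branches can collapse into one: `if '@' in resource or resource[0] == '/':` followed by `return self.rank_path(resource, mode)`, leaving `rank_path()` as the single place that decides between variable and file handling. That also means any later fix to the variable detection has to be made once rather than in two methods. The body of `rank()` continues past the end of the hunk.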
@@ -699,6 +700,29 @@
         with self.assertRaises(AppArmorBug):
             obj.is_equal(testobj)
 
+class FileSeverityTest(AATest):
+    tests = [
+        ('/usr/bin/whatis ix,', 5),
+        ('/etc ix,', 'unknown'),
+        ('/dev/doublehit ix,', 0),
+        ('/dev/doublehit rix,', 4),
+        ('/dev/doublehit rwix,', 8),
+        ('/dev/tty10 rwix,', 9),
+        ('/var/adm/foo/** rix,', 3),
+        ('/etc/apparmor/** r,', 6),
+        ('/etc/** r,', 'unknown'),
+        ('/usr/foo@bar r,', 'unknown'),  # filename containing @
+        ('/home/foo@bar rw,', 6),  # filename containing @
+        ('file,', 'unknown'),  # bare file rule XXX should return maximum severity
+    ]
+
+    def _run_test(self, params, expected):
+        sev_db = severity.Severity('severity.db', 'unknown')
+        obj = FileRule.parse(params)
+        rank = obj.severity(sev_db)
+        self.assertEqual(rank, expected)
+
+
 #class FileLogprofHeaderTest(AATest):
 #    tests = [
 #        ('file,', [ _('Access mode'), _('ALL'), _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer exec_perms'), _('ALL'), _('Peer label'), _('ALL')]),

Regards,

Christian Boltz
-- 
Gibt es Kundenhotlines ohne erhöhtes Anruferaufkommen?
[http://www.titanic-magazin.de/news/sind-so-fragen-7330/]
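Review bot: `_run_test()` builds a fresh `severity.Severity('severity.db', 'unknown')` for each of the twelve cases, reading the database relative to the current directory every time; if `AATest` offers a per-class setup hook, constructing it once there keeps the cases cheap and makes the cwd dependency explicit in one place. The `('file,', 'unknown')` entry pins behaviour the XXX comment itself calls wrong, so once `FileRule.severity()` is fixed this test fails instead of confirming the fix; either keep that case out of the list until then or state the intended value in the comment, e.g. `# bare file rule, XXX currently 'unknown', should be the maximum rank`. The expected numbers are tied to the contents of the shipped severity.db, which is fine for a regression test but worth a one-line comment above `tests` so a database edit is not mistaken for a code regression.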