Hello,

$subject.

Also add a rank_path() function to severity.py and change rank() to call
rank_path() for paths.
The long-term goal is to get rid of the type "guessing" in rank().

Finally add some tests, mostly based on test-severity.py SeverityTest


[ 21-add-severity-support-to-FileRule.diff ]

=== modified file ./utils/apparmor/rule/file.py
--- utils/apparmor/rule/file.py 2016-03-28 23:10:21.515270509 +0200
+++ utils/apparmor/rule/file.py 2016-04-10 20:35:21.725474139 +0200
@@ -305,6 +305,20 @@
 
         return True
 
+    def severity(self, sev_db):
+        if self.all_paths:
+            severity = sev_db.rank_path('/**', 'mrwlkix')
+        else:
+            severity = -1
+            sev = sev_db.rank_path(self.path.regex, self._joint_perms())
+            if isinstance(sev, int):  # type check avoids breakage caused by 
'unknown'
+                severity = max(severity, sev)
+
+        if severity == -1:
+            severity = sev  # effectively 'unknown'
+
+        return severity
+
     def logprof_header_localvars(self):
         if self.owner:
             owner = _('Yes')
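Review bot: In the `all_paths` branch `sev` is never bound, so if `rank_path('/**', 'mrwlkix')` ever returned `-1` the fallback `severity = sev` would raise NameError. The `else` branch also carries a `-1` sentinel and a `max()` over a single value that always collapse to the lookup result, so both branches reduce to a direct return: `if self.all_paths: return sev_db.rank_path('/**', 'mrwlkix')` followed by `return sev_db.rank_path(self.path.regex, self._joint_perms())`. A docstring stating that the method returns the severity db rank for this rule's path and permissions, and that it passes through whatever non-int default the db reports for unmatched paths, would make the `isinstance` comment unnecessary. Note that for a bare `file,` rule, which grants every permission on every path, the test added in test-file.py pins the result to `'unknown'`, so the broadest rule is presented with the least informative rank; what `/**` resolves to comes from the db and is not visible here.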
=== modified file ./utils/apparmor/severity.py
--- utils/apparmor/severity.py  2015-06-14 21:15:25.363684107 +0200
+++ utils/apparmor/severity.py  2016-04-10 20:42:18.331183459 +0200
@@ -88,6 +88,15 @@
         warn("unknown capability: %s" % resource)
         return self.severity['DEFAULT_RANK']
 
+    def rank_path(self, path, mode=None):
+        """Returns the rank for the given path"""
+        if '@' in path:    # path contains variable
+            return self.handle_variable_rank(path, mode)
+        elif path[0] == '/':    # file resource
+            return self.handle_file(path, mode)
+        else:
+            raise AppArmorException("Unexpected path input: %s" % path)
+
     def check_subtree(self, tree, mode, sev, segments):
         """Returns the max severity from the regex tree"""
         if len(segments) == 0:
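Review bot: `path[0] == '/'` raises IndexError on an empty path instead of the AppArmorException the final branch is meant to raise; `path.startswith('/')` keeps the empty case on the intended error path. The `'@' in path` test also routes any literal `@` in a filename to `handle_variable_rank`, as the new test-file.py rows labelled "filename containing @" show; AppArmor variables are written `@{name}`, so check whether `'@{' in path` is the intended condition before callers rely on this dispatch. The docstring could say what `mode` holds and that the return value may be the db's configured default rather than an int.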
@@ -136,9 +145,9 @@
     def rank(self, resource, mode=None):
         """Returns the rank for the resource file/capability"""
         if '@' in resource:    # path contains variable
-            return self.handle_variable_rank(resource, mode)
+            return self.rank_path(resource, mode)
         elif resource[0] == '/':    # file resource
-            return self.handle_file(resource, mode)
+            return self.rank_path(resource, mode)
         elif resource[0:4] == 'CAP_':    # capability resource
             return self.rank_capability(resource[4:])
         else:
--- utils/test/test-file.py       2016-03-28 23:10:21.515270509 
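Review bot: After this change the `'@' in resource` and `resource[0] == '/'` branches are identical, so they can be merged into `if '@' in resource or resource[0] == '/': return self.rank_path(resource, mode)`, leaving `rank_path` as the single place that decides between variable and plain path, which matches the stated goal of removing the type guessing from `rank`. `resource[0]` has the same empty-string IndexError as `rank_path`, so `resource.startswith('/')` is the safer spelling in both. The body of `rank` continues past the hunk.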
+0200
=== modified file ./utils/test/test-file.py
--- utils/test/test-file.py     2016-04-10 20:37:25.540793448 +0200
+++ utils/test/test-file.py     2016-04-10 20:37:25.540793448 +0200
@@ -19,6 +19,7 @@
 
 from apparmor.rule.file import FileRule, FileRuleset
 from apparmor.rule import BaseRule
+import apparmor.severity as severity
 from apparmor.common import AppArmorException, AppArmorBug
 from apparmor.logparser import ReadLog
 from apparmor.translations import init_translation
@@ -699,6 +700,29 @@
         with self.assertRaises(AppArmorBug):
             obj.is_equal(testobj)
 
+class FileSeverityTest(AATest):
+    tests = [
+        ('/usr/bin/whatis ix,',         5),
+        ('/etc ix,',                    'unknown'),
+        ('/dev/doublehit ix,',          0),
+        ('/dev/doublehit rix,',         4),
+        ('/dev/doublehit rwix,',        8),
+        ('/dev/tty10 rwix,',            9),
+        ('/var/adm/foo/** rix,',        3),
+        ('/etc/apparmor/** r,',         6),
+        ('/etc/** r,',                  'unknown'),
+        ('/usr/foo@bar r,',             'unknown'),  # filename containing @
+        ('/home/foo@bar rw,',           6),  # filename containing @
+        ('file,',                       'unknown'),  # bare file rule XXX 
should return maximum severity
+    ]
+
+    def _run_test(self, params, expected):
+        sev_db = severity.Severity('severity.db', 'unknown')
+        obj = FileRule.parse(params)
+        rank = obj.severity(sev_db)
+        self.assertEqual(rank, expected)
+
+
 #class FileLogprofHeaderTest(AATest):
 #    tests = [
 #        ('file,',                        [                               
_('Access mode'), _('ALL'),    _('Bus'), _('ALL'),    _('Path'), _('ALL'), 
_('Name'), _('ALL'),    _('Interface'), _('ALL'),  _('Member'), _('ALL'), 
_('Peer exec_perms'), _('ALL'),   _('Peer label'), _('ALL')]),
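Review bot: `_run_test` builds a fresh `severity.Severity('severity.db', 'unknown')` for every table row, and the relative `'severity.db'` path means the test only passes when run from the directory holding that file; if AATest offers a setup hook, loading the db once there would make that dependency explicit and cheaper. The `('file,', 'unknown')` row pins a value the `XXX` comment itself calls wrong, so a later fix will fail this test; a comment such as `# XXX pins current behaviour; update once bare file rules rank as maximum severity` on that row, or leaving it out of the table until the fix lands, keeps the intent clear. There is also only one blank line before `class FileSeverityTest`, where PEP 8 wants two.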




Regards,

Christian Boltz
-- 
Gibt es Kundenhotlines ohne erhöhtes Anruferaufkommen?
[http://www.titanic-magazin.de/news/sind-so-fragen-7330/]

Attachment: signature.asc
Description: This is a digitally signed message part.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
