On Sun, May 24, 2015 at 06:53:35PM +0200, Christian Boltz wrote:
> Note: the   != '--'   check in aa-mergeprof is superfluous for
> capabilities, but will become useful once this code block is used
> for other rule types.
> 
> 
> [ 21-read-severity-from-capability-rule.diff ]

Again, I like everything here except for the magic value '--' that
is yet another representation of 'unknown value'.

> === modified file utils/aa-mergeprof
> --- utils/aa-mergeprof  2015-05-24 18:48:10.454327370 +0200
> +++ utils/aa-mergeprof  2015-05-24 18:26:44.337170095 +0200
> @@ -317,13 +317,9 @@
>                          continue
>  
>                      if rule_obj.all_caps:
> -                        severity = 10
>                          cap_txt = 'ALL'
>                      else:
>                          cap_txt = ' '.join(rule_obj.capability)
> -                        severity = 0
> -                        for cap in rule_obj.capability:
> -                            severity = max(severity, sev_db.rank('CAP_%s' % 
> cap))
>  
>                      if rule_obj.deny:
>                          cap_txt = 'deny %s' % cap_txt
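
Review bot: the removed lines forced severity to 10 for all_caps and otherwise took the maximum sev_db.rank('CAP_%s' % cap) over every entry in rule_obj.capability, and nothing visible in this patch shows that the rule's severity() method keeps both behaviours. A test of severity() covering an all_caps rule and a rule with several capabilities would pin that down before the inline logic is dropped.
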
> @@ -345,7 +341,10 @@
>  
>                      q.headers = [_('Profile'), 
> apparmor.aa.combine_name(profile, hat)]
>                      q.headers += [_('Capability'), cap_txt]
> -                    q.headers += [_('Severity'), severity]
> +
> +                    severity = rule_obj.severity(sev_db)
> +                    if severity != '--':
> +                        q.headers += [_('Severity'), severity]
>  
>                      audit_toggle = 0
>  
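
Review bot: `if severity != '--':` compares against a bare string literal, so every caller of severity() has to know that '--' means "unknown". Returning None, or exporting a named constant next to severity() and comparing against that, would make the check self-documenting and turn a mistyped sentinel into an error instead of a header that silently shows up. The Severity header is also now omitted entirely when the value is unknown, where it was previously always added; that change in the prompt deserves a line in the patch description.
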
> === modified file utils/apparmor/aa.py
> --- utils/apparmor/aa.py        2015-05-17 23:18:49.560093509 +0200
> +++ utils/apparmor/aa.py        2015-05-24 18:48:48.857062323 +0200
> @@ -1569,8 +1569,8 @@
>                      capability_obj = CapabilityRule(capability)
>                      if is_known_rule(aa[profile][hat], 'capability', 
> capability_obj):
>                          continue
> -                    # Load variables? Don't think so.
> -                    severity = sev_db.rank('CAP_%s' % capability)
> +                    # Load variables into sev_db? Not needed/used for 
> capabilities.
> +                    severity = capability_obj.severity(sev_db)
>                      default_option = 1
>                      options = []
>                      newincludes = match_includes(aa[profile][hat], 
> 'capability', capability_obj)
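
Review bot: `severity = capability_obj.severity(sev_db)` is assigned here without the '--' check that the aa-mergeprof hunk adds, so the two callers treat an unknown severity differently. The description says the check is superfluous for capabilities; if that is why it is absent here, say so in the new comment, otherwise apply the same check wherever this value ends up being displayed so the sentinel string is never shown to the user.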

-- 
Steve Beattie
<sbeat...@ubuntu.com>
http://NxNW.org/~steve/
