[apparmor] [patch] [21/38] Add severity support to FileRule
Christian Boltz
apparmor at cboltz.de
Fri Aug 12 20:59:22 UTC 2016
Hello,
$subject.
Also add a rank_path() function to severity.py and change rank() to call
rank_path() for paths.
Long-term goal: get rid of the type "guessing" in rank()
Finally add some tests, mostly based on test-severity.py SeverityTest
[ 21-add-severity-support-to-FileRule.diff ]
=== modified file ./utils/apparmor/rule/file.py
--- utils/apparmor/rule/file.py 2016-03-28 23:10:21.515270509 +0200
+++ utils/apparmor/rule/file.py 2016-04-10 20:35:21.725474139 +0200
@@ -305,6 +305,20 @@
return True
+ def severity(self, sev_db):
+ if self.all_paths:
+ severity = sev_db.rank_path('/**', 'mrwlkix')
+ else:
+ severity = -1
+ sev = sev_db.rank_path(self.path.regex, self._joint_perms())
+ if isinstance(sev, int): # type check avoids breakage caused by 'unknown'
+ severity = max(severity, sev)
+
+ if severity == -1:
+ severity = sev # effectively 'unknown'
+
+ return severity
+
def logprof_header_localvars(self):
if self.owner:
owner = _('Yes')
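Review bot: A bare `file,` rule (the `all_paths` branch at L18-L19) grants every permission on every path, yet the method reports whatever the database returns for `/**`, which the new test at L90 pins as `'unknown'` — and an aa-logprof user reads 'unknown' as less alarming than a high rank, which is the wrong signal for the most permissive rule AppArmor has. The branch should return the top of the scale without consulting the database, e.g. `severity = 10  # bare 'file,' == every permission on every path`, assuming the scale tops out at 10 (the tests go up to 9; severity.db is not visible here). In the other branch, since `rank_path()` yields either a non-negative int or the unknown marker, the `-1` sentinel and `max()` collapse to `severity = sev`; either simplify it now or add a comment saying the aggregation is a placeholder for rules with several paths, so the next reader does not silently remove it. The archive rendering has dropped the indentation, so whether L22-L27 sit inside the `else` (they must, or `self.path.regex` raises `AttributeError` for a bare rule) cannot be verified from here.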
=== modified file ./utils/apparmor/severity.py
--- utils/apparmor/severity.py 2015-06-14 21:15:25.363684107 +0200
+++ utils/apparmor/severity.py 2016-04-10 20:42:18.331183459 +0200
@@ -88,6 +88,15 @@
warn("unknown capability: %s" % resource)
return self.severity['DEFAULT_RANK']
+ def rank_path(self, path, mode=None):
+ """Returns the rank for the given path"""
+ if '@' in path: # path contains variable
+ return self.handle_variable_rank(path, mode)
+ elif path[0] == '/': # file resource
+ return self.handle_file(path, mode)
+ else:
+ raise AppArmorException("Unexpected path input: %s" % path)
+
def check_subtree(self, tree, mode, sev, segments):
"""Returns the max severity from the regex tree"""
if len(segments) == 0:
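Review bot: `path[0] == '/'` at L44 raises `IndexError` on an empty string before the `AppArmorException` at L47 is ever reached, so a caller passing an empty path gets a bare traceback instead of the intended error; `elif path.startswith('/'):` closes that gap. The `'@' in path` test at L42 also treats any literal `@` in a filename as a variable reference, while AppArmor variables are spelled `@{name}`, so `'@{' in path` would be the tighter check — though what `handle_variable_rank()` does with a non-variable `@` is not visible here (the two `@` rows in the new test give different results), so the current behaviour may be deliberate and deserves a comment either way. The docstring should state the return contract, e.g. `"""Return the rank (int) for the given path, or the 'unknown' marker this object was constructed with."""`, since the caller in file.py type-checks for exactly that.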
@@ -136,9 +145,9 @@
def rank(self, resource, mode=None):
"""Returns the rank for the resource file/capability"""
if '@' in resource: # path contains variable
- return self.handle_variable_rank(resource, mode)
+ return self.rank_path(resource, mode)
elif resource[0] == '/': # file resource
- return self.handle_file(resource, mode)
+ return self.rank_path(resource, mode)
elif resource[0:4] == 'CAP_': # capability resource
return self.rank_capability(resource[4:])
else:
--- utils/test/test-file.py 2016-03-28 23:10:21.515270509 +0200
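Review bot: After this change both the `'@'` and `'/'` branches of `rank()` forward to `rank_path()`, which immediately re-runs the same two tests, so the path classification now lives in two places that can drift apart. Collapsing them to `if resource[0:4] == 'CAP_': return self.rank_capability(resource[4:])` followed by `return self.rank_path(resource, mode)` would keep it in one spot — but that relies on the unseen `else:` branch only raising for unsupported input and on callers not matching its exact error text, so check that before simplifying. Given the stated long-term goal, a `# TODO: callers should use rank_path()/rank_capability() directly` at the top of `rank()` would point new code at the right API. The body of `rank()` continues past the end of the hunk.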
=== modified file ./utils/test/test-file.py
--- utils/test/test-file.py 2016-04-10 20:37:25.540793448 +0200
+++ utils/test/test-file.py 2016-04-10 20:37:25.540793448 +0200
@@ -19,6 +19,7 @@
from apparmor.rule.file import FileRule, FileRuleset
from apparmor.rule import BaseRule
+import apparmor.severity as severity
from apparmor.common import AppArmorException, AppArmorBug
from apparmor.logparser import ReadLog
from apparmor.translations import init_translation
@@ -699,6 +700,29 @@
with self.assertRaises(AppArmorBug):
obj.is_equal(testobj)
+class FileSeverityTest(AATest):
+ tests = [
+ ('/usr/bin/whatis ix,', 5),
+ ('/etc ix,', 'unknown'),
+ ('/dev/doublehit ix,', 0),
+ ('/dev/doublehit rix,', 4),
+ ('/dev/doublehit rwix,', 8),
+ ('/dev/tty10 rwix,', 9),
+ ('/var/adm/foo/** rix,', 3),
+ ('/etc/apparmor/** r,', 6),
+ ('/etc/** r,', 'unknown'),
+ ('/usr/foo at bar r,', 'unknown'), # filename containing @
+ ('/home/foo at bar rw,', 6), # filename containing @
+ ('file,', 'unknown'), # bare file rule XXX should return maximum severity
+ ]
+
+ def _run_test(self, params, expected):
+ sev_db = severity.Severity('severity.db', 'unknown')
+ obj = FileRule.parse(params)
+ rank = obj.severity(sev_db)
+ self.assertEqual(rank, expected)
+
+
#class FileLogprofHeaderTest(AATest):
# tests = [
# ('file,', [ _('Access mode'), _('ALL'), _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer exec_perms'), _('ALL'), _('Peer label'), _('ALL')]),
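Review bot: The row at L90 pins `'file,'` to `'unknown'` while its XXX comment admits the correct answer is the maximum severity, so the suite codifies a wrong value as expected and will break the moment the production code is fixed; either fix `FileRule.severity()` in this series and expect the maximum here, or keep the row out of the table until then. The archive has also rewritten `@` as ` at ` in the two filename rows at L88-L89 — as rendered, `FileRule.parse('/usr/foo at bar r,')` is not a valid rule — so confirm the committed file carries `@` in both. Building `severity.Severity('severity.db', 'unknown')` inside `_run_test` re-reads and re-parses the database for every row; a per-class fixture would avoid that, assuming `AATest` offers a setup hook (not visible here).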
Regards,
Christian Boltz
--
Gibt es Kundenhotlines ohne erhöhtes Anruferaufkommen?
[http://www.titanic-magazin.de/news/sind-so-fragen-7330/]