Merge severity.py: bump test coverage to 100%

... by adding some new tests, and by marking two lines as "pragma: no branch" because I didn't find a testcase that doesn't let them continue with the next line. Finally, remove severity.py from the "not 100% covered" list in test/Makefile. Also run severity tests with the official severity.db instead of the slightly outdated copy in test/. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/737 Acked-by: John Johansen <john.johansen@canonical.com>
2025-03-04 00:14:44 +01:00 · 2021-04-14 21:23:35 +00:00 · 2021-04-14 21:23:35 +00:00 · 3ee4f9c75f
commit 3ee4f9c75f
parent 94b7704e56 a07515bdd4
7 changed files with 12 additions and 470 deletions
--- a/utils/apparmor/severity.py
+++ b/utils/apparmor/severity.py
@ -51,7 +51,7 @@ class Severity(object):
                        else:
                            ptr = self.severity['REGEXPS']
                            pieces = path.split('/')
-                            for index, piece in enumerate(pieces):
+                            for index, piece in enumerate(pieces):  # pragma: no branch
                                if '*' in piece:
                                    path = '/'.join(pieces[index:])
                                    regexp = convert_regexp(path)
@ -114,7 +114,7 @@ class Severity(object):
                    # Match rest of the path
                    if re.search("^" + chunk, path):
                        # Find max rank
-                        if "AA_RANK" in tree[chunk].keys():
+                        if "AA_RANK" in tree[chunk].keys():  # pragma: no branch
                            for m in mode:
                                if sev is None or tree[chunk]["AA_RANK"].get(m, -1) > sev:
                                    sev = tree[chunk]["AA_RANK"].get(m, None)
--- a/utils/test/Makefile
+++ b/utils/test/Makefile
@ -21,7 +21,7 @@ COMMONDIR=../../common/
 include $(COMMONDIR)/Make.rules

 # files that don't have 100% test coverage
-INCOMPLETE_COVERAGE=libraries/libapparmor|utils/apparmor/aa.py|utils/apparmor/common.py|utils/apparmor/config.py|utils/apparmor/easyprof.py|utils/apparmor/fail.py|utils/apparmor/logparser.py|utils/apparmor/profile_storage.py|utils/apparmor/rule/abi.py|utils/apparmor/rule/include.py|utils/apparmor/rules.py|utils/apparmor/severity.py|utils/apparmor/ui.py|minitools_test.py
+INCOMPLETE_COVERAGE=libraries/libapparmor|utils/apparmor/aa.py|utils/apparmor/common.py|utils/apparmor/config.py|utils/apparmor/easyprof.py|utils/apparmor/fail.py|utils/apparmor/logparser.py|utils/apparmor/profile_storage.py|utils/apparmor/rule/abi.py|utils/apparmor/rule/include.py|utils/apparmor/rules.py|utils/apparmor/ui.py|minitools_test.py


 ifdef USE_SYSTEM
--- a/utils/test/severity.db
+++ b/utils/test/severity.db
@ -1,463 +0,0 @@
-# ------------------------------------------------------------------
-#
-#    Copyright (C) 2002-2005 Novell/SUSE
-#    Copyright (C) 2014 Canonical Ltd.
-#
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-# Allow this process to 0wn the machine:
-       CAP_SYS_ADMIN 10
-       CAP_SYS_CHROOT 10
-       CAP_SYS_MODULE 10
-       CAP_SYS_PTRACE 10
-       CAP_SYS_RAWIO 10
-       CAP_MAC_ADMIN 10
-       CAP_MAC_OVERRIDE 10
-# Allow other processes to 0wn the machine:
-       CAP_SETPCAP 9
-       CAP_SETFCAP 9
-       CAP_CHOWN 9
-       CAP_FSETID 9
-       CAP_MKNOD 9
-       CAP_LINUX_IMMUTABLE 9
-       CAP_DAC_OVERRIDE 9
-       CAP_SETGID 9
-       CAP_SETUID 9
-       CAP_FOWNER 9
-# Denial of service, bypass audit controls, information leak
-       CAP_SYS_TIME 8
-       CAP_NET_ADMIN 8
-       CAP_SYS_RESOURCE 8
-       CAP_KILL 8
-       CAP_IPC_OWNER 8
-       CAP_SYS_PACCT 8
-       CAP_SYS_BOOT 8
-       CAP_NET_BIND_SERVICE 8
-       CAP_NET_RAW 8
-       CAP_SYS_NICE 8
-       CAP_LEASE 8
-       CAP_IPC_LOCK 8
-       CAP_SYS_TTY_CONFIG 8
-       CAP_AUDIT_CONTROL 8
-       CAP_AUDIT_WRITE 8
-       CAP_SYSLOG 8
-       CAP_WAKE_ALARM 8
-       CAP_BLOCK_SUSPEND 8
-       CAP_DAC_READ_SEARCH 7
-# unused
-       CAP_NET_BROADCAST 0
-
-# filename	r w x
-# 'hard drives' are generally 4 10 0
-/**/lost+found/**	5 5 0
-/boot/**	7 10 0
-/etc/passwd*	4 8 0
-/etc/group*	4 8 0
-/etc/shadow*	7 9 0
-/etc/shadow*	7 9 0
-/home/*/.ssh/**	7 9 0
-/home/*/.gnupg/**	5 7 0
-/home/**	4 6 0
-/srv/**         4 6 0
-/proc/**	6 9 0
-/proc/sys/kernel/hotplug	2 10 0
-/proc/sys/kernel/modprobe	2 10 0
-/proc/kallsyms	7 0 0
-/sys/**		4 8 0
-/sys/power/state	2 8 0
-/sys/firmware/**	2 10 0
-/dev/pts/*	8 9 0
-/dev/ptmx	8 9 0
-/dev/pty*	8 9 0
-/dev/null	0 0 0
-/dev/adbmouse	3 8 0
-/dev/ataraid	9 10 0
-/dev/zero	0 0 0
-/dev/agpgart*	8 10 0
-/dev/aio	3 3 0
-/dev/cbd/*	5 5 0
-/dev/cciss/*	4 10 0
-/dev/capi*	4 6 0
-/dev/cfs0	4 10 0
-/dev/compaq/*   4 10 0
-/dev/cdouble*   4 8 0
-/dev/cpu**	5 5 0
-/dev/cpu**microcode	1 10 0
-/dev/double*	4 8 0
-/dev/hd*	4 10 0
-/dev/sd*	4 10 0
-/dev/ida/*	4 10 0
-/dev/input/*	4 8 0
-/dev/mapper/control	4 10 0
-/dev/*mem	8 10 0
-/dev/loop*	4 10 0
-/dev/lp*	0 4 0
-/dev/md*	4 10 0
-/dev/msr	4 10 0
-/dev/nb*	4 10 0
-/dev/ram*	8 10 0
-/dev/rd/*	4 10 0
-/dev/*random	3 1 0
-/dev/sbpcd*	4 0 0
-/dev/rtc	6 0 0
-/dev/sd*	4 10 0
-/dev/sc*	4 10 0
-/dev/sg*	4 10 0
-/dev/st*	4 10 0
-/dev/snd/*	3 8 0
-/dev/usb/mouse*	4 6 0
-/dev/usb/hid*	4 6 0
-/dev/usb/tty*	4 6 0
-/dev/tty*	8 9 0
-/dev/stderr	0 0 0
-/dev/stdin	0 0 0
-/dev/stdout	0 0 0
-/dev/ubd*	4 10 0
-/dev/usbmouse*	4 6 0
-/dev/userdma	8 10 0
-/dev/vcs*	8 9 0
-/dev/xta*	4 10 0
-/dev/zero	0 0 0
-/dev/inittcl	8 10 0
-/dev/log	5 7 0
-/etc/fstab	3 8 0
-/etc/mtab	3 5 0
-/etc/SuSEconfig/*	1 8 0
-/etc/X11/*	2 7 0
-/etc/X11/xinit/*	2 8 0
-/etc/SuSE-release	1 5 0
-/etc/issue*	1 3 0
-/etc/motd	1 3 0
-/etc/aliases.d/*	1 7 0
-/etc/cron*	1 9 0
-/etc/cups/*	2 7 0
-/etc/default/*	3 8 0
-/etc/init.d/*	1 10 0
-/etc/permissions.d/*	1 8 0
-/etc/ppp/*	2 6 0
-/etc/ppp/*secrets	8 6 0
-/etc/profile.d/*	1 8 0
-/etc/skel/*	0 7 0
-/etc/sysconfig/*	4 10 0
-/etc/xinetd.d/*	1 9 0
-/etc/termcap/*	1 4 0
-/etc/ld.so.*	1 9 0
-/etc/pam.d/*	3 9 0
-/etc/udev/*	3 9 0
-/etc/insserv.conf	3 6 0
-/etc/security/*	1 9 0
-/etc/securetty	0 7 0
-/etc/sudoers	4 9 0
-/etc/hotplug/*	2 10 0
-/etc/xinitd.conf	1 9 0
-/etc/gpm/*	2 10 0
-/etc/ssl/**	2 7 0
-/etc/shadow*	5 9 0
-/etc/bash.bashrc	1 9 0
-/etc/csh.cshrc		1 9 0
-/etc/csh.login		1 9 0
-/etc/inittab	1 10 0
-/etc/profile*		1 9 0
-/etc/shells	1 5 0
-/etc/alternatives	1 6 0
-/etc/sysctl.conf	3 7 0
-/etc/dev.d/*	1 8 0
-/etc/manpath.config	1 6 0
-/etc/permissions*	1 8 0
-/etc/evms.conf	3 8 0
-/etc/exports	3 8 0
-/etc/samba/*	5 8 0
-/etc/ssh/*	3 8 0
-/etc/ssh/ssh_host_*key 8 8 0
-/etc/krb5.conf	4 8 0
-/etc/ntp.conf	3 8 0
-/etc/auto.*	3 8 0
-/etc/postfix/*	3 7 0
-/etc/postfix/*passwd*	6 7 0
-/etc/postfix/*cert*	6 7 0
-/etc/foomatic/*	3 5 0
-/etc/printcap	3 5 0
-/etc/youservers	4 9 0
-/etc/grub.conf	7 10 0
-/etc/modules.conf	4 10 0
-/etc/resolv.conf	2 7 0
-/etc/apache2/**	3 7 0
-/etc/apache2/**ssl**	7 7 0
-/etc/subdomain.d/**	6 10 0
-/etc/apparmor.d/**	6 10 0
-/etc/apparmor/**	6 10 0
-/var/log/**		3 8 0
-/var/adm/SuSEconfig/**	3 8 0
-/var/adm/**		3 7 0
-/var/lib/rpm/**		4 8 0
-/var/run/nscd/*		3 3 0
-/var/run/.nscd_socket	3 3 0
-/usr/share/doc/**	1 1 0
-/usr/share/man/**	3 5 0
-/usr/X11/man/**		3 5 0
-/usr/share/info/**	2 4 0
-/usr/share/java/**	2 5 0
-/usr/share/locale/**	2 4 0
-/usr/share/sgml/**	2 4 0
-/usr/share/YaST2/**	3 9 0
-/usr/share/ghostscript/**	3 5 0
-/usr/share/terminfo/**	1 8 0
-/usr/share/latex2html/**	2 4 0
-/usr/share/cups/**	5 6 0
-/usr/share/susehelp/**	2 6 0
-/usr/share/susehelp/cgi-bin/**	3 7 7
-/usr/share/zoneinfo/**	2 7 0
-/usr/share/zsh/**	3 6 0
-/usr/share/vim/**	3 8 0
-/usr/share/groff/**	3 7 0
-/usr/share/vnc/**	3 8 0
-/usr/share/wallpapers/**	2 4 0
-/usr/X11**		3 8 5
-/usr/X11*/bin/XFree86	3 8 8
-/usr/X11*/bin/Xorg	3 8 8
-/usr/X11*/bin/sux	3 8 8
-/usr/X11*/bin/xconsole	3 7 7
-/usr/X11*/bin/xhost	3 7 7
-/usr/X11*/bin/xauth	3 7 7
-/usr/X11*/bin/ethereal	3 6 8
-/usr/lib/ooo-**		3 6 5
-/usr/lib/lsb/**		2 8 8
-/usr/lib/pt_chwon	2 8 5
-/usr/lib/tcl**		2 5 3
-/usr/lib/lib*so*	3 8 4
-/usr/lib/iptables/*	2 8 2
-/usr/lib/perl5/**	4 10 6
-/usr/lib/*/perl/**	4 10 6
-/usr/lib/*/perl5/**	4 10 6
-/usr/lib/gconv/*	4 7 4
-/usr/lib/locale/**	4 8 0
-/usr/lib/jvm/**		5 7 5
-/usr/lib/sasl*/**	5 8 4
-/usr/lib/jvm-exports/**	5 7 5
-/usr/lib/jvm-private/**	5 7 5
-/usr/lib/python*/**	5 7 5
-/usr/lib/libkrb5*	4 8 4
-/usr/lib/postfix/*	4 7 4
-/usr/lib/rpm/**		4 8 6
-/usr/lib/rpm/gnupg/**	4 9 0
-/usr/lib/apache2**	4 7 4
-/usr/lib/mailman/**	4 6 4
-/usr/bin/ldd		1 7 4
-/usr/bin/netcat		5 7 8
-/usr/bin/clear		2 6 3
-/usr/bin/reset		2 6 3
-/usr/bin/tput		2 6 3
-/usr/bin/tset		2 6 3
-/usr/bin/file		2 6 3
-/usr/bin/ftp		3 7 5
-/usr/bin/busybox	4 8 6
-/usr/bin/rbash		4 8 5
-/usr/bin/screen		3 6 5
-/usr/bin/getfacl	3 7 4
-/usr/bin/setfacl	3 7 9
-/usr/bin/*awk*		3 7 7
-/usr/bin/sudo		2 9 10
-/usr/bin/lsattr		2 6 5
-/usr/bin/chattr		2 7 8
-/usr/bin/sed		3 7 6
-/usr/bin/grep		2 7 2
-/usr/bin/chroot		2 6 10
-/usr/bin/dircolors	2 9 3
-/usr/bin/cut		2 7 2
-/usr/bin/du		2 7 3
-/usr/bin/env		2 7 2
-/usr/bin/head		2 7 2
-/usr/bin/tail		2 7 2
-/usr/bin/install	2 8 4
-/usr/bin/link		2 6 4
-/usr/bin/logname	2 6 2
-/usr/bin/md5sum		2 8 3
-/usr/bin/mkfifo		2 6 10
-/usr/bin/nice		2 7 7
-/usr/bin/nohup		2 7 7
-/usr/bin/printf		2 7 1
-/usr/bin/readlink	2 7 3
-/usr/bin/seq		2 7 1
-/usr/bin/sha1sum	2 8 3
-/usr/bin/shred		2 7 3
-/usr/bin/sort		2 7 3
-/usr/bin/split		2 7 3
-/usr/bin/stat		2 7 4
-/usr/bin/sum		2 8 3
-/usr/bin/tac		2 7 3
-/usr/bin/tail		3 8 4
-/usr/bin/tee		2 7 3
-/usr/bin/test		2 8 4
-/usr/bin/touch		2 7 3
-/usr/bin/tr		2 8 3
-/usr/bin/tsort		2 7 3
-/usr/bin/tty		2 7 3
-/usr/bin/unexpand	2 7 3
-/usr/bin/uniq		2 7 3
-/usr/bin/unlink		2 8 4
-/usr/bin/uptime		2 7 3
-/usr/bin/users		2 8 4
-/usr/bin/vdir		2 8 4
-/usr/bin/wc		2 7 3
-/usr/bin/who		2 8 4
-/usr/bin/whoami		2 8 4
-/usr/bin/yes		1 6 1
-/usr/bin/ed		2 7 5
-/usr/bin/red		2 7 4
-/usr/bin/find		2 8 5
-/usr/bin/xargs		2 7 5
-/usr/bin/ispell		2 7 4
-/usr/bin/a2p		2 7 5
-/usr/bin/perlcc		2 7 5
-/usr/bin/perldoc	2 7 5
-/usr/bin/pod2*		2 7 5
-/usr/bin/prove		2 7 5
-/usr/bin/perl		2 10 7
-/usr/bin/perl*		2 10 7
-/usr/bin/suidperl	2 8 8
-/usr/bin/csh		2 8 8
-/usr/bin/tcsh		2 8 8
-/usr/bin/tree		2 6 5
-/usr/bin/last		2 7 5
-/usr/bin/lastb		2 7 5
-/usr/bin/utmpdump	2 6 5
-/usr/bin/alsamixer	2 6 8
-/usr/bin/amixer		2 6 8
-/usr/bin/amidi		2 6 8
-/usr/bin/aoss		2 6 8
-/usr/bin/aplay		2 6 8
-/usr/bin/aplaymidi	2 6 8
-/usr/bin/arecord	2 6 8
-/usr/bin/arecordmidi	2 6 8
-/usr/bin/aseqnet	2 6 8
-/usr/bin/aserver	2 6 8
-/usr/bin/iecset		2 6 8
-/usr/bin/rview		2 6 5
-/usr/bin/ex		2 7 5
-/usr/bin/enscript	2 6 5
-/usr/bin/genscript	2 6 5
-/usr/bin/xdelta		2 6 5
-/usr/bin/edit		2 6 5
-/usr/bin/vimtutor	2 6 5
-/usr/bin/rvim		2 6 5
-/usr/bin/vim		2 8 7
-/usr/bin/vimdiff	2 8 7
-/usr/bin/aspell		2 6 5
-/usr/bin/xxd		2 6 5
-/usr/bin/spell		2 6 5
-/usr/bin/eqn		2 6 5
-/usr/bin/eqn2graph	2 6 5
-/usr/bin/word-list-compress	2 6 4
-/usr/bin/afmtodit	2 6 4
-/usr/bin/hpf2dit	2 6 4
-/usr/bin/geqn		2 6 4
-/usr/bin/grn		2 6 4
-/usr/bin/grodvi		2 6 4
-/usr/bin/groff		2 6 5
-/usr/bin/groffer	2 6 4
-/usr/bin/grolj4		2 6 4
-/usr/bin/grotty		2 6 4
-/usr/bin/gtbl		2 6 4
-/usr/bin/pic2graph	2 6 4
-/usr/bin/indxbib	2 6 4
-/usr/bin/lkbib		2 6 4
-/usr/bin/lookbib	2 6 4
-/usr/bin/mmroff		2 6 4
-/usr/bin/neqn	  2 6 4
-/usr/bin/pfbtops	2 6 4
-/usr/bin/pic		2 6 4
-/usr/bin/tfmtodit	2 6 4
-/usr/bin/tbl		2 6 4
-/usr/bin/post-grohtml	2 6 4
-/usr/bin/pre-grohtml	2 6 4
-/usr/bin/refer		2 6 4
-/usr/bin/soelim		2 6 4
-/usr/bin/disable-paste	2 6 6
-/usr/bin/troff		2 6 4
-/usr/bin/strace-graph	2 6 4
-/usr/bin/gpm-root	2 6 7
-/usr/bin/hltest		2 6 7
-/usr/bin/mev		2 6 6
-/usr/bin/mouse-test	2 6 6
-/usr/bin/strace		2 8 9
-/usr/bin/scsiformat	2 7 10
-/usr/bin/lsscsi		2 7 7
-/usr/bin/scsiinfo	2 7 7
-/usr/bin/sg_*		2 7 7
-/usr/bin/build-classpath		2 6 6
-/usr/bin/build-classpath-directory	2 6 6
-/usr/bin/build-jar-repository		2 6 6
-/usr/bin/diff-jars			2 6 6
-/usr/bin/jvmjar				2 6 6
-/usr/bin/rebuild-jar-repository		2 6 6
-/usr/bin/scriptreplay	2 6 5
-/usr/bin/cal		2 6 3
-/usr/bin/chkdupexe	2 6 5
-/usr/bin/col		2 6 4
-/usr/bin/colcrt		2 6 4
-/usr/bin/colrm		2 6 3
-/usr/bin/column		2 6 4
-/usr/bin/cytune		2 6 6
-/usr/bin/ddate		2 6 3
-/usr/bin/fdformat	2 6 6
-/usr/bin/getopt		2 8 6
-/usr/bin/hexdump	2 6 4
-/usr/bin/hostid		2 6 4
-/usr/bin/ipcrm		2 7 7
-/usr/bin/ipcs		2 7 6
-/usr/bin/isosize	2 6 4
-/usr/bin/line		2 6 4
-/usr/bin/look		2 6 5
-/usr/bin/mcookie	2 7 5
-/usr/bin/mesg		2 6 4
-/usr/bin/namei		2 6 5
-/usr/bin/rename		2 6 5
-/usr/bin/renice		2 6 7
-/usr/bin/rev		2 6 5
-/usr/bin/script		2 6 6
-/usr/bin/ChangeSymlinks	2 8 8
-/usr/bin/setfdprm	2 6 7
-/usr/bin/setsid		2 6 3
-/usr/bin/setterm	2 6 5
-/usr/bin/tailf		2 6 4
-/usr/bin/time		2 6 4
-/usr/bin/ul		2 6 4
-/usr/bin/wall		2 6 5
-/usr/bin/whereis	2 6 4
-/usr/bin/which		2 6 3
-/usr/bin/c_rehash	2 7 6
-/usr/bin/openssl	2 8 6
-/usr/bin/lsdev		2 6 5
-/usr/bin/procinfo	2 6 5
-/usr/bin/socklist	2 6 5
-/usr/bin/filesize	2 6 3
-/usr/bin/linkto		2 6 3
-/usr/bin/mkinfodir	2 6 5
-/usr/bin/old		2 6 4
-/usr/bin/rpmlocate	2 6 5
-/usr/bin/safe-rm	2 8 6
-/usr/bin/safe-rmdir	2 8 6
-/usr/bin/setJava	2 6 1
-/usr/bin/vmstat		2 6 4
-/usr/bin/top		2 6 6
-/usr/bin/pinentry*	2 7 6
-/usr/bin/free		2 8 4
-/usr/bin/pmap		2 6 5
-/usr/bin/slabtop	2 6 4
-/usr/bin/tload		2 6 4
-/usr/bin/watch		2 6 3
-/usr/bin/w		2 6 4
-/usr/bin/pstree.x11	2 6 4
-/usr/bin/pstree		2 6 4
-/usr/bin/snice		2 6 6
-/usr/bin/skill		2 6 7
-/usr/bin/pgrep		2 6 4
-/usr/bin/killall	2 6 7
-/usr/bin/curl		2 7 7
-/usr/bin/slptool	2 7 8
-/usr/bin/ldap*		2 7 7
-/usr/bin/whatis		2 7 5
--- a/utils/test/test-baserule.py
+++ b/utils/test/test-baserule.py
@ -58,7 +58,7 @@ class TestBaserule(AATest):
            parse_modifiers(matches)

    def test_default_severity(self):
-        sev_db = severity.Severity('severity.db', 'unknown')
+        sev_db = severity.Severity('../severity.db', 'unknown')
        obj = BaseRule()
        rank = obj.severity(sev_db)
        self.assertEqual(rank, sev_db.NOT_IMPLEMENTED)
--- a/utils/test/test-capability.py
+++ b/utils/test/test-capability.py
@ -434,7 +434,7 @@ class CapabiliySeverityTest(AATest):
        ('foo',                         'unknown'),
    ]
    def _run_test(self, params, expected):
-        sev_db = severity.Severity('severity.db', 'unknown')
+        sev_db = severity.Severity('../severity.db', 'unknown')
        obj = CapabilityRule(params)
        rank = obj.severity(sev_db)
        self.assertEqual(rank, expected)
--- a/utils/test/test-file.py
+++ b/utils/test/test-file.py
@ -798,7 +798,7 @@ class FileSeverityTest(AATest):
    ]

    def _run_test(self, params, expected):
-        sev_db = severity.Severity('severity.db', 'unknown')
+        sev_db = severity.Severity('../severity.db', 'unknown')
        obj = FileRule.parse(params)
        rank = obj.severity(sev_db)
        self.assertEqual(rank, expected)
--- a/utils/test/test-severity.py
+++ b/utils/test/test-severity.py
@ -23,7 +23,7 @@ from apparmor.common import AppArmorException
 class SeverityBaseTest(AATest):

    def AASetup(self):
-        self.sev_db = severity.Severity('severity.db', 'unknown')
+        self.sev_db = severity.Severity('../severity.db', 'unknown')

    def _capability_severity_test(self, cap, expected_rank):
        rank = self.sev_db.rank_capability(cap)
@ -48,6 +48,9 @@ class SeverityTest(SeverityBaseTest):
        (['/etc/**',            'r'     ],  'unknown'),
        (['/usr/foo@bar',       'r'     ],  'unknown'),  ## filename containing @
        (['/home/foo@bar',      'rw'    ],  6),  ## filename containing @
+        (['/etc/apache2/ssl.key/bar',       'r'   ],  7),  # /etc/apache2/** (3) vs. /etc/apache2/**ssl** (7)
+        (['/etc/apache2/foo/ssl/bar',       'r'   ],  7),  # additional path level triggers otherwise untested branch
+        (['/proc/sys/kernel/hotplug',       'rwx' ], 10),  # non-glob filename, severity depends on mode
    ]

    def _run_test(self, params, expected):
@ -81,6 +84,7 @@ class SeverityVarsTest(SeverityBaseTest):
        (['/overco@{multiarch}mmit_memory',             'r'],    'unknown'),
        (['@{PROC}/sys/@{TFTP_DIR}/overcommit_memory',  'r'],    6),
        (['@{somepaths}/somefile',                      'r'],    7),
+        (['@{strangevar}/somefile',                     'r'],    6),
    ]

    def _run_test(self, params, expected):
@ -91,6 +95,7 @@ class SeverityVarsTest(SeverityBaseTest):
            '@{TFTP_DIR}':  {'/var/tftp /srv/tftpboot'},
            '@{PROC}':      {'/proc/'},
            '@{somepaths}': {'/home/foo/downloads', '@{HOMEDIRS}/foo/.ssh/'},
+            '@{strangevar}': ['/srv/', '/proc/'],  # Note: using [] instead of {} is intentional to keep order of checking (and therefore code coverage) constant
        }
        self.sev_db.set_variables(vars)
        self._simple_severity_w_perm(params[0], params[1], expected)