setools/seinfoflow

#!/usr/bin/env python
# Copyright 2014-2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
#

from __future__ import print_function
import setools
import argparse
import sys
import logging

parser = argparse.ArgumentParser(
    description="SELinux policy information flow analysis tool.",
    epilog="If no analysis is selected, all information flow out of the source will be printed.")
parser.add_argument("--version", action="version", version=setools.__version__)
parser.add_argument("--stats", action="store_true",
                    help="Display statistics at the end of the analysis.")
parser.add_argument("-v", "--verbose", action="store_true",
                    help="Print extra informational messages")
parser.add_argument("--debug", action="store_true", dest="debug", help="Enable debugging.")

settings = parser.add_argument_group("Analysis settings")
settings.add_argument("-p", "--policy",
                      help="Path to SELinux policy to analyze.")
settings.add_argument("-m", "--map", required=True,
                      help="Path to permission map file.")
settings.add_argument("-s", "--source", required=True,
                      help="Source type of the analysis.")
settings.add_argument("-t", "--target", default="",
                      help="Target type of the analysis.")

alg = parser.add_argument_group("Analysis algorithm")
alg.add_argument("-S", "--shortest_path", action="store_true",
                 help="Calculate all shortest paths.")
alg.add_argument("-A", "--all_paths", type=int, metavar="MAX_STEPS",
                 help="Calculate all paths, with the specified maximum path length. (Expensive)")

opts = parser.add_argument_group("Analysis options")
opts.add_argument("-w", "--min_weight", default=3, type=int,
                  help="Minimum permission weight.  Default is 3.")
opts.add_argument("-l", "--limit_flows", default=0, type=int,
                  help="Limit to the specified number of flows.  Default is unlimited.")
opts.add_argument("exclude", nargs="*",
                  help="List of excluded types in the analysis.")

args = parser.parse_args()

if not args.target and (args.shortest_path or args.all_paths):
    parser.error("The target type must be specified to determine a path.")

if args.target and not (args.shortest_path or args.all_paths):
    parser.error("A target type is not used for flows in/out of a type.")

if args.limit_flows < 0:
    parser.error("Limit on information flows cannot be negative.")

if args.debug:
    logging.basicConfig(level=logging.DEBUG,
                        format='%(asctime)s|%(levelname)s|%(name)s|%(message)s')
elif args.verbose:
    logging.basicConfig(level=logging.INFO, format='%(message)s')
else:
    logging.basicConfig(level=logging.WARNING, format='%(message)s')

try:
    p = setools.SELinuxPolicy(args.policy)
    m = setools.PermissionMap(args.map)
    g = setools.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude)

    if args.shortest_path or args.all_paths:
        if args.shortest_path:
            paths = g.all_shortest_paths(args.source, args.target)
        else:
            paths = g.all_paths(args.source, args.target, args.all_paths)

        flownum = 0
        for flownum, path in enumerate(paths, start=1):
            print("Flow {0}:".format(flownum))
            for stepnum, step in enumerate(path, start=1):
                print("  Step {0}: {1} -> {2}".format(stepnum, step.source, step.target))

                for rule in sorted(step.rules):
                    print("   ", rule)

                print()

            if args.limit_flows and flownum >= args.limit_flows:
                break

            print()

    else:  # single direct info flow
        flownum = 0
        for flownum, flow in enumerate(g.infoflows(args.source), start=1):
            print("Flow {0}: {1} -> {2}".format(flownum, flow.source, flow.target))
            for rule in sorted(flow.rules):
                print("   ", rule)

            print()

            if args.limit_flows and flownum >= args.limit_flows:
                break

    print(flownum, "information flow(s) found.")

    if args.stats:
        print("\nGraph statistics:")
        print(g.get_stats())

except Exception as err:
    if args.debug:
        logging.exception(str(err))
    else:
        print(err)

    sys.exit(1)
Change #! to use standard Python form 2016-02-26 14:12:34 +00:00			`#!/usr/bin/env python`
Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`# Copyright 2014-2015, Tresys Technology, LLC`
Initial public release. 2014-07-08 18:28:55 +00:00			`#`
			`# This file is part of SETools.`
			`#`
			`# SETools is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 2 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# SETools is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with SETools. If not, see <http://www.gnu.org/licenses/>.`
			`#`

			`from __future__ import print_function`
Rename libapol package to setools. 2014-10-25 01:23:13 +00:00			`import setools`
Initial public release. 2014-07-08 18:28:55 +00:00			`import argparse`
			`import sys`
Add logging. Not comprehensive yet. Only planning to do setools pkg (not policyrep), with the exception being the SELinuxPolicy class in policyrep. Avoids performance-critical paths. Use only info and debug so in normal cases the user only sees messages if they ask for it (e.g. -v). 2015-03-19 12:07:23 +00:00			`import logging`
Initial public release. 2014-07-08 18:28:55 +00:00
String changes to meet PEP8 standards. Except max line length of 100. Also use escaping to fix long lines. 2015-02-12 19:01:44 +00:00			`parser = argparse.ArgumentParser(`
			`description="SELinux policy information flow analysis tool.",`
			`epilog="If no analysis is selected, all information flow out of the source will be printed.")`
Rename libapol package to setools. 2014-10-25 01:23:13 +00:00			`parser.add_argument("--version", action="version", version=setools.__version__)`
Initial public release. 2014-07-08 18:28:55 +00:00			`parser.add_argument("--stats", action="store_true",`
			`help="Display statistics at the end of the analysis.")`
Add logging. Not comprehensive yet. Only planning to do setools pkg (not policyrep), with the exception being the SELinuxPolicy class in policyrep. Avoids performance-critical paths. Use only info and debug so in normal cases the user only sees messages if they ask for it (e.g. -v). 2015-03-19 12:07:23 +00:00			`parser.add_argument("-v", "--verbose", action="store_true",`
			`help="Print extra informational messages")`
Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`parser.add_argument("--debug", action="store_true", dest="debug", help="Enable debugging.")`
Initial public release. 2014-07-08 18:28:55 +00:00
			`settings = parser.add_argument_group("Analysis settings")`
SELinuxPolicy: add support for finding the policy to load. Restore legacy CLI tool behavior for not having to specify a policy to load 2015-05-08 19:21:00 +00:00			`settings.add_argument("-p", "--policy",`
Reorder parameters to meet PEP8 standards. Except max line length of 100. 2015-02-12 18:59:54 +00:00			`help="Path to SELinux policy to analyze.")`
			`settings.add_argument("-m", "--map", required=True,`
			`help="Path to permission map file.")`
Remove unnecessary option defaults in CLI tools. 2015-03-19 19:20:37 +00:00			`settings.add_argument("-s", "--source", required=True,`
Reorder parameters to meet PEP8 standards. Except max line length of 100. 2015-02-12 18:59:54 +00:00			`help="Source type of the analysis.")`
			`settings.add_argument("-t", "--target", default="",`
			`help="Target type of the analysis.")`
Initial public release. 2014-07-08 18:28:55 +00:00
			`alg = parser.add_argument_group("Analysis algorithm")`
			`alg.add_argument("-S", "--shortest_path", action="store_true",`
			`help="Calculate all shortest paths.")`
Reorder parameters to meet PEP8 standards. Except max line length of 100. 2015-02-12 18:59:54 +00:00			`alg.add_argument("-A", "--all_paths", type=int, metavar="MAX_STEPS",`
			`help="Calculate all paths, with the specified maximum path length. (Expensive)")`
Initial public release. 2014-07-08 18:28:55 +00:00
			`opts = parser.add_argument_group("Analysis options")`
Reorder parameters to meet PEP8 standards. Except max line length of 100. 2015-02-12 18:59:54 +00:00			`opts.add_argument("-w", "--min_weight", default=3, type=int,`
			`help="Minimum permission weight. Default is 3.")`
			`opts.add_argument("-l", "--limit_flows", default=0, type=int,`
			`help="Limit to the specified number of flows. Default is unlimited.")`
			`opts.add_argument("exclude", nargs="*",`
			`help="List of excluded types in the analysis.")`
Initial public release. 2014-07-08 18:28:55 +00:00
			`args = parser.parse_args()`

			`if not args.target and (args.shortest_path or args.all_paths):`
			`parser.error("The target type must be specified to determine a path.")`

Throw error in seinfoflow when target is specified but not used. 2014-11-09 16:22:23 +00:00			`if args.target and not (args.shortest_path or args.all_paths):`
			`parser.error("A target type is not used for flows in/out of a type.")`

Initial public release. 2014-07-08 18:28:55 +00:00			`if args.limit_flows < 0:`
			`parser.error("Limit on information flows cannot be negative.")`

Add logging. Not comprehensive yet. Only planning to do setools pkg (not policyrep), with the exception being the SELinuxPolicy class in policyrep. Avoids performance-critical paths. Use only info and debug so in normal cases the user only sees messages if they ask for it (e.g. -v). 2015-03-19 12:07:23 +00:00			`if args.debug:`
Fully configure logging in CLI tools. 2015-03-25 17:40:03 +00:00			`logging.basicConfig(level=logging.DEBUG,`
			`format='%(asctime)s\|%(levelname)s\|%(name)s\|%(message)s')`
Add logging. Not comprehensive yet. Only planning to do setools pkg (not policyrep), with the exception being the SELinuxPolicy class in policyrep. Avoids performance-critical paths. Use only info and debug so in normal cases the user only sees messages if they ask for it (e.g. -v). 2015-03-19 12:07:23 +00:00			`elif args.verbose:`
Fully configure logging in CLI tools. 2015-03-25 17:40:03 +00:00			`logging.basicConfig(level=logging.INFO, format='%(message)s')`
			`else:`
			`logging.basicConfig(level=logging.WARNING, format='%(message)s')`
Add logging. Not comprehensive yet. Only planning to do setools pkg (not policyrep), with the exception being the SELinuxPolicy class in policyrep. Avoids performance-critical paths. Use only info and debug so in normal cases the user only sees messages if they ask for it (e.g. -v). 2015-03-19 12:07:23 +00:00
Initial public release. 2014-07-08 18:28:55 +00:00			`try:`
Rename libapol package to setools. 2014-10-25 01:23:13 +00:00			`p = setools.SELinuxPolicy(args.policy)`
setools __init__: import query/analysis classes Makes use simpler. The setools submodules map 1:1 to classes anyway; the separate modules are simply to ease organization. Change seinfo to use conditional setter use rather than conditional instantiation of queries. Note: pylint disable is added because pylint gets confused by the reuse of the q variable and thinks that q is always BoolQuery, so it incorrectly reports missing member functions. 2015-04-15 16:00:59 +00:00			`m = setools.PermissionMap(args.map)`
Refactor SETools queries/analyses to use descriptors instead of get/setters This is Pythonic. 2015-05-17 01:59:10 +00:00			`g = setools.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude)`
Initial public release. 2014-07-08 18:28:55 +00:00
Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`if args.shortest_path or args.all_paths:`
seinfoflow: remove redundant try block 2015-03-31 19:49:08 +00:00			`if args.shortest_path:`
			`paths = g.all_shortest_paths(args.source, args.target)`
			`else:`
			`paths = g.all_paths(args.source, args.target, args.all_paths)`
Initial public release. 2014-07-08 18:28:55 +00:00
Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`flownum = 0`
			`for flownum, path in enumerate(paths, start=1):`
			`print("Flow {0}:".format(flownum))`
InfoFlowAnalysis: convert output to namedtuples 2015-04-26 14:41:03 +00:00			`for stepnum, step in enumerate(path, start=1):`
			`print(" Step {0}: {1} -> {2}".format(stepnum, step.source, step.target))`
Initial public release. 2014-07-08 18:28:55 +00:00
InfoFlowAnalysis: convert output to namedtuples 2015-04-26 14:41:03 +00:00			`for rule in sorted(step.rules):`
Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`print(" ", rule)`

			`print()`

			`if args.limit_flows and flownum >= args.limit_flows:`
			`break`
Initial public release. 2014-07-08 18:28:55 +00:00
			`print()`

Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`else: # single direct info flow`
			`flownum = 0`
InfoFlowAnalysis: convert output to namedtuples 2015-04-26 14:41:03 +00:00			`for flownum, flow in enumerate(g.infoflows(args.source), start=1):`
			`print("Flow {0}: {1} -> {2}".format(flownum, flow.source, flow.target))`
			`for rule in sorted(flow.rules):`
Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`print(" ", rule)`
Initial public release. 2014-07-08 18:28:55 +00:00
Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`print()`
Initial public release. 2014-07-08 18:28:55 +00:00
Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`if args.limit_flows and flownum >= args.limit_flows:`
			`break`
Initial public release. 2014-07-08 18:28:55 +00:00
DomainTransitionAnalysis/InfoFlowAnalysis: use NetworkX's info for stats 2015-07-02 14:23:36 +00:00			`print(flownum, "information flow(s) found.")`
Initial public release. 2014-07-08 18:28:55 +00:00
Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`if args.stats:`
DomainTransitionAnalysis/InfoFlowAnalysis: use NetworkX's info for stats 2015-07-02 14:23:36 +00:00			`print("\nGraph statistics:")`
			`print(g.get_stats())`
Initial public release. 2014-07-08 18:28:55 +00:00
Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`except Exception as err:`
			`if args.debug:`
cli: switch to logging.exception for debug reporting of unrecoverable exception. 2016-03-04 18:59:21 +00:00			`logging.exception(str(err))`
Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`else:`
			`print(err)`
Initial public release. 2014-07-08 18:28:55 +00:00
Add --debug options to CLI tools. Catch all exceptions in the main bulk of the CLI code. We can't do anything if there is an exception, so either print the error message from the exception, or print the traceback if debug is enabled. 2015-03-07 16:41:04 +00:00			`sys.exit(1)`