a qqeZ@sddlZddlZddlmZddlmZddlmZmZm Z m Z m Z m Z z ddl ZddlmZmZmZWn"eyeedYn0ddlmZmZdd lmZmZmZmZgd ZGd d d e Z Gd dde Z!ee!Z"eee efZ#GdddZ$GdddZ%dS)N defaultdict)suppress) DefaultDictIterableList NamedTupleOptionalUnion) NetworkXErrorNetworkXNoPath NodeNotFoundzNetworkX failed to import.) EdgeAttrDict EdgeAttrList) AnyTERule SELinuxPolicy TERuletypeType)DomainTransitionAnalysisDomainTransitionDomainEntrypointDTAPathc@s>eZdZUdZeed<eeed<eeed<eeed<dS)rz0Entrypoint list entry named tuple output format.name entrypointexecutetype_transitionN)__name__ __module__ __qualname____doc__r__annotations__rrr"r"1/usr/lib64/python3.9/site-packages/setools/dta.pyrs   rc@s^eZdZUdZeed<eed<eeed<eeed<eeed<eeed<eeed<d S) rz*Transition step output named tuple format.sourcetarget transition entrypointssetexec dyntransition setcurrentN) rrrr rr!rrrr"r"r"r#r#s     rc@seZdZUdZeeed<eed<d,eee e e ee fddddZ eed d d Zejdd d d Zeeed d dZeje e e ee fddddZe ee fe ee fe edddZd-e ee fe ee fee edddZe ee fe ee fe edddZe ee fedddZe d ddZedeed d!d"Zeeed#d$d%Zdd d&d'Zdd d(d)Zdd d*d+ZdS).rzDomain transition analysis._exclude_reverseFN)policyreverseexcludereturncCsvtt|_||_||_||_d|_d|_zt |_ |j |_ Wn,typ|jd|jdYn0dS)z Parameter: policy The policy to analyze. Keyword Parameters: reverse True means reverse the direction of the analysis (find parent domains). exclude An iterable of types to exclude from the analysis. TzLNetworkX is not available. This is requried for Domain Transition Analysis.z2This is typically in the python3-networkx package.N)logging getLoggerrlogr-r/r. rebuildgraphrebuildsubgraphnxZDiGraphGcopysubG NameErrorZcritical)selfr-r.r/r"r"r#__init__>s     z!DomainTransitionAnalysis.__init__)r0cCs|jSN)r,r;r"r"r#r.Ysz DomainTransitionAnalysis.reversecCst||_d|_dS)NT)boolr,r5)r; directionr"r"r#r.]s cCs|jSr=)r+r>r"r"r#r/bsz DomainTransitionAnalysis.exclude)typesr0cs*|rfdd|D_ng_d_dS)Ncsg|]}j|qSr")r- lookup_type).0tr>r"r# iz4DomainTransitionAnalysis.exclude..T)r+r5)r;rAr"r>r#r/fs)r$r%r0ccs|j|}|j|}|jr&||jd||ttt *| t j |j ||dVWdn1st0YdS)a Generator which yields one shortest domain transition path between the source and target types (there may be more). Parameters: source The source type. target The target type. Yield: generator(steps) steps A generator that returns the tuple of source, target, and rules for each domain transition. z8Generating one domain transition path from {0} to {1}...)r$r%N)r-rBr5_build_subgraphr3infoformatrr r )_DomainTransitionAnalysis__generate_stepsr6 shortest_pathr9)r;r$r%srDr"r"r#rKos   z&DomainTransitionAnalysis.shortest_path)r$r%maxlenr0ccs|dkrtd|j|}|j|}|jr6||jd|||tt t 4t |j |||D]}||VqjWdn1s0YdS)a Generator which yields all domain transition paths between the source and target up to the specified maximum path length. Parameters: source The source type. target The target type. maxlen Maximum length of paths. Yield: generator(steps) steps A generator that returns the tuple of source, target, and rules for each domain transition. rz%Maximum path length must be positive.zIGenerating all domain transition paths from {0} to {1}, max length {2}...N) ValueErrorr-rBr5rGr3rHrIrr r r6Zall_simple_pathsr9rJ)r;r$r%rNrLrDpathr"r"r# all_pathss    z"DomainTransitionAnalysis.all_pathsccs|j|}|j|}|jr&||jd||ttt 2t |j ||D]}| |VqVWdn1s|0YdS)a Generator which yields all shortest domain transition paths between the source and target types. Parameters: source The source type. target The target type. Yield: generator(steps) steps A generator that returns the tuple of source, target, and rules for each domain transition. zBGenerating all shortest domain transition paths from {0} to {1}...N)r-rBr5rGr3rHrIrr r r6all_shortest_pathsr9rJ)r;r$r%rLrDrPr"r"r#rRs    z+DomainTransitionAnalysis.all_shortest_paths)type_r0c cs|j|}|jr||jd||jr0dndtt t|j |D]V\}}t |j ||}|jrv||}}n ||}}t |||j|||j|j|jVqNWdn1s0YdS)aM Generator which yields all domain transitions out of a specified source type. Parameters: type_ The starting type. Yield: generator(steps) steps A generator that returns the tuple of source, target, and rules for each domain transition. z)Generating all domain transitions {1} {0}zin tozout fromN)r-rBr5rGr3rHrIr.rr r9Z out_edgesEdgerr&/_DomainTransitionAnalysis__generate_entrypointsr(r)r*)r;rSrLr$r%edge real_source real_targetr"r"r# transitionss(     z$DomainTransitionAnalysis.transitionscCs.|jr|dt|jdt|jS)zR Get the domain transition graph statistics. Return: str z Graph nodes: z Graph edges: )r4 _build_graphr6number_of_nodesr7number_of_edgesr>r"r"r# get_statss  z"DomainTransitionAnalysis.get_statsrT)rVr0csfddjDS)a Creates a list of entrypoint, execute, and type_transition rules for each entrypoint. Parameter: data The dictionary of entrypoints. Return: list of tuple(type, entry, exec, trans) type The entrypoint type. entry The list of entrypoint rules. exec The list of execute rules. trans The list of type_transition rules. cs,g|]$}t|j|j|j|qSr")rrrr)rCerVr"r#rEszCDomainTransitionAnalysis.__generate_entrypoints..)rr_r"r_r#Z__generate_entrypoints s z/DomainTransitionAnalysis.__generate_entrypoints)rPr0c csztdt|D]f}||d}||}t|j||}|jrF||}}n ||}}t|||j|||j|j |j VqdS)a Generator which yields the source, target, and associated rules for each domain transition. Parameter: path A list of graph node names representing an information flow path. Yield: tuple(source, target, transition, entrypoints, setexec, dyntransition, setcurrent) source The source type for this step of the domain transition. target The target type for this step of the domain transition. transition The list of transition rules. entrypoints Generator which yields entrypoint-related rules. setexec The list of setexec rules. dyntranstion The list of dynamic transition rules. setcurrent The list of setcurrent rules. rN) rangelenrTr9r.rr&rUr(r)r*)r;rPrLr$r%rVrWrXr"r"r#Z__generate_stepss   z)DomainTransitionAnalysis.__generate_stepscCs|jd|j|j_|jd|jtt}tt}tdd}tdd}tdd}|j D]}|j t j kr"|j dvrql|j dkrd |jvrt|j|jD].\}}||krt|j||d d } | j|qd |jvrBt|j|jD]2\}}||krt|j||d d } | j|qd |jvrn|jD]}|||qXd|jvr |jD]}|||qnd|jvrt|j|jD]\}}||||qd|jvr|t|j|jD]\}}||||qql|j t jkrl|j dkrrFz7DomainTransitionAnalysis._build_graph..cSsttSr=rbr"r"r"r#rdrFcSs tddS)NcSsttSr=rbr"r"r"r#rdrFzIDomainTransitionAnalysis._build_graph....rr"r"r"r#rdrF)processfilerer&T)creater)r(r*rrFz+Completed building domain transition graph.z$Graph stats: nodes: {0}, edges: {1}.)*r7clearrIr-rr3rHrrcZterulesZruletyperZallowZtclassZperms itertoolsproductr$expandr%rTr&appendr)rdefaultedgessetkeys intersectionrrr(extendr*remove_edges_fromr4r5debugr6r[r\)r;r(r*rrZ type_transZrulerLrDrVr^dZ invalid_edgeZclear_transitionZclear_dyntransitionZ invalid_transZinvalid_dyntransentryZexematchmr"r"r#rZ{s                     "          z%DomainTransitionAnalysis._build_graphc Csg}|jD]\}}t|j||}t|j}||j|s@q|D]D}|j|=|j|=tt |j |=WdqD1s~0YqD|js|j s| |q|j |dSr=)r9rnrTrorintersection_updater/rrKeyErrorrr)rlrs)r;Z invalid_edgesr$r%rVr'r^r"r"r#Z__remove_excluded_entrypointss   (  z6DomainTransitionAnalysis.__remove_excluded_entrypointscCs|jr||jd|jd|j|jd|j|jrZ|jjdd|_ n |j |_ |jr|j |j| d|_ |jd|jdt|j t|j dS) Nz$Building domain transition subgraph.z Excluding {0}z Reverse {0}T)r8Fz.Completed building domain transition subgraph.z'Subgraph stats: nodes: {0}, edges: {1}.)r4rZr3rHrtrIr/r.r7r9r8Zremove_nodes_from6_DomainTransitionAnalysis__remove_excluded_entrypointsr5r6r[r\r>r"r"r#rG+s"      z(DomainTransitionAnalysis._build_subgraph)FN)rM) rrrr rrr!r?rr rr strr<propertyr.setterr/rrKintrQrRrYr] staticmethodrrUrJrZr{rGr"r"r"r#r7sD   "  % (^rc@sveZdZdZedZedZedZedZe dZ e dZ e dZ de e ed d d d ZddZee dddZd S)rTaS A graph edge. Also used for returning domain transition steps. Parameters: graph The NetworkX graph. source The source type of the edge. target The target tyep of the edge. Keyword Parameters: create (T/F) create the edge if it does not exist. The default is False. r&r(r)r*rrrFN)r$r%rgr0cCsj||_||_||_|j||sf|s.tdn8|j||d|_d|_d|_d|_ d|_ d|_ d|_ dS)NzEdge does not exist in graph) r7r$r%Zhas_edgerOZadd_edger&rrrr(r)r*)r;Zgraphr$r%rgr"r"r#r<^s z Edge.__init__cs4t|tr&fddt|dDS|SdS)Ncsg|]}|qSr")_index_to_item)rCir>r"r#rEtrFz$Edge.__getitem__..rM) isinstanceslicer`indicesr)r;keyr"r>r# __getitem__ps zEdge.__getitem__)indexr0cCs.|dkr|jS|dkr|jStd|dS)z'Return source or target based on index.rrz,Invalid index (edges only have 2 items): {0}N)r$r% IndexErrorrI)r;rr"r"r#rxs zEdge._index_to_item)F)rrrr rr&r(r)r*rrrrrr?r<rrrr"r"r"r#rTGs rT)&rir1 collectionsr contextlibrtypingrrrrr r Znetworkxr6Znetworkx.exceptionr r r ImportErrorr2rrtZ descriptorsrrZ policyreprrrr__all__rrrZRuleHashrrTr"r"r"r#s,