3
O+e[:������������������@���s����d�dl�Z�d�dlZd�dlmZ�d�dlZd�dlmZmZ�ddl m
Z
m
Z
�ddl
m
Z
�ddlmZ�dgZG�d d��d�ZG�d
d
��d
�ZdS�)
�����N)�suppress)�
NetworkXError�NetworkXNoPath����)�EdgeAttrIntMax�
EdgeAttrList)�RuleNotConditional)�
TERuletype�InfoFlowAnalysisc���������������@���s����e�Zd�ZdZd!dd�Zedd���Zejdd���Zed d
���Zejd
d
���Zed
d
���Z e jdd
���Z dd��Z
d"dd�Z
dd��Z
d#dd�Z
dd��Zdd
��Zd
d
��Zd d ��ZdS�)$r
���zInformation flow analysis.r���Nc�������������C���sJ���t�jt�|�_||�_||�_||�_||�_||�_d|�_ d|�_
t
j
��|�_
d|�_dS�)a���
Parameters:
policy The policy to analyze.
perm_map The permission map or path to the permission map file.
minweight The minimum permission weight to include in the analysis.
(default is 1)
exclude The types excluded from the information flow analysis.
(default is none)
booleans If None, all rules will be added to the analysis (default).
otherwise it should be set to a dict with keys corresponding
to boolean names and values of True/False. Any unspecified
booleans will use the policy's default values.
TN)�loggingZ getLogger�__name__�log�policy�
min_weight�perm_map�exclude�booleans�
rebuildgraph�rebuildsubgraph�nxZDiGraph�G�subG)�selfr���r���r���r���r�����r���� /usr/lib64/python3.6/infoflow.py�__init__%���s����
zInfoFlowAnalysis.__init__c�������������C���s���|�j�S�)N)�
_min_weight)r���r���r���r���r���A���s����zInfoFlowAnalysis.min_weightc�������������C���s0���d|��kodkn��s t�d��||�_d|�_d�S�)Nr����
���z4Min information flow weight must be an integer 1-10.T)�
ValueErrorr
���r���)r����weightr���r���r���r���E���s
����c�������������C���s���|�j�S�)N)� _perm_map)r���r���r���r���r���N���s����zInfoFlowAnalysis.perm_mapc�������������C���s���||�_�d|�_d|�_d�S�)NT)r ���r���r���)r���r���r���r���r���r���R���s����c�������������C���s���|�j�S�)N)�_exclude)r���r���r���r���r���X���s����zInfoFlowAnalysis.excludec����������������s*���|r��fdd�|D����_�ng���_�d��_d�S�)Nc����������������s���g�|�]}��j�j|��qS�r���)r����
lookup_type)�.0�t)r���r���r����
<listcomp>_���s����z,InfoFlowAnalysis.exclude.<locals>.<listcomp>T)r!���r���)r����typesr���)r���r���r���\���s����c����������
���c���sj���|�j�j|�}|�j�j|�}|�jr&|�j���|�jjdj||���tt��
�|�j t
j
|�j
||��V��W�dQ�R�X�dS�)a��
Generator which yields one shortest path between the source
and target types (there may be more).
Parameters:
source The source type.
target The target type.
Yield: generator(steps)
steps Yield: tuple(source, target, rules)
source The source type for this step of the information flow.
target The target type for this step of the information flow.
rules The list of rules creating this information flow step.
z@Generating one shortest information flow path from {0} to {1}...N)
r���r"���r����_build_subgraphr
����info�formatr���r����!_InfoFlowAnalysis__generate_stepsr����
shortest_pathr���)r����source�target�sr$���r���r���r���r+���e���s����
z
InfoFlowAnalysis.shortest_path����c����������
���c���s����|dk�rt�d��|�jj|�}|�jj|�}|�jr6|�j���|�jjdj|||���tt ��.�x&t
j
|�j
|||�D�]}|�j
|�V��qjW�W�dQ�R�X�dS�)a���
Generator which yields all paths between the source and target
up to the specified maximum path length. This algorithm
tends to get very expensive above 3-5 steps, depending
on the policy complexity.
Parameters:
source The source type.
target The target type.
maxlen Maximum length of paths.
Yield: generator(steps)
steps Yield: tuple(source, target, rules)
source The source type for this step of the information flow.
target The target type for this step of the information flow.
rules The list of rules creating this information flow step.
r���z%Maximum path length must be positive.zHGenerating all information flow paths from {0} to {1}, max length {2}...N)r
���r���r"���r���r'���r
���r(���r)���r���r���r���Zall_simple_pathsr���r*���)r���r,���r-����maxlenr.���r$����pathr���r���r���� all_paths����s����
zInfoFlowAnalysis.all_pathsc����������
���c���sx���|�j�j|�}|�j�j|�}|�jr&|�j���|�jjdj||���tt��,�x$t j
|�j
||�D�]}|�j
|�V��qVW�W�dQ�R�X�dS�)a���
Generator which yields all shortest paths between the source
and target types.
Parameters:
source The source type.
target The target type.
Yield: generator(steps)
steps Yield: tuple(source, target, rules)
source The source type for this step of the information flow.
target The target type for this step of the information flow.
rules The list of rules creating this information flow step.
zAGenerating all shortest information flow paths from {0} to {1}...N)
r���r"���r���r'���r
���r(���r)���r���r���r����all_shortest_pathsr���r*���)r���r,���r-���r.���r$���r1���r���r���r���r3�������s����
z#InfoFlowAnalysis.all_shortest_pathsTc����������
���c���s����|�j�j|�}|�jr|�j���|�jjdj|r,dnd|���tt��F�|rR|�j j
|�}n
|�j j
|�}x |D�]\}}t
|�j ||�V��qdW�W�dQ�R�X�dS�)a(��
Generator which yields all information flows in/out of a
specified source type.
Parameters:
source The starting type.
Keyword Parameters:
out If true, information flows out of the type will
be returned. If false, information flows in to the
type will be returned. Default is true.
Yield: generator(steps)
steps A generator that returns the tuple of
source, target, and rules for each
information flow.
z(Generating all information flows {0} {1}zout ofZintoN)
r���r"���r���r'���r
���r(���r)���r���r���r���Z out_edgesZin_edges�Edge)r���Ztype_�outr.���Zflowsr,���r-���r���r���r���� infoflows����s����
zInfoFlowAnalysis.infoflowsc�������������C���s���|�j�r|�j���tj|�j�S�)zQ
Get the information flow graph statistics.
Return: str
)r����
_build_graphr���r(���r���)r���r���r���r���� get_stats����s����zInfoFlowAnalysis.get_statsc�������������c���s8���x2t�dt|��D�] }t|�j||d��||��V��qW�dS�)a���
Generator which returns the source, target, and associated rules
for each information flow step.
Parameter:
path A list of graph node names representing an information flow path.
Yield: tuple(source, target, rules)
source The source type for this step of the information flow.
target The target type for this step of the information flow.
rules The list of rules creating this information flow step.
r���N)�range�lenr4���r���)r���r1���r.���r���r���r���Z__generate_steps��s����z!InfoFlowAnalysis.__generate_stepsc�������������C���s,��|�j�j���dj|�j�|�j�_|�jj|�j��|�jjdj|�j���x�|�jj ��D�]�}|j
t
j
krZqH|�jj
|�\}}x|tj|jj��|jj���D�]`\}}||kr�|r�t|�j�||dd�}|jj|��||_|r�t|�j�||dd�}|jj|��||_q�W�qHW�d|�_d|�_|�jjd��|�jjdjtj|�j��tj
|�j�����d�S�)Nz Information flow graph for {0}.z+Building information flow graph from {0}...T)�createFz*Completed building information flow graph.z$Graph stats: nodes: {0}, edges: {1}.)
r����clearr)���r����namer���Z
map_policyr
���r(���ZterulesZruletyper ���ZallowZ
rule_weight� itertools�productr,����expandr-���r4����rules�appendr ���r���r����debugr����number_of_nodes�number_of_edges)r����ruleZrweightZwweightr.���r$����edger���r���r���r7���&��s0����
"
z
InfoFlowAnalysis._build_graphc������� ���������s�����j�r��j�����jjd����jjdj��j�����jjdj��j�����jjdj��jd�k �����fdd���j j
��D��}��j j
|�j
����_
��jdkr�g�}x:��j
j��D�],\}}t��j
||�}|j��jk�r�|j|��q�W���j
j|����jd�k �r�g�}x���j
j��D�]�\}}t��j
||�}g�}x*|jD�] }|jf���j��s|j|���qW�g�}x.|D�]&}||k�rF|jj|��|j|���qFW�|js�|j|��q�W���j
j|��d��_��jjd ����jjd
jtj��j
�tj��j
����d�S�)
Nz%Building information flow subgraph...zExcluding {0!r}zMin weight {0}z(Exclude disabled conditional policy: {0}c����������������s���g�|�]}|��j�kr|�qS�r���)r���)r#����n)r���r���r���r%���T��s����z4InfoFlowAnalysis._build_subgraph.<locals>.<listcomp>r���Fz-Completed building information flow subgraph.z'Subgraph stats: nodes: {0}, edges: {1}.)r���r7���r
���r(���rC���r)���r���r���r���r����nodesZsubgraph�copyr���Zedgesr4���r ���rB���Zremove_edges_fromrA���Zenabled�remover���r���rD���rE���) r���rI���Z
delete_listr.���r$���rG���Z rule_listrF���Z
deleted_rulesr���)r���r���r'���I��sJ����
z InfoFlowAnalysis._build_subgraph)r���NN)r/���)T)r
����
__module__�
__qualname__�__doc__r����propertyr����setterr���r���r+���r2���r3���r6���r8���r*���r7���r'���r���r���r���r���r
���!���s ���
!
("
' #c���������������@���s:���e�Zd�ZdZed�Zed�Zd
dd�Zdd��Z d d
��Z
d
S�)
r4���aR��
A graph edge. Also used for returning information flow steps.
Parameters:
graph The NetworkX graph.
source The source type of the edge.
target The target type of the edge.
Keyword Parameters:
create (T/F) create the edge if it does not exist.
The default is False.
rA���ZcapacityFc�������������C���sP���||�_�||�_||�_|�j�j||�sL|rD|�j�j||dd��d�|�_d�|�_ntd��d�S�)Nr���)r ���z
Edge does not exist in graph)r���r,���r-���Zhas_edgeZadd_edgerA���r ���r
���)r���Zgraphr,���r-���r;���r���r���r���r������s����z
Edge.__init__c����������������s4���t�|t�r&��fdd�t|jd���D��S���j|�S�d�S�)Nc����������������s���g�|�]}��j�|��qS�r���)�_index_to_item)r#����i)r���r���r���r%������s����z$Edge.__getitem__.<locals>.<listcomp>r/���)�
isinstance�slicer9����indicesrQ���)r����keyr���)r���r����
__getitem__���s����
zEdge.__getitem__c�������������C���s.���|dkr|�j�S�|dkr
|�jS�tdj|���dS�)z'Return source or target based on index.r���r���z,Invalid index (edges only have 2 items): {0}N)r,���r-����
IndexErrorr)���)r����indexr���r���r���rQ������s
����zEdge._index_to_itemN)F)
r
���rL���rM���rN���r���rA���r���r ���r���rW���rQ���r���r���r���r���r4������s
���
r4���)r>���r
����
contextlibr���Znetworkxr���Znetworkx.exceptionr���r���Z
descriptorsr���r���Z exceptionr���Z policyrepr ����__all__r
���r4���r���r���r���r����<module>���s���
��b