graph.py 4.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122
  1. # -*- encoding: utf8 -*-
  2. #
  3. # The Qubes OS Project, http://www.qubes-os.org
  4. #
  5. # Copyright (C) 2017 Marek Marczykowski-Górecki
  6. # <marmarek@invisiblethingslab.com>
  7. #
  8. # This program is free software; you can redistribute it and/or modify
  9. # it under the terms of the GNU General Public License as published by
  10. # the Free Software Foundation; either version 2 of the License, or
  11. # (at your option) any later version.
  12. #
  13. # This program is distributed in the hope that it will be useful,
  14. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. # GNU General Public License for more details.
  17. #
  18. # You should have received a copy of the GNU General Public License along
  19. # with this program; if not, see <http://www.gnu.org/licenses/>.
  20. import argparse
  21. import json
  22. import os
  23. import sys
  24. import qubespolicy
  25. parser = argparse.ArgumentParser(description='Graph qrexec policy')
  26. parser.add_argument('--include-ask', action='store_true',
  27. help='Include `ask` action in graph')
  28. parser.add_argument('--source', action='store', nargs='+',
  29. help='Limit graph to calls from *source*')
  30. parser.add_argument('--target', action='store', nargs='+',
  31. help='Limit graph to calls to *target*')
  32. parser.add_argument('--service', action='store', nargs='+',
  33. help='Limit graph to *service*')
  34. parser.add_argument('--output', action='store',
  35. help='Write to *output* instead of stdout')
  36. parser.add_argument('--policy-dir', action='store',
  37. default=qubespolicy.POLICY_DIR,
  38. help='Look for policy in *policy-dir*')
  39. parser.add_argument('--system-info', action='store',
  40. help='Load system information from file instead of querying qubesd')
  41. parser.add_argument('--skip-labels', action='store_true',
  42. help='Do not include service names on the graph, also deduplicate '
  43. 'connections.')
  44. def handle_single_action(args, action):
  45. '''Get single policy action and output (or not) a line to add'''
  46. if args.skip_labels:
  47. service = ''
  48. else:
  49. service = action.service
  50. if action.action == qubespolicy.Action.ask:
  51. if args.include_ask:
  52. # handle forced target=
  53. if len(action.targets_for_ask) == 1:
  54. return ' "{}" -> "{}" [label="{}" color=orange];\n'.format(
  55. action.source, action.targets_for_ask[0], service)
  56. return ' "{}" -> "{}" [label="{}" color=orange];\n'.format(
  57. action.source, action.original_target, service)
  58. elif action.action == qubespolicy.Action.allow:
  59. return ' "{}" -> "{}" [label="{}" color=red];\n'.format(
  60. action.source, action.target, service)
  61. return ''
  62. def main(args=None):
  63. args = parser.parse_args(args)
  64. output = sys.stdout
  65. if args.output:
  66. output = open(args.output, 'w')
  67. if args.system_info:
  68. with open(args.system_info) as f_system_info:
  69. system_info = json.load(f_system_info)
  70. else:
  71. system_info = qubespolicy.get_system_info()
  72. sources = list(system_info['domains'].keys())
  73. if args.source:
  74. sources = args.source
  75. targets = list(system_info['domains'].keys())
  76. if args.target:
  77. targets = args.target
  78. else:
  79. targets.append('$dispvm')
  80. targets.extend('$dispvm:' + dom for dom in system_info['domains']
  81. if system_info['domains'][dom]['dispvm_allowed'])
  82. connections = set()
  83. output.write('digraph g {\n')
  84. for service in os.listdir(args.policy_dir):
  85. if os.path.isdir(os.path.join(args.policy_dir, service)):
  86. continue
  87. if args.service and service not in args.service and \
  88. not any(service.startswith(srv + '+') for srv in args.service):
  89. continue
  90. policy = qubespolicy.Policy(service, args.policy_dir)
  91. for source in sources:
  92. for target in targets:
  93. try:
  94. action = policy.evaluate(system_info, source, target)
  95. line = handle_single_action(args, action)
  96. if line in connections:
  97. continue
  98. if line:
  99. output.write(line)
  100. connections.add(line)
  101. except qubespolicy.AccessDenied:
  102. continue
  103. output.write('}\n')
  104. if args.output:
  105. output.close()
  106. if __name__ == '__main__':
  107. sys.exit(main())