appcl.py is a Python script for managing the AppCL LSM extended attributes and security policies. The Linux utilities ‘setfattr’ and ‘getfattr’ can also be used, with the appropriate security namespace [security.appcl]. appcl.py offers an easier-to-use interface and also has the option to set an attribute on the contents of a directory.
Below is the help page for the appcl.py tool from the AppCL LSM project. It provides an interface to set, get and remove the AppCL extended attributes for files and complete directories.
python appcl.py --help
# Help:
# python appcl.py -h
#
DESCRIPTION
The appcl.py script handles the extended attributes associated with the AppCL LSM security module.
The setfattr and getfattr system utilities can also be used to manage extended attributes. If using these utilities the appcl security namespace must be specified [-n security.appcl] for AppCL LSM to process and enforce the attribute.
The attr package is still required for appcl.py.
#
EXAMPLE USAGE
Set Attributes:
Directory – python appcl.py --dir <input-directory> --set <xattr-value>
File – python appcl.py --file <input-file> --set <xattr-value>
Get Attributes:
Directory – python appcl.py --dir <input-directory> --get
File – python appcl.py --file <input-file> --get
Remove Attributes:
Directory – python appcl.py --dir <input-directory> --remove
File – python appcl.py --file <input-file> --remove
#
OPTIONS
-f file, --file=file
Specifies a file input.
-d directory, --dir=directory
Specifies a directory input.
-v, --set
Sets the new AppCL LSM extended attribute, and associated permissions.
-g, --get
View the AppCL LSM stored extended attribute for file/directory contents.
-x, --remove
Remove the AppCL LSM extended attribute and associated permission entries.
-h, --help
Help page
Setting attributes:
--set "/path/to/app:perm;"
Figure 1.0 shows setting an AppCL attribute on the file ‘test3’ using the ‘--file’ option. The same attribute was set on the contents of the directory ‘testdir’ using the ‘--dir’ option.
Figure 1.0 – appcl.py setting AppCL LSM attributes
Getting attributes:
--get
Figure 2.0 shows getting the AppCL attribute for the file ‘test3’ using the ‘--file’ option. The attributes for the contents of the directory ‘testdir’ are viewed using the ‘--dir’ option.
Figure 2.0 – appcl.py getting AppCL LSM attributes
Removing attributes:
--remove
Figure 3.0 shows removing the AppCL attribute for the file ‘test3’ using the ‘--file’ option. The attributes for the contents of the directory ‘testdir’ are removed using the ‘--dir’ option.
Figure 3.0 – appcl.py removing AppCL LSM attributes
Example:
Default ‘DENY’ behaviour && appcl.py
Figure 4.0 shows the attribute set using appcl.py on the file ‘test3’. The application ‘less’ has ‘read’ permissions and the default DENY behaviour is set. In testing, ‘less’ was able to read the file ‘test3’ and no other application was able to access it.
Figure 4.0 – appcl.py default DENY behaviour
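To review which files under a directory carry a security.appcl attribute, and which applications each one names, the attribute can be read directly with Python's os.getxattr. This is an added example, not code from appcl.py or the AppCL LSM project; it assumes entries are terminated by ‘;’ as in the "/path/to/app:perm;" form above, walks the directory recursively by its own choice, and all function names are hypothetical.

```python
import errno
import os

XATTR_NAME = "security.appcl"  # namespace named on this page


def parse_entries(value):
    """Split an attribute value into (app_path, perm) pairs.

    Assumption: ';' terminates each entry, as in "/path/to/app:perm;".
    """
    entries = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # nothing follows the final ';'
        app, sep, perm = raw.rpartition(":")
        if not sep or not app.startswith("/") or not perm:
            raise ValueError(f"malformed AppCL entry: {raw!r}")
        entries.append((app, perm))
    return entries


def read_label(path, getter=None):
    """Return the parsed entries for one file, or None if it has no attribute."""
    getter = getter or os.getxattr  # os.getxattr is Linux only
    try:
        value = getter(path, XATTR_NAME)
    except OSError as exc:
        # ENODATA: attribute absent; ENOTSUP: filesystem without xattr support
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return parse_entries(value.decode("utf-8", "replace").rstrip("\x00"))


def audit_tree(root, getter=None):
    """Map every file under root to its entries (None means unlabelled)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            report[path] = read_label(path, getter)
    return report
```

Files reported as None have no AppCL attribute; a ValueError flags a stored value that does not match the assumed entry layout and should be inspected by hand.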
The appcl.py tool is currently located at: ‘/appcl-lsm/security-config/tools/appcl.py’ in the project repository.
To view the public git for this project visit:
https://github.com/jamesbjohnson/appcl-lsm-public
See the development blog page for updates on the project's progress.