“appcl.py is a Python script that can be used to manage the AppCL LSM extended attributes and security policies. The appcl.py tool is currently located at: ‘/appcl-lsm/security-config/tools/appcl.py’ in the project repository.” –appcl.py
appcl.py now has a ‘build mode’, that can be started against a file (–file option) or a complete directory (–dir option). Knowledge of the AppCL LSM attribute format (as discussed in the post ‘Default ‘DENY’ behaviour‘), nor the pathname of an application is required. Figure 1.0 shows build mode against a file (test3).
The user first enters the application name, which then finds the path for the binary applications matching the application name. Then the user enters the permission to grant the application.
Multiple applications can be restricted by adding additional programs to the attribute. Finally build mode checks whether the user wants to enable default DENY behaviour to DENY all other actions by default. appcl.py then sets the attribute to the file specified and sets up the security information on the inode.
Figure 1.0 – appcl.py file build mode
Figure 2.0 shows build mode against a complete directory (testdir/). The same process as with a file is completed, except appcl.py sets the attribute to all files within the specified directory.
Figure 2.0 – appcl.py directory build mode
‘Build mode’ makes the job of setting AppCL LSM attributes to files/directories simpler. If the required pathname is known and the AppCL extended attribute format is known then the appcl.py ‘–set’ option can still be used to set the attributes. The appcl.py ‘–get’ and ‘–remove’ options are still used to view and remove the AppCL LSM attributes.
As well as the long argument options (–file, –dir, –set, –get, –remove, –build), short switches (-f, -d, -v, -g, -x, -b) can be used, this is detailed in the appcl.py help page (appcl.py –help/-h).
To view the public git for this project visit:
Continue to see the development blog page for updates regarding the project progress/development blog.