appcl.py && appcl.py --build mode
appcl.py is a Python script that can be used to manage the AppCL LSM extended attributes and security policies. The Linux utilities 'setfattr' and 'getfattr' can be used with the appropriate security namespace [security.appcl]. appcl.py offers an easier-to-use interface and also has the option to set an attribute on the contents of a directory.
Below is the help page for the appcl.py tool from the AppCL LSM project. It provides an interface to set, get and remove the AppCL extended attributes for files and complete directories.
python appcl.py --help

# python appcl.py -h
The appcl.py script handles the extended attributes associated with the AppCL LSM security module.
The setfattr and getfattr system utilities can also be used to manage extended attributes. If using these utilities the AppCL security namespace must be specified [-n security.appcl] for AppCL LSM to process and enforce the attribute.
The attr package is still required for appcl.py.

Directory - python appcl.py --dir <input-directory> --set <xattr-value>
File      - python appcl.py --file <input-file> --set <xattr-value>
Directory - python appcl.py --dir <input-directory> --get
File      - python appcl.py --file <input-file> --get
Directory - python appcl.py --dir <input-directory> --remove
File      - python appcl.py --file <input-file> --remove
Directory - python appcl.py --dir <input-directory> --build
File      - python appcl.py --file <input-file> --build

-f FILE, --file=FILE
    Specifies a file input.
-d DIRECTORY, --dir=DIRECTORY
    Specifies a directory input.
Recursively walk through directory. Only valid on directory input (-d, --dir).
-v, --set <xattr-value>
    Sets the new AppCL LSM extended attribute, and associated permissions.
-g, --get
    View the AppCL LSM stored extended attribute for file/directory contents.
-x, --remove
    Remove the AppCL LSM extended attribute and associated permission entries.
-b, --build
    Build the AppCL attributes. Knowledge of the AppCL attribute format is not required when using build mode. The path for a program is also not required, as build mode locates the path of the binary application from the program name.

Attribute format for --set: "/path/to/app:perm;"
Figure 1.0 shows setting an AppCL attribute on the file 'test3' using the '--file' option. The same attribute was set on the contents of the directory 'testdir' using the '--dir' option.
Figure 1.0 – appcl.py setting AppCL LSM attributes
Figure 2.0 shows getting the AppCL attribute for the file 'test3' using the '--file' option. The attributes for the contents of the directory 'testdir' are viewed using the '--dir' option.
Figure 2.0 – appcl.py getting AppCL LSM attributes
Figure 3.0 shows removing the AppCL attribute for the file 'test3' using the '--file' option. The attributes for the contents of the directory 'testdir' are removed using the '--dir' option.
Figure 3.0 – appcl.py removing AppCL LSM attributes
Default ‘DENY’ behaviour && appcl.py
Figure 4.0 shows the attribute set using appcl.py on the file ‘test3’. The application ‘less’ has ‘read’ permissions and the default DENY behaviour is set. In testing ‘less’ was able to read the file ‘test3’ and no other application was able to access it.
Figure 4.0 – appcl.py default DENY behaviour
The appcl.py tool is currently located at: ‘/appcl-lsm/security-config/tools/appcl.py’ in the project repository.
appcl.py --build mode
“appcl.py is a Python script that can be used to manage the AppCL LSM extended attributes and security policies. The appcl.py tool is currently located at: ‘/appcl-lsm/security-config/tools/appcl.py’ in the project repository.” –appcl.py
appcl.py now has a 'build mode' that can be run against a file ('--file' option) or a complete directory ('--dir' option). Neither knowledge of the AppCL LSM attribute format (as discussed in the post 'Default DENY behaviour') nor the pathname of an application is required. Figure 1.0 shows build mode against a file (test3).
The user first enters the application name; appcl.py then finds the path of the binary application matching that name. Next the user enters the permission to grant the application.
Multiple applications can be restricted by adding additional programs to the attribute. Finally, build mode asks whether the user wants to enable default DENY behaviour, which denies all other actions by default. appcl.py then sets the attribute on the specified file and sets up the security information on the inode.
Figure 1.0 – appcl.py file build mode
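As an added illustration of both the help page's --set/--get/--dir options and the build-mode steps above (this is example code, not the project's appcl.py), the following assembles "/path/to/app:perm;" entries, resolving bare program names to binary paths the way build mode does, and reads or writes the security.appcl attribute on a file or on the contents of a directory. shutil.which is an assumption standing in for build mode's lookup, and the default DENY flag is not emitted because its encoding is described in the separate 'Default DENY behaviour' post.

```python
import os
import shutil

APPCL_XATTR = "security.appcl"  # the attribute name/namespace AppCL LSM enforces


def build_attr(entries, resolve=shutil.which):
    """Assemble "/path/to/app:perm;..." from (program, perm) pairs. Bare
    names are resolved to a binary path via `resolve` (shutil.which is an
    assumption standing in for build mode's lookup); absolute paths pass
    through. Default DENY is not emitted: its encoding is in another post."""
    parts = []
    for program, perm in entries:
        path = program if os.path.isabs(program) else resolve(program)
        if not path:
            raise ValueError("no binary found for %r" % program)
        parts.append("%s:%s;" % (path, perm))
    return "".join(parts)


def parse_attr(value):
    """Inverse of build_attr: a stored value back to (path, perm) pairs."""
    return [tuple(e.split(":", 1)) for e in value.split(";") if e]


def target_paths(path, recursive=False):
    """A file maps to itself; a directory maps to the files inside it,
    walked recursively when requested (the --dir behaviour)."""
    if not os.path.isdir(path):
        return [path]
    if recursive:
        return sorted(os.path.join(r, f) for r, _, fs in os.walk(path) for f in fs)
    return sorted(p for p in (os.path.join(path, n) for n in os.listdir(path))
                  if os.path.isfile(p))


def set_attr(path, value, recursive=False):
    """Equivalent to: setfattr -n security.appcl -v VALUE <target>"""
    for target in target_paths(path, recursive):
        os.setxattr(target, APPCL_XATTR, value.encode())


def get_attr(path):
    """Equivalent to: getfattr -n security.appcl <file>; None when unset."""
    try:
        return os.getxattr(path, APPCL_XATTR).decode()
    except OSError:  # ENODATA (not set) or ENOTSUP (no xattr support)
        return None
```

The --remove option corresponds to os.removexattr on the same targets. Writing attributes in the security.* namespace is a privileged operation, so set_attr has to run with sufficient privilege on the AppCL LSM kernel, while get_attr only reads.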
Figure 2.0 shows build mode against a complete directory (testdir/). The same process as for a file is followed, except that appcl.py sets the attribute on all files within the specified directory.
Figure 2.0 – appcl.py directory build mode
'Build mode' makes the job of setting AppCL LSM attributes on files and directories simpler. If the required pathname and the AppCL extended attribute format are known, the appcl.py '--set' option can still be used to set the attributes. The appcl.py '--get' and '--remove' options are still used to view and remove the AppCL LSM attributes.
As well as the long options (--file, --dir, --set, --get, --remove, --build), the short switches (-f, -d, -v, -g, -x, -b) can be used; these are detailed in the appcl.py help page (appcl.py --help / -h).
To view the public git for this project visit:
See the development blog page for updates on the project's progress.