Forums: Open Discussion (Thread #33585)

"Reverse" sandbox possible? (2013-02-23 08:10 by Riviera #67462)

Hi,

I'm wondering if it's possible to create some kind of reverse sandbox with tomoyo linux 2.0.
What I want is to deny everything access to one specific folder, except one program.
Specifically, I only want the bitcoin client and nothing else to be able to access ~/.bitcoin/


Thanks,
Anonymous user


RE: "Reverse" sandbox possible? (2013-02-23 16:35 by kumaneko #67463)

Hello.

> I'm wondering if it's possible to create some kind of reverse sandbox with
> tomoyo linux 2.0.
> What I want is to deny everything access to one specific folder, except one
> program.
> Specifically, I only want the bitcoin client and nothing else to be able to
> access ~/.bitcoin/

So far, only the \- operator is possible. That is, define a path_group like

path_group ALL_BUT_BITCOIN /\*\-home/\*
path_group ALL_BUT_BITCOIN /\*\-home/\{\*\}/
path_group ALL_BUT_BITCOIN /\*\-home/\{\*\}/\*
path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/
path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/\*
path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/\{\*\}/
path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/\{\*\}/\*

and define an acl_group like

acl_group 0 file read @ALL_BUT_BITCOIN
acl_group 0 file write @ALL_BUT_BITCOIN

and let each domain refer to that acl_group using the use_group keyword.

use_group 0



If you can use CaitSith ( http://I-love.SAKURA.ne.jp/tomoyo/CaitSith-en.pdf )
instead of TOMOYO 2.x, then it would be easier to achieve that with CaitSith.
Rules in CaitSith will look like the following.

0 acl read path="/home/\*/.bitcoin/\(\*\)/\*"
audit 0
0 allow task.exe="/path/to/bitcoin/client"
1 deny

0 acl write path="/home/\*/.bitcoin/\(\*\)/\*"
audit 0
0 allow task.exe="/path/to/bitcoin/client"
1 deny

I demonstrated only read and write operations. But you also need to be careful
about pathname manipulation operations like rename/link/mount.

If you can move ~/.bitcoin/ directory to a dedicated partition and have a
symlink to the dedicated partition, you can use attributes of the dedicated
partition (e.g. path.major and path.minor) for conditions to restrict access.

0 acl read path.major=XX path.minor=XX
audit 0
0 allow task.exe="/path/to/bitcoin/client"
1 deny

0 acl write path.major=XX path.minor=XX
audit 0
0 allow task.exe="/path/to/bitcoin/client"
1 deny
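An added check (my own code, not from the thread or the TOMOYO project): a small Python matcher that applies TOMOYO 2.x pathname wildcard rules as I understand them (`\*` matches any run of non-`/` characters, `\-` excludes names within one component, `\{\*\}/` matches one or more directory levels, a trailing `/` marks a directory), so you can see which paths a path_group covers before loading it. The ALL_BUT_BITCOIN group is the one from the reply above; the sample paths are constructed.

```python
import re

# The path_group from the reply above, as raw strings (backslashes are TOMOYO syntax).
ALL_BUT_BITCOIN = [
    r"/\*\-home/\*",
    r"/\*\-home/\{\*\}/",
    r"/\*\-home/\{\*\}/\*",
    r"/home/\*\-.bitcoin/",
    r"/home/\*\-.bitcoin/\*",
    r"/home/\*\-.bitcoin/\{\*\}/",
    r"/home/\*\-.bitcoin/\{\*\}/\*",
]

# Constructed sample paths; TOMOYO writes directories with a trailing "/".
SAMPLE_PATHS = [
    "/etc/passwd", "/var/log/", "/var/log/syslog",
    "/home/alice/", "/home/alice/notes.txt",
    "/home/alice/.bitcoin/", "/home/alice/.bitcoin/wallet.dat",
]

def _component_regex(comp: str) -> str:
    """One '/'-free pattern component: \* becomes [^/]*, everything else is literal."""
    return "".join("[^/]*" if tok == r"\*" else re.escape(tok)
                   for tok in re.findall(r"\\\*|.", comp))

def tomoyo_pattern_to_regex(pattern: str) -> str:
    """Assumed semantics: \{\*\}/ = one or more directory levels; \-NAME excludes
    that exact component name (later \- parts may themselves be patterns)."""
    pieces = []
    for comp in pattern.split("/"):
        if comp == r"\{\*\}":
            pieces.append("(?:[^/]+/)*[^/]+")
            continue
        base, *excluded = comp.split(r"\-")
        rx = _component_regex(base)
        if excluded:  # negative lookahead: component must not equal an excluded name
            alt = "|".join(_component_regex(e) for e in excluded)
            rx = f"(?!(?:{alt})(?:/|$)){rx}"
        pieces.append(rx)
    return "^" + "/".join(pieces) + "$"

def matches(pattern: str, path: str) -> bool:
    return re.match(tomoyo_pattern_to_regex(pattern), path) is not None

def covered_by_group(group, paths):
    """Paths (sorted) that at least one pattern in the group matches."""
    return sorted(p for p in paths if any(matches(pat, p) for pat in group))

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "covered" if p in covered_by_group(ALL_BUT_BITCOIN, [p]) else "not covered")
```

Any path under ~/.bitcoin/ that shows up as covered would receive the group's read/write ACL, so the sample list is the place to put the paths you intend to keep out.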