討論區: Open Discussion (Thread #33585)

"Reverse" sandbox possible? (2013-02-23 08:10 by Riviera #67462)

Hi,

I'm wondering if it's possible to create some kind of reverse sandbox with tomoyo linux 2.0.
What I want is to deny everything access to one specific folder, except one program.
Specificlly I only want the bitcoin client and nothing else to be able to acces ~/.bitcon/


Thanks,
Anonymous user

回覆 #67462×

You can not use Wiki syntax
You are not logged in. To discriminate your posts from the rest, you need to pick a nickname. (The uniqueness of nickname is not reserved. It is possible that someone else could use the exactly same nickname. If you want assurance of your identity, you are recommended to login before posting.) 登入

RE: "Reverse" sandbox possible? (2013-02-23 16:35 by kumaneko #67463)

Hello.

> I'm wondering if it's possible to create some kind of reverse sandbox with
> tomoyo linux 2.0.
> What I want is to deny everything access to one specific folder, except one
> program.
> Specificlly I only want the bitcoin client and nothing else to be able to
> acces ~/.bitcoin/

So far, only \- operator is possible. That is, define a path_group like

path_group ALL_BUT_BITCOIN /\*\-home/\*
path_group ALL_BUT_BITCOIN /\*\-home/\{\*\}/
path_group ALL_BUT_BITCOIN /\*\-home/\{\*\}/\*
path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/
path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/\*
path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/\{\*\}/
path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/\{\*\}/\*

and define an acl_group like

acl_group 0 file read @ALL_BUT_BITCOIN
acl_group 0 file write @ALL_BUT_BITCOIN

and let each domain refer that acl_group using use_group keyword.

use_group 0



If you can use CaitSith ( http://I-love.SAKURA.ne.jp/tomoyo/CaitSith-en.pdf )
instead of TOMOYO 2.x, then CaitSith would be easier to achieve that.
Rules in CaitSith will look like below.

0 acl read path="/home/\*/.bitcoin/\(\*\)/\*"
audit 0
0 allow task.exe="/path/to/bitcoin/client"
1 deny

0 acl write path="/home/\*/.bitcoin/\(\*\)/\*"
audit 0
0 allow task.exe="/path/to/bitcoin/client"
1 deny

I demonstrated only read and write operations. But you need to be also careful
about pathname manipulation operations like rename/link/mount.

If you can move ~/.bitcoin/ directory to a dedicated partition and have a
symlink to the dedicated partition, you can use attributes of the dedicated
partition (e.g. path.major and path.minor) for conditions to restrict access.

0 acl read path.major=XX path.minor=XX
audit 0
0 allow task.exe="/path/to/bitcoin/client"
1 deny

0 acl write path.major=XX path.minor=XX
audit 0
0 allow task.exe="/path/to/bitcoin/client"
1 deny
回覆: #67462

回覆 #67463×

You can not use Wiki syntax
You are not logged in. To discriminate your posts from the rest, you need to pick a nickname. (The uniqueness of nickname is not reserved. It is possible that someone else could use the exactly same nickname. If you want assurance of your identity, you are recommended to login before posting.) 登入