TOMOYO

Fork

Hello.

> I'm wondering if it's possible to create some kind of reverse sandbox with
> tomoyo linux 2.0.
> What I want is to deny everything access to one specific folder, except one
> program.
> Specificlly I only want the bitcoin client and nothing else to be able to
> acces ~/.bitcoin/

So far, only \- operator is possible. That is, define a path_group like

path_group ALL_BUT_BITCOIN /\*\-home/\*
path_group ALL_BUT_BITCOIN /\*\-home/\{\*\}/
path_group ALL_BUT_BITCOIN /\*\-home/\{\*\}/\*
path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/
path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/\*
path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/\{\*\}/
path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/\{\*\}/\*

and define an acl_group like

acl_group 0 file read @ALL_BUT_BITCOIN
acl_group 0 file write @ALL_BUT_BITCOIN

and let each domain refer that acl_group using use_group keyword.

use_group 0



If you can use CaitSith ( http://I-love.SAKURA.ne.jp/tomoyo/CaitSith-en.pdf )
instead of TOMOYO 2.x, then CaitSith would be easier to achieve that.
Rules in CaitSith will look like below.

0 acl read path="/home/\*/.bitcoin/\(\*\)/\*"
audit 0
0 allow task.exe="/path/to/bitcoin/client"
1 deny

0 acl write path="/home/\*/.bitcoin/\(\*\)/\*"
audit 0
0 allow task.exe="/path/to/bitcoin/client"
1 deny

I demonstrated only read and write operations. But you need to be also careful
about pathname manipulation operations like rename/link/mount.

If you can move ~/.bitcoin/ directory to a dedicated partition and have a
symlink to the dedicated partition, you can use attributes of the dedicated
partition (e.g. path.major and path.minor) for conditions to restrict access.

0 acl read path.major=XX path.minor=XX
audit 0
0 allow task.exe="/path/to/bitcoin/client"
1 deny

0 acl write path.major=XX path.minor=XX
audit 0
0 allow task.exe="/path/to/bitcoin/client"
1 deny