Would be cool if there was a tool that could detect that a configured path was attempted to be opened, and redirect the open() syscall to the real path... But that would most likely require kernel support.
I actually attempted using ptrace to rewrite syscalls first! It was... horribly painful, and didn't work anywhere near as well as the bind-mount version.
In the past I used something like inotab to use an inotify-based trigger to pipe data from SSH to a different system that didn't have any NAS or SAN support; it might also work to detect 'who' is touching any files that boxxy has previously seen rules for.
Perhaps still too tricky to make it do magic things and break programs in the process, but it could be used to audit who's working with what paths and let the user print a report so they know what apps to boxx up and make them behave.
That is an excellent idea! Something like that could definitely be worth adding. It's why there's a "remount rootfs as ro" flag; that way anything not specified in rules is ro and misbehaving programs will explode.
For a structured approach to ptrace/syscall rewriting, you could try FB's reverie. I worked on and used it during an internship a few years back; it's pretty amazing at what it does.
I suppose that is indeed more trouble than it's worth. As for applications that might behave like AWS and their SDK, I think that if someone uses boxxy they would probably also remember to do the same thing for other stuff that uses AWS under the hood, so overall a win either way!
You may also be able to tell I don't have a lot of AWS experience (: