Restrict access to networking for all the software except one program.
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Restrict access to networking for all the software except one program.
Hi!
I want to grant access to networking for one specific program only.
All other software, including underlying non-userspace code should be isolated from networking totally. Kernel should be isolated as well (if one has built-in possibility to access network).
Is it possible? I googled a bit and found "unshare" command, but seems it works in opposite direction - isolates one specified process.
I thought about iptables, but seems it isn't an option for me.
Are there any other way to do such a thing?
I don't know about Gentoo, but if AppArmor is available you can limit access to network socket calls by creating a corresponding policy. Then you could whitelist your application in a separate profile.
I am not aware of any other mechanisms for controlling userspace access to network calls or binding iptable rules to pid's...
Thanks for suggestion.
AppArmor is available in Gentoo, I read a bit online regarding it and seems it worth to try, especially because SELinux author said that AppArmor is useless.
owner
This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.
[!] --uid-owner username
[!] --uid-owner userid[-userid]
Matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.
[!] --gid-owner groupname
[!] --gid-owner groupid[-groupid]
Matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range.
[!] --socket-exists
Matches if the packet is associated with a socket.
AppArmor is available in Gentoo, I read a bit online regarding it and seems it worth to try, especially because SELinux author said that AppArmor is useless.
SELinux and AppArmor have been at each others throats for a long time. SELinux needs to tag just about everything with a security context - including the filesystem. I actually like the Apparmor approach of not having to medle with the every program involved, but restricting access to basic system functions. That however does not protect the memory in the extensive way SELinux does, so both have pros and cons.
I'd actually give descendant_command's suggestion a try first because it is way easier than setting up a functioning apparmor policy that all programs go along with. You would have to keep in mind that loopback interfaces and unix sockets are socket calls too, which might break just about everything. Create a different user like "NoNetworking" and run the program as that user.
Keep in mind that this will not work with all programs, especially if they are based on dbus functionality. If the program tries to bind to the Session Management interface of your GUI and you are running it as another user, it will be denied access and fail to start. You could start the entire window manager as the NoNetworking user, but I suspect that is not the point of your undertaking, as you might as well just disable the interface in that scenario.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.