LinuxQuestions.org
Linux - Networking
Old 11-24-2014, 12:20 PM   #1
Teufel
Member
 
Registered: Apr 2012
Distribution: Gentoo
Posts: 616

Rep: Reputation: 142
Restrict access to networking for all the software except one program.


Hi!
I want to grant access to networking to one specific program only.
All other software, including underlying non-userspace code, should be totally isolated from networking. The kernel should be isolated as well (if it has a built-in possibility to access the network).
Is it possible? I googled a bit and found the "unshare" command, but it seems to work in the opposite direction - it isolates one specified process.
I thought about iptables, but it seems it isn't an option for me.
Is there any other way to do such a thing?
 
Old 11-24-2014, 02:54 PM   #2
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 277

Rep: Reputation: 32
I don't know about Gentoo, but if AppArmor is available you can limit access to network socket calls by creating a corresponding policy. Then you could whitelist your application in a separate profile.

I am not aware of any other mechanisms for controlling userspace access to network calls or binding iptables rules to PIDs...
 
Old 11-25-2014, 03:35 AM   #3
Teufel
Member
 
Registered: Apr 2012
Distribution: Gentoo
Posts: 616

Original Poster
Rep: Reputation: 142Reputation: 142
Thanks for the suggestion.
AppArmor is available in Gentoo. I read a bit online regarding it and it seems worth a try, especially because the SELinux author said that AppArmor is useless.
 
Old 11-25-2014, 03:47 AM   #4
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,876

Rep: Reputation: 643
http://ipset.netfilter.org/iptables-extensions.man.html
Quote:
owner
This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.

[!] --uid-owner username
[!] --uid-owner userid[-userid]
Matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.
[!] --gid-owner groupname
[!] --gid-owner groupid[-groupid]
Matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range.
[!] --socket-exists
Matches if the packet is associated with a socket.
 
Old 11-25-2014, 06:05 AM   #5
Teufel
Member
 
Registered: Apr 2012
Distribution: Gentoo
Posts: 616

Original Poster
Rep: Reputation: 142Reputation: 142
It seems the owner module restricts access by username and group name. Did you suggest creating some "dedicated" user for running the particular program?
 
Old 11-25-2014, 01:25 PM   #6
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 277

Rep: Reputation: 32
Quote:
AppArmor is available in Gentoo, I read a bit online regarding it and seems it worth to try, especially because SELinux author said that AppArmor is useless.
SELinux and AppArmor have been at each other's throats for a long time. SELinux needs to tag just about everything with a security context - including the filesystem. I actually like the AppArmor approach of not having to meddle with every program involved, but restricting access to basic system functions. That however does not protect the memory in the extensive way SELinux does, so both have pros and cons.


I'd actually give descendant_command's suggestion a try first because it is way easier than setting up a functioning AppArmor policy that all programs go along with. You would have to keep in mind that loopback interfaces and unix sockets are socket calls too, which might break just about everything. Create a different user like "NoNetworking" and run the program as that user.

Keep in mind that this will not work with all programs, especially if they are based on dbus functionality. If the program tries to bind to the Session Management interface of your GUI and you are running it as another user, it will be denied access and fail to start. You could start the entire window manager as the NoNetworking user, but I suspect that is not the point of your undertaking, as you might as well just disable the interface in that scenario.
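Putting post #4 (the iptables owner match) and post #6 (run the program as a dedicated user) together, here is an added example of the resulting OUTPUT rule set. It is not code from the thread or from any of its posters; the user name netonly, the UID 1001 used in the test, the file name owner-egress.sh and the function names gen_rules/apply_rules are all constructed for this example. It generalises the suggestion slightly by emitting both an iptables and an ip6tables variant, and it generates the rules as iptables-restore text first so they can be reviewed before anything is loaded.

```shell
#!/bin/sh
# Added example (not from the thread): allow network egress only for one
# dedicated user, using the iptables "owner" match.  The user name "netonly"
# is a constructed example name, as is this file name (owner-egress.sh).

# gen_rules UID [4|6]
# Prints an iptables-restore (family 4) or ip6tables-restore (family 6) rule
# set to stdout.  Nothing is applied here; review the output first.
gen_rules() {
    uid="$1"
    family="${2:-4}"
    case "$family" in
        4) reject="icmp-port-unreachable" ;;
        6) reject="icmp6-port-unreachable" ;;
        *) echo "gen_rules: family must be 4 or 6" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
# Default policy: drop everything leaving the host that no rule accepts.
:OUTPUT DROP [0:0]
# Loopback stays open; local services (X, resolvers, D-Bus over TCP) need it.
-A OUTPUT -o lo -j ACCEPT
# Only sockets owned by the dedicated user may send to the network.
-A OUTPUT -m owner --uid-owner $uid -j ACCEPT
# Log the rest so blocked programs can be identified in the kernel log, then
# reject (not a silent drop) so they fail fast instead of hanging.
-A OUTPUT -j LOG --log-prefix "egress-denied: "
-A OUTPUT -j REJECT --reject-with $reject
COMMIT
EOF
}

# apply_rules UID [4|6]
# Loads the generated set into the live OUTPUT chain (needs root).  The chain is
# flushed first and --noflush is used so INPUT/FORWARD rules are left alone.
apply_rules() {
    uid="$1"
    family="${2:-4}"
    if [ "$family" = 6 ]; then ipt=ip6tables; else ipt=iptables; fi
    "$ipt" -F OUTPUT
    gen_rules "$uid" "$family" | "${ipt}-restore" --noflush
}

# Command line: owner-egress.sh USER [apply]
#   prints (or, with "apply", loads) the IPv4 and IPv6 rule sets for USER.
if [ -n "${1:-}" ]; then
    uid=$(id -u "$1") || exit 1
    for fam in 4 6; do
        if [ "${2:-}" = apply ]; then
            apply_rules "$uid" "$fam"
        else
            gen_rules "$uid" "$fam"
        fi
    done
fi
```

Review with `sh owner-egress.sh netonly`, load with `sh owner-egress.sh netonly apply` as root, then start the program as that user (`sudo -u netonly -- /path/to/program`). Packet counters from `iptables -L OUTPUT -v -n` and `egress-denied:` lines in the kernel log show which other processes were trying to reach the network. As the quoted man page says, the match only sees locally generated packets, so forwarding and unsolicited inbound traffic need their own INPUT/FORWARD rules, and unix sockets are never touched by netfilter at all. Note also that any root process can simply change these rules, so this does not give the kernel-level isolation asked for in the first post; it is a practical egress policy, not a sandbox.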
 
  

