Networking Lockdown For Specific Process
I would like to lock down specific executables from being able to use networking: Bluetooth, wireless, Ethernet, etc.
I've downloaded untrusted Linux apps (that I like). I'd just like to be precautionary because I don't have the time to read all the source code. Is there any way to sandbox these apps while still using them? I.e., is it possible to change permissions so a specific app can't use networking, nor any process it spawns?
Quickest and most efficient way IMHO would be to run it as a virtualization guest.
Eventually, you could check what the apps do network-wise by using iptables: block and log all connection attempts, then set up iptables rules accordingly. Somewhat tedious, but instructive.
Cedrik,
Do you know of a how-to that could walk me through the process of getting the logs set up for each app?
Something like (assuming you connect to the net with the eth0 interface):
Code:
iptables -A OUTPUT -o eth0 -j LOG --log-prefix 'Packet Dropped: '
Code:
tail -f /var/log/syslog
Edit: if you run behind a router/gateway, better to add an ACCEPT for the gateway/router IP :)
Code:
iptables -A OUTPUT -o eth0 -d <Gateway IP> -j ACCEPT
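To take the "log everything, then write rules accordingly" approach above one step further, here is an added example (my own code, not from the thread) that reads the syslog lines the LOG rule produces and prints candidate ACCEPT rules for the destinations the app actually contacted. It assumes the eth0 interface and the 'Packet Dropped: ' prefix used above; the syslog sample inside it is constructed, not captured traffic.

```python
from collections import Counter

PREFIX = "Packet Dropped: "  # the --log-prefix used in the thread's LOG rule

# Constructed sample of /var/log/syslog (not real traffic): five netfilter
# log lines in the kernel's KEY=VALUE format plus one unrelated line.
SAMPLE_SYSLOG = """\
Jun  4 12:00:01 box kernel: [812.10] Packet Dropped: IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=53 SYN URGP=0
Jun  4 12:00:01 box kernel: [812.11] Packet Dropped: IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.1 LEN=64 TTL=64 ID=2 DF PROTO=UDP SPT=50000 DPT=53 LEN=44
Jun  4 12:00:02 box kernel: [812.90] Packet Dropped: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=43211 DPT=443 SYN URGP=0
Jun  4 12:00:03 box kernel: [813.20] Packet Dropped: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 LEN=60 TTL=64 ID=4 DF PROTO=TCP SPT=43212 DPT=443 SYN URGP=0
Jun  4 12:00:04 box kernel: [813.50] Packet Dropped: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=84 TTL=64 ID=5 DF PROTO=ICMP TYPE=8 CODE=0
Jun  4 12:00:05 box sshd[123]: Accepted publickey for alice from 192.168.1.5 port 52000
"""


def parse_log(text, prefix=PREFIX):
    """Count (PROTO, DST, DPT) triples in lines carrying our log prefix.
    DPT is None for protocols without ports (ICMP); other syslog lines are skipped."""
    counts = Counter()
    for line in text.splitlines():
        if prefix not in line:
            continue
        tokens = line.split(prefix, 1)[1].split()
        # Flags such as DF or SYN carry no '=', so they are dropped here.
        fields = dict(t.split("=", 1) for t in tokens if "=" in t)
        counts[(fields.get("PROTO", "?"), fields.get("DST", "?"), fields.get("DPT"))] += 1
    return counts


def suggest_rules(counts, iface="eth0", gateway=None):
    """One candidate ACCEPT rule per observed destination, most frequent first.
    -I places each rule ahead of the LOG rule appended with -A, so allowed traffic
    stops being logged. The gateway is skipped because the thread already accepts
    it explicitly. Review every line: being contacted does not make a host legitimate."""
    rules = []
    for (proto, dst, dpt), n in counts.most_common():
        if gateway and dst == gateway:
            continue
        rule = f"iptables -I OUTPUT -o {iface} -d {dst} -p {proto.lower()}"
        if dpt:
            rule += f" --dport {dpt}"
        rules.append(f"{rule} -j ACCEPT  # seen {n}x")
    return rules


if __name__ == "__main__":
    for r in suggest_rules(parse_log(SAMPLE_SYSLOG), gateway="192.168.1.1"):
        print(r)
```

Once the allow-list is complete, a final rule that drops whatever still reaches the end of the OUTPUT chain turns the logging setup into the actual block the thread describes.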
Another thing to explore would be SELinux, but you may find the time you'll need to invest prohibitive for that particular approach. I like Unspawn's suggestion of virtualising a box and locking it off.