What's the best/easiest way to stop a program accessing the net?
I want to run a program (actually 'make') that may in turn run other programs and some of which might try to access the net. I'd like the access to be stopped and me given a meaningful error message (i.e. what part of what program tried to access what net resource). Ideally, I'd then have the choice of aborting or allowing it to continue.
Searching throws up various possibilities, some of which are not in the standard repositories, and I'm not sure what the best approach is.
* Dave Howorth dave@howorth.org.uk [07-14-18 08:50]:
What's the best/easiest way to stop a program accessing the net?
I want to run a program (actually 'make') that may in turn run other programs and some of which might try to access the net. I'd like the access to be stopped and me given a meaningful error message (i.e. what part of what program tried to access what net resource). Ideally, I'd then have the choice of aborting or allowing it to continue.
Searching throws up various possibilities, some of which are not in the standard repositories, and I'm not sure what the best approach is.
disconnect from the internet, unplug cable or systemctl stop network
afterwards simply systemctl start network or re-plug cable
you will/should get an error when something tries to access the disconnected network.
On 14/07/18 10:56 AM, Patrick Shanahan wrote:
you will/should get an error when something tries to access the disconnected network.
YES! And that is significant. Dave's message was very unspecific. This method will tell you exactly what program is trying to access the net. You can then tweak apparmor, for example, to specifically block it. Examples: https://forums.opensuse.org/showthread.php/498827-AppArmor-Profile-Deny-inte...
On Sat, 14 Jul 2018 11:17:59 -0400 Anton Aylward opensuse@antonaylward.com wrote:
On 14/07/18 10:56 AM, Patrick Shanahan wrote:
you will/should get an error when something tries to access the disconnected network.
Thanks for the idea. I guess that is simple but I was hoping for something a little less drastic. I'd really like to still be able to access the internet whilst the program is running.
I've read of a program called firejail for example and I believe iptables can do it but I've no experience of either (or of AppArmor if that can do it, or the firewall) so I was hoping somebody could recommend something.
YES! And that is significant. Dave's message was very unspecific.
I'm not sure what else you want me to tell you?
This method will tell you exactly what program is trying to access the net. You can then tweak apparmor, for example, to specifically block it. Examples: https://forums.opensuse.org/showthread.php/498827-AppArmor-Profile-Deny-inte...
* Dave Howorth dave@howorth.org.uk [07-14-18 11:39]:
On Sat, 14 Jul 2018 11:17:59 -0400 Anton Aylward opensuse@antonaylward.com wrote:
On 14/07/18 10:56 AM, Patrick Shanahan wrote:
you will/should get an error when something tries to access the disconnected network.
Thanks for the idea. I guess that is simple but I was hoping for something a little less drastic. I'd really like to still be able to access the internet whilst the program is running.
I've read of a program called firejail for example and I believe iptables can do it but I've no experience of either (or of AppArmor if that can do it, or the firewall) so I was hoping somebody could recommend something.
YES! And that is significant. Dave's message was very unspecific.
I'm not sure what else you want me to tell you?
This method will tell you exactly what program is trying to access the net. You can then tweak apparmor, for example, to specifically block it. Examples: https://forums.opensuse.org/showthread.php/498827-AppArmor-Profile-Deny-inte...
kiss is the BEST principle!
it appears from following this thread and related that you specifically look for exotic approaches/solutions rather than simple ones. you will never achieve what you seek in a short, manageable timeframe unless you try smaller steps and simpler approaches. it is very simple and easy to re-enable network access. do the checks you are trying to make take so much time that you cannot do w/o network access for a short time?
On 14.07.2018 at 14:49, Dave Howorth wrote:
What's the best/easiest way to stop a program accessing the net?
I want to run a program (actually 'make') that may in turn run other programs and some of which might try to access the net. I'd like the access to be stopped and me given a meaningful error message (i.e. what part of what program tried to access what net resource). Ideally, I'd then have the choice of aborting or allowing it to continue.
Searching throws up various possibilities, some of which are not in the standard repositories, and I'm not sure what the best approach is.
You may try network namespaces: https://lmddgtfy.net/?q=linux%20netns
You can create a new network namespace, without attaching any interfaces to it, and run your application in it.
Example:
sudo ip netns add isolated
sudo ip netns exec isolated sudo -u my_username -i
This will start a new shell session running as your user, but without any access to the network.
If you want to start a graphical application in it, you need to execute
export DISPLAY=unix:0
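A wrapper along the lines Adam describes, added here as an example and not taken from the thread: it runs the command in a throw-away namespace with only loopback, under strace, and afterwards lists which child process tried to connect where, which is the report Dave asked for. The script name, the "nonet" namespace prefix and the strace lines used in the test are assumptions/constructed; it needs root (via sudo), iproute2 and strace.

```shell
#!/bin/sh
# Added example, not code from the thread: run a command as USER inside a fresh
# network namespace that has only loopback, under strace, and report afterwards
# which child process tried to connect to which address (the error report Dave
# asked for). Assumes: run as root (e.g. via sudo), iproute2 `ip` and `strace`.
# Usage: nonet-run.sh USER COMMAND...     e.g.  sudo ./nonet-run.sh dave make
# summarize_net_attempts LOGFILE
# Parses an `strace -f -e trace=execve,connect` log and prints one line per
# connect(): PID, program that pid exec'd, destination address, port, result
# (ENETUNREACH inside an interface-less namespace). AF_UNIX connects (X11,
# D-Bus, nscd) are not network access and are skipped; a forked child that
# never exec'd a program of its own is shown as "?".
summarize_net_attempts() {
    awk '
        /^[0-9]+ +execve\(/ && / = 0$/ {
            pid = $1; sub(/^[0-9]+ +execve\("/, ""); sub(/".*/, "")
            prog[pid] = $0; next
        }
        /^[0-9]+ +connect\(/ && /sa_family=AF_INET6?,/ {
            pid = $1
            match($0, /sin6?_port=htons\([0-9]+\)/)
            port = substr($0, RSTART, RLENGTH); sub(/^.*\(/, "", port); sub(/\)$/, "", port)
            match($0, /inet_(addr|pton)\([^"]*"[^"]*"/)
            addr = substr($0, RSTART, RLENGTH); sub(/^[^"]*"/, "", addr); sub(/"$/, "", addr)
            if (match($0, /= -1 [A-Z]+/)) res = substr($0, RSTART + 5, RLENGTH - 5); else res = "ok"
            printf "%s %s %s %s %s\n", pid, ((pid in prog) ? prog[pid] : "?"), addr, port, res
        }
    ' "$1"
}

# run_isolated USER COMMAND...   (root only)
# Same `ip netns add` / `ip netns exec ... sudo -u USER` steps as above, with a
# throw-away namespace, loopback up so purely local services still work, and the
# command run under strace so the attempts can be reported when it finishes.
run_isolated() {
    user=$1; shift
    ns="nonet$$"
    log=$(mktemp) && chown "$user" "$log" || return 2
    ip netns add "$ns" || return 2
    ip netns exec "$ns" ip link set lo up
    ip netns exec "$ns" sudo -u "$user" strace -f -o "$log" -e trace=execve,connect "$@"
    rc=$?
    ip netns delete "$ns"
    echo "--- connection attempts (pid program address port result) ---" >&2
    summarize_net_attempts "$log" >&2
    rm -f "$log"
    return "$rc"
}
[ $# -eq 0 ] || run_isolated "$@"
```

The summary goes to stderr and the command's own exit status is passed through, so the wrapper can be dropped in front of a normal `make` invocation.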
On Sat, 14 Jul 2018 21:29:45 +0200 Adam Mizerski adam@mizerski.pl wrote:
On 14.07.2018 at 14:49, Dave Howorth wrote:
What's the best/easiest way to stop a program accessing the net?
I want to run a program (actually 'make') that may in turn run other programs and some of which might try to access the net. I'd like the access to be stopped and me given a meaningful error message (i.e. what part of what program tried to access what net resource). Ideally, I'd then have the choice of aborting or allowing it to continue.
Searching throws up various possibilities, some of which are not in the standard repositories, and I'm not sure what the best approach is.
You may try network namespaces: https://lmddgtfy.net/?q=linux%20netns
You can create a new network namespace, without attaching any interfaces to it, and run your application in it.
Example:
sudo ip netns add isolated
sudo ip netns exec isolated sudo -u my_username -i
This will start a new shell session running as your user, but without any access to the network.
If you want to start a graphical application in it, you need to execute
export DISPLAY=unix:0
Excellent! Many thanks, that's exactly the kind of thing I was looking for.
On 2018-07-14 at 14:17 -0400, Patrick Shanahan wrote:
* Dave Howorth <> [07-14-18 11:39]:
On Sat, 14 Jul 2018 11:17:59 -0400 Anton Aylward opensuse@antonaylward.com wrote:
On 14/07/18 10:56 AM, Patrick Shanahan wrote:
you will/should get an error when something tries to access the disconnected network.
Thanks for the idea. I guess that is simple but I was hoping for something a little less drastic. I'd really like to still be able to access the internet whilst the program is running.
I've read of a program called firejail for example and I believe iptables can do it but I've no experience of either (or of AppArmor if that can do it, or the firewall) so I was hoping somebody could recommend something.
YES! And that is significant. Dave's message was very unspecific.
I'm not sure what else you want me to tell you?
This method will tell you exactly what program is trying to access the net. You can then tweak apparmor, for example, to specifically block it. Examples: https://forums.opensuse.org/showthread.php/498827-AppArmor-Profile-Deny-inte...
kiss is the BEST principle!
it appears from following this thread and related that you specifically look for exotic approaches/solutions rather than simple ones. you will never achieve what you seek in a short, manageable timeframe unless you try smaller steps and simpler approaches. it is very simple and easy to re-enable network access. do the checks you are trying to make take so much time that you cannot do w/o network access for a short time?
Your approach blocks all programs and all users. He wants to block one.
-- Cheers Carlos E. R.
(from openSUSE 42.3 x86_64 "Malachite" (Minas Tirith))
On 2018-07-14 14:49, Dave Howorth wrote:
What's the best/easiest way to stop a program accessing the net?
I want to run a program (actually 'make') that may in turn run other programs and some of which might try to access the net. I'd like the access to be stopped and me given a meaningful error message (i.e. what part of what program tried to access what net resource). Ideally, I'd then have the choice of aborting or allowing it to continue.
Searching throws up various possibilities, some of which are not in the standard repositories, and I'm not sure what the best approach is.
IMHO there are multiple ways to achieve this. Firstly, iptables has a huge amount of seldom-used options: you can specify the UID of who is generating traffic, and allow/deny that. But that is strict on everything a specific user tries to do.
Another approach might be to handle this through AppArmor. For each application you can define what a program is allowed to do. In this case: deny a program any network access.
* Carlos E. R. robin.listas@telefonica.net [07-14-18 17:55]:
On 2018-07-14 at 14:17 -0400, Patrick Shanahan wrote:
* Dave Howorth <> [07-14-18 11:39]:
On Sat, 14 Jul 2018 11:17:59 -0400 Anton Aylward opensuse@antonaylward.com wrote:
On 14/07/18 10:56 AM, Patrick Shanahan wrote:
you will/should get an error when something tries to access the disconnected network.
Thanks for the idea. I guess that is simple but I was hoping for something a little less drastic. I'd really like to still be able to access the internet whilst the program is running.
I've read of a program called firejail for example and I believe iptables can do it but I've no experience of either (or of AppArmor if that can do it, or the firewall) so I was hoping somebody could recommend something.
YES! And that is significant. Dave's message was very unspecific.
I'm not sure what else you want me to tell you?
This method will tell you exactly what program is trying to access the net. You can then tweak apparmor, for example, to specifically block it. Examples: https://forums.opensuse.org/showthread.php/498827-AppArmor-Profile-Deny-inte...
kiss is the BEST principle!
it appears from following this thread and related that you specifically look for exotic approaches/solutions rather than simple ones. you will never achieve what you seek in a short, manageable timeframe unless you try smaller steps and simpler approaches. it is very simple and easy to re-enable network access. do the checks you are trying to make take so much time that you cannot do w/o network access for a short time?
Your approach blocks all programs and all users. He wants to block one.
-- Cheers Carlos E. R.
(from openSUSE 42.3 x86_64 "Malachite" (Minas Tirith))
yes, for testing over a short period, wtf.