When I first heard about Audacity's plans to start shooting data back to
the mother ship, I was dismayed. But then I thought, "boy, we have some
technical tools to address this" and I started digging. The obvious answer,
since AppArmor made it into Devuan Beowulf, was to use that to block
Audacity from using the network. After all, it can do absolutely everything
I want without network access.

Sadly, I soon ran into this, in apparmor.d(5):

       Some features are not supported on Debian yet:

       Network Rules
       DBus rules
       Unix socket rules

I thought I'd check Debian Bullseye since it's out now, but it has the same
limitation, which means Chimaera will have the same limitation.

However, in digging, I noted that the same thing can be accomplished with
the unshare(1) command. I tried "unshare -n" but it didn't work:

    $ unshare -n ping 4.2.2.1
    unshare: unshare failed: Operation not permitted

Turns out, there's a sysctl that defaults to "0" in Buster/Beowulf, but "1"
in Bullseye/Chimaera, that lets regular users do this. However, in addition
to turning that on, as an additional step you have to say "map me to root
in a new/cloned namespace so I can then have the privilege to drop the
existing namespace".

So, whether you set it persistently or not, you start with:

    sudo sysctl -w kernel.unprivileged_userns_clone=1

...and then you can run something that has no configured network:

    $ unshare -rn ping 4.2.2.1
    ping: connect: Network is unreachable

It's conceivable that a process running in this new space could note that
it had no configured network and construct something, and as such this
might not be as complete as the AppArmor answer would have been, but this
has the advantage of being possible today.

There's also an iptables-centric method:

    https://serverfault.com/questions/550276/how-to-block-internet-access-to-certain-programs-on-linux

Either way, this is a good model for semi-trusted things that ought not to
be allowed to use the network.

-- 
Mason Loring Bliss  ((   If I have not seen as far as others, it is because
 ma...@blisses.org   ))   giants were standing on my shoulders. - Hal Abelson


_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
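As an added example (not part of the post above, and not Devuan's or util-linux's own code), here is a small POSIX shell wrapper around the unshare(1) recipe the post describes: check the kernel.unprivileged_userns_clone knob, then run a program under "unshare -r -n" and verify from inside that nothing but loopback is visible. The function names (probe_userns, run_offline, offline_ifaces, offline_uid) and the script-name guard are my own choices; the knob path is Debian-specific, so kernels without it are reported as "unknown" rather than "disabled". Interfaces are read from /proc/net/dev rather than /sys/class/net because procfs follows the calling process's network namespace, whereas a sysfs mount inherited from the host keeps showing the host's interfaces.

```shell
#!/bin/sh
# Added example: run a program with no network by giving it a private user
# namespace plus a private, empty network namespace via unshare(1).
# Assumptions: util-linux unshare with -r/-n; Debian kernels expose
# /proc/sys/kernel/unprivileged_userns_clone (absent elsewhere -> "unknown").

# Report whether unprivileged user namespaces are switched on.
# Prints "enabled", "disabled", or "unknown" (knob not present on this kernel).
probe_userns() {
    knob=/proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$knob" ]; then
        case "$(cat "$knob")" in
            1) echo enabled ;;
            *) echo disabled ;;
        esac
    else
        echo unknown
    fi
}

# Run "$@" in a fresh user namespace (-r maps us to root inside it, which is
# the privilege needed to leave the host's network namespace) and a fresh
# network namespace (-n). Inside, the only interface is a down loopback.
run_offline() {
    unshare -r -n -- "$@"
}

# Interfaces visible inside the sandbox, space-separated. /proc/net/dev is
# per-netns, so with -n this should print exactly "lo". Anything more means
# the program did not actually land in a private network namespace.
offline_ifaces() {
    run_offline sh -c 'tail -n +3 /proc/net/dev' \
        | sed 's/^ *\([^:]*\):.*/\1/' \
        | tr '\n' ' ' | sed 's/ $//'
}

# The uid seen inside: 0, because of -r. This "root" only carries weight
# inside the new namespaces; it cannot reach host interfaces.
offline_uid() {
    run_offline id -u
}

# Demo when executed directly as netns-offline.sh (hypothetical filename).
if [ "${0##*/}" = "netns-offline.sh" ]; then
    echo "unprivileged userns: $(probe_userns)"
    echo "interfaces inside sandbox: $(offline_ifaces)"
    echo "uid inside sandbox: $(offline_uid)"
    run_offline ping -c 1 -W 1 4.2.2.1 || echo "ping failed as intended (exit $?)"
fi
```

On the caveat raised in the post: the process is root inside its own namespaces, so it can bring loopback up or create a veth pair, but both ends of such a pair live in the empty namespace and moving one end into the host's namespace would need CAP_NET_ADMIN there, which the sandboxed process does not have. Checking offline_ifaces prints only "lo" is the quick way to confirm the wrapper took effect (for instance when the sysctl is still 0 and unshare fails, nothing is run at all).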
