When I first heard about Audacity's plans to start shooting data back to the mother ship, I was dismayed. But then I thought, "boy, we have some technical tools to address this" and I started digging. The obvious answer, since AppArmor made it into Devuan Beowulf, was to use that to block Audacity from using the network. After all, it can do absolutely everything I want without network access.
Sadly, I soon ran into this, in apparmor.d(5):

    Some features are not supported on Debian yet:
        Network Rules
        DBus rules
        Unix socket rules

I thought I'd check Debian Bullseye since it's out now, but it has the same limitation, which means Chimaera will have the same limitation.

However, in digging, I noted that the same thing can be accomplished with the unshare(1) command. I tried "unshare -n" but it didn't work:

    $ unshare -n ping 4.2.2.1
    unshare: unshare failed: Operation not permitted

Turns out, there's a sysctl that defaults to "0" in Buster/Beowulf, but "1" in Bullseye/Chimaera, that lets regular users do this. However, in addition to turning that on, as an additional step you have to say "map me to root in a new/cloned namespace so I can then have the privilege to drop the existing namespace". So, whether you set it persistently or not, you start with:

    sudo sysctl -w kernel.unprivileged_userns_clone=1

...and then you can run something that has no configured network:

    $ unshare -n ping 4.2.2.1
    unshare: unshare failed: Operation not permitted

It's conceivable that a process running in this new space could note that it had no configured network and construct something, and as such this might not be as complete as the AppArmor answer would have been, but this has the advantage of being possible today.

There's also an iptables-centric method:

    https://serverfault.com/questions/550276/how-to-block-internet-access-to-certain-programs-on-linux

Either way, this is a good model for semi-trusted things that ought not to be allowed to use the network.

-- 
Mason Loring Bliss       (( If I have not seen as far as others, it is because
ma...@blisses.org        )) giants were standing on my shoulders. - Hal Abelson
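An added example (not part of the post above) wrapping the unshare(1) approach in a small POSIX sh helper: it checks the kernel.unprivileged_userns_clone sysctl first, runs the program in a new user namespace (-r, mapped to root inside) plus a new network namespace (-n), and verifies from inside that only "lo" exists. Treating an absent sysctl file as "allowed" is an assumption for kernels without that Debian-specific knob.

```sh
#!/bin/sh
# nonet: run a program with no usable network. -r creates a user namespace that
# maps us to root inside it (the privilege needed to create further namespaces),
# -n creates a fresh network namespace holding only a loopback that is DOWN.

# Report the Debian/Devuan sysctl: enabled, disabled or absent.
# ASSUMPTION: "absent" is treated as allowed (kernels without this knob
# normally permit unprivileged user namespaces by default).
userns_status() {
    f=/proc/sys/kernel/unprivileged_userns_clone
    [ -e "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Pure policy decision, kept separate so it can be checked without the kernel.
nonet_allowed() {
    case "$1" in
        enabled|absent) echo yes ;;
        *) echo no ;;
    esac
}

# Run "$@" in the isolated namespaces, refusing early with a hint if the
# sysctl from the post still blocks unprivileged namespace creation.
nonet() {
    if [ "$(nonet_allowed "$(userns_status)")" != yes ]; then
        echo "nonet: run 'sudo sysctl -w kernel.unprivileged_userns_clone=1' first" >&2
        return 1
    fi
    unshare -r -n -- "$@"
}

# Verify from inside the namespace that /proc/net/dev lists only "lo".
# /proc/net follows the caller's network namespace, unlike an already
# mounted /sys/class/net, so it is the right place to look.
nonet_selftest() {
    ifaces=$(nonet sh -c 'tail -n +3 /proc/net/dev | cut -d: -f1 | tr -d " "') || return 1
    [ "$ifaces" = lo ]
}

# Usage: nonet ping 4.2.2.1   (expect "Network is unreachable", not replies)
if [ "${1:-}" = "--selftest" ]; then
    nonet_selftest && echo "nonet: OK, only lo is visible inside the namespace"
fi
```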
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng