On linux you can use network namespaces to deprive the program of access to the ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

smcameron on July 6, 2021 | parent | context | favorite | on: Console Do Not Track – Proposal for a standard env...

On linux you can use network namespaces to deprive the program of access to the network (shouldn't be necessary, but this is the world we live in.)

    $ sudo ip netns add jail # create a new net namespace with no access
    $ sudo ip netns exec jail /bin/bash # launch a root shell in the new namespace
    # su - your-normal-username # become non-root
    $ ping google.com # see if network is accessible?
    ping: unknown host google.com
    $ ifconfig -a
    lo        Link encap:Local Loopback  
              LOOPBACK  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    $ audacity & # See if you can track me without a network audacity...
    [1] 4284
    $ _

nickysielicki on July 7, 2021 [–]

I really hope that someday someone builds some proper UX around network namespaces for desktop Linux. It would not be all that difficult to implement something akin to Qubes if you made NetworkManager namespace aware and integrated with dbus-launch to start the applications in the desired namespace.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact