tholin Apprentice
Joined: 04 Oct 2008 Posts: 204
Posted: Fri Jun 07, 2024 7:41 pm Post subject: Block internet access for a program without root privileges?
tl;dr at the bottom.
After upgrading to a new version of app-misc/anki I noticed that it always tries to dial home, and there is no setting in Anki to prevent that. My go-to solution for preventing unwanted network access is to run programs in new network namespaces. So I tried to create a little bash wrapper around Anki like this:
Code:
unshare --user --net -- anki
Anki now fails to launch. Anki always launches something it calls "mediasrv", which is a local Flask-based web server on the 127.0.0.1 interface, and it fails to launch without that. Turns out a new network namespace doesn't even have the loopback interface up so it's not possible to bind to 127.0.0.1. You have to bring up lo yourself.
Code:
unshare --user --net -- bash -c "ip link set dev lo up; anki"
RTNETLINK answers: Operation not permitted
So I don't even have permission to bring up lo. That's because I map my regular unprivileged user into the new namespace. Let's try mapping root instead.
Code:
unshare --map-root-user --net -- bash -c "ip link set dev lo up; anki"
The loopback interface now comes up but everything in the namespace is running as (fake) root. That means Anki tries to write stuff to /root which is not going to work. I need some way to run Anki as my regular user after bringing up lo.
Code:
unshare --map-root-user --net -- bash -c "ip link set dev lo up; su myuser --command anki"
su: could not obtain user info (myuser)
That doesn't work either. Based on what I've learned, unshare only maps one user into the namespace so my regular user does not even exist there. But then let's try to unshare again into a new user namespace with my user.
Code:
unshare --map-root-user --net -- bash -c "ip link set dev lo up; unshare --user --map-user=1000 --map-group=1000 anki"
That kind of works but not really. It only maps my user and my group into the namespace. All other groups like the "audio", "video", and "scanner" groups are missing and all the /dev nodes belonging to those groups now belong to "nobody". I may be able to run Anki in software rendering mode without "video" permission, but I have audio flashcards and need access to the audio device.
unshare allows you to map ranges of user/groups into namespaces so let's try mapping all groups.
Code:
unshare --map-root-user --net -- bash -c "ip link set dev lo up; unshare --user --map-user=1000 --map-group=1000 --map-groups=1:1:1000 anki"
newgidmap: gid range [1-1000) -> [1-1000) not allowed
I'm not allowed to map the groups? Apparently I need to edit /etc/subgid to "authorize the configuration for subordinate group ids"... I have no idea what I'm doing anymore. This rabbit hole is so much deeper than I expected. All I want is an easy way to prevent Anki from dialing home.
To be more specific, I want a general way to prevent a given program from accessing the internet, but still allow access to 127.0.0.1. The program should be running in an environment that is as close as possible to the environment it would be running in without the network block in place to prevent unexpected behavioral changes. The program should be launchable as my regular user without sudo, and I preferably want the solution to work without modifying my current system. No messing with system files like /etc/subgid, firewalls, or suid root hacks. Is this even possible?
Hu Administrator
Joined: 06 Mar 2007 Posts: 22613
Posted: Fri Jun 07, 2024 8:27 pm Post subject:
The simplest solution would be to turn off the call-home feature. If upstream refuses to support one, make one.
If you want to go the namespace route, I suggest you look at sys-apps/bubblewrap. It is fairly flexible, and its network namespaces seem to be set up properly on their own.
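The bubblewrap route suggested above, written out as an added example that is not part of this thread, of bubblewrap or of Anki: a small wrapper that launches a program with only loopback reachable, plus a preflight that checks the sandbox really has no other interface up and that the program still runs as the calling user rather than a fake root (the two problems the opening post ran into with unshare). It assumes sys-apps/bubblewrap and iproute2 are installed; the names nonet, only_loopback_up and nonet_selftest are mine.

```bash
#!/bin/sh
# nonet: run a program with no network except loopback, via bubblewrap.
# Constructed example for this thread; not bubblewrap's or Anki's own code.
# Assumes sys-apps/bubblewrap (bwrap) and iproute2 (ip) are installed.

# Return 0 only if the `ip -o link show up` listing read from stdin names lo
# and nothing else, i.e. 127.0.0.1 is usable but no real interface is up.
only_loopback_up() {
    awk '{ name = $2; sub(/[:@].*/, "", name)
           if (name == "lo") lo = 1; else other = 1 }
         END { exit !(lo && !other) }'
}

# Launch "$@" in a fresh network namespace. The whole filesystem is bound in
# unchanged (same home, same /dev nodes with their group ownership), so the
# program's environment differs only in its network. bwrap creates the user
# namespace, brings lo up while it still holds CAP_NET_ADMIN there, and then
# runs the program as the caller's own uid; that is the step plain
# `unshare --user --net` cannot do. The kernel keeps the caller's
# supplementary group memberships for permission checks even though `id`
# inside the sandbox shows the unmapped ones as nobody.
nonet() {
    bwrap --dev-bind / / --unshare-net --die-with-parent -- "$@"
}

# Preflight: confirm that only lo is up inside the sandbox and that the
# program would run as the calling user, not as a remapped root.
nonet_selftest() {
    nonet ip -o link show up | only_loopback_up || {
        echo "nonet: an interface other than lo is up inside the sandbox" >&2
        return 1
    }
    [ "$(nonet id -u)" = "$(id -u)" ] || {
        echo "nonet: uid inside the sandbox differs from the caller's" >&2
        return 1
    }
}

# Usage: nonet_selftest && nonet anki
```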
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5088 Location: Bavaria
Posted: Fri Jun 07, 2024 8:35 pm Post subject:
I'm sorry to have to tell you that a firewall is the most sensible solution for precisely this use case (software wants to ‘phone home’) - and also the simplest ... or perhaps the second simplest (@Hu has already mentioned the simplest method).
Even if you don't want to use the FW for the rest of your system (and therefore allow everyone to do everything), you only need a few commands to configure this:
Code:
#!/bin/sh
set -eu
# 2024-06-07: Initial Script
### Defines ###
# define special user
spuser_uid="--uid-owner 1001"
### Basic Settings ###
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
### Allow loopback for everyone
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
### Deny every other networking for spuser
iptables -A OUTPUT -m owner ${spuser_uid} -j DROP
### Everything else is now allowed because of the default policies (-P OUTPUT/INPUT ACCEPT).
Edit the user-id, run this script and add "iptables" to your default runlevel.
(I don't know if bubblewrap is able to distinguish between loopback and ethernet; maybe you need filtering for bubblewrap as well?)
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
bjorn-fischer n00b
Joined: 13 Nov 2023 Posts: 8 Location: Bielefeld
Posted: Sat Jul 27, 2024 7:11 pm Post subject:
Having almost the same problem to approach, I came up with this solution. Can be used in suid root mode of operation or by utilizing capabilities.
szatox Advocate
Joined: 27 Aug 2013 Posts: 3418
Posted: Sat Jul 27, 2024 8:54 pm Post subject:
Running a program in an isolated namespace is not a bad idea, but it can be done with ip alone, there's really no need for any additional software.
Still, owner match on firewall is a very handy feature, which can be used not only for blocking traffic, but also for shaping it and building advanced routing policies (for multihomed systems).
_________________
Make Computing Fun Again
bjorn-fischer n00b
Joined: 13 Nov 2023 Posts: 8 Location: Bielefeld
Posted: Sat Jul 27, 2024 10:20 pm Post subject:
It needs several commands to create a netns and set up a loopback device. Most or all of these require elevated privileges.
The OP was looking for a simple one-liner without scripting, sudo, etc.
stefantalpalaru n00b
Joined: 11 Jan 2009 Posts: 65 Location: Italy
Posted: Sat Jul 27, 2024 11:26 pm Post subject:
Install "sys-apps/firejail" and use it like this:
Code:
firejail --noprofile --net=none anki