Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Block internet access for a program without root privileges?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
tholin
Apprentice
Apprentice


Joined: 04 Oct 2008
Posts: 204

PostPosted: Fri Jun 07, 2024 7:41 pm    Post subject: Block internet access for a program without root privileges? Reply with quote

tl;dr at the bottom.

After upgrading to a new version of app-misc/anki I noticed that it always tries to dial home, and there is no setting in Anki to prevent that. My go-to solution for preventing unwanted network access is to run programs in new network namespaces. So I tried to create a little bash wrapper around Anki like this:
Code:
unshare --user --net -- anki

Anki now fails to launch. Anki always launches something it calls "mediasrv", which is a local Flask-based web server on the 127.0.0.1 interface, and it fails to launch without that. Turns out a new network namespace doesn't even have the loopback interface up so it's not possible to bind to 127.0.0.1. You have to bring up lo yourself.
Code:
unshare --user --net -- bash -c "ip link set dev lo up; anki"
RTNETLINK answers: Operation not permitted

So I don't even have permission to bring up lo. That's because I map my regular unprivileged user into the new namespace. Let's try mapping root instead.
Code:
unshare --map-root-user --net -- bash -c "ip link set dev lo up; anki"

The loopback interface now comes up but everything in the namespace is running as (fake) root. That means Anki tries to write stuff to /root which is not going to work. I need some way to run Anki as my regular user after bringing up lo.
Code:
unshare --map-root-user --net -- bash -c "ip link set dev lo up; su myuser --command anki"
su: could not obtain user info (myuser)

That doesn't work either. Based on what I've learned, unshare only maps one user into the namespace so my regular user does not even exist there. But then let's try to unshare again into a new user namespace with my user.
Code:
unshare --map-root-user --net -- bash -c "ip link set dev lo up; unshare --user --map-user=1000 --map-group=1000 anki"

That kind of works but not really. It only maps my user and my group into the namespace. All other groups like the "audio", "video", and "scanner" groups are missing and all the /dev nodes belonging to those groups now belong to "nobody". I may be able to run Anki in software rendering mode without "video" permission, but I have audio flashcards and need access to the audio device.

unshare allows you to map ranges of user/groups into namespaces so let's try mapping all groups.
Code:
unshare --map-root-user --net -- bash -c "ip link set dev lo up; unshare --user --map-user=1000 --map-group=1000 --map-groups=1:1:1000 anki"
newgidmap: gid range [1-1000) -> [1-1000) not allowed

I'm not allowed to map the groups? Apparently I need to edit /etc/subgid to "authorize the configuration for subordinate group ids"... I have no idea what I'm doing anymore. This rabbit hole is so much deeper than I expected. All I want is an easy way to prevent Anki from dialing home.

To be more specific, I want a general way to prevent a given program from accessing the internet, but still allow access to 127.0.0.1. The program should be running in an environment that is as close as possible to the environment it would be running in without the network block in place to prevent unexpected behavioral changes. The program should be launchable as my regular user without sudo, and I preferably want the solution to work without modifying my current system. No messing with system files like /etc/subgid, firewalls, or suid root hacks. Is this even possible?
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22618

PostPosted: Fri Jun 07, 2024 8:27 pm    Post subject: Reply with quote

The simplest solution would be to turn off the call-home feature. If upstream refuses to support one, make one.

If you want to go the namespace route, I suggest you look at sys-apps/bubblewrap. It is fairly flexible, and its network namespaces seem to be set up properly on their own.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5090
Location: Bavaria

PostPosted: Fri Jun 07, 2024 8:35 pm    Post subject: Reply with quote

I'm sorry to have to tell you that a firewall is the most sensible solution for precisely this use case (software wants to ‘phone home’) - and also the simplest ... or perhaps the second simplest (@Hu has already mentioned the simplest method).

Even if you don't want to use the FW for the rest of your system (and therefore allow everyone to do everything), you only need a few commands to configure this:

Code:
#!/bin/sh
set -eu

# 2024-06-07: Initial Sript


### Defines ###

# define special user
spuser_uid="--uid-owner 1001"


### Basic Settings ###

iptables -F
iptables -X
iptables -P INPUT       ACCEPT
iptables -P OUTPUT      ACCEPT
iptables -P FORWARD     ACCEPT

### Allow loopback for everyone

iptables -A INPUT       -i lo -j ACCEPT
iptables -A OUTPUT      -o lo -j ACCEPT

### Deny every other networking for spuser

iptables -A OUTPUT      -m owner ${spuser_uid} -j DROP

### Everything else is now allowed because of the default policies (-P OUTPUT/INPUT ACCEPT).


Edit the user-id, run this script and add "iptables" to your default runlevel.

(I don't know if bubblewrap is able to distinguish between loopback and ethernet; maybe you need filtering for bubblewrap as well?)
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
bjorn-fischer
n00b
n00b


Joined: 13 Nov 2023
Posts: 8
Location: Bielefeld

PostPosted: Sat Jul 27, 2024 7:11 pm    Post subject: Reply with quote

Having almost the same problem to approach, I came up with this solution. Can be used in suid root mode of operation or by utilizing capabilities.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3420

PostPosted: Sat Jul 27, 2024 8:54 pm    Post subject: Reply with quote

Running a program in an isolated namespace is not a bad idea, but it can be done with ip alone, there's really no need for any additional software.

Still, owner match on firewall is a very handy feature, which can be used not only for blocking traffic, but also for shaping it and building advanced routing policies (for multihomed systems).
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
bjorn-fischer
n00b
n00b


Joined: 13 Nov 2023
Posts: 8
Location: Bielefeld

PostPosted: Sat Jul 27, 2024 10:20 pm    Post subject: Reply with quote

It needs several commands to create a netns and setup a loopback device. Most or all of these require elevated privileges.

The OP was looking for a simple one liner without skripting, sudo, etc.
Back to top
View user's profile Send private message
stefantalpalaru
n00b
n00b


Joined: 11 Jan 2009
Posts: 65
Location: Italy

PostPosted: Sat Jul 27, 2024 11:26 pm    Post subject: Reply with quote

Install "sys-apps/firejail" and use it like this:

Code:
firejail --noprofile --net=none anki
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum