:: [DNG] The audacity of it all...
Startseite
Nachricht löschen
Nachricht beantworten
Autor: Mason Loring Bliss
Datum:  
To: DNG
Betreff: [DNG] The audacity of it all...
When I first heard about Audacity's plans to start shooting data back to
the mother ship, I was dismayed. But then I thought, "boy, we have some
technical tools to address this" and I started digging. The obvious answer,
since AppArmor made it into Devuan Beowulf, was to use that to block
Audacity from using the network. After all, it can do absolutely everything
I want without network access.

Sadly, I soon ran into this, in apparmor.d(5):

       Some features are not supported on Debian yet:


       Network Rules
       DBus rules
       Unix socket rules


I thought I'd check Debian Bullseye since it's out now, but it has the same
limitation, which means Chimaera will have the same limitation.

However, in digging, I noted that the same thing can be accomplished with
the unshare(1) command. I tried "unshare -n" but it didn't work:

    $ unshare -n ping 4.2.2.1
    unshare: unshare failed: Operation not permitted


Turns out, there's a sysctl that defaults to "0" in Buster/Beowulf, but "1"
in Bullseye/Chimera, that lets regular users do this. However, in addition
to turning that on, as an additional step you have to say "map me to root
in a new/cloned namespace so I can then have the privilege to drop the
existing namespace".

So, whether you set it persistently or not, you start with:

    sudo sysctl -w kernel.unprivileged_userns_clone=1


...and then you can run something that has no configured network:

    $ unshare -n ping 4.2.2.1
    unshare: unshare failed: Operation not permitted


It's conceivable that a process running in this new space could note that
it had no configured network and construct something, and as such this
might not be as complete as the AppArmor answer would have been, but this
has the advantage of being possible today.

There's also an iptables-centric method:

    https://serverfault.com/questions/550276/how-to-block-internet-access-to-certain-programs-on-linux


Either way, this is a good model for semi-trusted things that ought not to
be allowed to use the network.

--
Mason Loring Bliss (( If I have not seen as far as others, it is because
mason@??? )) giants were standing on my shoulders. - Hal Abelson