kktsuri, I have something horribly dirty, due to the requirement of a root password, but it works.
http://linux.die.net/man/1/unshare
If you set the suid bit on unshare you can do unshare -n -- application; unfortunately this means all networking, including loopback, is disabled, and lots of applications really hate this. For applications that don't hate this it is a really nice solution. No extra user or iptables settings.
is network unreachable.
The hack uses root/admin-level unshare and su to change back to a lower user.
Code:
unshare -n -- sh -c "ifconfig lo up; su [user] -c [application]"
or
Code:
unshare -n -- sh -c "ip link set dev lo up; su [user] -c [application]"
Unfortunately both commands have to run with root privilege, so use sudo -c or su -c on a batch file containing it. ifconfig is the old way of configuring network interfaces and ip is the new one.
kktsuri, the reason I had to go home and look at my home system was that I could not remember how I pulled it off so simply myself.
This should be doable more cleanly using nsenter, but I have not done it myself and not every distribution has nsenter yet. nsenter accepts a file describing how the network should look when you fire up the application, so it avoids the need to turn the network on.
There are some GUI tools for managing cgroups, but for this I just hack it. Please note unshare -n -- application should work with some Windows applications, because if you uninstall all network cards under Windows the TCP loopback disappears.
If you are on a system with systemd there is another way to replicate what I did: systemd-nspawn --private-network --drop-capability=. I have not messed with this myself.
This is the problem: cgroups has a stack of different command line interfaces. It will get a lot simpler when everything on Linux uses systemd.
kktsuri, yes, blocking network traffic will get simpler and cleaner than using iptables. In fact, blocking applications from seeing everything else on the system will also get simpler.
What makes LXC solutions complex at the moment is too many ways to skin the one cat. Yes, the different methods end up with the kernel receiving exactly the same instructions.
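The wrapper below is an added example, not code from the posts above. It packages the same idea (a fresh network namespace with only loopback brought up, so the application sees "network unreachable" for everything else) into two shell functions, and adds a self-check you can run before trusting the jail. It goes one step beyond the posts: `netjail` uses a user namespace (util-linux `unshare --user --map-root-user --net`) so no root password is needed, since the caller is uid 0 only inside the namespace and can therefore run `ip link set dev lo up` there; `netjail_as_user` is the root-plus-su variant from the posts for when the application must run as a specific existing user. It assumes util-linux unshare with those long options and iproute2 `ip`; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original forum posts). Assumes util-linux
# unshare with --user/--map-root-user/--net and iproute2 `ip`.

# netjail CMD [ARGS...]
# Run CMD in a new network namespace containing only loopback, with lo up.
# No root needed: --map-root-user makes the caller uid 0 inside the
# namespace (so `ip link set` is permitted there) while outside the
# process is still the unprivileged caller.
netjail() {
    unshare --user --map-root-user --net -- \
        sh -c 'ip link set dev lo up && exec "$@"' sh "$@"
}

# netjail_as_user USER CMD [ARGS...]
# Root-based variant of the posts' hack: must be invoked as root, brings
# lo up, then drops to USER via su -c. Arguments are re-joined with
# spaces for su -c, so quote them accordingly.
netjail_as_user() {
    user=$1; shift
    unshare --net -- \
        sh -c 'ip link set dev lo up && exec su "$0" -c "$*"' "$user" "$@"
}

# netjail_selftest
# Return 0 when, seen from inside the jail: exactly one interface exists,
# it is the UP loopback, and there is no route to the outside.
# 192.0.2.1 is a documentation-only address, so nothing is ever contacted;
# `ip route get` simply fails with "Network is unreachable" in an empty
# namespace, which is the behaviour the posts describe.
netjail_selftest() {
    netjail sh -c '
        [ "$(ip -o link show | wc -l)" -eq 1 ] || exit 1
        ip -o link show dev lo | grep -q "LOOPBACK,UP" || exit 1
        if ip route get 192.0.2.1 >/dev/null 2>&1; then exit 1; fi
        exit 0
    '
}

# Usage (after sourcing this file):
#   netjail_selftest && netjail some-application   # hypothetical app name
```

If `netjail_selftest` fails on a given host, the usual reasons are that unprivileged user namespaces are disabled (then only the root-based `netjail_as_user` path is available) or that `ip` is not installed.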