Disable networking

Post by superlgn

I saw the notes about blocking networking on the advanced wine user information wiki and I thought I'd try to come up with something a bit easier than running the application as a particular user:

(add the "nonet" group)

# groupadd nonet

(set up the iptables rule)

# iptables -I OUTPUT -m owner --gid-owner nonet -j REJECT --reject-with icmp-net-unreachable

(create nonet.c)

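#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <grp.h>
#include <unistd.h>

#ifndef _NONET_GROUP
#define _NONET_GROUP "nonet"
#endif

int main(int argc, char *argv[])
{
  struct group *gr;

  if (argc <= 1)  {
    fprintf(stderr, "Usage: %s command [ arg ... ]\n", argv[0]);
    exit(1);
  }

  /* getgrnam() leaves errno untouched when the group simply does not exist */
  errno = 0;
  if (!(gr = getgrnam(_NONET_GROUP))) {
    if (errno)
      perror("getgrnam");
    else
      fprintf(stderr, "%s: no such group: %s\n", argv[0], _NONET_GROUP);
    exit(1);
  }

  /* still root here (setuid binary): sets the real, effective and saved group IDs */
  if (setgid(gr->gr_gid) == -1) {
    perror("setgid");
    exit(1);
  }

  /* drop root last: as root, setuid() sets the real, effective and saved user IDs */
  if (setuid(getuid()) == -1) {
    perror("setuid");
    exit(1);
  }

  /* skip our own name so argv[0] is the command to run */
  argv++;
  argc--;

  if (execvp(*argv, argv) == -1) {
    perror("execvp");
    exit(1);
  }

  exit(0); /* not reached */
}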

(compile and make setuid, limit execution to staff group)

# gcc -o nonet nonet.c ; chown root:staff nonet ; chmod 4750 nonet

(run application)

# nonet wine some.exe

It seems to work alright. I can nonet bash and not ping or connect anywhere and the same goes for Steam. Since Steam is the only game(-related application) I need networking for, I made this the default in my wine wrapper script. Any thoughts?
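
A self-check to run under the wrapper described above, as an added example that is not part of the original post: it confirms that the real, effective and saved IDs were all switched (so neither the old group nor root can be regained) and then attempts one outbound TCP connect. It assumes Linux with glibc and the "nonet" group from the post; the file name netcheck.c and the functions ids_pinned and probe_connect are hypothetical, and the target address and port are supplied by the caller.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

int getresuid(uid_t *, uid_t *, uid_t *); /* glibc hides these two */
int getresgid(gid_t *, gid_t *, gid_t *); /* unless _GNU_SOURCE is set */

/* 1 if real, effective and saved IDs all equal uid/gid, 0 otherwise. */
int ids_pinned(uid_t uid, gid_t gid)
{
  uid_t ru, eu, su;
  gid_t rg, eg, sg;
  if (getresuid(&ru, &eu, &su) == -1 || getresgid(&rg, &eg, &sg) == -1)
    return 0;
  return ru == uid && eu == uid && su == uid &&
         rg == gid && eg == gid && sg == gid;
}

/* Try a TCP connect: returns 0 if it succeeded, otherwise the errno. */
int probe_connect(const char *ip, int port)
{
  struct sockaddr_in sa = { .sin_family = AF_INET };
  int fd, err = 0;
  sa.sin_port = htons((unsigned short)port);
  if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return EINVAL;
  if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1) return errno;
  if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == -1)
    err = errno; /* save before close() can overwrite it */
  close(fd);
  return err;
}

int main(int argc, char *argv[])
{
  struct group *gr = getgrnam("nonet"); /* group name from the post */
  if (argc != 3 || !gr || !ids_pinned(getuid(), gr->gr_gid)) {
    fprintf(stderr, "FAIL: not under nonet, or usage: nonet %s ipv4 port\n", argv[0]);
    return 2;
  }
  int err = probe_connect(argv[1], atoi(argv[2]));
  printf("connect: %s\n", err ? strerror(err) : "succeeded, rule not in effect");
  return err ? 0 : 1;
}
```

Point it at a host and port that are reachable without the wrapper, so that a failed connect can be attributed to the iptables rule rather than to the target being down.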