linux
nirvimel, 2016-02-15 12:55:15

What is the easiest way in Linux to get a shell (sandbox) from which access to the network is blocked?

I have never used any of these SELinux / AppArmor / LXC things, because the tasks that come up on a home desktop are not worth the time spent poring over documentation, hand-writing configs and typing a pile of console commands for every little thing. But maybe there is a really simple way to create a bare-bones sandbox without jumping through hoops (all spawned processes stay inside it), one that differs from the world outside it only in having no access to any network interface (except possibly loopback).

4 answer(s)
Mystray, 2016-02-15
@nirvimel

Running the process in a separate network namespace is the easiest way.
It will contain only the lo interface, in the down state. You can move interfaces into it if necessary.

# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 38:2c:4a:bf:18:41 brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:15:17:0e:24:42 brd ff:ff:ff:ff:ff:ff
# ip route
default via 192.168.0.1 dev eth0 
169.254.0.0/16 dev eth0  scope link  metric 1000 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.12
# ip netns add TEST
# ip netns exec TEST bash # everything that follows runs "inside" the namespace:
# ip route
# ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
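
An added example (not part of the answer above) that wraps the network-namespace approach in a small script. Two things the raw transcript above does not show: `ip netns exec TEST bash` gives a root shell, so for a desktop sandbox you want to drop back to an ordinary account inside the namespace; and a fresh namespace has lo in the DOWN state, so it must be brought up before anything can talk to 127.0.0.1. The script also shows the unprivileged variant, `unshare -Urn`, which creates a user namespace plus a network namespace without root, provided the kernel allows unprivileged user namespaces (inside it your uid shows up as root, mapped to your real uid). Assumptions: iproute2 (`ip`) and util-linux (`unshare`, `runuser`) are installed; the function names, the script name `netns-sandbox.sh` and the `run`/`check` subcommands are this example's own. The `only_loopback` check reads `/sys/class/net` by default and takes an alternative directory so it can be tested against a constructed one.

```shell
#!/bin/sh
# Added example, not part of the original answer: run a command in a network
# namespace that contains only the loopback interface, and check for that
# condition from inside. Assumes iproute2 and util-linux.

# Return 0 if the namespace we are in exposes no interface other than lo.
# Interface names are read from a sysfs-style directory (default
# /sys/class/net) so the function can also be run against a constructed dir.
only_loopback() {
    dir="${1:-/sys/class/net}"
    for iface in "$dir"/*; do
        [ -e "$iface" ] || continue          # empty dir: the glob did not expand
        case "$(basename "$iface")" in
            lo) ;;
            *)  return 1 ;;
        esac
    done
    return 0
}

# Root path: netns_run_root NAME USER COMMAND [ARGS...]
# Creates a named namespace, brings lo up, runs COMMAND as USER (not as root)
# inside it, and removes the namespace afterwards even if COMMAND fails.
netns_run_root() {
    ns="$1"; user="$2"; shift 2
    ip netns add "$ns" || return 1
    ip netns exec "$ns" ip link set lo up
    ip netns exec "$ns" runuser -u "$user" -- "$@"
    rc=$?
    ip netns del "$ns"
    return "$rc"
}

# Unprivileged path: netns_run_unpriv COMMAND [ARGS...]
# -U: new user namespace; -r: map our uid to root inside it, which grants
# CAP_NET_ADMIN over the new network namespace only; -n: new network namespace.
# Needs unprivileged user namespaces enabled in the kernel.
netns_run_unpriv() {
    unshare -Urn sh -c 'ip link set lo up 2>/dev/null; exec "$@"' sh "$@"
}

# Command-line use (names are this example's own):
#   sh netns-sandbox.sh run firefox      run a program without network access
#   sh netns-sandbox.sh check            report whether this shell is isolated
case "${1:-}" in
    run)   shift; netns_run_unpriv "$@" ;;
    check) if only_loopback; then echo "isolated: only lo is present"
           else echo "NOT isolated: other interfaces are visible"; fi ;;
esac
```

One caveat worth knowing before relying on this for isolation: a network namespace scopes more than interfaces and routes. It also scopes abstract Unix domain sockets, so a sandboxed program cannot reach a local service that listens only on an abstract socket, while filesystem-path Unix sockets (and anything else on the filesystem) remain reachable exactly as outside. That is the intended "differs only by the network" property, but it also means the sandbox does nothing against data exfiltration through files or through a helper process outside the namespace.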

Yuri Chudnovsky, 2016-02-15
@Frankenstine

I think this is closest to what you need:
www.ibm.com/developerworks/ru/library/l-lxc-containers

jacob1237, 2016-02-15
@jacob1237

chroot + iptables for a specific user?
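
What the "iptables for a specific user" part would look like, as an added example that is not from the answer above. chroot by itself does not touch the network at all; the confinement comes from the netfilter `owner` match, which lets OUTPUT rules select packets by the uid of the sending process. The rules below keep loopback for a dedicated sandbox account and REJECT everything else it sends (REJECT rather than DROP so programs fail immediately instead of hanging). Assumptions: iptables and ip6tables with the `xt_owner` module, run as root; `rules_for_uid` and `apply_for_user` are this example's own names, and the `IPT`/`IP6T` variables exist so the rule set can be inspected with `IPT=echo IP6T=echo` without touching the live firewall.

```shell
#!/bin/sh
# Added example, not from the original answer: confine one account's network
# access with the iptables owner match. Assumes iptables/ip6tables with
# xt_owner; applying the rules requires root.

# Print the rule arguments, one rule per line, that confine uid $1.
# Kept as a pure function so the rule set can be reviewed or tested first.
rules_for_uid() {
    uid="$1"
    # Loopback stays open so local services on 127.0.0.1 / ::1 keep working.
    echo "-A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT"
    # Anything else this uid sends is refused. REJECT, not DROP, so that
    # connect() fails at once instead of timing out.
    echo "-A OUTPUT -m owner --uid-owner $uid -j REJECT"
}

# Apply the rules for a user name or numeric uid to both IPv4 and IPv6.
# Override IPT / IP6T (e.g. IPT=echo IP6T=echo) for a dry run.
apply_for_user() {
    case "$1" in
        *[!0-9]*) uid=$(id -u "$1") || return 1 ;;   # name: resolve to uid
        *)        uid="$1" ;;                        # already numeric
    esac
    rules_for_uid "$uid" | while read -r rule; do
        # word-splitting of $rule into separate arguments is intended here
        "${IPT:-iptables}" $rule
        "${IP6T:-ip6tables}" $rule
    done
}

# Typical use (run as root): create a throwaway account, confine it, then start
# programs under it with `runuser -u sandbox -- firefox` or similar.
#   useradd --system --shell /bin/sh sandbox && apply_for_user sandbox
```

Two limits of this approach that the one-liner does not mention. First, the owner match is available only in the OUTPUT and POSTROUTING chains, so these rules govern what the user's processes send; they do not stop packets arriving at sockets that user has opened, and blocking inbound traffic needs INPUT rules that cannot be tied to a uid. Second, the policy is per account, not per shell: every process running as that uid is affected, and anything the sandboxed user can run as another uid (setuid binaries, sudo) is outside it.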

v_cirill, 2016-02-25
@v_cirill

look at Linux Deploy CLI
meefik.ru
