forbid internet access to an application?

 
 
lucatrv (Guest)
05-26-2007, 03:02 PM
Hi, I'd like to ask if it's possible to restrict access to the internet to
an application (i.e. the list of files which belong to a package).
Under windows there are plenty of firewall programs, which make you decide
if an application should access the internet or not.
I looked on the internet and didn't find anything similar under linux. For what
I could understand, neither apparmor nor selinux can do that...

Thank you.




 
David M (Guest)
05-26-2007, 04:02 PM
On Sat, 26 May 2007 15:02:16 +0000, lucatrv rearranged some electrons to
form:

> Hi, I'd like to ask if it's possible to restrict access to the internet to
> an application (i.e. the list of files which belong to a package).
> Under windows there are plenty of firewall programs, which make you decide
> if an application should access the internet or not.
> I looked on the internet and didn't find anything similar under linux. For what
> I could understand, neither apparmor nor selinux can do that...
>
> Thank you.



man hosts.deny


--
David M (dmacchiarolo)
http://home.triad.rr.com/redsled
T/S 53
sled351 Linux 2.4.18-14 has been up 2 days 9:54

 
Michael Heiming (Guest)
05-26-2007, 05:54 PM
In comp.os.linux.networking David M <(E-Mail Removed)>:
> On Sat, 26 May 2007 15:02:16 +0000, lucatrv rearranged some electrons to
> form:


>> Hi, I'd like to ask if it's possible to restrict access to the internet to
>> an application (i.e. the list of files which belong to a package).
>> Under windows there are plenty of firewall programs, which make you decide
>> if an application should access the internet or not.
>> I looked on the internet and didn't find anything similar under linux. For what
>> I could understand, neither apparmor nor selinux can do that...
>>
>> Thank you.



> man hosts.deny


This is thought to restrict incoming connections, not outgoing. A
typical Linux installation isn't infested with spy and malware,
so there might not be demand for such an application?

Though one could run some cron job, checking for apps opening
outgoing connections and kill them if they can't be found in a
given file with allowed apps. I suppose it shouldn't take more
than 20 minutes to stick a halfway working script together.

If there is no such thing you want, consider writing your own
and put the source online, so others might use and perhaps
improve it.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 50: Change in Earth's rotational speed
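The allowlist check Michael sketches, written out as an added example (editor's code, not from anyone in this thread): a POSIX shell function that takes `ss -tnp` style output, ignores listening sockets, and reports every connected or connecting socket whose owning command is not on a space-separated allowlist. The sample `ss` lines, the allowlist and the `unknown_tool` name are constructed for the example, and the `ss -tnp` output layout is assumed. It reports rather than kills; what to do with a flagged pid is a policy choice for the cron job that wraps it.

```shell
#!/bin/sh
# Added example (not from the thread): report processes holding outbound TCP
# sockets whose command name is not on an allowlist. Input is "ss -tnp" style
# output; the sample below is constructed, not captured from a real host.

SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.10:45678 93.184.216.34:443 users:(("firefox",pid=1234,fd=56))
ESTAB 0 0 192.168.1.10:45690 198.51.100.7:8443 users:(("apt-get",pid=2201,fd=9))
SYN-SENT 0 1 192.168.1.10:45702 203.0.113.9:6667 users:(("unknown_tool",pid=2310,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))'

# Space-separated command names allowed to open outbound connections (assumed).
ALLOWED='firefox apt-get sshd'

# flag_unlisted SS_OUTPUT ALLOWLIST
# Prints "command pid peer" for every non-listening socket owned by a command
# that is not on the allowlist; prints nothing when everything is allowed.
flag_unlisted() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" { next }                       # inbound listeners are not the concern here
        match($0, /users:\(\("[^"]+",pid=[0-9]+/) {
            s = substr($0, RSTART, RLENGTH)           # users:(("cmd",pid=NNN
            sub(/^users:\(\("/, "", s)                # cmd",pid=NNN
            split(s, f, "\",pid=")
            if (!(f[1] in ok)) print f[1], f[2], $5
        }'
}

# Path of the executable the process was started from: more to go on than the
# short command name when deciding whether a flagged pid is really unexpected.
exe_of() { readlink "/proc/$1/exe" 2>/dev/null || echo '?'; }

# Run against the constructed sample; pass --live to check this host instead.
if [ "${1:-}" = "--live" ]; then
    flag_unlisted "$(ss -tnp)" "$ALLOWED" | while read -r cmd pid peer; do
        echo "$cmd ($pid, $(exe_of "$pid")) -> $peer"
    done
else
    flag_unlisted "$SAMPLE_SS" "$ALLOWED"
fi
```

On the sample input the only hit is `unknown_tool 2310 203.0.113.9:6667`. Note that the name `ss` reports is the process's short command name, so, as pointed out further down the thread, a binary started under another name will not match the allowlist entry for its original name; checking the executable path or inode is the stronger test.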
 
Allen Kistler (Guest)
05-26-2007, 07:24 PM
lucatrv wrote:
> Hi, I'd like to ask if it's possible to restrict access to the internet to
> an application (i.e. the list of files which belong to a package).
> Under windows there are plenty of firewall programs, which make you decide
> if an application should access the internet or not.
> I looked on the internet and didn't find anything similar under linux. For what
> I could understand, neither apparmor nor selinux can do that...


The netfilter owner module can accomplish this objective (according to
the man page, though I've never used it). The switch you want is
--cmd-owner; however, the man page also states that cmd matching is
broken on SMP machines. YMMV
 
Pascal Hambourg (Guest)
05-26-2007, 07:36 PM
Hello,

Allen Kistler wrote:
>
> The netfilter owner module can accomplish this objective (according to
> the man page, though I've never used it). The switch you want is
> --cmd-owner; however, the man page also states that cmd matching is
> broken on SMP machines.


Support for the --pid-owner, --sid-owner and --cmd-owner options has
been removed from kernel 2.6.14 and later versions.

[NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

Rip out cmd/sid/pid matching since its unfixable broken and stands in
the way of locking changes to tasklist_lock.
 
David M (Guest)
05-26-2007, 07:42 PM
On Sat, 26 May 2007 19:54:25 +0200, Michael Heiming rearranged some
electrons to form:

> In comp.os.linux.networking David M <(E-Mail Removed)>:
>> On Sat, 26 May 2007 15:02:16 +0000, lucatrv rearranged some electrons to
>> form:

>
>>> Hi, I'd like to ask if it's possible to restrict access to the internet to
>>> an application (i.e. the list of files which belong to a package).
>>> Under windows there are plenty of firewall programs, which make you decide
>>> if an application should access the internet or not.
>>> I looked on the internet and didn't find anything similar under linux. For what
>>> I could understand, neither apparmor nor selinux can do that...
>>>
>>> Thank you.

>
>
>> man hosts.deny

>
> This is thought to restrict incoming connections, not outgoing. A
> typical Linux installation isn't infested with spy and malware,
> so there might not be demand for such an application?
>
> Though one could run some cron job, checking for apps opening
> outgoing connections and kill them if they can't be found in a
> given file with allowed apps. I suppose it shouldn't take more
> than 20 minutes to stick a halfway working script together.
>
> If there is no such thing you want, consider writing your own
> and put the source online, so others might use and perhaps
> improve it.


I misread the OP, I thought he was trying to block incoming
connections. My mistake.


--
David M (dmacchiarolo)


 
Michael Heiming (Guest)
05-26-2007, 07:45 PM
In comp.os.linux.networking Allen Kistler <(E-Mail Removed)>:
> lucatrv wrote:
>> Hi, I'd like to ask if it's possible to restrict access to the internet to
>> an application (i.e. the list of files which belong to a package).
>> Under windows there are plenty of firewall programs, which make you decide
>> if an application should access the internet or not.
>> I looked on the internet and didn't find anything similar under linux. For what
>> I could understand, neither apparmor nor selinux can do that...


> The netfilter owner module can accomplish this objective (according to
> the man page, though I've never used it). The switch you want is
> --cmd-owner; however, the man page also states that cmd matching is
> broken on SMP machines. YMMV


Indeed, nice shot. I see other options I hadn't seen last time
checking the man page. Presuming the OP had done his homework, I
didn't bother to take a look before replying...

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 4: static from nylon underwear
 
Michael Heiming (Guest)
05-26-2007, 07:48 PM
In comp.os.linux.networking Pascal Hambourg <boite-a-(E-Mail Removed)>:
> Hello,


> Allen Kistler wrote:


>> The netfilter owner module can accomplish this objective (according to
>> the man page, though I've never used it). The switch you want is
>> --cmd-owner; however, the man page also states that cmd matching is
>> broken on SMP machines.


> Support for the --pid-owner, --sid-owner and --cmd-owner options has
> been removed from kernel 2.6.14 and later versions.


Interesting, seems my man page is broken and the OP is back to the
script I had already recommended. ;-)

> [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner


> Rip out cmd/sid/pid matching since its unfixable broken and stands in
> the way of locking changes to tasklist_lock.


--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 338: old inkjet cartridges emanate barium-based
fumes
 
Dave Uhring (Guest)
05-26-2007, 08:42 PM
On Sat, 26 May 2007 21:45:07 +0200, Michael Heiming wrote:

> Indeed, nice shot. I see other options I hadn't seen last time
> checking the man page. Presuming the OP had done his homework, I
> didn't bother to take a look before replying...


One should never make such assumptions regarding outhouse excess users

 
Unruh (Guest)
05-27-2007, 11:41 PM
Allen Kistler <(E-Mail Removed)> writes:

>lucatrv wrote:
>> Hi, I'd like to ask if it's possible to restrict access to the internet to
>> an application (i.e. the list of files which belong to a package).
>> Under windows there are plenty of firewall programs, which make you decide
>> if an application should access the internet or not.


That would of course be entirely trivial to evade. Just make a hard link to
the program with a different name.

It is like denying access to a building to anyone who says their name is John.
How long would that be effective?

If you told us which program you wanted to restrict, then we could perhaps
give better advice.

>> I looked on the internet and didn't find anything similar under linux. For what
>> I could understand, neither apparmor nor selinux can do that...


>The netfilter owner module can accomplish this objective (according to
>the man page, though I've never used it). The switch you want is
>--cmd-owner; however, the man page also states that cmd matching is
>broken on SMP machines. YMMV
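Allen's --cmd-owner switch was removed, as Pascal notes, and Unruh's point is that any match keyed on the program's name falls to a hard link under another name. The owner match's --uid-owner option, which matches on the user that owns the socket rather than on the command, is still part of iptables, and it is not affected by renaming: run the application under a dedicated unprivileged user and reject that user's outbound packets. The script below is an added example (editor's code, not from the thread); the chain name, the log prefix and the `appjail` user in the usage comment are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): block outbound traffic of one
# application by running it as a dedicated user and matching that UID with
# the iptables owner match. --uid-owner keys on the socket owner, so
# renaming or hard-linking the binary does not change the outcome.

# owner_rules UID
# Print the iptables commands for a numeric UID without running them.
owner_rules() {
    uid=$1
    case $uid in
        ''|*[!0-9]*) echo "owner_rules: numeric uid required" >&2; return 1 ;;
    esac
    chain="APP_OUT_$uid"                                   # chain name is this example's choice
    printf 'iptables -N %s\n' "$chain"
    # Only locally generated packets owned by this UID reach the custom chain.
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j %s\n' "$uid" "$chain"
    # Loopback stays usable (local IPC, a local proxy, an X socket).
    printf 'iptables -A %s -o lo -j ACCEPT\n' "$chain"
    # Log before rejecting so blocked attempts show up in the kernel log.
    printf 'iptables -A %s -j LOG --log-prefix "uid-%s-blocked: "\n' "$chain" "$uid"
    printf 'iptables -A %s -j REJECT\n' "$chain"
}

# apply_owner_rules UID
# Run the generated commands; needs root. Stops at the first failing rule.
apply_owner_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_owner_rules: run as root" >&2; return 1; }
    owner_rules "$1" | while IFS= read -r cmd; do sh -c "$cmd" || exit 1; done
}

# Usage (assumed user name): create an unprivileged account for the
# application, apply the rules, then start the application as that user:
#   useradd --system --shell /usr/sbin/nologin appjail
#   apply_owner_rules "$(id -u appjail)"
#   sudo -u appjail /path/to/application
if [ "${1:-}" = "--show" ]; then
    owner_rules "${2:-1500}"
fi
```

`owner_rules 1500 | head -n 1` gives `iptables -N APP_OUT_1500`; the rest of the output is the OUTPUT hook plus the accept, log and reject rules for that chain. The one caveat is the obvious one: the restriction follows the UID, so a process that can change user (or anything the application spawns via setuid helpers) steps outside it, which is the same property that makes it immune to the hard-link trick.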

 