Originally posted by SledgeHammer_999
You pretended there's no way on linux to block peculiar programs from the network, I just showed you three different approaches (PID-based rules, AppArmor/SELinux, or the container level in the case of container-based solutions).
I have researched them, but on that front (network blocking) the docs are limited.
Network Rules
AppArmor supports simple coarse grained network mediation. The network rule restricts all socket(2) based operations. The mediation done is a coarse grained check on whether a socket of a given type and family can be created, read, or written. There is no mediation based on port number or protocol beyond tcp, udp, and raw. Network netlink(7) rules may only specify type 'dgram' and 'raw'.
AppArmor network rules are accumulated so that the granted network permissions are the union of all the listed network rule permissions.
AppArmor network rules are broad and general and become more restrictive as further information is specified.
e.g.
network, #allow access to all networking
network tcp, #allow access to tcp
network inet tcp, #allow access to tcp only for inet4 addresses
network inet6 tcp, #allow access to tcp only for inet6 addresses
network netlink raw, #allow access to AF_NETLINK SOCK_RAW
SELinux:
I'm not a SELinux guy, but a quick Google search reveals that the current preferred method in SELinux is labelling
(i.e. iptables rules can use SECMARK to attach a label to a packet, and SELinux rules can then be used to control access for those packets).
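As an added illustration (not code from the original post, the AppArmor project or its man page): a small Python model of the accumulation rule quoted above, treating a profile's network lines as a union of grants, and extended with AppArmor's explicit `deny network` form, which takes precedence over allow rules and is what actually blocks a program. The profile fragment, the family/protocol word lists and the rule grammar are simplified assumptions for this model, not AppArmor's parser or kernel mediation code.

```python
"""Simplified model of AppArmor 'network' rule semantics (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed subsets of the families / protocols / socket types AppArmor knows.
FAMILIES = {"inet", "inet6", "netlink", "unix", "packet"}
PROTOCOLS = {"tcp", "udp", "raw"}          # the only protocols AppArmor distinguishes
TYPES = {"stream", "dgram", "raw", "seqpacket"}

# "network [family] [type|protocol]," with optional leading "deny" and trailing comment.
RULE_RE = re.compile(r"^\s*(deny\s+)?network((?:\s+\w+)*)\s*,\s*(?:#.*)?$")


@dataclass(frozen=True)
class NetRule:
    deny: bool
    family: Optional[str]   # None = any family
    proto: Optional[str]    # None = any type/protocol


def parse_rule(line: str) -> Optional[NetRule]:
    """Parse one 'network ...,' line; returns None for lines that are not network rules."""
    m = RULE_RE.match(line)
    if not m:
        return None
    words = m.group(2).split()
    family = next((w for w in words if w in FAMILIES), None)
    proto = next((w for w in words if w in PROTOCOLS or w in TYPES), None)
    return NetRule(deny=bool(m.group(1)), family=family, proto=proto)


def parse_profile(text: str) -> List[NetRule]:
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r]


def socket_allowed(rules: List[NetRule], family: str, proto: str) -> bool:
    """Union of allow rules, but any matching deny rule wins (AppArmor deny precedence)."""
    def matches(r: NetRule) -> bool:
        return r.family in (None, family) and r.proto in (None, proto)
    if any(r.deny and matches(r) for r in rules):
        return False
    return any(not r.deny and matches(r) for r in rules)


# Constructed sample profile fragment (not from the original post).
SAMPLE_PROFILE = """
network inet tcp,      # tcp over IPv4 only
network netlink raw,   # AF_NETLINK SOCK_RAW
deny network inet6,    # refuse every IPv6 socket regardless of other grants
capability net_raw,    # not a network rule; ignored by this model
"""
```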