
I have a Python script that accesses the network, and I want to deny it network access sometimes. How can I achieve this with SELinux or AppArmor? I want to be able to launch this specific script with restricted access.

Gilles 'SO- stop being evil'
scythargon

3 Answers


AppArmor has the ability to block network connections from applications. I've never done it myself, but you should look at the AppArmor community page and the network rules page for details on how to do it.

From the looks of it, the deny network directive should allow you to block all network access for an application.

Polynomial

If you have SELinux enabled, I was under the impression that the default action was to deny access, so what you want to do is to allow network access at times, right?

I suspect that you're going to have to do something like this answer on Server Fault, which contains SELinux configuration for a single process, httpd, and then combines that configuration with iptables to control the network access.

To add in the time aspect, there's a time module in iptables. Here's a link showing some real usage on another forum.

AppArmor has already been well-answered :)

Mark Hillick

An AppArmor profile for this case is:

profile nonetwork /path/to/exec {
  # Allow all rules...
  capability,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  dbus,
  unix,
  file,
  # ...but no network
  deny network,
  deny capability net_admin,
  deny capability net_bind_service,
  deny capability net_broadcast,
  deny capability net_raw,
}

Nowadays not all Linux distros support all of these features; for example, Debian 10 does not support the network, unix and dbus rules, so this profile will not work on such distros.

canondmajor
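The same idea as a runnable procedure, added here as an example and not code from any of the answers above: a small sh script that writes a named AppArmor profile, loads it, and launches the Python script under it with aa-exec, so the script loses network access only on the runs you start this way. The profile name nonetwork, the script path and the kernel log lines the check reads are assumptions; the profile deliberately has no attachment path, so it never applies to python3 runs started normally. It needs root, apparmor_parser and aa-exec (apparmor-utils), and a kernel with AppArmor enabled.

```sh
#!/bin/sh
# Added example: confine one run of a Python script with a named AppArmor profile.
# Assumptions: profile name "nonetwork", apparmor_parser and aa-exec installed,
# root for loading and running. Not taken from the answers above.
set -e

PROFILE_NAME="${PROFILE_NAME:-nonetwork}"
PROFILE_FILE="/etc/apparmor.d/${PROFILE_NAME}"

# Emit a profile with no attachment path: it is never applied automatically,
# only to processes explicitly started under it (aa-exec below), which is what
# "sometimes" means here. AppArmor deny rules override allow rules, so "file,"
# plus "deny network," keeps the filesystem open and refuses every socket family.
# Rule classes not mentioned (mount, ptrace, signals to other processes) stay at
# the default, denied, on kernels that mediate them.
gen_profile() {
  cat <<EOF
#include <tunables/global>

profile $1 {
  #include <abstractions/base>

  # The interpreter and the script may read, write and exec what they like ...
  file,

  # ... but socket(2) fails (EACCES, PermissionError in Python) for every
  # address family, and the capabilities that only matter for networking are
  # refused explicitly so the refusal shows up in the audit log.
  deny network,
  deny capability net_admin,
  deny capability net_bind_service,
  deny capability net_raw,
}
EOF
}

# Install or refresh the profile in the kernel (root).
load_profile() {
  gen_profile "$PROFILE_NAME" > "$PROFILE_FILE"
  apparmor_parser -r "$PROFILE_FILE"
}

# Start a command under the profile. Anything not started this way, including
# other python3 processes, stays unconfined.
run_confined() {
  aa-exec -p "$PROFILE_NAME" -- "$@"
}

# Do not trust a successful load: a parser or kernel that does not mediate a
# rule class may drop it silently. Probe with a one-line socket() call; if it
# succeeds, the deny is not being enforced.
check_blocked() {
  if run_confined python3 -c 'import socket; socket.socket()' 2>/dev/null; then
    echo "network NOT blocked: the network rule is not enforced on this kernel" >&2
    return 1
  fi
  echo "network blocked for profile $PROFILE_NAME"
}

# Count network denials the kernel logged for a profile (stdin: dmesg output,
# /var/log/kern.log or audit.log). Socket denials carry a family="..." field;
# file denials do not, so they are not counted.
count_net_denials() {
  grep -c "apparmor=\"DENIED\".*profile=\"$1\".*family=\"" || true
}

# Usage: sudo ./nonetwork.sh /path/to/script.py [args...]
if [ "$#" -gt 0 ]; then
  load_profile
  check_blocked
  run_confined python3 "$@"
  printf 'network denials logged for %s: ' "$PROFILE_NAME"
  dmesg | count_net_denials "$PROFILE_NAME"
fi
```

To stop confining the script, remove the profile with apparmor_parser -R /etc/apparmor.d/nonetwork; runs started without aa-exec were never confined in the first place, which is the point of using a named profile instead of one attached to /usr/bin/python3.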