firejail : only let a program access localhost

I have this local network service and this client program needing to access it. I am running them both as an unprivileged user.
I am looking for a way to sandbox the client using firejail, in a way that it cannot access the network, except for localhost (or even better, except for that service).
First thing I tried was of course
firejail --net=lo program
But it didn't work.
Error: cannot attach to lo device
I think I could work around it by creating a virtual network interface, for example veth0 and veth1,
moving veth1 to a new network namespace in which I'd run the service
and using firejail to restrain the client to veth0.
Is there a way to actually automate this setting in a firejail profile, so that all of these interfaces are created and veth1 is moved when I type
firejail server
(without having to run anything as root)?
Or is there a simpler way to solve this problem? (I cannot run both the client and the service in the same namespace, because the service needs to access the network)
networking namespace network-namespaces sandbox firejail
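An added example, not code from the question or from the firejail project, showing one way to get the effect asked for above: the sandboxed client can reach exactly one local service and nothing else. It differs from the veth0/veth1 plan in the question in one respect: the service stays in the host network namespace (so it keeps its normal network access), and firejail creates the sandbox's own veth pair when it is pointed at a bridge with --net=BRIDGE. Everything named here is assumed for the example: bridge fjbr0 with host address 10.200.0.1/24, sandbox address 10.200.0.2, service on TCP port 8080, and /tmp/only-service.net as the path of the generated netfilter file. It also assumes the service listens on the bridge address (10.200.0.1) and not only on 127.0.0.1, since the sandbox has its own loopback. Creating the bridge and installing the host firewall rules needs CAP_NET_ADMIN, so the up and down actions are meant to be run with sudo once; the firejail command itself runs as the unprivileged user. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original question): confine a firejail-sandboxed
# client to a single local TCP service. Names, addresses and the rules path are
# hypothetical values chosen for this example.
set -u

BR=${BR:-fjbr0}                        # bridge firejail attaches the sandbox to
HOST_IP=${HOST_IP:-10.200.0.1}         # host (service) address on the bridge
SANDBOX_IP=${SANDBOX_IP:-10.200.0.2}   # address given to the sandbox
PORT=${PORT:-8080}                     # the one service port the client may reach
RULES=${RULES:-/tmp/only-service.net}  # assumed path for the per-sandbox rules

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules in iptables-restore format, loaded inside the sandbox by firejail's
# --netfilter=FILE: default drop, loopback allowed, one TCP destination allowed.
netfilter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -d $HOST_IP --dport $PORT -j ACCEPT
-A INPUT -p tcp -s $HOST_IP --sport $PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Host side (needs CAP_NET_ADMIN): the bridge plus host rules that enforce the
# restriction independently of whatever runs inside the sandbox.
up() {
    run ip link add "$BR" type bridge
    run ip addr add "$HOST_IP/24" dev "$BR"
    run ip link set "$BR" up
    run iptables -I INPUT -i "$BR" -p tcp -d "$HOST_IP" --dport "$PORT" -j ACCEPT
    run iptables -I INPUT 2 -i "$BR" -j DROP
    run iptables -I FORWARD -i "$BR" -j DROP
}

# Undo up() in reverse order.
down() {
    run iptables -D FORWARD -i "$BR" -j DROP
    run iptables -D INPUT -i "$BR" -j DROP
    run iptables -D INPUT -i "$BR" -p tcp -d "$HOST_IP" --dport "$PORT" -j ACCEPT
    run ip link del "$BR"
}

# Unprivileged: run the client in a new network namespace that firejail
# attaches to the bridge, with a fixed address and the per-sandbox firewall.
client() {
    netfilter_rules > "$RULES"
    run firejail --net="$BR" --ip="$SANDBOX_IP" --netfilter="$RULES" "$@"
}

main() {
    case "${1:-}" in
        up) up ;;
        down) down ;;
        rules) netfilter_rules ;;
        client) shift; client "$@" ;;
        *) printf 'usage: %s up|down|rules|client PROGRAM [ARGS...]\n' "$0" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The host-side INPUT and FORWARD rules are the part that actually holds: they sit outside the sandbox's namespace, so a process inside cannot remove them, whereas the in-sandbox netfilter file is defence in depth (adding --caps.drop=all to the firejail command keeps the sandboxed program from editing its own rules as well). This does not remove the need for root entirely: the one-time bridge setup still needs it, which matches the "cannot attach to lo device" failure in the question, since the loopback device is not something firejail can put a veth on.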
asked 17 mins ago
Nephanth