From owner-freebsd-hackers@FreeBSD.ORG Tue Jul 11 14:27:41 2006
X-Original-To: freebsd-hackers@FreeBSD.ORG
Delivered-To: freebsd-hackers@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 55BA416A4DE; Tue, 11 Jul 2006 14:27:41 +0000 (UTC) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9664843D6B; Tue, 11 Jul 2006 14:27:40 +0000 (GMT) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (lmrwvm@localhost [127.0.0.1]) by lurza.secnetix.de (8.13.4/8.13.4) with ESMTP id k6BERTXY079209; Tue, 11 Jul 2006 16:27:39 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de)
Received: (from olli@localhost) by lurza.secnetix.de (8.13.4/8.13.1/Submit) id k6BERTNc079208; Tue, 11 Jul 2006 16:27:29 +0200 (CEST) (envelope-from olli)
Date: Tue, 11 Jul 2006 16:27:29 +0200 (CEST)
Message-Id: <200607111427.k6BERTNc079208@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-hackers@FreeBSD.ORG, artifact.one@googlemail.com
In-Reply-To: <8e96a0b90607031009v4ec2630fgfc432f5dad15abda@mail.gmail.com>
X-Newsgroups: list.freebsd-hackers
User-Agent: tin/1.8.0-20051224 ("Ronay") (UNIX) (FreeBSD/4.11-STABLE (i386))
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.1.2 (lurza.secnetix.de [127.0.0.1]); Tue, 11 Jul 2006 16:27:39 +0200 (CEST)
X-Mailman-Approved-At: Tue, 11 Jul 2006 14:30:09 +0000
Subject: Re: Stop further socket() or connect() calls.
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Tue, 11 Jul 2006 14:27:41 -0000

mal content wrote:
> I was looking for a way to write a small wrapper program
> that disables network access and then exec()'s a given
> program.
Sorry for the late reply, but ...

The easiest way to do what you described is to run the program in a jail which has a jail IP that doesn't exist and isn't routed. Then the program cannot perform any network access. For example:

    jail / foo 127.0.0.2 /your/program

All attempts to access the network should result in an error "no route to host" (errno EHOSTUNREACH).

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.

C++: "an octopus made by nailing extra legs onto a dog" -- Steve Taylor, 1998
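The wrapper the original poster asked for, built on the jail approach from the reply above, as an added example (not code from the mail or from the FreeBSD project). It is a POSIX sh script that validates the chosen jail address before handing off to jail(8): the address must be a dotted quad inside 127/8 other than 127.0.0.1, and it must not be configured on any interface on the host (if it were, the jailed program could reach host services listening on it). The script name `nonet`, the helper function names, the environment variables `NONET_ROOT`, `NONET_HOST`, `NONET_IP` and the default hostname `nonet` are assumptions of this example; the default address 127.0.0.2 and the `jail / foo 127.0.0.2 /your/program` shape come from the mail. jail(8) itself needs root and a FreeBSD host.

```shell
#!/bin/sh
# nonet: run a program with no usable network by starting it in a FreeBSD
# jail whose IP address is not assigned to any interface and not routed.
# Added example for this thread, not code from the original mail.
# Assumed names (not from the mail): the NONET_* variables, the helper
# functions below and the default hostname "nonet".

NONET_ROOT="${NONET_ROOT:-/}"          # jail root directory (the mail uses /)
NONET_HOST="${NONET_HOST:-nonet}"      # jail hostname (the mail uses foo)
NONET_IP="${NONET_IP:-127.0.0.2}"      # unroutable jail IP (as in the mail)

# Accept only a dotted quad inside 127/8 other than 127.0.0.1, so the jail
# is not given the host's real loopback address or a real network address.
nonet_check_ip() {
    ip=$1
    case $ip in
        127.0.0.1) return 1 ;;
        127.*.*.*) ;;
        *) return 1 ;;
    esac
    # split on "." and require exactly four numeric octets in 0..255
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Build the exact jail(8) command line that will be exec'ed, so it can be
# logged and inspected before anything runs.
nonet_build_cmd() {
    root=$1; host=$2; ip=$3; shift 3
    printf 'jail %s %s %s' "$root" "$host" "$ip"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

nonet_main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "nonet: jail(8) requires root" >&2; exit 1
    fi
    if ! nonet_check_ip "$NONET_IP"; then
        echo "nonet: refusing to use $NONET_IP as jail address" >&2; exit 1
    fi
    # If the address is configured on an interface, host services bound to
    # it (or to INADDR_ANY) would be reachable from inside the jail.
    if ifconfig 2>/dev/null | grep -q "inet $NONET_IP "; then
        echo "nonet: $NONET_IP is configured on an interface; pick another" >&2; exit 1
    fi
    echo "nonet: $(nonet_build_cmd "$NONET_ROOT" "$NONET_HOST" "$NONET_IP" "$@")" >&2
    exec jail "$NONET_ROOT" "$NONET_HOST" "$NONET_IP" "$@"
}

# Usage: nonet /your/program [args...]
if [ $# -gt 0 ]; then
    nonet_main "$@"
fi
```

Run as root on a FreeBSD host, `nonet /your/program` logs the jail(8) command line it is about to run and then replaces itself with it, so the jailed program's exit status is the wrapper's exit status.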