

Disabling Internet for specific processes with libfiu - lamby
https://chris-lamb.co.uk/posts/disabling-internet-specific-processes-libfiu

======
yourad_io
Thanks for the tip.

Just FYI - the Ubuntu repo is way outdated on this one - 0.14 vs 0.92. The
syntax is also different:

    $ fiu-run -x -e 'posix/io/*' curl google.com
    curl: (6) Couldn't resolve host 'google.com'

(instead of -c 'enable name=posix/io/*')

~~~
lamby
> instead of -c 'enable name=posix/io/*'

Thanks! Although you probably don't want io/* :)

~~~
yourad_io
I intended to block io functions :) And the /* seems mandatory in 0.14:

    $ fiu-run -x -e 'posix' ls | wc -l
    37
    $ fiu-run -x -e 'posix/*' ls | wc -l
    ls: cannot open directory .: Too many open files in system
    0

I like the probability switch as well - 10% chance of each op failing in a dir
with 10 files:

    $ fiu-run -x -e 'posix/*' -p 10 ls
    1  10  2  3  4	5  6  7  8  9
    $ fiu-run -x -e 'posix/*' -p 10 ls
    1  10  2  3  4	5  6  7  8  9
    $ fiu-run -x -e 'posix/*' -p 10 ls
    ls: reading directory .: Bad file descriptor
    1
    $ fiu-run -x -e 'posix/*' -p 10 ls
    ls: reading directory .: Bad file descriptor

(edit: you don't need my hostname)
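The `-e 'glob'` / `-p N` behaviour discussed in this comment (a glob selecting failure points, each call failing with a given probability, and `posix` alone matching nothing while `posix/*` matches everything), as an added example that is not part of the thread and is not libfiu's code or API. It is a small pure-Python fault injector: the `FaultInjector` class, the `fake_open`/`fake_read` "syscalls", the in-memory `FAKE_FILES` dictionary and the two readers are all constructed for this illustration. The point it adds is what a practitioner uses fault injection for: contrasting a reader that propagates every injected error with one that bounds its retries, under reproducible (seeded) injection.

```python
# Added illustration of the fiu-run -e / -p idea in plain Python.
# It is NOT libfiu and does not use its API: the FaultInjector class,
# the fake_open/fake_read "syscalls" and the in-memory FAKE_FILES are
# all constructed for this example.
import fnmatch
import random
from functools import wraps


class FaultInjector:
    """Registers failure points by name and decides, per call, whether
    they should fail, the way fiu-run -e 'glob' -p N does for libfiu."""

    def __init__(self, seed=0):
        self.reset(seed)

    def reset(self, seed=0):
        self.rng = random.Random(seed)   # seeded so a campaign is reproducible
        self.rules = []                  # (glob, probability in %, message)

    def enable(self, glob, probability=100, message="injected failure"):
        self.rules.append((glob, probability, message))

    def disable(self, glob):
        self.rules = [r for r in self.rules if r[0] != glob]

    def should_fail(self, point):
        # As observed with fiu, the glob must cover the whole point name:
        # 'posix' alone matches nothing, 'posix/*' matches every posix/ point.
        for glob, prob, msg in self.rules:
            if fnmatch.fnmatchcase(point, glob) and self.rng.randint(1, 100) <= prob:
                return OSError(msg)
        return None

    def point(self, name):
        """Decorator that turns a function into a named failure point."""
        def deco(fn):
            @wraps(fn)
            def wrapper(*args, **kwargs):
                exc = self.should_fail(name)
                if exc is not None:
                    raise exc
                return fn(*args, **kwargs)
            return wrapper
        return deco


fiu = FaultInjector()

# Constructed in-memory "filesystem" standing in for real files.
FAKE_FILES = {"config": "a=1\n", "data": "payload"}


@fiu.point("posix/io/open")
def fake_open(name):
    """Stand-in for open(2): returns a handle (here, just the name)."""
    return name


@fiu.point("posix/io/read")
def fake_read(handle):
    """Stand-in for read(2)."""
    return FAKE_FILES[handle]


def naive_read(name):
    """Reads once; any injected failure propagates to the caller."""
    return fake_read(fake_open(name))


def resilient_read(name, attempts=3):
    """Retries transient I/O errors a bounded number of times."""
    last = None
    for _ in range(attempts):
        try:
            return fake_read(fake_open(name))
        except OSError as exc:
            last = exc
    raise RuntimeError(f"gave up after {attempts} attempts") from last


def run_campaign(glob, probability, reader, trials=50, seed=1):
    """Runs `reader` under one injection rule; returns (ok, failed) counts."""
    fiu.reset(seed)
    fiu.enable(glob, probability)
    ok = failed = 0
    for _ in range(trials):
        try:
            reader("config")
            ok += 1
        except (OSError, RuntimeError):
            failed += 1
    fiu.reset()  # drop the rule again so later code runs unaffected
    return ok, failed


if __name__ == "__main__":
    for prob in (0, 10, 100):
        print(prob, run_campaign("posix/*", prob, naive_read),
              run_campaign("posix/*", prob, resilient_read))
```

With `-p 100` both readers fail on every call, which is the right outcome for a bounded retry loop: it must not spin forever when the fault is permanent. With `-p 10` the naive reader loses roughly one call in five (two failure points per call), while the retrying reader loses almost none; the seed makes each campaign repeatable, which is what you want when a failing run needs to be reproduced.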

~~~
yourad_io
The more I play with this, the more I like it. There's some potential for
mischief here as well:

    $ sudo su
    $ killall sshd
    $ fiu-run -x -f "/tmp/sshctrl" $( which sshd )
    $ ps aux | grep sshd
    root      5177  0.0  0.0  56272  1256 ?        Ss   14:45   0:00 /usr/sbin/sshd

nothing visibly wrong in ps output

    $ ssh root@localhost
    The authenticity of host 'localhost (127.0.0.1)' can't be established. (...)

works, we haven't messed with it yet

    $ fiu-ctrl -e 'posix/*' /tmp/sshctrl-$(pgrep sshd)
    $ ssh root@localhost

hangs; sshd process stays at 100% until it is killed or gets posix/*
functionality back

