2024-10-21

Interested in running a program without net access, without the more obvious but long-winded methods such as making a special user-id to run it as and blocking this user by iptables or its successor whose name eludes me just now.

Thanks to https://unix.stackexchange.com/questions/252714/is-it-possible-to-run-unshare-n-program-as-an-unprivileged-user

$ unshare -n ping gnu
unshare: unshare failed: Operation not permitted

$ unshare -r -n ping gnu
ping: connect: Network is unreachable

[the -r affects privilege at the time of making the change of available namespace ... don't really get, but it works]

$ unshare -r -n echo hi
hi

A supposedly higher-level command, 'bubblewrap'

$ bwrap --bind / / --dev /dev --unshare-net -- echo hi
hi
$ bwrap --bind / / --dev /dev --unshare-net -- ping gnu
$ bwrap --bind / / --dev /dev --unshare-net -- date
Mon 21 Oct 01:02:46 CEST 2024
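
An added example, not part of the original note: a small wrapper around the unshare and bwrap commands above that checks the new namespace really has only a loopback interface before running the program, and refuses to run it otherwise. The names nonet, only_loopback and NONET_AWK, and the exit code 125, are assumptions of this example.

```shell
#!/bin/sh
# Added example: run a command with no network, and fail closed (exit 125)
# if a network namespace cannot be created or does not look isolated.
# Usage once the functions are loaded:  nonet ping gnu

# awk program: in /proc/net/dev-format text, skip the two header lines and
# succeed only if exactly one interface is listed and it is "lo".
NONET_AWK='NR > 2 { gsub(/[ \t]/, "", $1); n++; if ($1 != "lo") bad = 1 }
END { exit ((n == 1 && !bad) ? 0 : 1) }'

# only_loopback: apply the check to text on stdin.
only_loopback() { awk -F: "$NONET_AWK"; }

# nonet CMD [ARGS...]
nonet() {
    [ "$#" -gt 0 ] || { echo "usage: nonet CMD [ARGS...]" >&2; return 125; }
    # Runs inside the new namespace: check /proc/net/dev, then exec CMD.
    _nonet_inner='awk -F: "$NONET_AWK" </proc/net/dev || exit 125; exec "$@"'
    export NONET_AWK
    # -r creates a user namespace first, where the caller is mapped to root
    # and so may create the network namespace; CMD sees itself as uid 0.
    if unshare -r -n true 2>/dev/null; then
        unshare -r -n sh -c "$_nonet_inner" nonet "$@"
    elif bwrap --bind / / --dev /dev --unshare-net -- true 2>/dev/null; then
        bwrap --bind / / --dev /dev --unshare-net -- sh -c "$_nonet_inner" nonet "$@"
    else
        echo "nonet: cannot create a network namespace, not running $1" >&2
        return 125
    fi
}
```

Only the network namespace changes: the program keeps the caller's filesystem access, and under unshare -r any files it creates are still owned by the real user outside the namespace.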