Limiting a process' network access on Linux?

HFLW asked:

I’ve been researching how to sandbox processes, and I came across cgroups, which looked promising. I’m not super interested in using virtualization or strace for this, since I want programs to run as fast as possible. I’m also aware of SELinux/AppArmor but I’m looking for something that doesn’t require kernel patching if possible.

I know cgroups can be used to limit cpu/mem usage and filesystem access, but can it be used to prevent a process from either opening sockets, or binding to ports? Or, is there something I could use in conjunction with cgroups to limit network access? Being able to limit each separately would be awesome.

Thanks again!

My answer:

You can set up iptables rules which match a UID/GID, or a range of UIDs/GIDs. Use the --uid-owner and --gid-owner options to select the UIDs/GIDs to match against, then run your process under one of those user accounts.

Such rules should be in the OUTPUT or POSTROUTING chains.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.