eatmynetwork is a small script for running programs with (minimal) network sandboxing.
$ eatmynetwork ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Operation not permitted
Network connectivity sneaks its way into programs — many things that shouldn't need network access do, and fail in surprising ways when a network connection isn't available.
eatmynetwork makes it easy to quickly determine how a program behaves when it doesn't have network access, without actually having to turn off your host's network adapter(s). This makes it useful for:
- Resiliency testing: ensuring that a program that shouldn't require network access handles the lack of access gracefully
- Unit testing: ensuring that network access does not creep into idempotent and offline-only unit tests and, separately, ensuring that online unit tests are correctly marked and filtered when testing offline
Under the hood, all eatmynetwork does is wrap a handful of platform-specific network isolation techniques: on macOS it uses sandbox-exec, and on Linux it tries a handful of different network namespace management tools.
Importantly, eatmynetwork does not provide a security boundary: it does not guarantee that a motivated or malicious process can't access the network, only that ordinary ("honest") programs will think that they're offline. If you need strong isolation, you need another tool.
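On Linux, a test harness can confirm that the namespace isolation took effect before it trusts an "offline" result: a fresh network namespace contains only the loopback interface. The following is an added example, not part of eatmynetwork; the function names and sample data are constructed for illustration, and it assumes the namespace tool in use leaves only lo visible in /proc/net/dev.

```sh
#!/bin/sh
# Added example (not eatmynetwork's own code): Linux-only check that the
# current process sees no network interface other than loopback.

# non_loopback_ifaces FILE
# Print every interface name except "lo" from a file in /proc/net/dev format.
non_loopback_ifaces() {
    # Lines 1-2 are column headers; later lines look like "  name: counters...".
    awk 'NR > 2 {
        sub(/^[ \t]+/, "")
        split($0, parts, ":")
        if (parts[1] != "" && parts[1] != "lo") print parts[1]
    }' "$1"
}

# looks_offline [FILE]
# Exit 0 when FILE (default: /proc/net/dev) lists no interface but "lo".
looks_offline() {
    [ -z "$(non_loopback_ifaces "${1:-/proc/net/dev}")" ]
}

# Constructed sample: what a fresh network namespace reports.
sample_isolated() {
    cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
EOF
}

# Constructed sample: a host namespace that still has a real adapter.
sample_host() {
    sample_isolated
    echo "  eth0:    1234      10    0    0    0     0          0         0     5678      12    0    0    0     0       0          0"
}
```

Sourced at the start of a test runner that was launched under eatmynetwork, looks_offline lets the runner fail early if it was started without the wrapper. It only reports what the process can see and is not a check of isolation strength.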
eatmynetwork is a POSIX sh script, and should work correctly on modern Linux and macOS installations.
To install it, just copy it wherever you need it:
$ git clone https://github.com/trailofbits/eatmynetwork && cd eatmynetwork
$ cp ./eatmynetwork /some/bin/dir/
There's also a manual page that you can copy.
Run a command:
$ eatmynetwork ls
Run a command, with arguments:
$ eatmynetwork curl https://example.com
Do some debug logging while running:
$ DEBUG=1 eatmynetwork ssh example.com
In general, prefixing any command with eatmynetwork should run the command exactly the same, just without network access. There are no behavior-modifying flags or options.
eatmynetwork is licensed under the terms of the Apache-2.0 License.