#!/bin/sh
# eatmynetwork: run a program with (minimal) network sandboxing
#
# Usage: eatmynetwork <command> [arg ...]
#
# This is a program testing tool, NOT a security tool; you should not use it to
# provide strong network sandboxing or isolation. Instead, you should use it
# to test whether *trusted code* behaves correctly (including degrading
# gracefully) in the absence of a network connection.
# Abort the script as soon as an unchecked command fails.
set -e

# Version string printed by the --version / -V flag.
VERSION='1.0.0'
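# installed: report whether a command can be resolved by the shell.
#
# Arguments: $1 - command name to look up
# Outputs:   nothing
# Returns:   0 if `command -v` resolves the name, non-zero otherwise
#
# `command -v` prints the resolved path on stdout. That output is discarded
# here so it cannot be mixed into the stdout of the wrapped program; callers
# in this file only use the exit status.
#
# The lookup goes through the caller's PATH, so the first matching name on
# PATH is the one reported as present.
installed() {
  command -v "${1}" >/dev/null
}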
# dbg: emit a "[+] "-prefixed trace line on stderr when DEBUG is non-empty.
#
# Arguments: $1 - message text
# Returns:   always 0, so a disabled trace never trips `set -e`
dbg() {
  if [ -n "${DEBUG}" ]; then
    echo "[+] ${1}" >&2
  fi
  return 0
}
# err: write a "[!] "-prefixed message to stderr.
#
# Arguments: $1 - message text
# Returns:   always 0
err() {
  echo "[!] ${1}" 1>&2
  return 0
}
# die: report a fatal error through err() and terminate the script.
#
# Arguments: $1 - message text
# Exits:     status 1 (never returns to the caller)
die() {
  err "${1}"

  exit 1
}
# _do_linux_bwrap: run the given command under bubblewrap with its own
# network namespace.
#
# Arguments: $@ - command and arguments to run
# Returns:   exit status of bwrap
#
# `--dev-bind / /` binds the whole host filesystem, device nodes included,
# into the sandbox, so only the network is cut off. The wrapped program keeps
# the invoking user's access to every file. That matches the tool's stated
# purpose (testing trusted code), not isolation of untrusted code.
_do_linux_bwrap() {
  dbg "_do_linux_bwrap"

  # Prepend the bwrap options to the caller's command line.
  set -- --dev-bind / / --unshare-net "${@}"
  bwrap "${@}"
}
# _do_linux_unshare: run the given command in a new network namespace
# created by unshare(1).
#
# Arguments: $@ - command and arguments to run
# Returns:   exit status of unshare
#
# `--map-root-user` maps the invoking user to UID/GID 0 inside a new user
# namespace, which is what lets `--net` work without real root. A side effect
# is that the wrapped program sees itself as root, so code under test that
# branches on the effective UID may behave differently than it does outside
# the wrapper.
_do_linux_unshare() {
  dbg "_do_linux_unshare"

  # Prepend the unshare options to the caller's command line.
  set -- --map-root-user --net "${@}"
  unshare "${@}"
}
# _do_linux: choose a Linux sandboxing backend and run the command under it.
#
# Arguments: $@ - command and arguments to run
# Returns:   exit status of the selected backend; exits via die() when no
#            backend is found
#
# Backends, in order of decreasing preference:
#   * unshare (rootless)
#   * bwrap (rootless)
#
# Others would probably work too (`ip netns exec`?), but they are not
# implemented yet.
#
# NOTE(review): selection is by presence on PATH only. If unshare is installed
# but fails at run time (for example because unprivileged user namespaces are
# disabled on the host; confirm), there is no fallback to bwrap.
_do_linux() {
  dbg "_do_linux"

  if installed unshare; then
    _do_linux_unshare "${@}"
    return
  fi

  if installed bwrap; then
    _do_linux_bwrap "${@}"
    return
  fi

  die "No network sandboxing techniques discovered."
}
# _do_macos: run the command under sandbox-exec with a profile that allows
# everything except network operations.
#
# Arguments: $@ - command and arguments to run
# Globals:   profile (written) - the inline sandbox profile text
# Returns:   exit status of sandbox-exec
#
# macOS ships a built-in profile named no-network that could be used here, but
# recent versions warn that it is insecure. That is accurate and does not
# matter for this tool, whose boundary is for testing rather than security.
# Rather than working around the warning, the core of the built-in profile is
# reproduced inline.
#
# The profile is allow-by-default: filesystem, process and IPC access are all
# left open, and only `network*` operations are denied.
_do_macos() {
  dbg "_do_macos"

  # Single-quoted so the profile text is passed through literally.
  profile='
(version 1)
(allow default)
(deny network*)
'

  sandbox-exec -p "${profile}" "${@}"
}
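# Entry point: handle the informational flags, then dispatch on the host OS.
#
# Exit status:
#   * no command given      -> usage on stderr, exit 1
#   * --help / -h           -> usage on stderr, exit 0
#   * --version / -V        -> version on stderr, exit 0
#   * unsupported host      -> error on stderr, exit 1
#   * otherwise             -> exit status of the sandboxing backend
#
# A bare invocation is treated as an error rather than a success. If a test
# job calls this wrapper with an empty command (for example an unset variable
# in a CI step), exiting 0 would report a pass even though nothing ran.

# usage: print the usage banner to stderr.
usage() {
  >&2 echo "Usage: eatmynetwork <command> [arg ...]"
  >&2 echo "Example: eatmynetwork ping 8.8.8.8"
}

if [ "${#}" -eq 0 ]; then
  usage
  exit 1
fi

case "${1}" in
  --help | -h)
    usage
    exit 0
    ;;
  --version | -V)
    >&2 echo "eatmynetwork version ${VERSION}"
    exit 0
    ;;
esac

# Pick the backend from the kernel name reported by uname.
system=$(uname -s)

case "${system}" in
  Linux)
    _do_linux "${@}"
    ;;
  Darwin)
    _do_macos "${@}"
    ;;
  *)
    err "Fatal: Unsupported host: ${system}"
    err "Help us out by adding support for your platform!"
    exit 1
    ;;
esac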