Simple Linux Shared Object to Drop Network Access

dropnet is a simple shared object that, when loaded into a process, will drop the ability for that process and all its children to create network sockets.

I use dropnet as part of my build system to constrain all the downloading when building packages to be done as part of the "download" phase, and if network access is attempted during the "build" phase it fails. This helps to ensure that network resources do not affect the build results, which aids in reproducible builds.

One side effect of the implementation is that the current process and its children can no longer gain setuid privileges or additional capabilities, so after loading this shared object you cannot use things like "sudo" or "su".

dropnet still permits UNIX domain sockets, which are often needed for normal system operation.

Example:

$ curl https://google.com/
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
$ enable -f ./dropnet.so dropnet
$ curl http://1.1.1.1/
curl: (7) Couldn't connect to server
$ curl https://google.com/
curl: (6) Could not resolve host: google.com
$ sudo id
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
$
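
The page does not show how dropnet is implemented. One way to get the behaviour described above on Linux is a seccomp-BPF filter on socket(2), sketched here as an added example that is not dropnet's source. The name drop_network, the EACCES error value and the x86_64/aarch64 restriction are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "this sketch only covers x86_64 and aarch64"
#endif
#define OFF(f) offsetof(struct seccomp_data, f)

/* Hypothetical helper (not dropnet's API): 0 on success, -1 with errno set. */
int drop_network(void)
{
    struct sock_filter prog[] = {
        /* 0-1: syscalls made through a foreign ABI are killed (insn 9). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 7),
        /* 2-4: same for x32 numbers; non-socket syscalls are allowed (insn 8). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000u, 5, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
        /* 5-7: socket(domain, ...): AF_UNIX passes, other families get EACCES. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };

    /* An unprivileged process must set no_new_privs before installing a
     * filter; from then on setuid bits and file capabilities grant nothing. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
```

The filter is inherited across fork and execve and cannot be removed. Sockets opened before it is installed stay usable, and io_uring can create sockets without calling socket(2), so a stricter sandbox would also deny io_uring_setup.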