I saw the notes about blocking networking on the advanced wine user information
wiki
(http://wiki.jswindle.com/index.php/Advanced_Wine_User_Information#Blocking_Network_access_to_Software_running_on_Wine)
and I thought I'd try to come up with something a bit easier than running
the application as a particular user:
(add the "nonet" group)
Code:
# groupadd nonet
(setup the iptables rule)
Code:
# iptables -I OUTPUT -m owner --gid-owner nonet -j REJECT --reject-with icmp-net-unreachable
(create nonet.c)
Code:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <grp.h>
#include <unistd.h>
#include <errno.h>
/* group whose sockets the iptables rule rejects; override with -DNONET_GROUP=...
   (renamed from _NONET_GROUP: a leading underscore plus capital is reserved in C) */
#ifndef NONET_GROUP
#define NONET_GROUP "nonet"
#endif
int main(int argc, char *argv[])
{
  struct group *gr;
  if (argc <= 1)  {
    fprintf(stderr, "Usage: %s command [ arg ... ]\n", argv[0]);
    exit(1);
  }
  /* getgrnam() returns NULL with errno untouched when the group simply does
     not exist, so reset errno to tell that apart from a real lookup error */
  errno = 0;
  if (!(gr = getgrnam(NONET_GROUP))) {
    if (errno)
      perror("getgrnam");
    else
      fprintf(stderr, "getgrnam: group '%s' not found\n", NONET_GROUP);
    exit(1);
  }
  /* still root here (setuid binary): as root, setgid() changes the real,
     effective and saved gid, so the command cannot switch back later */
  if (setgid(gr->gr_gid) == -1) {
    perror("setgid");
    exit(1);
  }
  /* now give up root for good: real, effective and saved uid all become the
     caller's uid. Supplementary groups (audio, video, ...) are kept on purpose. */
  if (setuid(getuid()) == -1) {
    perror("setuid");
    exit(1);
  }
  argv++;
  argc--;
  /* execvp() only returns if it failed */
  if (execvp(*argv, argv) == -1) {
    perror("execvp");
    exit(1);
  }
  exit(0); /* not reached */
}
(compile and make setuid, limit execution to staff group)
Code:
# gcc -o nonet nonet.c ; chown root:staff nonet ; chmod 4750 nonet
(run application)
Code:
# nonet wine some.exe
It seems to work alright. I can nonet bash and not ping or connect anywhere, and
the same goes for Steam. Since Steam is the only game(-related application) I
need networking for, I made this the default in my wine wrapper script. Any
thoughts?
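Added example (editor's code, not the poster's): the same wrapper with the privilege drop factored into checkable functions, plus a self-check before exec that the process can no longer regain root or gid 0. The group name "nonet" and the assumption that the binary is installed setuid root like the original are carried over from the post; everything else here is illustrative.

```c
/* Added example: nonet wrapper that verifies its own privilege drop.
 * Assumes the "nonet" group exists and the binary is setuid root. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Look up a group by name. Returns 0 and stores the gid, or -1 if the group
 * is missing or the lookup failed. getgrnam() leaves errno at 0 when the
 * group merely does not exist, so errno is reset first to tell the cases apart. */
int group_gid(const char *name, gid_t *out)
{
    errno = 0;
    struct group *gr = getgrnam(name);
    if (!gr) {
        if (errno == 0)
            fprintf(stderr, "group '%s' does not exist\n", name);
        else
            perror("getgrnam");
        return -1;
    }
    *out = gr->gr_gid;
    return 0;
}

/* 1 if real and effective uid/gid equal the expected values, else 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* 1 if the kernel refuses both setuid(0) and setgid(0) with EPERM, i.e. no
 * saved id is left to climb back with. Only meaningful when uid is not 0. */
int cannot_regain_root(void)
{
    int uid_refused = (setuid(0) == -1 && errno == EPERM);
    int gid_refused = (setgid(0) == -1 && errno == EPERM);
    return uid_refused && gid_refused;
}

/* Drop from setuid-root to (caller's uid, target gid). Order matters: the
 * gid must change while still root, then the uid. Supplementary groups are
 * deliberately kept so device groups such as audio/video keep working. */
int drop_to_group(gid_t gid)
{
    if (setgid(gid) == -1) { perror("setgid"); return -1; }
    if (setuid(getuid()) == -1) { perror("setuid"); return -1; }
    if (!privileges_dropped(getuid(), gid)) {
        fprintf(stderr, "uid/gid not what was expected after drop\n");
        return -1;
    }
    if (getuid() != 0 && !cannot_regain_root()) {
        fprintf(stderr, "could still regain root after drop, refusing to exec\n");
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    gid_t gid;
    if (argc <= 1) {
        fprintf(stderr, "Usage: %s command [ arg ... ]\n", argv[0]);
        return 1;
    }
    if (group_gid("nonet", &gid) == -1 || drop_to_group(gid) == -1)
        return 1;
    execvp(argv[1], argv + 1);
    perror("execvp");           /* execvp() only returns on failure */
    return 1;
}
```

A quick check after installing it is `nonet id`, which should report the caller's uid with gid nonet and the usual supplementary groups still present. Note that the iptables rule in the post only covers IPv4; on a host with IPv6 connectivity the same owner match rule is needed in ip6tables, otherwise a program started through the wrapper can still reach IPv6 destinations.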