I saw the notes about blocking networking on the advanced wine user information wiki (http://wiki.jswindle.com/index.php/Advanced_Wine_User_Information#Blocking_Network_access_to_Software_running_on_Wine) and I thought I'd try to come up with something a bit easier than running the application as a particular user:

(add the "nonet" group)
Code:
    # groupadd nonet

(set up the iptables rule)
Code:
    # iptables -I OUTPUT -m owner --gid-owner nonet -j REJECT --reject-with icmp-net-unreachable

(create nonet.c)
Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <grp.h>
    #include <unistd.h>

    #ifndef _NONET_GROUP
    #define _NONET_GROUP "nonet"
    #endif

    int main(int argc, char *argv[])
    {
        struct group *gr;

        if (argc <= 1) {
            fprintf(stderr, "Usage: %s command [ arg ... ]\n", argv[0]);
            exit(1);
        }

        /* look up the gid of the restricted group */
        if (!(gr = getgrnam(_NONET_GROUP))) {
            perror("getgrnam");
            exit(1);
        }

        /* switch group while still running with the setuid-root euid */
        if (setgid(gr->gr_gid) == -1) {
            perror("setgid");
            exit(1);
        }

        /* drop root: go back to the uid of the invoking user */
        if (setuid(getuid()) == -1) {
            perror("setuid");
            exit(1);
        }

        /* skip our own name and run the requested command */
        argv++;
        argc--;

        if (execvp(*argv, argv) == -1) {
            perror("execvp");
            exit(1);
        }

        exit(0); /* not reached */
    }

(compile and make setuid, limit execution to staff group)
Code:
    # gcc -o nonet nonet.c ; chown root:staff nonet ; chmod 4750 nonet

(run application)
Code:
    # nonet wine some.exe

It seems to work alright. I can nonet bash and not ping or connect anywhere and the same goes for Steam. Since Steam is the only game(-related application) I need networking for, I made this the default in my wine wrapper script.

Any thoughts?
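A setuid-root wrapper like the one in the post is only as good as its credential switch, so this added example (not the poster's code) reworks nonet.c to confirm that the switch took effect and cannot be reversed by the child. `drop_to` and `creds_are` are hypothetical helper names; the group name `nonet` is taken from the post.

```c
/* Added example, not the poster's code: nonet.c with a verified drop. */
#include <stdio.h>
#include <sys/types.h>
#include <grp.h>
#include <unistd.h>

/* 1 if real and effective IDs are exactly uid/gid, else 0. */
int creds_are(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Switch to gid, then uid, and confirm the switch cannot be undone.
 * Group first: setgid() to a foreign group needs the root euid.
 * Returns 0 on success, -1 if any step fails or is reversible. */
int drop_to(uid_t uid, gid_t gid)
{
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();

    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (!creds_are(uid, gid))
        return -1;
    /* A leftover saved ID would let the child switch back. */
    if (old_euid != uid && setuid(old_euid) != -1)
        return -1;
    if (old_egid != gid && setgid(old_egid) != -1)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    struct group *gr = getgrnam("nonet");   /* group name from the post */

    if (argc < 2 || !gr) {
        fprintf(stderr, "usage: %s command [ arg ... ] (requires group nonet)\n", argv[0]);
        return 1;
    }
    if (drop_to(getuid(), gr->gr_gid) == -1) {
        fprintf(stderr, "refusing to run: group switch failed or is reversible\n");
        return 1;
    }
    execvp(argv[1], argv + 1);
    perror("execvp");   /* only reached if exec failed */
    return 1;
}
```

Started by root, this version refuses to run, because a root process could switch its group back and leave the owner match behind. The iptables rule in the post filters IPv4 only, so IPv6 traffic needs a matching ip6tables rule.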