On 18-03-16 16:31, Riccardo Murri wrote:
> (Pablo Escobar Lopez, Fri, Mar 18, 2016 at 04:00:14PM +0100:)
>> 2016-03-18 15:11 GMT+01:00 Fotis Georgatos <[email protected]>:
>>>
>>> ie. we might be able to stop most of the network activity in user-space,
>>> w/out requiring blockage at root level (there are some caveats, agreed),
>>> by rewiring certain calls. thoughts?
>
> Why not use docker? Just start a docker container w/ EasyBuild but give
> it no network access.
You don't even have to go that far. Ordinary cgroups are sufficient: with the net_cls interface the network traffic from any process in the group can be tagged. With iptables you can then do whatever you want to do with that traffic (drop, log, ...):

https://www.kernel.org/doc/Documentation/cgroup-v1/net_cls.txt

Ward
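How the net_cls tagging Ward describes can be wired up, as an added example that is not part of the thread: it assumes cgroup v1 with the net_cls controller mounted under /sys/fs/cgroup/net_cls, an iptables build with the "cgroup" match, and root; the group name "easybuild-nonet" and the 16:1 classid are arbitrary choices made for this example.

```shell
#!/bin/sh
# Confine a build to a net_cls cgroup and drop (and log) its outgoing traffic.
# Assumptions: cgroup v1 net_cls mounted at CG_ROOT, iptables with -m cgroup, root.
set -eu

CG_ROOT=${CG_ROOT:-/sys/fs/cgroup/net_cls}
CG_NAME=${CG_NAME:-easybuild-nonet}   # arbitrary group name for this example
DRY_RUN=${DRY_RUN:-0}                 # DRY_RUN=1 prints the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# net_cls.classid is a 32-bit value written as 0xMMMMmmmm (major:minor),
# the same encoding tc uses for class handles.
net_cls_classid() { printf '0x%04x%04x\n' "$1" "$2"; }

# Create the group, tag it with a classid, and match that tag in OUTPUT.
# net_cls marks sockets owned by processes in the group, so only traffic
# originating from those processes is affected. LOG is inserted above DROP
# so that every blocked attempt is visible in the kernel log.
nonet_setup() {
    classid=$(net_cls_classid 16 1)
    run mkdir -p "$CG_ROOT/$CG_NAME"
    run sh -c "echo $classid > $CG_ROOT/$CG_NAME/net_cls.classid"
    run iptables -I OUTPUT 1 -m cgroup --cgroup "$classid" -j LOG --log-prefix "nonet: "
    run iptables -I OUTPUT 2 -m cgroup --cgroup "$classid" -j DROP
}

# Move this shell into the group, then run the build; children inherit the group.
nonet_exec() {
    run sh -c "echo $$ > $CG_ROOT/$CG_NAME/tasks"
    run "$@"
}

# Usage: ./nonet.sh setup   (once, as root)
#        ./nonet.sh exec eb --robot some-easyconfig.eb
case "${1:-}" in
    setup) nonet_setup ;;
    exec)  shift; nonet_exec "$@" ;;
esac
```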

