[Wine] Disable networking

Sun Aug 2 15:28:34 CDT 2009

I saw the notes about blocking networking on the advanced wine user information wiki (http://wiki.jswindle.com/index.php/Advanced_Wine_User_Information#Blocking_Network_access_to_Software_running_on_Wine) and I thought I'd try to come up with something a bit easier than running the application as a particular user:

(add the "nonet" group)

Code:
# groupadd nonet

(setup the iptables rule)

Code:
# iptables -I OUTPUT -m owner --gid-owner nonet -j REJECT --reject-with icmp-net-unreachable

(create nonet.c)

Code:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <grp.h>
#include <unistd.h>

#ifndef _NONET_GROUP
#define _NONET_GROUP "nonet"
#endif

int main(int argc, char *argv[])
{
  struct group *gr;

  if (argc <= 1)  {
    fprintf(stderr, "Usage: %s command [ arg ... ]\n", argv[0]);
    exit(1);
  }

  if (!(gr = getgrnam(_NONET_GROUP))) {
    perror("getgrnam");
    exit(1);
  }

  if (setgid(gr->gr_gid) == -1) {
    perror("setgid");
    exit(1);
  }

  if (setuid(getuid()) == -1) {
    perror("setuid");
    exit(1);
  }

  argv++;
  argc--;

  if (execvp(*argv, argv) == -1) {
    perror("execvp");
    exit(1);
  }

  exit(0); /* not reached */
}

(compile and make setuid, limit execution to staff group)

Code:
# gcc -o nonet nonet.c ; chown root:staff nonet ; chmod 4750 nonet

(run application)

Code:
# nonet wine some.exe

It seems to work alright.. I can nonet bash and not ping or connect anywhere and the same goes for Steam. Since Steam is the only game(-related application) I need networking for, I made this the default in my wine wrapper script. Any thoughts?