Local isolated network namespace interface

I’m trying to package an editor as a snap and there is no reason to grant it network access. The problem is that because it’s a node/electron app it’s trying to open a network connection. I’m not a node expert but I assume it only needs a device to bind to.

Is there a way to enable a namespaced loopback (lo) interface inside the snap without granting it access to the hosts loopback/network? If not, is there a workaround?

I think the bind() syscall is actually what's provided by the network interface… and blocked completely without it (the code to add interface-related filtering to make sure you only get access to lo without using an interface might be more complex than it is worth to put man-hours in… but I also think if you send a patch it won't be denied :wink:)

You can manipulate network interfaces with the ‘network-control’ interface and using ‘ip netns’. However, it seems like you are trying to take away privileges from your snap (a good thing to do! :slight_smile:), and while fine-grained network mediation is planned in snapd (eg, supporting things like “you may bind only to this port on loopback” is on the roadmap), it is not available today.

I suggest perhaps stracing the application, using tcpdump, etc. to determine why it is reaching out over the network and try to address that in your build. Another option might be to write a small LD_PRELOAD library to ignore the syscalls that are being blocked, but note that if the application is reaching out over the network, it might be assuming it can and fail at some point later.

Sorry, I meant to say “You can manipulate network namespaces with…”
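As an added example (not from this thread, and not snapd's or the editor's code), here is a minimal LD_PRELOAD shim in C along the lines of the suggestion above. It goes one step beyond "ignore the blocked syscalls": bind() and connect() to a loopback address (127.0.0.0/8 or ::1) or an AF_UNIX path fall through to the kernel, and anything else is refused with EACCES before the sandbox ever sees the syscall, so the application gets a clean error instead of a sandbox denial. It assumes Linux/glibc on an architecture that has SYS_bind and SYS_connect (x86_64, arm64); sendto()/sendmsg() with an explicit address are not covered, and IPv4-mapped IPv6 loopback is deliberately treated as non-local. The v4_* helpers are hypothetical, added only so the policy can be exercised without opening a socket.

```c
/* Added example: LD_PRELOAD shim that lets only loopback / AF_UNIX bind() and
 * connect() through. Not part of the forum thread and not snapd code.
 * Build: gcc -shared -fPIC -o loshim.so loshim.c
 * Run:   LD_PRELOAD=$PWD/loshim.so ./app */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Return 1 if addr is local: 127.0.0.0/8, ::1, or an AF_UNIX socket.
 * Anything else (including ::ffff:127.0.0.1 and short/NULL addresses) is 0,
 * i.e. the shim fails closed. */
int addr_is_local(const struct sockaddr *addr, socklen_t len)
{
    if (addr == NULL || len < sizeof(sa_family_t))
        return 0;
    switch (addr->sa_family) {
    case AF_INET: {
        if (len < sizeof(struct sockaddr_in))
            return 0;
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)(const void *)addr;
        return (ntohl(in4->sin_addr.s_addr) >> 24) == 127;
    }
    case AF_INET6: {
        if (len < sizeof(struct sockaddr_in6))
            return 0;
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)(const void *)addr;
        return IN6_IS_ADDR_LOOPBACK(&in6->sin6_addr);
    }
    case AF_UNIX:
        return 1;
    default:
        return 0;
    }
}

/* Interposed bind(): local addresses reach the real syscall; the rest are
 * refused in userspace with EACCES and never enter the kernel. */
int bind(int fd, const struct sockaddr *addr, socklen_t len)
{
    if (!addr_is_local(addr, len)) {
        errno = EACCES;
        return -1;
    }
    return (int)syscall(SYS_bind, fd, addr, len);
}

/* Interposed connect(): same policy as bind(). */
int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    if (!addr_is_local(addr, len)) {
        errno = EACCES;
        return -1;
    }
    return (int)syscall(SYS_connect, fd, addr, len);
}

/* Hypothetical helpers (not part of the shim's interface) to exercise the
 * policy on an IPv4 address given in host byte order. Fd -1 is used so that a
 * permitted address reaches the kernel but fails with EBADF, never EACCES. */
int v4_is_local(uint32_t host_order_ip)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(host_order_ip);
    return addr_is_local((const struct sockaddr *)&sin, sizeof sin);
}

int v4_bind_refused(uint32_t host_order_ip)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(host_order_ip);
    errno = 0;
    int r = bind(-1, (const struct sockaddr *)&sin, sizeof sin);
    return r == -1 && errno == EACCES;
}
```

This is a build-time aid for finding and neutralising the app's network use, not a security boundary: LD_PRELOAD does nothing for statically linked binaries or code that issues raw syscalls, and the snap's confinement remains the thing that is actually enforced.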

I understand, I think I need to do some research on how snapd confinement works.

:slight_smile:

Exactly

I temporarily allowed network but got stuck on a segfault. I just classified it as “un-snappable” and moved on, sorry :slight_smile: I snapped it mostly for my own needs, to contain it and for easy install on my other systems. I contained it inside a firejail sandbox instead.

Just a little inspiration for the future

  • network-sandbox - A local namespaced network with a loopback and possibly a dummy interface.
  • network-lan - Only access to the local area network (my subnet).
  • network-onlyinternet - Access to the internet, but not my home network/LAN.

Thank you for your feedback!