Skip to content

trailofbits/eatmynetwork

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
.github
.github
 
 
CODEOWNERS
CODEOWNERS
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
eatmynetwork
eatmynetwork
 
 
eatmynetwork.1
eatmynetwork.1
 
 

Repository files navigation

eatmynetwork

Lint

eatmynetwork is a small script for running programs with (minimal) network sandboxing.

$ eatmynetwork ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Operation not permitted

Why/what/how?

Network connectivity sneaks its way into programs — many things that shouldn't need network access do, and fail in surprising ways when a network connection isn't available.

eatmynetwork makes it easy to quickly determine how a program behaves when it doesn't have network access, without actually having to turn off your host's network adapter(s). This makes it useful for:

  • Resiliency testing: ensuring that a program that shouldn't require network access handles the lack of access gracefully

  • Unit testing: ensuring that network access does not creep into idempotent and offline-only unit tests and, separately, ensuring that online unit tests are correctly marked and filtered when testing offline

Under the hood, all eatmynetwork does is wrap a handful of platform-specific network isolation techniques: on macOS it uses sandbox-exec, and on Linux it tries a handful of different network namespace management tools.

Importantly, eatmynetwork does not provide a security boundary: it does not guarantee that a motivated or malicious process can't access the network, only that ordinary ("honest") programs will think that they're offline. If you need strong isolation, you need another tool.

Installation

eatmynetwork is a POSIX sh script, and should work correctly on modern Linux and macOS installations.

To install it, just copy it wherever you need it:

$ git clone https://github.com/trailofbits/eatmynetwork && cd eatmynetwork
$ cp ./eatmynetwork /some/bin/dir/

There's also a manual page that you can copy.

Usage

Run a command:

$ eatmynetwork ls

Run a command, with arguments:

$ eatmynetwork curl https://example.com

Do some debug logging while running:

$ DEBUG=1 eatmynetwork ssh example.com

In general, prefixing any command with eatmynetwork should run the command exactly the same, just without network access. There are no behavior-modifying flags or options.

License

eatmynetwork is licensed under the terms of the Apache-2.0 License.

About

A small script for running programs with (minimal) network sandboxing

trailofbits.github.io/eatmynetwork/

Topics

macos linux sandbox resilience-testing

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

26 stars

Watchers

4 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages