May 26, 2018
MAC policy to disable access to networking for certain group
Simple MAC framework policy to disable access to networking for certain group. Running kldload mac_nonet.ko to load the kernel module. The load action require root permissions.
Set gid that shouldn’t access the network sysctl security.mac.nonet.gid=31337 and enable enforcing sysctl security.mac.nonet.enabled=1
Any call to socket2 from user in this group will end with EPERM. You can also select group that can access only AF_UNIX sockets with security.mac.nonet.local_gid.