ALSA "device or resource busy" error

For some time, I have used a special group on my desktop whose network traffic is blocked by iptables(8) rules, so that I could run programs without network access. iptables(8) has since been supplanted by nft(8), and rather than continue to use iptables(8) or port the configuration to nft(8), I decided to experiment with a couple of different approaches: AppArmor and ptrace(2).

AppArmor ¶

Using AppArmor has the lowest barrier to entry and only required creating two files. First, I created a simple wrapper script at /usr/local/bin/no-networking that merely executes the arguments passed to it:

#!/bin/sh
exec "$@"

Next, I created an AppArmor profile at /etc/apparmor.d/usr.local.bin.no-networking:

#include <tunables/global>

/usr/local/bin/no-networking {
  #include <abstractions/base>

  deny network,
  deny network inet stream,
  deny network inet6 stream,
  deny network inet dgram,
  deny network inet6 dgram,
  deny network netlink raw,

  /** rwix,
}

This defines a policy that disables networking while allowing the script full access to the filesystem along with the ability to execute other commands. Since "ix" is used for the execution permissions, the executed program inherits the network restrictions. After loading the profile with aa-enforce /etc/apparmor.d/usr.local.bin.no-networking, we can verify that it works as expected:
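As an added verification probe (not part of the original post), the script below tries to create exactly the socket classes the profile names and reads /proc/self/attr/current to show which profile the process inherited through the ix rule. Assumed: NETLINK_ROUTE is used as the protocol for the netlink probe, and the file is saved as probe.py.

```python
"""Probe the socket classes the no-networking profile denies.
Added example, not code from the original post. Run it unconfined and
then as `no-networking python3 probe.py` to compare the two results.
"""
import errno
import socket

# The socket classes the profile names explicitly; "deny network," covers the rest.
SOCKET_CLASSES = {
    "inet stream":  (socket.AF_INET, socket.SOCK_STREAM, 0),
    "inet6 stream": (socket.AF_INET6, socket.SOCK_STREAM, 0),
    "inet dgram":   (socket.AF_INET, socket.SOCK_DGRAM, 0),
    "inet6 dgram":  (socket.AF_INET6, socket.SOCK_DGRAM, 0),
}
if hasattr(socket, "AF_NETLINK"):  # Linux only; NETLINK_ROUTE chosen as an assumption
    SOCKET_CLASSES["netlink raw"] = (socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)


def current_confinement() -> str:
    """AppArmor label of this process, e.g. '/usr/local/bin/no-networking (enforce)'
    when inherited through the script's ix rule, or 'unconfined'."""
    try:
        with open("/proc/self/attr/current") as f:
            return f.read().strip("\n\0")
    except OSError:
        return "unknown"  # kernel without an LSM attribute


def classify(err: int) -> str:
    """socket(2) refused by AppArmor fails with EACCES (EPERM on some kernels)."""
    if err in (errno.EACCES, errno.EPERM):
        return "denied"
    return "error:" + errno.errorcode.get(err, str(err))


def probe(family: int, kind: int, proto: int = 0) -> str:
    """Try to create one socket and report whether policy let it through."""
    try:
        with socket.socket(family, kind, proto):
            return "allowed"
    except OSError as e:
        return classify(e.errno)


def probe_all() -> dict:
    return {name: probe(*spec) for name, spec in SOCKET_CLASSES.items()}


if __name__ == "__main__":
    print("confinement:", current_confinement())
    for name, result in probe_all().items():
        print(f"{name:13} {result}")
```

Under the wrapper every row should read "denied" and the confinement line should name the profile; unconfined, the rows read "allowed".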