Well, it doesn't exist as a Capability bit so that's out.

If the processes are running as one or more defined non root UIDs you could
block them with [iptables --uid-owner...]

This does not stop them receiving packets, but it stops them sending any
which pretty much neuters them.

Would that work?

Tim

A network jail is a good idea for a new tool.

Mark.

A network jail is a good idea for a new tool.

Mark.

You could run them inside a so-called 'Linux container' with an
'empty' network namespace, cf

http://lxc.sourceforge.net

NETWORK

The network section defines how the network is virtualized in
the container. The network virtualization acts at layer two. In
order to use the network virtualization, parameters must be
specified to define the network interfaces of the
container. Several virtual interfaces can be assigned and used
in a container even if the system has only one physical network
interface.

lxc.network.type

specify what kind of network virtualization to be used
for the container. Each time a lxc.network.type field is
found a new round of network con- figuration begins. In
this way, several network virtualization types can be
specified for the same container, as well as assigning
several net- work interfaces for one container. The
different virtualization types can be:

empty: will create only the loopback interface.
[lxc.conf(5)]

The company I work for uses this in production to host 'virtual IPsec
gateways' (with added security features) for different customers on
shared computers and because of this, I can confidentially state that
it is stable (the main drawback is that the netfilter people generally
don't care for network namespace support and are thus neither willing
to implement it themselves nor to accept patches of people who do[*]).

[*] Yes, I'm writing about me. I don't usually bother to
submit 'feature contributions' to Linux because this is, in my
experience, simply a total waste of time: If the responsible
people cared for the issue, it wouldn't exist and since they
don't it will persist.

You could run them inside a so-called 'Linux container' with an
'empty' network namespace, cf

http://lxc.sourceforge.net

NETWORK

The network section defines how the network is virtualized in
the container. The network virtualization acts at layer two. In
order to use the network virtualization, parameters must be
specified to define the network interfaces of the
container. Several virtual interfaces can be assigned and used
in a container even if the system has only one physical network
interface.

lxc.network.type

specify what kind of network virtualization to be used
for the container. Each time a lxc.network.type field is
found a new round of network con- figuration begins. In
this way, several network virtualization types can be
specified for the same container, as well as assigning
several net- work interfaces for one container. The
different virtualization types can be:

empty: will create only the loopback interface.
[lxc.conf(5)]

The company I work for uses this in production to host 'virtual IPsec
gateways' (with added security features) for different customers on
shared computers and because of this, I can confidently state that
it is stable (the main drawback is that the netfilter people generally
don't care for network namespace support and are thus neither willing
to implement it themselves nor to accept patches of people who do[*]).

[*] Yes, I'm writing about me. I don't usually bother to
submit 'feature contributions' to Linux because this is, in my
experience, simply a total waste of time: If the responsible
people cared for the issue, it wouldn't exist and since they
don't it will persist.

You could create a VM with no gateway and no DNS resolution.

Is this out of native caution or are you hoping to comply with some set
of laws or regulations?
Another option to consider would be to use a separate machine with no
network connection and connect it to the outside using a serial port
(over which your stdin/out/err are carried).

This is closely analogous to the VM/container suggestions but avoids
relying on software to isolate the sensitive code (at least to the same
extent). It's also more expensive, of course.

If you're so afraid of unknown bugs in your own code, don't bother
with anything fancy: This means you have to write even more code and
why would that be any less buggy?

NB: This is a completely serious statement in form of a rethorical
question. The only way to be safe from 'yet unknown future dangers' is
immediate suicide.