
How would one make it impossible for Ubuntu 12 to talk to the network, even though there's a network card present (which may have a cable plugged-in)?

I found this answer which advocates removing the NIC drivers, but I'm concerned that the driver might be re-installed during an upgrade. I don't have much experience of administering Linux.

Is there a best practice for running GNU/Linux without networking capabilities?

jah

2 Answers

2

You can do this by disabling different network capabilities in the Linux kernel. It will be destructive to disable ALL networking options (because some programs do use the loopback interface for operation - one of them is the X server). But what can help - disable any NIC device drivers from the kernel. This will ensure no external network activity.

But here is another point - as you stated:

but I'm concerned that the driver might be re-installed during an upgrade

This assumes the user who is doing updates has root access to the system. If this is the case - you can't solve the problem with a software-like solution. Since the user has root access (and knowledge) - the user will be able to make any changes.

Another point - even if the user does not have root access - there is the possibility to boot a Linux live distribution and make any changes to config files of the computer, including substituting the kernel image with a new one (thus enabling NIC drivers).

This all is about that simple fact - if one has physical access to the computer - one can change anything on it (providing one has knowledge and tools).

So following are some possible ways:

  1. If users do not have advanced Linux knowledge, then compiling the Linux kernel without NIC drivers (do not forget about USB network cards) in the kernel will be sufficient IMO.

  2. Also, you can disable the network card in the BIOS settings - but again, these settings can be reset if one has physical access to the computer.

  3. You can set iptables rules to reject any external network traffic.

  4. Use a physical security device like a port lock kit.

VL-80
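As an added example (not part of the answer above), this is what option 3 looks like in practice: an iptables ruleset that keeps the loopback interface working, since the answer notes that X and other local programs need it, while rejecting traffic on every other interface. The function names and the helper check are my own; persistence across reboots (e.g. via iptables-persistent on Ubuntu) and the IPv6 counterpart with ip6tables are assumed to be handled separately.

```shell
#!/bin/sh
# Added example, not from the original answer: "loopback only" iptables ruleset.
# Policy is DROP on every chain; explicit REJECT rules make local programs fail
# fast (connection refused) instead of hanging on a silently dropped packet.

# Emit the ruleset in iptables-restore format.
loopback_only_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Apply the ruleset atomically (needs root). Repeat with ip6tables-restore
# for IPv6; assumed here, not shown.
apply_loopback_only() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_loopback_only: run as root" >&2; return 1; }
    loopback_only_rules | iptables-restore
}

# Sanity check for a ruleset read from stdin (ours, or `iptables-save` output
# on a live box): count ACCEPT rules that are not bound to the lo device.
# A correctly locked-down host must report 0.
non_loopback_accepts() {
    grep -- '-j ACCEPT' | grep -v -e '-i lo ' -e '-o lo ' | wc -l | tr -d ' '
}

# Usage on a live system: apply_loopback_only && iptables-save | non_loopback_accepts
```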

CONFIG_NET=n

This option controls network support in the kernel. But as the docs themselves say, this might break many userland programs that do network-ish looking things:

menuconfig NET
    bool "Networking support"
    select NLATTR
    select GENERIC_NET_UTILS
    select BPF
    ---help---
      Unless you really know what you are doing, you should say Y here.
      The reason is that some programs need kernel networking support even
      when running on a stand-alone machine that isn't connected to any
      other computer.

      If you are upgrading from an older kernel, you
      should consider updating your networking tools too because changes
      in the kernel and the tools often go hand in hand. The tools are
      contained in the package net-tools, the location and version number
      of which are given in <file:Documentation/Changes>.

      For a general introduction to Linux networking, it is highly
      recommended to read the NET-HOWTO, available from
      <http://www.tldp.org/docs.html#howto>.

I have tested that option at: https://github.com/cirosantilli/linux-kernel-module-cheat/blob/71d673bac48f43a2e38f5e1e4f94b10da15b7cee/kernel_config_fragment#L58

Outcome: many (all?) networking system calls return a failure status and do nothing, e.g.:

# nc -l -p 8000 127.0.0.1
nc: socket: Function not implemented

TODO: UNIX sockets? Not present on that version of nc and I was lazy to try it out.

I can still use the shell and call basic utilities, but for example the X server requires networking system calls to work, and won't start properly.