That sounds like what pf can do for stuff running on the local machine, based on userid of the process opening the sockets. At least if your daemons all run as separate users.
2017-04-26 10:09 GMT+02:00 Luke Small <[email protected]>:
> Would it be a good idea to make a pledge-like call that limits a process
> from connecting to ports and/or hosts? Maybe it could be done in a way that
> the kernel is made aware of the limitations like in a pledge call and while
> the process is alive, the kernel spawns pf rules based upon the socket
> ports that are created to connect to remote host ports.
>
> You could conceivably do things like limiting ntpd to predetermined hosts
> and port 123 and 53 on the respective processes involved.
>
> It would make processes that need the inet pledge permission merely to use
> libhiredis to connect to a Redis database more safe.
> --
> May the most significant bit of your life be positive.
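The pf approach from the reply, written out as an added pf.conf example (not code from either poster): sockets owned by the `_ntp` user, the unprivileged account OpenBSD's ntpd runs its network-facing processes as, are confined to NTP on chosen servers and DNS on chosen resolvers. The server and resolver addresses are constructed placeholders.

```pf
# Added example: limit sockets owned by the _ntp user (OpenBSD ntpd's
# unprivileged account) to NTP on chosen servers and DNS on chosen resolvers.
# Addresses are constructed placeholders from documentation ranges (RFC 5737).
table <ntp_servers> { 192.0.2.10, 192.0.2.11 }
table <resolvers>   { 198.51.100.53 }

# Without 'quick', the last matching rule wins, so the broad block comes first
# and the narrow passes below override it. 'user' matches the uid that owns
# the local socket, so these rules only affect traffic originating on this host.
block return out log proto { tcp, udp } user _ntp
pass out proto udp user _ntp to <ntp_servers> port 123
pass out proto { tcp, udp } user _ntp to <resolvers> port 53

# Sockets owned by every other user are untouched by the rules above.
```

Parse-check the file with `pfctl -nf /etc/pf.conf` before loading it. Unlike a pledge violation, a denied connection here is only logged and refused; the process keeps running.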

