On 2026-04-02, Janne Johansson <[email protected]> wrote:
> On Wed 1 Apr 2026 at 23:47, <[email protected]> wrote:
>> Hi all,
>> I am looking to run a process on my machine that I do not fully trust.
>> I would like to avoid the penalty cost of spinning a VM to run it, and would
>> like instead to sandbox it.
>> As far as I know, `pledge` is nice to create a sandbox, but it's
>> coarse-grained, it either allows access to all IPs, or it allows no access at
>> all.
>> I need to give this untrusted app network access, but to avoid it being a
>> spyware/trojan horse, I'd like to restrict its network connection to a
>> specific list of IPs.
>> The idea I have for now is to create a user dedicated to it, and add an
>> anchor in pf that filters for that user, and only allow that user to speak
>> to that list of IPs.
>> Is that a reasonable approach? Is there a better way to do that?
>
> For processes running on an obsd machine, PF supports matching on a
> specific user, like the user _pbuild for ports which is not allowed to
> talk network at all.
>
> So make a table or a macro of the allowed destinations, allow any
> traffic matching this user to those destinations, and block all other
> traffic from this user that did not match the previous rule.
>
> See some examples in the pf.conf manpage:
> https://man.ifconfig.se/pf.conf.5#user
>
> Yours would be a bit more specific than the examples, but you should
> be able to get a hint from them at least.
Just be aware that this is only for tcp/udp, and also consider that if it
needs DNS, you'll need something fancy to avoid exfiltration via DNS queries.

--
Please keep replies on the mailing list.
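The rule set Janne describes, written out as an added example (it is not code from either poster): a dedicated user, an anchor whose table lists the allowed destinations, a narrow allow, and a catch-all block for that user. The user name `_untrusted`, the anchor name, and the addresses (RFC 5737 documentation ranges) are assumptions.

```pf
# Added example for OpenBSD pf.conf; user name, anchor name and addresses are assumed.
# Create the dedicated user first, e.g.:
#   useradd -s /sbin/nologin -d /var/empty _untrusted
anchor "untrusted" {
    # Destinations the untrusted process may reach (constructed values).
    table <untrusted_dst> { 192.0.2.10, 198.51.100.0/24 }

    # pf is last-match-wins unless a rule says "quick", so both rules are
    # quick and the narrow allow is listed before the catch-all block.
    pass out quick proto { tcp udp } from self to <untrusted_dst> user _untrusted

    # Optional: allow DNS only to a specific resolver (assumed 192.0.2.53).
    # As the reply above notes, this does not stop data hidden inside the
    # queries themselves; that has to be handled at the resolver.
    pass out quick proto { tcp udp } from self to 192.0.2.53 port domain user _untrusted

    # Everything else sent from this user's sockets is dropped. "user" only
    # matches TCP and UDP; pf cannot attribute other protocols to a user.
    block out quick proto { tcp udp } user _untrusted
}
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and inspect the loaded anchor with `pfctl -a untrusted -sr`. Run the program as that user (for example with `doas -u _untrusted`) so its sockets carry the restricted UID.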

