I guess that representing something like "block out user daemon_id" and "pass out quick from any to specific_host port specific_port user daemon_id" in terms of pledge() parameters would make it rather unwieldy, if you want your fooDB to only be able to make outward connections to the designated fooDB tcp port on a specific destination ip.
But its rather simple in PF already. And very flexible if you want to have very advanced exceptions later on. 2017-04-26 13:38 GMT+02:00 Luke Small <[email protected]>: > Pledge will presumably have per process (including fork()ed process) > **path limitations on rpath rpath and wpath calls, why not limitations on > inet and unix? > > On Wed, Apr 26, 2017 at 6:26 AM Janne Johansson <[email protected]> > wrote: > >> 2017-04-26 13:19 GMT+02:00 Luke Small <[email protected]>: >> >>> I'm not saying to alter pledge necessarily, maybe make new system call >>> like pledge. There aren't any per-process pf rules that are applied. >> >> >> If your daemon has a specific user, you can make such rules in PF. >> The goal you stated can be reached already, why keep on suggesting new >> syscalls? >> >> >> -- >> May the most significant bit of your life be positive. >> > -- May the most significant bit of your life be positive.
