On 2026-04-02, Janne Johansson <icepic.dz@gmail.com> wrote:
> Den ons 1 apr. 2026 kl 23:47 skrev <seb.mouton@gmail.com>:
>> Hi all,
>> I am looking to run a process on my machine that I do not fully trust.
>> I would like to avoid the penalty cost of spinning a VM to run it, and would like instead to sandbox it.
>> As far as I know, `pledge` is nice to create a sandbox, but it's coarse-grained, it either allows access to all IPs, or it allows no access at all.
>> I need to give this untrusted app network access, but to avoid it being a spyware/trojan horse, I'd like to restrict its network connection to a specific list of IPs.
>> The idea I have for now is to create a user dedicated to it, and add an anchor in pf that filters for that user, and only allow that user to speak to that list of IPs.
>> Is that a reasonable approach? Is there a better way to do that?
>
> For processes running on an obsd machine, PF supports matching on a
> specific user, like the user _pbuild for ports which is not allowed to
> talk network at all.
>
> So make a table or a macro of the allowed destinations, allow any
> traffic matching this user to those destinations, and block all other
> traffic from this user that did not match the previous rule.
>
> See some examples in the pf.conf manpage:
> https://man.ifconfig.se/pf.conf.5#user
>
> Yours would be a bit more specific than the examples, but you should
> be able to get a hint from them at least.
Just be aware that this is only for tcp/udp, and also consider that
if it needs DNS, you'll need something fancy to avoid exfiltration via
DNS queries.
--
Please keep replies on the mailing list.
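The ruleset sketched in the thread (a table of allowed destinations, a pass rule for the dedicated user, a block for everything else from that user), plus the DNS caveat from the last reply, as an added pf.conf fragment that is not part of any message above. The user name `_untrusted`, the table name `allowed_dst`, the file `/etc/pf.allowed`, and the assumption that DNS is served by a resolver on 127.0.0.1 are all illustrative choices, not something the thread specifies.

```pf
# Added example, not from the thread. Assumptions: the sandboxed process runs
# as the dedicated user _untrusted; the permitted destination addresses are
# listed one per line in /etc/pf.allowed; a local resolver (for example
# unwind(8)) answers DNS on 127.0.0.1.

# Destinations the untrusted process may reach. Keeping them in a file lets
# you update the list without a full reload:
#   pfctl -t allowed_dst -T replace -f /etc/pf.allowed
table <allowed_dst> persist file "/etc/pf.allowed"

# In pf the LAST matching rule wins, so the catch-all block goes first.
# "return" makes failed connections error out immediately instead of hanging;
# "log" lets you watch what the process tried to reach (tcpdump -n -e -ttt -i pflog0).
block return out log all user _untrusted

# Then allow only the listed destinations. The "user" keyword matches sockets
# owned by that uid and only applies to TCP and UDP, as noted in the thread;
# other protocols from this user are not matched by these rules at all.
pass out inet proto { tcp, udp } from any to <allowed_dst> user _untrusted

# DNS: do not let the process send queries to arbitrary servers, which is the
# exfiltration channel the last reply warns about. Permit only the local
# resolver, which performs the real lookups under its own uid.
pass out inet proto { tcp, udp } from any to 127.0.0.1 port 53 user _untrusted
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. Two things to keep in mind: if your pf.conf has `set skip on lo0`, loopback traffic is never filtered, so the 127.0.0.1 rule is redundant there and the process can reach any local service; and routing DNS through a local resolver narrows the channel but does not close it, because the resolver still forwards whatever names the process asks for. Closing it properly is the "something fancy" the reply mentions, such as a resolver restricted to the names the process legitimately needs.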