A very nice primer on how to sandbox a service, with OpenBSD DHCP client used as an example: https://sha256.net/privsep.html
@minoru Extremely limited and uncomfortable to do compared to Linux MACs like SELinux or AppArmor.
@L29Ah Do you have a primer on those? As far as I understand, SELinux and AppArmor are static for the duration of the program run time; e.g. you can't give access to raw sockets for the initialization phase and then revoke it.
