If a program only needs to communicate over sockets it already has open, cap_enter() will keep it from opening new ones.
But the existing fds are not restricted by cap_enter() itself. You can use caph_limit_stream(fd, CAPH_READ/CAPH_WRITE) to restrict existing sockets down to only the rights that stdio routines need.
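Putting the two steps together, as an added example that is not from the original post: a C program that limits the descriptors it already holds with caph_limit_stream(), enters capability mode with cap_enter(), and then checks which operations the sandbox still permits. The socketpair and the loopback address are constructed stand-ins; the code is FreeBSD-only and reports that on other systems.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#include <capsicum_helpers.h>
#endif

/* Outcome codes returned by sandbox_demo(). */
enum { DEMO_OK = 0, DEMO_FAIL = -1, DEMO_UNSUPPORTED = -2 };
/* Limit the fds the program already holds, enter capability mode, then check
 * what is still allowed. The socketpair stands in for sockets already open. */
int sandbox_demo(void) {
#ifndef __FreeBSD__
    return DEMO_UNSUPPORTED;            /* Capsicum is FreeBSD-only */
#else
    int sv[2], s; char buf[8];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return DEMO_FAIL;
    /* Restrict existing descriptors: stdio, then each socket end to one direction. */
    if (caph_limit_stdio() != 0 || caph_limit_stream(sv[0], CAPH_READ) != 0 ||
        caph_limit_stream(sv[1], CAPH_WRITE) != 0)
        return DEMO_FAIL;
    if (cap_enter() != 0)               /* irreversible from here on */
        return DEMO_FAIL;
    /* Still allowed: sv[1] kept CAP_WRITE and sv[0] kept CAP_READ. */
    if (write(sv[1], "ping", 4) != 4 || read(sv[0], buf, sizeof(buf)) != 4)
        return DEMO_FAIL;
    /* Denied by per-fd rights (ENOTCAPABLE): sv[0] was never given CAP_WRITE. */
    if (write(sv[0], "x", 1) != -1 || errno != ENOTCAPABLE)
        return DEMO_FAIL;
    /* Denied by capability mode (ECAPMODE): connect() names a global address (constructed loopback target). */
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(9),
                               .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s >= 0 && (connect(s, (struct sockaddr *)&sin, sizeof(sin)) != -1 ||
                   errno != ECAPMODE))
        return DEMO_FAIL;
    return DEMO_OK;
#endif
}

int main(void) {
    int r = sandbox_demo();
    puts(r == DEMO_OK ? "sandbox behaved as expected" : r == DEMO_UNSUPPORTED ? "Capsicum not available on this OS" : "FAILED");
    return r == DEMO_FAIL;
}
```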