diff --git a/libc/calls/pledge-linux.c b/libc/calls/pledge-linux.c
index 145ee5c56..0b1835e1d 100644
--- a/libc/calls/pledge-linux.c
+++ b/libc/calls/pledge-linux.c
@@ -811,6 +811,22 @@ static const uint16_t kPledgeInet[] = {
 __NR_linux_getsockname, //
 };
 
+// anet is similar to init, but without connect;
+// this allows to accept, but not initiate socket connections
+static const uint16_t kPledgeAnet[] = {
+ __NR_linux_socket | INET, //
+ __NR_linux_listen, //
+ __NR_linux_bind, //
+ __NR_linux_sendto, //
+ __NR_linux_accept, //
+ __NR_linux_accept4, //
+ __NR_linux_ioctl | INET, //
+ __NR_linux_getsockopt | RESTRICT, //
+ __NR_linux_setsockopt | RESTRICT, //
+ __NR_linux_getpeername, //
+ __NR_linux_getsockname, //
+};
+
 static const uint16_t kPledgeUnix[] = {
 __NR_linux_socket | UNIX, //
 __NR_linux_listen, //
@@ -955,6 +971,7 @@ const struct Pledges kPledge[PROMISE_LEN_] = {
 [PROMISE_FLOCK] = {"flock", PLEDGE(kPledgeFlock)}, //
 [PROMISE_FATTR] = {"fattr", PLEDGE(kPledgeFattr)}, //
 [PROMISE_INET] = {"inet", PLEDGE(kPledgeInet)}, //
+ [PROMISE_ANET] = {"anet", PLEDGE(kPledgeAnet)}, //
 [PROMISE_UNIX] = {"unix", PLEDGE(kPledgeUnix)}, //
 [PROMISE_DNS] = {"dns", PLEDGE(kPledgeDns)}, //
 [PROMISE_TTY] = {"tty", PLEDGE(kPledgeTty)}, //
diff --git a/libc/calls/pledge.c b/libc/calls/pledge.c
index 21b7ce4f7..64b1c2beb 100644
--- a/libc/calls/pledge.c
+++ b/libc/calls/pledge.c
@@ -143,6 +143,9 @@
 * - "inet" allows socket(AF_INET), listen, bind, connect, accept,
 * accept4, getpeername, getsockname, setsockopt, getsockopt, sendto.
 *
+ * - "anet" allows socket(AF_INET), listen, bind, accept,
+ * accept4, getpeername, getsockname, setsockopt, getsockopt, sendto.
+ *
 * - "unix" allows socket(AF_UNIX), listen, bind, connect, accept,
 * accept4, getpeername, getsockname, setsockopt, getsockopt.
 *
diff --git a/libc/intrin/promises.internal.h b/libc/intrin/promises.internal.h
index 01768c66f..217ee90c8 100644
--- a/libc/intrin/promises.internal.h
+++ b/libc/intrin/promises.internal.h
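Review bot: `__NR_linux_sendto` is allowed without any restriction in the new `kPledgeAnet` table (libc/calls/pledge-linux.c), which weakens the stated goal of accepting but never initiating connections. sendto() with a destination address can send datagrams to an arbitrary peer from an unconnected UDP socket, and with TCP Fast Open it can open a TCP connection without calling connect(). Whether `socket | INET` admits datagram sockets is not visible in this hunk, so that needs confirming. If outbound traffic is meant to be blocked, drop the entry or restrict it to calls with a null destination address, which still covers replies on accepted sockets. The comment also says "similar to init" where "inet" is meant; I would write `// anet is like inet but omits connect, so a process can accept` / `// connections but cannot initiate them`.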
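Review bot: The new "anet" entry in the pledge() doc comment (libc/calls/pledge.c) lists the permitted calls but never says what the promise is for, so a reader has to compare it with "inet" to notice that connect is missing. I would end the entry with a sentence such as `This is "inet" without connect, for servers that only accept connections.` Because "anet" is not one of OpenBSD's native promises, the comment should also say what pledge() does with it on that platform; that handling lies outside this hunk, so confirm it before documenting. If sendto stays in the list, the entry should state that it is not limited to peers the process accepted.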
@@ -23,7 +23,8 @@ #define PROMISE_VMINFO 19 #define PROMISE_TMPPATH 20 #define PROMISE_CHOWN 21 -#define PROMISE_LEN_ 22 +#define PROMISE_ANET 22 +#define PROMISE_LEN_ 23 #define PLEDGED(x) ((~__promises >> PROMISE_##x) & 1) diff --git a/tool/net/help.txt b/tool/net/help.txt index 9960cc794..6d6a776da 100644 --- a/tool/net/help.txt +++ b/tool/net/help.txt @@ -4347,6 +4347,11 @@ UNIX MODULE Allows socket (AF_INET), listen, bind, connect, accept, getpeername, getsockname, setsockopt, getsockopt. + anet + + Allows socket (AF_INET), listen, bind, accept, + getpeername, getsockname, setsockopt, getsockopt. + unix Allows socket (AF_UNIX), listen, bind, connect, accept,