diff --git a/fetch.go b/fetch.go
index ecd3ec9eac..e505776cb5 100644
--- a/fetch.go
+++ b/fetch.go
@@ -31,6 +31,12 @@ func Fetch(id int32, targetUrl string) []byte {
 			FetchResId: id,
 		}
 
+		if !Perms.Connect {
+			resMsg.Error = "Permission to connect denied."
+			PubMsg("fetch", resMsg)
+			return
+		}
+
 		resp, err := http.Get(targetUrl)
 		if err != nil {
 			resMsg.Error = err.Error()
diff --git a/integration_test.go b/integration_test.go
index 5b96c0abc1..d98856f378 100644
--- a/integration_test.go
+++ b/integration_test.go
@@ -149,7 +149,8 @@ func TestErrors(t *testing.T) {
 
 func TestTestsTs(t *testing.T) {
 	integrationTestSetup()
-	cmd := exec.Command(denoFn, "tests.ts")
+	// TODO Need unit test for each of the permissions.
+	cmd := exec.Command(denoFn, "--allow-connect", "--allow-write", "tests.ts")
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	err := cmd.Run()
diff --git a/main.go b/main.go
index 3069c03803..ce96c1e7fb 100644
--- a/main.go
+++ b/main.go
@@ -14,6 +14,29 @@ var flagV8Options = flag.Bool("v8-options", false, "Print V8 command line option
 var flagDebug = flag.Bool("debug", false, "Enable debug output.")
 var flagGoProf = flag.String("goprof", "", "Write golang cpu profile to file.")
 
+var flagAllowWrite = flag.Bool("allow-write", false,
+	"Allow program to write to the fs.")
+var flagAllowConnect = flag.Bool("allow-connect", false,
+	"Allow program to connect to other network addresses.")
+var flagAllowAccept = flag.Bool("allow-accept", false,
+	"Allow program to accept connections.")
+var flagAllowRead = flag.Bool("allow-read", true,
+	"Allow program to read file system.")
+
+var Perms struct {
+	FsRead  bool
+	FsWrite bool
+	Connect bool
+	Accept  bool
+}
+
+func setPerms() {
+	Perms.FsRead = *flagAllowRead
+	Perms.FsWrite = *flagAllowWrite
+	Perms.Connect = *flagAllowConnect
+	Perms.Accept = *flagAllowAccept
+}
+
 func stringAsset(path string) string {
 	data, err := Asset("dist/" + path)
 	check(err)
@@ -23,6 +46,7 @@ func stringAsset(path string) string {
 func FlagsParse() []string {
 	flag.Parse()
 	args := flag.Args()
+	setPerms()
 	if *flagV8Options {
 		args = append(args, "--help")
 	}
diff --git a/os.go b/os.go
index 7eebe41bd7..877fa24ca7 100644
--- a/os.go
+++ b/os.go
@@ -17,7 +17,14 @@ const assetPrefix string = "/$asset$/"
 var fs afero.Fs
 
 func InitOS() {
-	fs = afero.NewOsFs()
+	if Perms.FsWrite {
+		assert(Perms.FsRead, "Write access requires read access.")
+		fs = afero.NewOsFs()
+	} else if Perms.FsRead {
+		fs = afero.NewReadOnlyFs(afero.NewOsFs())
+	} else {
+		panic("Not implemented.")
+	}
 
 	Sub("os", func(buf []byte) []byte {
 		msg := &Msg{}