[anilakar]

Maybe Theo wanted fopen-like semantics?

[bonzini]

fopen is not a system call, it is a library call. The system call is open, and it uses bits for flags.

[int_19h]

Which makes it that much harder to extend.

There's nothing wrong with the use of strings here. It's very readable, easily understandable to anyone who knows C, can be checked by automated tools (or at runtime) for invalid values, and is easily extensible in the future. It's also not on a hot path (I mean, you shouldn't have to do this at any point other than process creation).

[therein]

Right but is there really any reason why the implementation should call strncmp or anything that would be costlier than a bitwise AND? It's not like "r" reads better than O_RDONLY.

[codetrotter]

Pledge happens on process startup only, so since it’s not like it is called over and over again during the life of the process, the overhead is certainly negligible for all modern servers, desktops and laptops.

[microtonal]

But compiler errors (typo in a flag) become runtime errors (typo in the unveil string).

[tedunangst]

You're only one character away from FLAG1 || FLAG2.

[protomyth]

It is trivial to run a script to check the values are correct.