by carlosrg 1064 days ago
> they provide little to prevent unknown bugs being exploited

They provide plenty of mitigations (https://www.openbsd.org/innovations.html). In fact OP's article is for preventing unknown bugs from being exploited.


They don't provide any mitigations of the sort I was clearly referencing. Specifically, for restricting malicious code or users that already have access to the system, exploiting insecure software that was not compiled with pledge support.
What kind of mitigations would help here?
SELinux/RSBAC/AppArmor/grsecurity and similar.
These largely require buy-in from applications just like pledge.
They absolutely don't, that's the key difference.

What makes you think otherwise?

You can’t just stick sandboxing around arbitrary apps without them breaking.