[korhojoa]

Now if then the commands run via some kind of privilege elevation mechanism would require pledges to be used, that would be awesome: https://news.ycombinator.com/item?id=38037075

"This needs root", okay. But you only get exactly what you need.

[ece]

It's not pledge, but firejail and other SUID binaries like it (bubblewrap, nsjail, etc..) are the only such ones on my system. It's better than grsec/chroot sandbox I used back in the day on Gentoo. I've also used shorewall, ufw, opensnitch for firewalls over the years. I could go on.