[aomix]

Everything I've read about pledge and unveil really admire the approach and the results but it didn't seem to have a big impact outside of OpenBSD. It took ~20 years for OpenBSD's CSPRNG to be re-implemented everywhere else maybe we're operating on a similar timeline here.

[hellcow]

https://justine.lol/pledge/

While not the same, this is a SECCOMP-based Linux alternative (and it can even be used to restrict pre-compiled binaries).

[eyberg]

We definitely took inspiration and implemented in the nanos unikernel cause we think it's a great idea:

https://nanovms.com/dev/tutorials/applying-sandbox-security-...

[saagarjha]

This is generally how modern systems do sandboxing.