
Comment by jart

4 years ago

> Firejail

I'm sure it's great, but it requires setuid privileges. If it needs root, it isn't ad-hoc.

> But I agree that software developers know their software the best so they should be the ones writing the rules

Exactly! You get it. pledge() is basically an App Store permissions model in spirit. It's curated and, like Android / Apple devs, the developer is thinking about what permissions they'll need to ask for at each step of writing their program. Not needing root is an important aspect of enabling that. The good news is that with SECCOMP BPF and Landlock I think we finally have a comprehensive solution for building the perfect unprivileged sandbox.
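The "unprivileged sandbox" the comment refers to, shown as an added example that is not jart's code and not taken from Firejail, pledge() or any other project named above. It assumes x86-64 or AArch64 Linux, and the helper names (`sandbox_deny_mkdir`, `probe_mkdir_errno`) and the probe path are constructed for the demo. The point it demonstrates is that a seccomp-BPF filter needs no root: `PR_SET_NO_NEW_PRIVS` is the only prerequisite, and the filter is inherited by every child, which is how a developer can ship the rules inside their own binary.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Older kernel headers lack this return value (added in Linux 4.14). */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Assumption: built on x86-64 or AArch64 Linux. The filter pins the ABI so a
 * syscall issued through a different ABI cannot bypass the number check. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Hypothetical helper: install a filter that lets every syscall through
 * except mkdir(2)/mkdirat(2), which return EPERM without running.
 * Returns 0 on success, -1 (with errno set) on failure. */
int sandbox_deny_mkdir(void)
{
    struct sock_filter filter[] = {
        /* 1. Check the architecture; kill the process on a mismatch. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 2. Load the syscall number and compare against the deny list. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_mkdir /* x86-64 has mkdir; AArch64 only has mkdirat */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdir, 1, 0),
#endif
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdirat, 0, 1),
        /* 3. Denied: fail the call with EPERM instead of killing the process. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 4. Everything else proceeds normally. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* This is the "no root needed" part: the kernel lets an unprivileged
     * process install a filter only after it promises never to gain
     * privilege through execve() (setuid binaries, file capabilities).
     * The filter is then inherited by every child process. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    /* prctl form rather than seccomp(2) so it builds against any libc. */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Hypothetical probe: attempt a mkdir and return 0 or the errno it produced.
 * Constructed path whose parent is assumed not to exist, so before the
 * sandbox the call fails with ENOENT; afterwards the filter answers EPERM
 * before the kernel ever looks at the path. */
int probe_mkdir_errno(void)
{
    if (mkdir("/nonexistent-parent-dir/probe", 0700) == 0) {
        rmdir("/nonexistent-parent-dir/probe");
        return 0;
    }
    return errno;
}

int main(void)
{
    int e = probe_mkdir_errno();
    printf("before sandbox: mkdir -> errno %d (%s)\n", e, strerror(e));
    if (sandbox_deny_mkdir() != 0) {
        perror("sandbox_deny_mkdir");
        return 1;
    }
    e = probe_mkdir_errno();
    printf("after sandbox:  mkdir -> errno %d (%s)\n", e, strerror(e));
    return 0;
}
```

A deny-list is used here only to keep the filter readable; a pledge()-style sandbox is an allow-list with a default deny, built up as each stage of the program gives up what it no longer needs. Seccomp sees syscall numbers and scalar arguments but not path strings, which is the gap Landlock fills on the file-system side.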