Example: file(1)


pledge() started as side-project after Nicholas Marriott
wrote a new file(1) command

New command was priv-sep, using systrace(2) for security

systrace mechanism was terrible --  got us riled up..

parent opens files, FD-passes them to child, child runs in
constrained environment

systrace sandbox: 300 lines of code.  But the pledge() sandbox...