Hacker News

Awesome! I was just reading about pledge. I think I need to find some time to play around with it. Right now, there's a lot of interest in using WASM as a sandbox for untrusted code, but pledge looks easier to use and more versatile (you don't need any kind of WASM compatibility, just a binary to run).



Offline WASM runtimes like Wasmtime are pretty cool, however I'd call SECCOMP BPF with Landlock LSM a shining beacon of light. The problem is that (1) coding BPF assembly has always been terrifying to the uninitiated and (2) Landlock LSM only came out in the past year. I believe pledge.com is the first tool that makes using both these Linux security tools together universally accessible for everyone. Be sure to run a bleeding edge Linux kernel if you use the `-v PATH` flag. If you're running an older kernel, then the pledge.com command will treat unveiling as a no-op in the interest of compatibility. I use Landlock LSM on my desktop, which runs Alpine Linux 5.15.74-0-lts. I also use Landlock in production on GCE, but I needed to `apt install linux-image-5.18.0-0.deb11.4-cloud-amd64` in order for it to work.
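An added example, not part of the thread and not pledge.com's own code: since unveiling is described above as a no-op on kernels without Landlock, this pre-flight probe asks the running kernel for its Landlock ABI version so a wrapper script can fail closed instead of running without path restrictions. The names `ll_classify` and `ll_probe` are hypothetical; the version query itself is the documented `landlock_create_ruleset` call with the `LANDLOCK_CREATE_RULESET_VERSION` flag.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks so this builds with headers that predate Landlock.
 * 444 is the syscall number on x86-64 and arm64. */
#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif

enum ll_status { LL_OK, LL_NO_KERNEL_SUPPORT, LL_DISABLED_AT_BOOT, LL_ERROR };

/* Map the probe result to a status. abi is the syscall return value,
 * err is errno captured right after the call. */
static enum ll_status ll_classify(long abi, int err)
{
    if (abi >= 1)
        return LL_OK;                  /* ABI version: path rules can be enforced */
    if (err == ENOSYS)
        return LL_NO_KERNEL_SUPPORT;   /* kernel too old or built without Landlock */
    if (err == EOPNOTSUPP)
        return LL_DISABLED_AT_BOOT;    /* compiled in, but not in the active LSM list */
    return LL_ERROR;                   /* e.g. blocked by an outer seccomp filter */
}

/* Ask the running kernel for its Landlock ABI version; no ruleset is created. */
static enum ll_status ll_probe(long *abi_out)
{
    errno = 0;
    long abi = syscall(SYS_landlock_create_ruleset, NULL, (size_t)0,
                       LANDLOCK_CREATE_RULESET_VERSION);
    int err = errno;
    if (abi_out)
        *abi_out = abi;
    return ll_classify(abi, err);
}

int main(void)
{
    static const char *const msg[] = { "available", "not supported by this kernel",
                                       "disabled at boot", "probe failed" };
    long abi = -1;
    enum ll_status st = ll_probe(&abi);
    printf("landlock: %s (abi=%ld)\n", msg[st], abi);
    return st == LL_OK ? 0 : 1;        /* non-zero: do not rely on path restrictions */
}
```

The non-zero exit status lets a launcher refuse to start a workload whose isolation depends on path restrictions when the kernel cannot enforce them.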



