[$] Domesticating applications, OpenBSD style

One of the many approaches to improving system security consists ofreducing the attack surface of a given program by restricting the range ofsystem calls available to it. If an application has no need for access tothe network, say, then removing its ability to use the socket() systemcall should cause no loss in functionality while reducing the scope of themischief that can be made should that application be compromised. In theLinux world, this kind of sandboxing can be done using a security module orthe seccomp() system call. OpenBSD has lacked this capability sofar, but it may soon gain it via a somewhat different approach than hasbeen seen in Linux.