Perfect? No. Since this is a mitigation technology, it can never be complete.

Should be measured by:

1. Is it easy to reason about?
2. Can regular programmers use it?
3. Does it influence programmers to create better code?
   a. Does it encourage use of priv-sep / priv-drop in new development or refactorings?
4. Does it cover most cases?
5. Does it avoid giving false promises?
6. Can it fit into existing sandbox use cases (i.e. sshd pre-auth)?
7. Does it expose pre-existing bugs?
8. OpenBSD only -- this is not a stable interface! (In theory, someone smart could match this API on seccomp.)