allowing individual syscall is the sandbox standard today on BSDs and optin on linux. project have some issues but being too restrictive is not one
allowing individual syscall is the sandbox standard today on BSDs and optin on linux. project have some issues but being too restrictive is not one