Allowing individual syscalls is the sandbox standard today on BSDs and opt-in on Linux. The project has some issues, but being too restrictive is not one.