Track what mozilla is doing with their sandboxing efforts.
https://wiki.mozilla.org/Security/Sandbox is where their sandboxing efforts are. The goal of our sandboxing should be to augment such things, and not replace them.
Skimming the Linux stuff it looks like they want to use seccomp-bpf and namespaces with USER_NS. Life will get interesting/horrifying once non-USER_NS namespaces enter the picture, but till then, it's probably manageable.