torsocks could support ptrace sandboxing
pros:
- 'fixes' SIP, suid, caps
- fixes static binaries
cons:
- kind of a pain to implement
- DNS would require actual parsing, which is apparently a hard problem even for 'minimal' implementations: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html. I think an initial hybrid implementation could punt on this, and it would still fix the ugly hack of hardcoding SIP paths.
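To make the DNS con concrete, here is an added example (not torsocks code) of the smallest parsing step a tracer would need: pulling the queried hostname out of a raw DNS query buffer with strict bounds checks. It assumes the tracer has already copied the outgoing datagram out of the tracee; `dns_query_name` and the sample buffers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Copy the single question name of a raw DNS query into `out` as a dotted
 * string. Returns its length, or -1 on any malformed input (hypothetical helper). */
int dns_query_name(const uint8_t *msg, size_t len, char *out, size_t outsz)
{
    if (!msg || !out || len < 12 || outsz == 0)
        return -1;                          /* header is 12 bytes */
    if (msg[2] & 0x80)
        return -1;                          /* QR bit set: a response, not a query */
    if (((msg[4] << 8) | msg[5]) != 1)
        return -1;                          /* QDCOUNT must be exactly 1 */
    size_t pos = 12, n = 0;
    for (;;) {
        if (pos >= len) return -1;          /* ran off the buffer before the root label */
        uint8_t l = msg[pos++];
        if (l == 0) break;                  /* root label ends the name */
        if (l > 63 || l > len - pos) return -1;   /* rejects 0xC0 pointers and overlong labels */
        if (n + l + 1 > 253 || n + l + 2 > outsz) return -1;
        if (n) out[n++] = '.';
        for (uint8_t i = 0; i < l; i++) {
            uint8_t c = msg[pos + i];
            if (c == 0 || c == '.') return -1;    /* would alter the name as a C string */
            out[n++] = (char)c;
        }
        pos += l;
    }
    if (len - pos < 4) return -1;           /* QTYPE and QCLASS must follow */
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample: query for example.com, type A, class IN. */
static const uint8_t sample_query[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,0x01, 0x00,0x01 };
/* Constructed sample: the name is a compression pointer to itself. */
static const uint8_t sample_loop[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01 };

int main(void) {
    char buf[256];
    int r = dns_query_name(sample_query, sizeof sample_query, buf, sizeof buf);
    printf("query: %d %s\n", r, r >= 0 ? buf : "(rejected)");
    printf("loop:  %d\n", dns_query_name(sample_loop, sizeof sample_loop, buf, sizeof buf));
    return 0;
}
```

This covers only the question section of a query; responses, compression pointers and DNS over TCP are rejected or out of scope here.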