pkgs/sandbox: Add UTS/PID/IPC namespacing

In order to isolate processes even further it's a good idea to not let
them access information about other PIDs, eg. by enumerating /proc.

However, this still bind-mounts /sys from the root namespace, so we
might want to restrict /sys further. For our games however we will need
/sys because it is used to enumerate gamepads and other input devices.

Currently the processes will now be PID 1. I've tested this against a
few games and none of them had problems with that so far, so let's keep
it that way.

Another thing we might want to add and which currently isn't there is a
subreaper, which is useful if we have a process that leaves zombie
processes around.

Signed-off-by: aszlig <aszlig@nix.build>

0 files changed, 0 insertions, 0 deletions