Sandstorm

Sandstorm uses the same Linux kernel features that Docker uses for containerization. The main things are attack surface reduction and designing a platform API that's actually sandboxable. On sandstorm, we drastically reduce the Linux API by using set comp Bpf to disable a lot of system calls. We don't mount Prox FS, we don't mountsys FS, those are huge interfaces that are not very well reviewed.