Improvements to the sandbox and supervisor machinery itself.
- We should be able to sandbox any arbitrary container, not just containers specifically configured for OpenShell.
- Drop elevated privileges such as CAP_SYS_ADMIN for running the supervisor.
- Support different topologies such as running the supervisor simply as a network proxy.
- Implement various isolation backends.
- Configure Sandboxes with driver-specific properties.