Filesystem sandboxing isn't new. chroot() probably being the first example. There are others. but always "externally set" over the lifetime of the program, including the startup phases of the program. Effectively this means that often, you have to have a *lot* of things available to the program. Do "users" of the program know all the corner cases?