I wish that instead of a patchwork of hacks like this we had a nice fundamental mechanism, e.g. capabilities exposed via a union file system (i.e. you make everything your process might want to access available via a file handle and run it in some chroot where you "mounted in" the things you want it to be able to touch; e.g. /bin has all the programs it can run, and network, window manager and process tree access is mapped to /net, /x and /proc, etc.).