Capsicum seems so useful, but some of the boundaries are so rigid. As far as I could tell, you can't capsicum anything like a TLS terminator or HTTP proxy etc., because there's no way to allow opening new sockets after entering capability mode; you could have another process open up the sockets and pass the FD, but if I'm writing both the sandboxed process and the one that opens sockets, I'm not sure it makes enough difference. I ended up with jails instead; being stuck in a chroot with only a static executable, a config file, and a log file felt good enough to me.
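The broker pattern the comment mentions, as an added example that is not from this thread: one process opens the socket and hands it over a unix socket with SCM_RIGHTS, and the sandboxed worker receives it after entering capability mode, so no new socket is ever created inside the sandbox. Written in C against the POSIX socket API; cap_enter() is FreeBSD's real Capsicum call, while the non-FreeBSD stub and the single-process socketpair() demo are assumptions made so it runs on other systems.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>      /* cap_enter() */
#else
#define cap_enter() 0          /* assumption: off FreeBSD the sandbox entry is a no-op */
#endif

/* Control-message buffer sized for exactly one descriptor. */
union fdcmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Broker side: hand an already-open descriptor to the worker over a unix socket. */
int send_fd(int chan, int fd) {
    char byte = 'F'; struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdcmsg u; memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Worker side: receive a descriptor. This stays legal in capability mode because
 * nothing is looked up by global name; the kernel delivers an existing object. */
int recv_fd(int chan) {
    char byte; struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdcmsg u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* One-process demo (constructed): conn[] stands in for a client connection only the
 * broker could create; the worker enters capability mode, then receives and uses it.
 * Returns the number of bytes the worker read through the passed fd, 5 on success. */
int demo(void) {
    int chan[2], conn[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) || socketpair(AF_UNIX, SOCK_STREAM, 0, conn)) return -1;
    if (send_fd(chan[0], conn[1]) < 0 || cap_enter() < 0) return -1;
    int got = recv_fd(chan[1]);
    if (got < 0 || write(conn[0], "hello", 5) != 5) return -1;
    char buf[8];
    return (int)read(got, buf, sizeof buf);
}
```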
It’s rigid, because it implements a security architecture (capability-based security) instead of providing a mechanism to implement random restrictions.