Even more serious: file


tame() started as side-project after Nicholas Marriott
wrote a new file command

New command is priv-seperated, using systrace() for security
Very complicated...  exposed the need for a simpler mechanism

parent opens files, FD-passes them to child, child runs in constrained
environment

systrace sandbox: 300 lines of code.  But the tame() sandbox...