binpash / try

Inspect a command's effects before modifying your live system

Hardened mode?

ezrizhu opened this issue · comments

Perhaps a flag for a hardened mode which uses a separate network stack and only exposes some /dev files (e.g., null, (u)random, zero).

Something that makes sudo ./try rm -rf / not affect the host system.

I think we shouldn't call anything try does 'hardened', because that seems to make a security claim we're not really going to be able to back up.

But I think there are good moves to make in this direction:

  • We should have tests that do really risky things (in CI).

  • We should by default only be mapping the safe /dev files I outlined before.

  • I don't think the separate network stack is super material here, though having a flag to turn off network access makes sense.

All of this has been done except for #127.