Isolation

• Filesystem
• chroot() barrier
• Filesystem Namespaces - private mount tables!
• Immutable enhancement - Immulink for secure, mutable hardlinks between vservers
• Networking
• ip4root - restrict network to list of IPv4s
• ngnet - private network stack for fully custom interfaces
• Capabilities - you're not such a "super" superuser anymore
• no raw sockets
• can't create device nodes
• can't power off the system
• etc