Isolation

• Filesystem
• chroot() barrier
• Filesystem Namespaces - private mount tables!
• Immutable enhancement - Immulink for secure, mutable hardlinks between vservers
• Networking
• ip4root - restrict network to list of IPv4s
• ngnet - private network stack for fully custom interfaces
• Capabilities - you're not such a "super" superuser anymore
• no raw sockets
• can't create device nodes
• can't power off the system
• etc
• IPC
• in general, no inter-context IPC
• context 0 can send signals to processes in any context
• context 1 can see all processes
• /proc filtering to be sure some driver doesn't ruin your day