
I'm a little disappointed after reading the page. I had hoped it would do more and require no manual configuration. It uses chroot and says that it will autodetect library dependencies. That's great, but what about dlopen()'ed libraries? You can't detect those. What about data files? Can't detect those either. You'll have to manually specify them as dependencies.


You could handle dlopen() by:

- have parent isolate process monitor a dir in the chroot env. If it sees a file appear (with no .tmp suffix) it adds any .so files which are listed in the file (one per line) then removes the file

- set a LD_PRELOAD shim in the child process to hook dlopen() to write the filename to a .tmp file in the monitored dir (and then flush/close/rename/loops until file gone, then loads the .so)

Protecting data files is part of the point. You could try hooking some open/stat calls via LD_PRELOAD and make them available in the chroot if they are world-readable I guess.
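The handshake proposed in the comment above, written out in C as an added example (not code from the thread or from the project it discusses). The `REQ_DIR` path, the `.req` suffix for completed requests, the `BUILD_SHIM` macro and the function names are assumptions made for illustration. The parent treats each listed path as untrusted input from the jailed child and rejects anything containing `..`.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define REQ_DIR "/.isolate-req" /* assumed: monitored dir as seen inside the chroot */
/* Child: write <pid>.tmp, then rename() so the parent only sees complete files. */
int post_request(const char *dir, const char *lib, char *fin, size_t n) {
    char tmp[512];
    snprintf(tmp, sizeof tmp, "%s/%d.tmp", dir, (int)getpid());
    snprintf(fin, n, "%s/%d.req", dir, (int)getpid());
    FILE *f = fopen(tmp, "w");
    if (!f) return -1;
    fprintf(f, "%s\n", lib);
    return fclose(f) == 0 ? rename(tmp, fin) : -1;
}
/* Parent: one scan. Copies each acceptable .so path to out[], removes the file. */
int service_requests(const char *dir, char out[][512], int max) {
    char path[1024], line[512];
    struct dirent *e;
    int n = 0;
    DIR *d = opendir(dir);
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        const char *dot = strrchr(e->d_name, '.');
        if (!dot || strcmp(dot, ".req") != 0) continue; /* skips ".", "..", *.tmp */
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        while (fgets(line, sizeof line, f)) {
            line[strcspn(line, "\n")] = '\0';
            if (strstr(line, ".so") && !strstr(line, "..") && n < max)
                snprintf(out[n++], 512, "%s", line);
        }
        fclose(f);
        unlink(path); /* removal is the go-ahead the child is polling for */
    }
    closedir(d);
    return n;
}
#ifdef BUILD_SHIM /* cc -shared -fPIC -DBUILD_SHIM shim.c -o shim.so, then LD_PRELOAD */
void *dlopen(const char *file, int flags) {
    void *(*real)(const char *, int) = (void *(*)(const char *, int))dlsym(RTLD_NEXT, "dlopen");
    char fin[512];
    if (file && post_request(REQ_DIR, file, fin, sizeof fin) == 0)
        while (access(fin, F_OK) == 0) usleep(1000); /* loop until parent removes it */
    return real(file, flags);
}
#endif
```

Because the wrapper becomes the caller of the real `dlopen()`, lookups that depend on the calling object's RUNPATH can resolve differently than in the unhooked program. The pid-based file name also assumes one `dlopen()` in flight per process.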



