
You might well be able to implement tame() entirely in userspace using seccomp-bpf.


And that wouldn't be a bad thing; seccomp could do with a simpler user interface (in addition to the current, more powerful one).


You can almost do it, but you can't whitelist paths. Luckily, none of the hard-wired paths is particularly compelling. With either feature, you end up needing a multi-process architecture as soon as you want to allow access to certain paths in a sandbox. It's just that tame hard-wired a few used by the base system, but they aren't generally useful outside of it.



