There is rfork(RFNOMNT) which forbids a process (or its later children) from walking (therefore binding) anything in # except #{|decp} and from mounting anything, period. If you take a subtree of the file system, bind onto it what you want, bind the subtree onto '#/', and then rfork(RFNOMNT), you effectively sandbox a process. If we also disallowed unmounts, we could remove the restriction of a subtree. It would be nice if someone was willing to experiment a bit on what constituted a generally useful (and hopefully minimal) set of controls.

We also have the special group 'noworld' on the file server. Anyone in that group has no world (perm & 7) permissions to access files on the file server. It's an attempt from the file server side of protecting against accidental disclosure of files that certain groups of users shouldn't see.

For example, we have a bunch of astronomers that use our systems from the outside. They have signed no agreements with Lucent and are prohibited from seeing stuff belonging to anyone else here lest an accident occur. Their telnet, ftp, and ssh sessions are started in an RFNOMNT sandbox that binds in only the main file server and the outside network. They are also members of noworld so that they can't see files other than from their own group (and themselves).

I consider it a failed experiment mostly because it didn't last long enough. It did prove that RFNOMNT by itself wasn't enough. We couldn't just give them access to /bin and a few other directories because we just don't control well enough what goes into them. Instead we had to create a complete subworld that included the /bin, /lib, etc. files that they needed. The 'no world' was just a second protection in case our name space failed (because of bad implementations). It was a reasonable precaution since it was very possible to walk out of your circumscribed namespace before rob's last rewrite (and probably still is via some bug or other).
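The namespace construction the message describes (populate a subtree, bind it over the root, then rfork(RFNOMNT)), written out as an added rc script. It is not from the original message or from the Plan 9 distribution. The jail path /n/jail, its subdirectories (bin, lib, dev, env, fd, net, proc, usr), and the use of this machine's /net as "the outside network" are assumptions; the noworld group membership is set on the file server and is not shown here.

```rc
#!/bin/rc
# Added example, not from the original post: start a shell inside an
# RFNOMNT sandbox built from a prepared subtree ("subworld").
#
# Assumed: /n/jail is a complete subworld served by the main file server,
# with its own bin, lib, dev, env, fd, net, proc and usr directories, since
# RFNOMNT alone does not stop a process using whatever /bin and /lib hold.

rfork en                     # private namespace and env group; the
                             # caller's namespace is left untouched
jail=/n/jail
user=`{cat /dev/user}        # read before /dev is rebound below

# Kernel devices the jailed programs still need. They must be bound in
# now: after rfork(RFNOMNT) no bind or mount succeeds, and only
# #| #d #e #c #p may still be walked directly by name.
bind '#c' $jail/dev          # cons, null, user, ...
bind '#d' $jail/fd           # /fd
bind '#e' $jail/env          # /env
bind '#p' $jail/proc         # /proc

# The only outside service let in: the network. Assumed to be this
# machine's /net; a separate stack for the outside would be bound instead.
bind /net $jail/net

# Make the subtree the root. Binding onto '#/' is what the post describes;
# every absolute path from here on resolves inside $jail.
bind $jail '#/'

# Lock the namespace: no further mount/bind, no walking other # devices.
rfork m

cd /usr/$user
exec /bin/rc -i              # this is the jail's /bin/rc, not the host's
```

The order matters: every bind, including the one that replaces the root, happens before `rfork m`, because that flag makes bind and mount fail for this process and all of its descendants. Anything the jailed session is missing afterwards (a device, a service) cannot be added from inside, which is the point, but it also means the subworld has to be complete before the shell is exec'd.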