Turning off the ability to use pipes and the environment means you pretty much can't run any programs. Turning off the ability to open /dev/fd doesn't really save anything, since you can always dup. The only ones that are really a problem are devproc and devcons. They are used for access to notes and to console i/o. They were left on since devcons protects itself, only the host owner can do anything important, and devproc needs to be linked in anyway so that stuff like notes works. Access to devproc needs to be rethought. I'm not sure of the right semantics, though.