current kernel allows unmount even if after rfork m. this feature makes sandboxing difficult. can anyone explain this feature is necessary?