Understand design choices of nsjail and improvements

[Alessandro Mantovani]

Hello ,

I and my team are actively working on a sandbox project which is originally inspired from the bazel sandbox but turns out to be really similar to nsjail too. Our goal is running build processes (like Android OS or more custom ones) inside our sandbox. We have few questions:

1) We have seen that few steps of the Android build already leverage nsjail, but only a minor part. Do you think it'd be possible to have the whole Android build running inside nsjail (assuming the sync steps that download the code to be executed out of the sandbox)? 

2) One of the changes we have done was to have an overlay filesystem for certain directories, instead of a read-only fs that in some cases might be a limitation. Do you think this change makes sense? Would you be interested in a PR ? 

3) Maybe a little out of topic, but what are the major roadblocks that you guys are experiencing/have experienced for sandboxing complex builds such as Android ? 

Thanks,

Alessandro