Known problem: A lot of unsafe code. Open are ideas to mitigate this issue.

This is a big TODO. Which permissions can be reduced. Now we assume we are quite privileagued:

• We have all Linux kernel capabilities,
• The default seccomp profile is disabled,
• The default AppArmor profile is disabled,
• The default SELinux process label is disabled,
• all host devices are accessible,
• /sys is read-write,
• cgroups mount is read-write.