Currently we don't enforce permission restrictions on new processes. We should, by default, have a method to deny all network, filesystem, and any other syscalls on both Linux and Windows, with the ability to turn this on or off on a per-module basis.