After we enable basic containerization in #46, we should extend this to allowing a particular module access to just a particular part of the filesystem, or to a specific IP address range or domain, and have this be configurable in the module configuration. This must function identically on Linux and Windows, but will have to be implemented using completely different techniques.