Service sandboxing #8
Description
Some services (e.g. nginx) don't support running in a chroot directly. For those services there should be options in the service configuration to set up a chroot (or preferably namespace & cgroup) jail.
Such services will need their own binary, their libraries, their configuration and possible some device nodes bind mounted into the jail.