Confine services in a limited environment

 Compartment was designed to allow safe execution of privileged and/or
 untrusted executables and services. It can execute a process:
  - Setting specific Linux capabilities
  - Chrooting it to a certain location
  - setting the user or group it will run with
  - running a program before it is executed
 These features can be used to minimize the risk of a trojanized or vulnerable
 program/service.