too bad you can't do it from within the application itself. some of the security-related system calls (e.g. unshare) expect the application to be single-threaded or at least require acute awareness of threading. go's automatic threading makes this difficult.