[$] A sandbox mode for the kernel
The Linux kernel follows a monolithic design, and that brings a well-knownproblem: all code in the kernel has access to the entirety of the kernel'saddress space. As a result, a bug in (for example) an obscure driver maywell be exploitable to wreak havoc on core-kernel data structures. Variousattempts have been made over the years to increase the degree of isolationwithin the kernel. The latest of these, "SandBoxMode" proposed by Petr Tesaik, makes it possible for the kernel to runsome limited code safely, but it has encountered a bit of a chilly reception.