sandbox@gentoo.org Sandbox Maintainers Enable NO_NEW_PRIVS which blocks set*id programs from gaining privileges (e.g. sudo) proj/sandbox gentoo/sandbox