Directory binding options
NOTE: Unless –no-default-dirs is specified, the default set of directory rules binds /bin, /dev (with devices allowed), /lib, /lib64 (if it exists), and /usr.
It also binds the working directory to /box (read-write), mounts the proc filesystem at /proc, and creates a temporary directory /tmp.
Resource limits for isolate sandbox
All size-related items are in kilobytes (kB), time-related items are in seconds (s).
NOTE: use cgroups-related options first to control memory precisely.