Constant ENV_SECURITY_PROFILE 

pub const ENV_SECURITY_PROFILE: &str = "MSB_SECURITY_PROFILE";

Environment variable carrying the sandbox in-guest security profile.

Values:

  • default — preserve normal guest-root semantics. Exec sessions do not set no_new_privs and keep CAP_SYS_ADMIN.
  • restricted — set no_new_privs and drop CAP_SYS_ADMIN before user exec sessions. Agentd also forces nosuid,nodev on user mounts.

Example:

  • MSB_SECURITY_PROFILE=restricted
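
One way to confirm from inside the guest that restricted took effect is to compare /proc/self/status and /proc/mounts against the behaviour listed above. This is an added example, not code from the project. It assumes "drop CAP_SYS_ADMIN" is observable in the effective set (CapEff) and uses /workspace as a hypothetical user mount; all sample text is constructed.

```rust
// Added example: audit a process against the documented `restricted` profile.
// All sample text below is constructed; /workspace is a hypothetical user mount.
const CAP_SYS_ADMIN_BIT: u64 = 1 << 21; // CAP_SYS_ADMIN is capability 21 on Linux

/// Read one "Key:\tvalue" field from /proc/<pid>/status text.
fn status_field<'a>(status: &'a str, key: &str) -> Option<&'a str> {
    status.lines().find_map(|l| {
        let (k, v) = l.split_once(':')?;
        (k.trim() == key).then(|| v.trim())
    })
}

/// True if `mount_point` appears in /proc/mounts text with both nosuid and nodev.
fn mount_hardened(mounts: &str, mount_point: &str) -> bool {
    mounts.lines().any(|l| {
        let f: Vec<&str> = l.split_whitespace().collect();
        f.len() >= 4 && f[1] == mount_point && {
            let opts: Vec<&str> = f[3].split(',').collect();
            opts.contains(&"nosuid") && opts.contains(&"nodev")
        }
    })
}

/// List every way the observed state contradicts `restricted`. Empty means it matches.
pub fn restricted_violations(status: &str, mounts: &str, user_mount: &str) -> Vec<&'static str> {
    let mut out = Vec::new();
    if status_field(status, "NoNewPrivs") != Some("1") {
        out.push("no_new_privs is not set");
    }
    // Assumption: check the effective set. Missing or unparsable CapEff fails closed.
    match status_field(status, "CapEff").and_then(|h| u64::from_str_radix(h, 16).ok()) {
        Some(caps) if caps & CAP_SYS_ADMIN_BIT == 0 => {}
        _ => out.push("CAP_SYS_ADMIN not confirmed dropped from the effective set"),
    }
    if !mount_hardened(mounts, user_mount) {
        out.push("user mount lacks nosuid,nodev");
    }
    out
}

const STATUS_DEFAULT: &str = "Name:\tsh\nNoNewPrivs:\t0\nCapEff:\t000001ffffffffff\n";
const STATUS_RESTRICTED: &str = "Name:\tsh\nNoNewPrivs:\t1\nCapEff:\t000001ffffdfffff\n";
const MOUNTS_DEFAULT: &str = "/dev/vdb /workspace ext4 rw,relatime 0 0\n";
const MOUNTS_RESTRICTED: &str = "/dev/vdb /workspace ext4 rw,nosuid,nodev,relatime 0 0\n";

fn main() {
    println!("{:?}", restricted_violations(STATUS_RESTRICTED, MOUNTS_RESTRICTED, "/workspace"));
    println!("{:?}", restricted_violations(STATUS_DEFAULT, MOUNTS_DEFAULT, "/workspace"));
}
```

In a live guest, pass the contents of /proc/self/status and /proc/mounts read from within the exec session being audited.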