# Linux mapping notes (draft)

## Isolation domains

- namespaces (pid, net, mount, user) + cgroups.

## Capabilities / sandbox

- seccomp for syscall filtering
- LSM (AppArmor/SELinux/Landlock) for policy enforcement
- ambient capabilities should be avoided; prefer explicit capability passing.

## Eventing

- epoll + structured logs
- optional auditd hooks

## Resource control

- cgroups for CPU/memory/IO
- accelerator scheduling will depend on driver/runtime stack
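
One way to check a running process against the Capabilities / sandbox notes above, added here as an example and not part of the original notes: it reads the `CapAmb`, `Seccomp` and `NoNewPrivs` fields of `/proc/<pid>/status` and reports a non-empty ambient set, a missing seccomp filter, or an unset no_new_privs flag. The function names and the sample status text are constructed for illustration.

```python
"""Audit one /proc/<pid>/status document for the sandbox properties above."""
import sys

# Capability names indexed by bit number (order of linux/capability.h).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()


def decode_caps(mask):
    """Turn a capability bitmask into names; unknown bits become cap_<n>."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"cap_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]


def audit_status(text):
    """Return a list of findings (empty when all three checks pass)."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    fields = {k.strip(): v.strip() for k, v in fields.items()}
    findings = []
    ambient = int(fields.get("CapAmb", "0"), 16)  # hex mask of the ambient set
    if ambient:
        findings.append("ambient capabilities set: " + ",".join(decode_caps(ambient)))
    if int(fields.get("Seccomp", "0")) == 0:  # 0 disabled, 1 strict, 2 filter
        findings.append("seccomp disabled (mode 0)")
    if fields.get("NoNewPrivs", "0") != "1":
        findings.append("no_new_privs not set")
    return findings


# Constructed sample (not captured from a real host): a service holding
# CAP_NET_BIND_SERVICE and CAP_NET_RAW in its ambient set, with no seccomp filter.
SAMPLE = """Name:\tdemo-service
CapEff:\t0000000000002400
CapAmb:\t0000000000002400
NoNewPrivs:\t0
Seccomp:\t0
"""

if __name__ == "__main__":
    path = f"/proc/{sys.argv[1]}/status" if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE
    for finding in audit_status(text) or ["no findings"]:
        print(finding)
```

Run with a PID as the only argument to audit a live process; with no argument it audits the embedded sample.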