Closed
Description
Make use of namespaces(7) to harden Cloud Hypervisor's security.
Firecracker uses a separate program called jailer. Virtiofsd uses unshare directly in the main program. CrosVM uses https://google.github.io/minijail/.
Chromium's sandboxing document: https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md
I think using a separate program is better, because it reduces the complexity of Cloud Hypervisor and can often be more flexible.