Google Summer of Code/2020/Ideas/FUSE-powered sandbox
Gentoo sandbox is a cheap hack that aims to detect when ebuilds access locations they aren't supposed to reach. It is implemented as an LD_PRELOAD library, which generally makes it a bit of a hack. It is imperfect, sometimes requires hacks to stop it breaking other software, and sometimes needs to be disabled outright.
I've proposed in the past to reimplement it as an overlay-like filesystem using FUSE but never found time to work on it. The idea is rather simple: create a basic FUSE filesystem that wraps access to the root filesystem, add access control on top of it, and add IPC to make it possible to edit access lists dynamically. Integrate everything into Portage so it can be used in place of the old sandbox.
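As an added example (not code from sandbox or Portage), here is one way the access-list check behind such a FUSE layer could look: write-type handlers would call `acl_check_write`, and the IPC handler would call `acl_set` / `acl_remove` to edit the list at runtime. All function names, the write-only default-deny policy and the sample paths are assumptions; paths are assumed to arrive absolute and already normalized.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define MAX_RULES 32
#define MAX_PREFIX 256

/* One access-list entry: a directory prefix and whether writes below it are allowed. */
struct rule { char prefix[MAX_PREFIX]; int allow_write; };
static struct rule rules[MAX_RULES];
static int nrules;

/* Add or update a rule; a (hypothetical) IPC request handler would call this. */
int acl_set(const char *prefix, int allow_write) {
    size_t n = strlen(prefix);
    if (n == 0 || n >= MAX_PREFIX || prefix[0] != '/' || (n > 1 && prefix[n - 1] == '/'))
        return -EINVAL;                       /* absolute, no trailing slash */
    for (int i = 0; i < nrules; i++)
        if (strcmp(rules[i].prefix, prefix) == 0) { rules[i].allow_write = allow_write; return 0; }
    if (nrules == MAX_RULES) return -ENOSPC;
    memcpy(rules[nrules].prefix, prefix, n + 1);
    rules[nrules++].allow_write = allow_write;
    return 0;
}

/* Remove a rule at runtime; -ENOENT if it was never set. */
int acl_remove(const char *prefix) {
    for (int i = 0; i < nrules; i++)
        if (strcmp(rules[i].prefix, prefix) == 0) { rules[i] = rules[--nrules]; return 0; }
    return -ENOENT;
}

/* Length of prefix if it covers path on a component boundary, else 0.
 * The boundary test keeps /var/tmp/portage from matching /var/tmp/portage-evil. */
static size_t covers(const char *prefix, const char *path) {
    size_t n = strlen(prefix);
    if (strncmp(prefix, path, n) != 0) return 0;
    return (n == 1 || path[n] == '\0' || path[n] == '/') ? n : 0;
}

/* Decision for a write-type operation: 0 or -EACCES.
 * The longest matching prefix wins; with no matching rule the write is denied. */
int acl_check_write(const char *path) {
    size_t best = 0; int allow = 0;
    for (int i = 0; i < nrules; i++) {
        size_t n = covers(rules[i].prefix, path);
        if (n > best) { best = n; allow = rules[i].allow_write; }
    }
    return allow ? 0 : -EACCES;
}

int main(void) {                              /* constructed sample paths */
    acl_set("/", 0); acl_set("/var/tmp/portage", 1);
    printf("%d %d\n", acl_check_write("/var/tmp/portage/work/a.o"), acl_check_write("/etc/passwd"));
    return 0;
}
```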