Task Sandboxing

[lihaoyi]

Bazel restricts tasks being run to their given work directory: using sandbox-exec on OS-X, and LXC Containers on Linux. This is extremely useful to ensure that

• Badly-configured builds don't "accidentally" pass due to stale state lying around the filesystem
• Those builds don't fail mysteriously when that stale state is removed
• The presence of stale state doesn't cause other builds to fail mysteriously

We can do the same thing, at least to a best effort: using Java SecurityManagers to limit file access in Mill JVM code, and forcing people to use a "blessed" subprocess interface that restricts subprocesses using the same OS tools that Bazel uses.

Builds becoming brittle because parts of it accidentally/implicitly depend on other parts that "have to"/"have always been" run before-hand is a common problem, and this would fix it.

[lihaoyi]

#3347 and #3367 do a best effort job here. Even though it doesn't go as extreme as containerization, at least it prevents you from doing the wrong thing unless you actively work to do so