torsocks could support ptrace sandboxing
pros:
- 'fixes' SIP, suid, caps
- fixes static binaries
cons:
- kind of a pain to implement
- DNS would require actual parsing, which is apparently a hard problem even for 'minimal' implementations: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html. I think an initial hybrid implementation could punt on this, and it would still fix the ugly hack of hardcoding SIP paths.
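To make the DNS con concrete, here is an added example (not torsocks code and not part of the original ticket) of the minimum a tracer would have to parse: the question name of a query, with every length checked against the buffer. The function name dns_query_name and the sample packet are hypothetical, and it assumes the datagram has already been copied out of the traced process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Extract the question name from an untrusted DNS query (RFC 1035 wire
 * format) as a dotted, NUL-terminated string. Returns the name length,
 * or -1 on anything malformed. Hypothetical helper, not a torsocks API. */
int dns_query_name(const uint8_t *pkt, size_t len, char *out, size_t outsz)
{
    size_t pos = 12, o = 0;                 /* header is a fixed 12 bytes */

    if (len < 12 || outsz == 0)
        return -1;
    if (pkt[2] & 0x80)                      /* QR set: a response, not a query */
        return -1;
    if (((pkt[4] << 8) | pkt[5]) != 1)      /* QDCOUNT must be exactly 1 */
        return -1;
    for (;;) {
        if (pos >= len)
            return -1;                      /* no root label before the end */
        uint8_t l = pkt[pos++];
        if (l == 0)
            break;                          /* root label ends the name */
        if (l & 0xC0)
            return -1;                      /* compression pointer or reserved type */
        if (l > len - pos)
            return -1;                      /* label runs past the packet */
        if (o + 1 + l > 253 || o + 1 + l + 1 > outsz)
            return -1;                      /* name too long for DNS or for out */
        if (o)
            out[o++] = '.';
        for (uint8_t i = 0; i < l; i++) {
            uint8_t c = pkt[pos + i];
            if (c == '.' || c < 0x21 || c > 0x7e)
                return -1;                  /* keep the dotted form unambiguous */
            out[o++] = (char)c;
        }
        pos += l;
    }
    if (len - pos < 4)
        return -1;                          /* QTYPE and QCLASS must follow */
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: an A query for example.com */
    const uint8_t q[] = {0x12,0x34,0x01,0x00,0,1,0,0,0,0,0,0, 7,'e','x','a','m','p','l','e',
                         3,'c','o','m',0, 0,1,0,1};
    char name[256];
    printf("%d %s\n", dns_query_name(q, sizeof q, name, sizeof name), name);
    return 0;
}
```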