Instance-level setting to enforce nsjail sandboxing across all jobs, and per-script #sandbox annotation for bash scripts.
New features
- job_isolation instance setting with nsjail_sandboxing value to enforce sandboxing for all jobs.
- Sandboxing is enabled when either job_isolation is set or DISABLE_NSJAIL=false.
- #sandbox bash annotation to enable sandboxing for individual bash scripts.
- Nsjail is always probed at startup, regardless of the DISABLE_NSJAIL setting.