This seems to map more to Chrome's Native Client/PPAPI than to anything like container virtualization: a reduced set of pretend syscalls that actually go to an interop library that talks to the host OS. It's just missing the "static analysis to ensure it only uses those syscalls" step.