Previously we bwrap-ed the whole our.rb script. In this commit we switch
it so that our.rb is run outside of bwrap, but every user command it
executes is done inside bwrap. This allows us to use bwrap's
"--die-with-parent" (along with "--unshare-pid") to kill off any forked
processes when the parent processes is killed due to a timeout.
Stef Dunlap