Use fine-grained resource limits for each connection-handler process tree

[C0deH4cker]

After #32, we're now in a good state where resource exhaustion in a container won't affect the host. However, it will still affect connectivity to the challenge container. Ideally, each incoming connection will have a new child cgroup policy that limits the CPU/memory/PIDs available to something smaller than the container's limits.