bubblewrap
/usr/bin/bwrap should be immutable and have 4111 permissions
This ensures that no process can overwrite it unless it has CAP_LINUX_IMMUTABLE, which helps protect against /proc/self/exe vulnerabilities. That said, Mandatory Access Control (such as SELinux, AppArmor, or SMACK) is probably a better way to prevent these attacks. Also, bwrap has legitimate uses other than sandboxing: it can be used purely to virtualize the filesystem, for example.
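
A way to audit a host for the two properties proposed above, as an added example that is not part of the original page or of the bubblewrap project. The function names `bwrap_findings` and `audit_bwrap` are hypothetical, and the script assumes GNU `stat` and e2fsprogs `lsattr` are installed.

```shell
#!/bin/sh
# Added example: check a bwrap binary for mode 4111 and the immutable attribute.
# Usage (as root): audit_bwrap /usr/bin/bwrap

# bwrap_findings MODE ATTRS
#   MODE  octal mode as printed by `stat -c %a` (e.g. 4111)
#   ATTRS attribute field as printed by `lsattr -d`, or empty if unreadable
# Prints one line per deviation; the return status is the number of deviations.
bwrap_findings() {
    mode=$1 attrs=$2 n=0
    if [ "$mode" != "4111" ]; then
        echo "mode is $mode, expected 4111 (setuid, execute-only)"
        n=$((n + 1))
    fi
    case $attrs in
        '')  echo "immutable attribute could not be read"
             n=$((n + 1)) ;;
        *i*) ;;  # lowercase i = immutable; clearing it needs CAP_LINUX_IMMUTABLE
        *)   echo "immutable attribute not set (chattr +i)"
             n=$((n + 1)) ;;
    esac
    return "$n"
}

# audit_bwrap [PATH]
# Collects the real values for PATH (default /usr/bin/bwrap) and evaluates them.
# Returns 3 if the file cannot be examined at all.
audit_bwrap() {
    path=${1:-/usr/bin/bwrap}
    mode=$(stat -c %a -- "$path" 2>/dev/null) || {
        echo "cannot stat $path"
        return 3
    }
    # lsattr must open the file for reading, which mode 4111 grants to no one
    # but root, and it fails on filesystems without attribute support. Either
    # case leaves attrs empty and is reported rather than treated as a pass.
    attrs=$(lsattr -d -- "$path" 2>/dev/null | awk '{print $1}')
    bwrap_findings "$mode" "$attrs"
}
```

A status of 0 means both properties hold; any other status comes with a line on standard output naming what deviates.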