here’s the how it works - https://github.com/kentonv/sandstorm#how-it-works
it’s an lxc wrapper like docker. or perhaps an alternative to lxc using cgroups? but with more of an api to write against and an emphasis on “apps” (which seem to be visible in a browser?)
Sandstorm’s containerization directly uses the unshare system call (and others); there’s no dependency on lxc.
Yes, apps are currently accessible through a web interface.
Apps will be able to define their own APIs via Cap'n Proto intefaces. This will enable apps to work together in ways more interesting than those available to traditional web apps.
See also the discussion on Hacker News : https://news.ycombinator.com/item?id=7460828.