restricted execution

erlang@REDACTED
Wed Jun 11 01:54:31 CEST 2003


First: thank you very much for being so helpful :)

> The essence of the answer is to ensure that the "untrusted" erlang node is
> forced to use a (more) trusted node to mediate all external communications
> to ensure it conforms to your policy. As it stands I don't believe the
> current OTP erlang nodes make it easy to do this (though by running the
> untrusted node in a chroot jail and seriously constraining its environment
> you could probably hack it up).

Actually, environment constraints are feasible in my envisioned application.
I can almost certainly use a read-only filesystem, and only have network
connectivity to other erlang-using machines, hence no generalised internet
access (unless mediated by a trusted erlang node).  The hard part is 
forcing other erlang nodes into not honouring spawn commands, but still
accepting ordinary messages.

As I understand it, if I can guarantee the host's behaviour, then
constraining the behaviour of other erlang nodes requires messing around
with the net_kernel?
 
[snip reference to interesting paper]

The only other alternative that I really see is pretty much implementation
of a virtual machine... which might actually be the easier answer.
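One concrete shape of the "trusted node mediates everything" design discussed above, as an added illustration that is not from this thread or from OTP itself: instead of letting the untrusted node join the distribution cluster (where every connected node honours remote spawn and rpc), the trusted node speaks to it over a plain TCP socket, decodes each term with `binary_to_term/2` and the `safe` option, and forwards only messages matching a whitelisted shape to a registry of local processes. The module name `mediator`, the `{msg, Dest, Payload}` wire shape and the registry map are assumptions chosen for this example; the socket options and `safe` are standard OTP.

```erlang
%% Added example (not from the original thread): a trusted-node gateway that
%% accepts terms from an untrusted peer over raw TCP rather than Erlang
%% distribution. The peer can deliver ordinary data messages but has no
%% channel through which spawn, rpc or net_kernel requests could be issued.
-module(mediator).
-export([start/2, handle_term/2, decode/1]).

%% Whitelist of message shapes the untrusted peer may send (assumed wire
%% format for this example). Registry maps an atom name to a local pid;
%% anything that does not match is dropped rather than interpreted.
handle_term({msg, Dest, Payload}, Registry) when is_atom(Dest) ->
    case maps:find(Dest, Registry) of
        {ok, Pid} ->
            Pid ! {from_untrusted, Payload},
            {forwarded, Dest};
        error ->
            {rejected, unknown_dest}
    end;
handle_term(_Other, _Registry) ->
    {rejected, not_allowed}.

%% 'safe' makes binary_to_term fail with badarg on terms that would create
%% new atoms, funs or external references, so the peer cannot exhaust the
%% atom table or smuggle in a fun that the trusted side might later apply.
decode(Bin) ->
    try
        {ok, binary_to_term(Bin, [safe])}
    catch
        error:badarg -> {error, unsafe_term}
    end.

%% Listen on Port; each accepted connection is served by its own process.
start(Port, Registry) ->
    {ok, LSock} = gen_tcp:listen(Port, [binary, {packet, 4},
                                        {active, false}, {reuseaddr, true}]),
    spawn_link(fun() -> accept_loop(LSock, Registry) end).

accept_loop(LSock, Registry) ->
    {ok, Sock} = gen_tcp:accept(LSock),
    spawn(fun() -> serve(Sock, Registry) end),
    accept_loop(LSock, Registry).

%% One length-prefixed frame per term; reply with the mediation decision so
%% the peer learns only forwarded/rejected, never anything about the cluster.
serve(Sock, Registry) ->
    case gen_tcp:recv(Sock, 0) of
        {ok, Bin} ->
            Result = case decode(Bin) of
                         {ok, Term}  -> handle_term(Term, Registry);
                         {error, R}  -> {rejected, R}
                     end,
            ok = gen_tcp:send(Sock, term_to_binary(Result)),
            serve(Sock, Registry);
        {error, closed} ->
            ok
    end.
```

The point of the design is that the policy lives entirely in `handle_term/2` on the trusted side: the untrusted machine never holds a distribution cookie, so there is no `net_kernel` behaviour to override, and every term it sends is data that is pattern-matched, never evaluated. Because `safe` rejects atoms that do not already exist in the trusted node's atom table, the `Dest` names in the registry should be created (e.g. by building the map) before the listener starts.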



More information about the erlang-questions mailing list