Posts: 245 | Thanked: 915 times | Joined on Feb 2012
#41
I released aegisctl earlier today - this should be useful for running things as root inside the chroot environment.

Run aegisctl -s,+r, then assert CAP::* and UID::root on the root launcher script (make sure that this can't be used as a privilege escalation for non-root users). You might want to consider narrowing down the privileges from full root access - for example, the chroot probably shouldn't be messing with the entire system's iptables rules (via CAP::net_admin).

This system is probably going to need a new name, since the OM part of HARMCHOM isn't needed anymore.
 

The Following 3 Users Say Thank You to itsnotabigtruck For This Useful Post: