alt Hacker News> Been working on a derviative which hooks the VFS to allow dynamically remapping file paths on a per process basis so I can force badly behaved apps to load custom TLS certificates (looking at you Bazil builds in nixpkgs).
chroot or namespaces/containers?
Well he said nix so it's probably hardcoded to load from the store. Tampering with the store itself might have unintended consequences if anything else references the same certificate package.