firejail

Firejail is a SUID security sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications using
Linux namespaces. It allows a process and all its descendants to have their own
private view of the globally shared kernel resources, such as the network stack,
process table, mount table.

Firejail can sandbox any type of processes: servers, graphical applications, and
even user login sessions. Written in C with virtually no dependencies, it should
work on any Linux computer with a 3.x kernel version.