What does HackerNews think of nsjail?
A light-weight process isolation tool, making use of Linux namespaces and seccomp-bpf syscall filters (with help of the kafel bpf language)
Language:
C++
There is also https://github.com/google/nsjail
Google's nsjail (https://github.com/google/nsjail) has a nice "inetd style" mode where it can launch a sandboxed process in response to a TCP connection for similar use cases to this (and is relatively quick to fire up).
Good to read that you're feeling similar, and thank you for the pointer; going to check it out.
Sadly this thread never gained traction, but I'd love to read more discussion about this: https://news.ycombinator.com/item?id=13838596
(Link for convenience for others) https://github.com/google/nsjail
Here's your cool, lightweight and easily configurable sandbox - https://github.com/google/nsjail
You should try using nsjail, which makes using namespaces and seccomp-bpf easy. It's very simple, it's made to wrap existing programs with a single command line invocation. Done and done.