I have a significant number of untrusted binary applications that need to be executed on a *nix box.
I'm hoping that there might be some simple command/script (e.g. sandbox ./app1953) that could easily be used to isolate a single application from being able to harm or access the rest of the system (I only need access to stdin/stdout).
I'd rather not use full-blown virtual machines, as the overhead resulting from running thousands of copies of an OS is considerably larger than I'd like to consider.
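An added example, not part of the question or any answer: a Python wrapper built only on the standard library (subprocess and resource) that hands the program nothing but stdin/stdout, an empty working directory and a bare environment, and caps CPU time, address space, output size and process creation. The name run_sandboxed, the default limits and the optional `unshare -rn` prefix are assumptions; rlimits and fd hygiene contain resource abuse but are not a filesystem or network boundary, which needs namespaces or seccomp (bwrap, firejail, a container) on top.

```python
import os
import resource
import shutil
import signal
import subprocess
import tempfile

# Hypothetical wrapper (constructed example): run one untrusted binary with
# only stdin/stdout shared with the caller. Default limits are illustrative.
def run_sandboxed(argv, stdin_bytes=b"", timeout=5, cpu_seconds=2,
                  max_output=1 << 20, mem_bytes=2 << 30, use_unshare=False):
    def apply_limits():
        # Runs in the child after fork() and before exec(), so the limits
        # bind only the untrusted program, never the caller.
        for res, value in ((resource.RLIMIT_CPU, cpu_seconds),
                           (resource.RLIMIT_AS, mem_bytes),
                           (resource.RLIMIT_FSIZE, max_output),
                           (resource.RLIMIT_NPROC, 0),    # no fork bombs
                           (resource.RLIMIT_CORE, 0)):    # no core dumps
            _, hard = resource.getrlimit(res)
            if hard != resource.RLIM_INFINITY:
                value = min(value, hard)  # never try to raise a hard limit
            resource.setrlimit(res, (value, value))

    cmd = list(argv)
    if use_unshare and shutil.which("unshare"):
        # util-linux unshare: fresh user and network namespace, so the
        # program has no network (needs unprivileged user namespaces).
        cmd = ["unshare", "-rn", "--"] + cmd

    with tempfile.TemporaryDirectory() as scratch:
        proc = subprocess.Popen(
            cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL,        # stderr is not part of the contract
            cwd=scratch,                      # empty, throw-away working directory
            env={"PATH": "/usr/bin:/bin"},    # no inherited secrets in the env
            close_fds=True,                   # only fds 0/1/2 reach the child
            start_new_session=True,           # own process group: kill it whole
            preexec_fn=apply_limits)          # not thread-safe; see subprocess docs
        try:
            out, _ = proc.communicate(stdin_bytes, timeout=timeout)
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)  # take any children down too
            proc.wait()
            return None, "timeout"
    # Truncate here rather than trust the program to respect the limit itself.
    status = "ok" if proc.returncode == 0 else f"exit {proc.returncode}"
    return out[:max_output], status
```

A wall-clock timeout is kept separate from RLIMIT_CPU because a program that blocks on stdin or sleeps consumes no CPU time and would otherwise never be reaped.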