Firejail is a SUID program that reduces the risk of security breaches
by restricting the running environment of untrusted applications using
Linux namespaces and seccomp-bpf.
It allows a process and all its descendants to have their own private
view of the globally shared kernel resources, such as the network stack,
process table, mount table.

Written in C with virtually no dependencies, the software runs on any
Linux computer with a 3.x kernel version or newer.
The sandbox is lightweight, the overhead is low.
There are no complicated configuration files to edit, no socket
connections open, no daemons running in the background.
All security features are implemented directly in Linux kernel and
available on any Linux computer.