Firejail can sandbox any type of process: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel.
With the introduction of capabilities in Linux kernel 2.2, this has changed. Capabilities (POSIX 1003.1e) are designed to split the root privilege into a set of distinct privileges which can be independently enabled or disabled. They are used to restrict what a process running as root can do in the system. For instance, it is possible to deny filesystem mount operations, deny kernel module loading, prevent packet spoofing by denying access to raw sockets, or deny altering file system attributes.
In this article I describe the Linux capabilities feature of the Firejail security sandbox. Firejail allows the user to start programs with a specified set of capabilities. The set is applied to all processes running inside the sandbox, restricting what those processes can do and thereby reducing the attack surface of the kernel.
There are quite a few pages of stuff to read and some of the comments are worth a read as well. Of interest is the fact that you can run VLC without internet access (or a similar program) and also isolate programs like the TorBrowser and Dropbox.
I ran a quick comparison opening up FF with a page with video running and it does not seem to use up any more CPU or RAM than a normal FF.
Edited by abarbarian, 24 March 2015 - 02:20 PM.
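The capability restriction quoted in the post above can be checked from inside a sandbox: the kernel exposes each process's bounding and effective capability sets as hex masks in /proc/&lt;pid&gt;/status (CapBnd, CapEff). The following is an added example, not Firejail's own code, that decodes such a mask and confirms that the capabilities the article singles out (sys_admin for mounts, sys_module for module loading, net_raw for raw sockets, linux_immutable for file attributes) are absent; it assumes the capability numbering from the Linux capability.h header for 3.x kernels, and the sample masks are constructed.

```shell
#!/bin/sh
# Added example: decode a CapBnd/CapEff hex mask from /proc/<pid>/status and
# check that specific capabilities have been dropped. Not part of Firejail.
#
# On a real system, produce a mask to decode with (Firejail options from its man page):
#   firejail --noprofile --caps.drop=all grep CapBnd /proc/self/status
#   firejail --noprofile --caps.keep=net_bind_service grep CapBnd /proc/self/status

# Capability names in kernel bit order, bit 0 first (capability.h, kernel 3.x).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read"

# caps_in_mask HEX: print the name of every capability whose bit is set.
caps_in_mask() {
    bit=0
    for name in $CAP_NAMES; do
        if [ $(( (0x$1 >> bit) & 1 )) -eq 1 ]; then
            echo "$name"
        fi
        bit=$((bit + 1))
    done
}

# caps_dropped HEX NAME...: succeed only if none of the named caps is present.
caps_dropped() {
    mask="$1"; shift
    for want in "$@"; do
        if caps_in_mask "$mask" | grep -qx "$want"; then
            return 1
        fi
    done
    return 0
}

# Constructed sample masks: an unconfined root process on a 3.x kernel,
# a sandbox started with --caps.drop=all, and one with --caps.keep=net_bind_service.
UNCONFINED=0000003fffffffff
DROP_ALL=0000000000000000
KEEP_BIND=0000000000000400

echo "capabilities kept with --caps.keep=net_bind_service:"
caps_in_mask "$KEEP_BIND"
if caps_dropped "$KEEP_BIND" sys_admin sys_module net_raw linux_immutable; then
    echo "mount/module/raw-socket/attribute capabilities are dropped"
fi
```

The same two functions work on the CapEff line of any process, so they can also verify a non-Firejail service that claims to drop privileges.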