Mbox is a lightweight sandboxing mechanism that any user can use without special privileges in commodity operating systems.
Mbox introduces a novel sandbox usage model; when executing a program in the sandbox, Mbox prevents programs from modifying the host filesystem while giving them the impression that they are in fact making those modifications. Mbox achieves this by providing a layered sandbox filesystem and by interposing on system calls with ptrace and seccomp/BPF. At the end of program execution, the user can examine changes in the sandbox filesystem, and selectively commit them back to the host filesystem.
Discontinued sandboxing sandbox