I use skuid based firewall rules + locked down permissions on the host so that processes can't elevate their privileges/change the user.
Works fine enough for untrusted non-GUI SW, and trusted GUI SW that I know will not try to hack my PC, but apps running inside it may be able to access stuff I don't want them to on my network (like Firefox).
cgroups may also work well for this without the need to use multiple UNIX users.
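The per-user firewall approach described in the post, written out as an added example (this is not the poster's own script). It generates `iptables` OUTPUT rules that confine everything running under one dedicated UID so it can reach the Internet but not the LAN, and it shows the cgroup v2 selector that can replace the UID match when you do not want a separate UNIX user. The user name `sandbox`, the chain name `SANDBOX_OUT`, the slice name `sandbox.slice` and the resolver address `192.168.1.1` are assumptions, not values from the post; the script only prints the rules, so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the original post.
# Generates iptables rules that keep one sandbox UID (or one cgroup) off the LAN.
# Assumed values (not from the post): user "sandbox", chain "SANDBOX_OUT",
# resolver at 192.168.1.1, cgroup v2 slice "sandbox.slice".
SANDBOX_USER="${SANDBOX_USER:-sandbox}"
DNS_SERVER="${DNS_SERVER:-192.168.1.1}"   # constructed sample resolver address
CHAIN="SANDBOX_OUT"

# Rules shared by both selectors: allow DNS to the resolver, then refuse every
# private/link-local/loopback destination, then allow everything else (Internet).
# Loopback is refused too, so local services are off limits for the sandbox;
# drop that line if the sandboxed app legitimately needs them.
chain_rules() {
    dns=$1
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -p udp -d $dns --dport 53 -j ACCEPT
iptables -A $CHAIN -p tcp -d $dns --dport 53 -j ACCEPT
iptables -A $CHAIN -d 127.0.0.0/8 -j REJECT
iptables -A $CHAIN -d 10.0.0.0/8 -j REJECT
iptables -A $CHAIN -d 172.16.0.0/12 -j REJECT
iptables -A $CHAIN -d 192.168.0.0/16 -j REJECT
iptables -A $CHAIN -d 169.254.0.0/16 -j REJECT
iptables -A $CHAIN -j ACCEPT
EOF
}

# Selector 1: match by UID. The owner match only sees locally generated packets,
# which is exactly the case here (the sandboxed process runs on this host).
uid_rules() {
    user=$1; dns=$2
    chain_rules "$dns"
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j $CHAIN"
}

# Selector 2: match by cgroup v2 path instead of UID (iptables >= 1.6, cgroup v2
# mounted). Processes are placed in the slice with e.g.
#   systemd-run --slice=sandbox.slice -p User=sandbox firefox
# so no extra UNIX user is strictly required for the firewall side.
cgroup_rules() {
    slice=$1; dns=$2
    chain_rules "$dns"
    echo "iptables -A OUTPUT -m cgroup --path $slice -j $CHAIN"
}

# Print the UID variant; pipe into "sudo sh" to apply after reviewing it.
uid_rules "$SANDBOX_USER" "$DNS_SERVER"
```

The rules are IPv4 only; repeat them with `ip6tables` (ULA `fc00::/7`, link-local `fe80::/10`, `::1`) or the LAN is still reachable over IPv6. To verify, run a fetch of a LAN address as the sandbox user (`sudo -u sandbox curl http://192.168.1.1/`) and expect a connection refused, while a public site still loads. The selector only holds as long as the process cannot change its UID or escape its cgroup, which is the locked-down-permissions half of the setup the post describes.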