The Cloudflare blog is running an
overview of sandboxing with seccomp(), culminating in a tool
written there to sandbox any existing program. “We really liked the
‘zero code seccomp’ approach with systemd SystemCallFilter= directive, but
were not satisfied with its limitations. We decided to take it one step
further and make it possible to prohibit any system call in any process
externally without touching its source code, so came up with the Cloudflare
sandbox. It’s a simple standalone toolkit consisting of a shared library
and an executable. The shared library is supposed to be used with
dynamically linked applications and the executable is for statically linked
applications.”
Source: LWN.net – Sandboxing in Linux with zero lines of code (Cloudflare blog)