encapsulate provides its client process with the same environment it was started in, subject to some limitations: encapsulate remounts the whole filesystem read-only, except for user-selectable regions which are mounted read-write. It also isolates the process from the system's process table, network interfaces, IPC, and shared memory tables.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It currently implements hostname, filesystem, PID, IPC, and networking stack isolation, and it runs on any recent Linux system. It includes a sandbox profile for Mozilla Firefox. Firejail also expands the restricted shell facility found in bash by adding Linux namespace support. It supports sandboxing specific users upon login. The software also includes a small monitoring utility, firemon.