I have created a script to allow easy sandboxing of applications by running them in a separate, temporary, single-use user account. By controlling which groups the temporary user is added to, one can control hardware access (audio, webcam, networking, and so on). With permissions set correctly, one can protect one's home folder from the prying eyes of dodgy closed-source software.
This script is not intended to be a *perfect* security solution. It is far from perfect, but it will suffice in most situations where a little extra isolation is required.
There are two scripts:
The first script (sandbox) is used to launch a program in a sandbox. The second script (sandchrome) demonstrates this by launching an incognito Chrome session in a sandbox, with access to audio explicitly granted.
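The mechanism described above (create a throwaway user, grant hardware access via group membership, run the program, delete the user) as an added example; this is not the author's sandbox script. It assumes a Linux host with sudo, useradd/userdel and, for graphical programs, an X11 display; the SANDBOX_GROUP_FILE variable and the function names are this example's own.

```bash
#!/bin/bash
# Added example (not the author's script): run a command as a single-use user.
set -eu

# Turn requested group names into useradd's comma list, keeping only groups
# that exist in the group file (default /etc/group; overridable for testing).
sandbox_groups() {
    gfile="${SANDBOX_GROUP_FILE:-/etc/group}"; out=""
    for g in "$@"; do
        # -xF: exact, literal match, so a name like "-foo" cannot act as an option
        if cut -d: -f1 "$gfile" | grep -qxF -- "$g"; then
            out="${out:+$out,}$g"
        fi
    done
    printf '%s' "$out"
}

# Fresh account name: timestamp plus PID keeps concurrent sandboxes apart.
sandbox_username() {
    printf 'sbx-%s-%s' "$(date +%s)" "$$"
}

# Usage: sandbox_run "audio,video" -- COMMAND [ARGS...]   (empty string = no groups)
sandbox_run() {
    groups="$1"; shift
    [ "${1:-}" = "--" ] && shift
    user="$(sandbox_username)"
    # No password and no login shell: the account is only reachable via sudo -u.
    if [ -n "$groups" ]; then
        sudo useradd --create-home --shell /usr/sbin/nologin --groups "$groups" "$user"
    else
        sudo useradd --create-home --shell /usr/sbin/nologin "$user"
    fi
    # Remove the account and its home directory even if the command fails.
    trap "sudo userdel --remove '$user'" EXIT
    # X11 only: grant the temp user access to our display. Note that any X11
    # client can observe other windows' input, so skip this for non-GUI tools.
    xhost "+SI:localuser:$user" >/dev/null 2>&1 || true
    sudo -u "$user" -H env HOME="/home/$user" DISPLAY="${DISPLAY:-}" "$@" || true
    xhost "-SI:localuser:$user" >/dev/null 2>&1 || true
}

# Example: sandbox_run "$(sandbox_groups audio)" -- google-chrome --incognito
```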