Seeing your reply to rictic, it seems you want something else? I'm not sure what that is. You want some automation to this sandboxing for each application? Either way, I think rictic was right to bring up the work that has been done in the Linux kernel with KVM, namespaces, etc. As one commenter on the LWN article points out, "with KVM we call hypervisors 'Linux'".