Plash
From Erights
Plash is a Unix shell which lets you run Unix programs with access only to the files and directories they need in order to run. A program is given access to the files that were passed to it as command line arguments, and nothing else.
In order to implement this, the filesystem is virtualised. Each process can have its own namespace — its own root directory — which can contain a subset of your files.
This is implemented by modifying GNU libc and replacing the system calls that use filenames. For example, open() is changed so that it sends a message to a file server via a socket. If the request is successful, the server sends the client a file descriptor via the socket as a result. Processes are run as the user ‘nobody’, and in a chroot jail, so that they can't access any files using the usual system calls, and must go through the file server instead. This approach doesn't require modifying the kernel at all.
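The step that makes this design work is the file server handing an already-open file descriptor back to the sandboxed client over the socket. The block below is an added example, not Plash's own code or its libc modifications: it shows that mechanism in isolation, using Linux SCM_RIGHTS ancillary data over a socketpair(), with both the "server" end and the "client" end living in one process. The temporary file path, its contents and the one-byte request payload are constructed for the example; Plash's real wire protocol is not described on this page and is not reproduced here.

```c
/* Added example: pass an open file descriptor over a Unix domain socket
 * with SCM_RIGHTS, the kernel facility a user-space file server relies on
 * to return an opened file to a client that cannot open it itself. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Server side: attach fd as SCM_RIGHTS ancillary data. sendmsg() needs at
 * least one byte of ordinary data, so a one-byte constructed tag is sent. */
static int send_fd(int sock, int fd)
{
    char tag = 'F';
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctrl;
    memset(&ctrl, 0, sizeof ctrl);
    struct msghdr msg = {0};
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = &ctrl;
    msg.msg_controllen = sizeof ctrl;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Client side: receive the descriptor; -1 if no SCM_RIGHTS message arrived.
 * The kernel installs a new fd in the receiver's table for the same open
 * file description, so the client never needs to see the path itself. */
static int recv_fd(int sock)
{
    char tag;
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctrl;
    struct msghdr msg = {0};
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = &ctrl;
    msg.msg_controllen = sizeof ctrl;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* One simulated open() request: the server end opens a constructed temp
 * file and passes the descriptor; the client end reads through it.
 * Returns 1 when the client read back exactly the file's contents, else 0. */
int fd_passing_roundtrip(void)
{
    char path[] = "/tmp/fdpass-example-XXXXXX";   /* constructed sample file */
    const char *content = "hello from the file server\n";
    int tmp = mkstemp(path);
    if (tmp < 0) return 0;
    if (write(tmp, content, strlen(content)) != (ssize_t)strlen(content)) {
        close(tmp); unlink(path); return 0;
    }
    close(tmp);

    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { unlink(path); return 0; }

    /* server: open on the client's behalf, hand the fd over, drop own copy */
    int served = open(path, O_RDONLY);
    int ok = served >= 0 && send_fd(sv[0], served) == 0;
    if (served >= 0) close(served);

    /* client: use the received fd exactly as it would use a local open() result */
    int got = ok ? recv_fd(sv[1]) : -1;
    char buf[64] = {0};
    ssize_t n = got >= 0 ? read(got, buf, sizeof buf - 1) : -1;
    ok = n == (ssize_t)strlen(content) && strcmp(buf, content) == 0;

    if (got >= 0) close(got);
    close(sv[0]);
    close(sv[1]);
    unlink(path);
    return ok;
}

int main(void)
{
    puts(fd_passing_roundtrip() ? "fd passed and read back OK" : "fd passing failed");
    return 0;
}
```

Because the client receives a descriptor rather than a path, the server's decision about which files to grant is enforced by the kernel's fd table: the sandboxed process holds only the descriptors it was given and has no way to name other files, which is why the chroot jail and the ‘nobody’ user are sufficient to close the ordinary path-based system calls.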