bwrap [OPTION...] [COMMAND]
It works by creating a new, completely empty, filesystem namespace where the root is on a tmpfs that is invisible from the host, and which will be automatically cleaned up when the last process exits. You can then use command-line options to construct the root filesystem and process environment for the command to run in the namespace.
By default, bwrap creates a new mount namespace for the sandbox. Optionally it also sets up new user, ipc, pid, network and uts namespaces (but note the user namespace is required if bwrap is not installed setuid root). The application in the sandbox can be made to run with a different UID and GID.
If needed (e.g. when using a PID namespace) bwrap runs a minimal pid 1 process in the sandbox that is responsible for reaping zombies. It also detects when the initial application process (pid 2) dies and reports its exit status back to the original spawner. The pid 1 process exits to clean up the sandbox when no other processes are left in the sandbox.
Options related to kernel namespaces:
Options about environment setup:
--setenv VAR VALUE
    Set an environment variable.
Options for monitoring the sandbox from the outside:
Filesystem related options. These are all operations that modify the filesystem directly, or mount something into it. They are applied in the order they are given as arguments. Any missing parent directories that are required to create a specified destination are automatically created as needed.
--bind SRC DEST
    Bind mount the host path SRC on DEST.
--bind-try SRC DEST
    Equal to --bind but ignores non-existent SRC.
--dev-bind SRC DEST
    Bind mount the host path SRC on DEST, allowing device access.
--dev-bind-try SRC DEST
    Equal to --dev-bind but ignores non-existent SRC.
--ro-bind SRC DEST
    Bind mount the host path SRC read-only on DEST.
--ro-bind-try SRC DEST
    Equal to --ro-bind but ignores non-existent SRC.
--file FD DEST
    Copy from the file descriptor FD to DEST.
--bind-data FD DEST
    Copy from the file descriptor FD to a file which is bind-mounted on DEST.
--ro-bind-data FD DEST
    Copy from the file descriptor FD to a file which is bind-mounted read-only on DEST.
--symlink SRC DEST
    Create a symlink at DEST with target SRC.
Note: In a general sandbox, if you don't use --new-session, it is recommended to use seccomp to disallow the TIOCSTI ioctl, otherwise the application can feed keyboard input to the terminal.
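The following script is an added example, not part of the bwrap manual or the project's own code. It ties together the points above: the sandbox root is assembled from nothing in the order the filesystem options are given (so the mounts that create directories come first), a read-only --ro-bind-data file is supplied through an inherited file descriptor, the process runs in fresh namespaces under bwrap's own pid 1, and --new-session is used instead of a seccomp filter to take care of the TIOCSTI note. The host paths (/usr, /bin, /lib, /lib64), the unprivileged user-namespace setup and the one-line passwd content are assumptions about a typical Linux host; adjust them for your distribution.

```shell
#!/bin/sh
# Added example, not from the bwrap manual: assemble a minimal sandbox root in
# argument order and run a command inside it. Paths are assumptions about a
# typical Linux host (/usr, /bin, /lib, /lib64); adjust for your distribution.

# Print the bwrap argument vector, one argument per line. Filesystem options
# are applied in the order they appear, so mounts that create directories come
# before the files and symlinks placed inside them.
sandbox_args() {
    # New user, mount, pid, net, ipc and uts namespaces; the user namespace is
    # what allows an unprivileged (non-setuid) bwrap to do the rest.
    printf '%s\n' --unshare-all
    # Kill the sandbox when the launcher exits, and detach from the controlling
    # terminal so the sandboxed program cannot push input back at it (the
    # alternative to filtering the TIOCSTI ioctl with seccomp).
    printf '%s\n' --die-with-parent --new-session
    # Read-only view of the host toolchain. The -try variants skip paths that do
    # not exist on this host (e.g. /lib64 on some architectures).
    printf '%s\n' --ro-bind /usr /usr
    printf '%s\n' --ro-bind-try /bin /bin --ro-bind-try /lib /lib --ro-bind-try /lib64 /lib64
    # Fresh /proc for the new pid namespace, a minimal /dev, and a private
    # writable /tmp; /etc, $HOME and the rest of the host stay invisible.
    printf '%s\n' --proc /proc --dev /dev --tmpfs /tmp
    # Start from an empty environment and set only what the command needs.
    printf '%s\n' --clearenv --setenv PATH /usr/bin:/bin --chdir /tmp
}

# Run COMMAND [ARGS...] in the sandbox. fd 9 carries a constructed one-line
# passwd file that --ro-bind-data turns into a read-only /etc/passwd inside the
# sandbox (the missing /etc parent directory is created automatically).
run_sandboxed() {
    if ! command -v bwrap >/dev/null 2>&1; then
        echo "bwrap is not installed" >&2
        return 127
    fi
    # Word-splitting the argument list is safe here: no path contains whitespace.
    bwrap $(sandbox_args) --ro-bind-data 9 /etc/passwd "$@" 9<<'EOF'
nobody:x:65534:65534:sandbox user:/tmp:/usr/bin/sh
EOF
}

# Example session: show the namespace view, then confirm that the root is
# read-only and that the host network is unreachable.
#   run_sandboxed sh -c 'id; cat /etc/passwd; touch /usr/x || echo "/usr is read-only"'
if [ "$#" -gt 0 ]; then
    run_sandboxed "$@"
fi
```

Keeping the argument list in a function makes the order of filesystem operations reviewable on its own: `--ro-bind /usr /usr` is emitted before `--tmpfs /tmp` and before the `--ro-bind-data` that lands in `/etc`, and a reviewer can check that nothing from `$HOME` or the host `/etc` is ever mounted. Inside the sandbox, `touch /usr/x` fails with a read-only filesystem error and `id` reports the mapped uid from the new user namespace.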