by erichocean 4532 days ago
"Tiny datacenter in a box."

That's been built into [Open]Solaris for years. You can define the network topology too.


I've only recently been playing around with Solaris derivatives, and am pretty impressed at how far it is with some of this stuff. My recent favorite is discovering 'ppriv', which lets you drop processes' privileges on a process-by-process basis without even starting up a new container/zone to encapsulate them. E.g. you can run a process with no network access or with no ability to fork, or with no ability to read/write files (or all of the above). Super-handy for running untrusted code as a stdin->stdout filter without worrying about it causing other mischief, and not having to encapsulate it in a zone/jail/container just to run one process.

FreeBSD's 'capsicum' [1] also looks promising at the OS API level as a similar initiative to write code with minimal privileges, but afaict you can't use it on the command line to run unmodified code with restricted privileges, at least not yet.

[1] http://www.cl.cam.ac.uk/research/security/capsicum/

Writing a command line wrapper should be relatively simple for capsicum. Designing the interface might need some work. I think the idea mainly has been to get code to sandbox itself but I can see a use case.

Yeah, for the base system that approach makes sense to me (build privilege-dropping into the code), but sometimes I just want to sandbox an existing binary. One recent example where it's come up is a student AI competition, where their submissions aren't supposed to do anything but read/write stdin/stdout, and it'd be nice to be able to enforce that externally by just lowering the process's privileges.
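An added example (not code from this thread) of the external wrapper the last two comments describe: it builds a ppriv invocation that strips fork, exec, network and file-write privileges from an unmodified stdin->stdout filter, and then checks `ppriv -v PID` output to confirm the filter really lost them. The `ppriv -e -s` spec syntax and the `ppriv -v` output layout are assumed from the ppriv(1) man page, and the sample output is constructed.

```python
"""Wrap an untrusted stdin->stdout filter with ppriv (Solaris/illumos) and
check from 'ppriv -v PID' output that the privileges really went away."""
import shutil
import subprocess

# Privileges a pure stdin->stdout filter never needs (names from privileges(5);
# net_access only exists on newer Solaris/illumos releases).
FILTER_DENY = ("proc_fork", "proc_exec", "net_access", "file_write")

def ppriv_argv(cmd, deny=FILTER_DENY):
    """Assumed ppriv(1) syntax: 'ppriv -e -s I=basic,!a,!b cmd...'. The
    Inheritable set is edited rather than Effective: after exec the filter's
    E and P derive from I, while ppriv itself keeps proc_exec to exec it."""
    spec = "I=basic," + ",".join("!" + p for p in deny)
    return ["ppriv", "-e", "-s", spec, *cmd]

def parse_ppriv(text):
    """Parse 'ppriv -v PID' output into {'E': frozenset(...), 'I': ..., ...}."""
    sets = {}
    for line in text.splitlines():
        line = line.strip()
        if len(line) > 2 and line[0] in "EIPL" and line[1] == ":":
            body = line[2:].strip()
            privs = () if body in ("", "none") else body.split(",")
            sets[line[0]] = frozenset(p.strip() for p in privs)
    return sets

def verify_dropped(text, deny=FILTER_DENY):
    """Denied privileges still in the Effective set; an empty list means OK."""
    eff = parse_ppriv(text).get("E", frozenset())
    return sorted(eff & set(deny))

def run_filter(cmd, data):
    """Run cmd as a privilege-stripped filter (needs ppriv, so Solaris/illumos)."""
    if shutil.which("ppriv") is None:
        raise RuntimeError("ppriv not found: this wrapper needs Solaris/illumos")
    return subprocess.run(ppriv_argv(cmd), input=data,
                          stdout=subprocess.PIPE, check=True).stdout

# Constructed sample output in the 'ppriv -v PID' layout: one filter that
# lost everything requested, and one that still holds proc_fork.
SAMPLE_OK = """1234:\t./filter
flags = <none>
\tE: file_link_any,file_read,proc_info,proc_session
\tI: file_link_any,file_read,proc_info,proc_session
\tP: file_link_any,file_read,proc_info,proc_session
\tL: all
"""
SAMPLE_LEAK = SAMPLE_OK.replace("E: file_link_any,", "E: file_link_any,proc_fork,")
```

On a live system, run `ppriv -v` against the filter's PID while it waits on stdin and feed that text to `verify_dropped`; a non-empty result means the wrapper did not take effect as intended.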