The First Fully-Sandboxed Linux Desktop App Is...
GNOME has been working on sandboxing Linux applications using Wayland (for better security over X11), KDBUS for IPC, SELinux, cgroups, etc. A goal has been to have a preliminary test version of the sandboxing technology ready for GNOME 3.16.
Alexander Larsson has written a blog post this morning about the first fully sandboxed Linux desktop app. This first desktop app is... the open-source Neverball. Neverball is the ball-rolling puzzle game. This title was chosen first for sandboxing for being a simple application and the game having very little interaction with the rest of the system.
The sandbox is independent of the host distribution, has no access to system/user files aside from the runtime and application itself, has no hardware access besides DRI for OpenGL rendering, has no network access, cannot access other system processes, only obtains input via Wayland, can only supply audio to PulseAudio, etc.
Read more via Larsson's blog post and check out his sandbox demo video above.