
How can I sandbox filesystem activity, particularly writes?


Gentoo has a feature in portage, that prevents and logs writes outside of the build and packaging directories.

Checkinstall is able to monitor writes, and package up all the generated files after completion.

Autotools have the DESTDIR macro that enables you to usually direct most of the filesystem activity to an alternate location.

  • How can I do this myself with the safety of the Gentoo sandboxing method?
  • Can I use SELinux, rlimit, or some other resource limiting API?
  • What APIs are available to do this from C or Python?

Update0

  • The mechanism used will not require root privileges or any involved/persistent system modification. This rules out creating users and using chroot().
  • Please link to the documentation for APIs that you mention, for some reason they're exceptionally difficult to find.

Update1

  • This is to prevent accidents. I'm not worried about malicious code, only the poorly written variety.

Solution

  • There are two methods to do this. One is to use LD_PRELOAD to hook library calls that result in syscalls, such as those in libc, and call dlsym/dlopen. This will not allow you to directly hook syscalls.

    The second method, which allows hooking syscalls, is to run your executable under ptrace, which provides options to stop and examine syscalls when they occur. This can be set up programmatically to sandbox calls to restricted areas of the filesystem, among other things.
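The ptrace approach from the answer, as an added example that is not part of the original post: a minimal write sandbox for x86_64 Linux that traces a child process, inspects every `openat()` syscall (which glibc's `open()` also goes through), and turns write-mode opens outside one allowed directory into `EACCES` failures. It needs no root, since tracing your own child with `PTRACE_TRACEME` is permitted under the default Yama `ptrace_scope`. The helper names (`path_allowed`, `flags_write`, `run_sandboxed`) and the `user_regs_struct` register mapping (`rdi`, `rsi`, `rdx` for the first three arguments, `orig_rax` for the syscall number) are assumptions of this example, not anything the answer specifies.

```c
/* Added example (not from the original post): a minimal ptrace-based write sandbox
 * for x86_64 Linux. Only openat() is policed; a real sandbox would also cover
 * rename, unlink, mkdir, truncate, symlink and friends. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>

/* Policy: an absolute path is allowed only if it is `root` itself or below it.
 * Paths containing ".." are rejected outright instead of being canonicalized. */
int path_allowed(const char *root, const char *path) {
    size_t n = strlen(root), m = strlen(path);
    if (strstr(path, "/../") || (m >= 3 && strcmp(path + m - 3, "/..") == 0)) return 0;
    if (strncmp(root, path, n) != 0) return 0;
    return path[n] == '\0' || path[n] == '/';
}

/* Policy: do these openat() flags request write access or modify the file? */
int flags_write(long flags) {
    long acc = flags & O_ACCMODE;
    return acc == O_WRONLY || acc == O_RDWR || (flags & (O_CREAT | O_TRUNC)) != 0;
}

/* Copy a NUL-terminated string out of the tracee's memory one word at a time. */
static int peek_string(pid_t pid, unsigned long addr, char *out, size_t cap) {
    for (size_t i = 0; i + sizeof(long) <= cap; i += sizeof(long)) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, addr + i, NULL);
        if (errno) return -1;
        memcpy(out + i, &word, sizeof word);
        if (memchr(&word, 0, sizeof word)) return 0;
    }
    out[cap - 1] = '\0';
    return 0;
}

/* Make the tracee's openat(dirfd, path) argument absolute by consulting /proc. */
static void resolve_path(pid_t pid, int dirfd, const char *rel, char *out, size_t cap) {
    char link[64], base[PATH_MAX];
    if (rel[0] == '/') { snprintf(out, cap, "%s", rel); return; }
    if (dirfd == AT_FDCWD) snprintf(link, sizeof link, "/proc/%d/cwd", pid);
    else snprintf(link, sizeof link, "/proc/%d/fd/%d", pid, dirfd);
    ssize_t n = readlink(link, base, sizeof base - 1);
    base[n < 0 ? 0 : n] = '\0';
    snprintf(out, cap, "%s/%s", base, rel);
}

/* Run argv[] under ptrace with `root` as the only writable directory.
 * Returns the number of denied write opens, or -1 on a tracing error. */
int run_sandboxed(const char *root, char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: ask to be traced, then exec */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status, denied = 0, in_syscall = 0, pending = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;  /* the child's SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, PTRACE_O_TRACESYSGOOD);
    ptrace(PTRACE_SYSCALL, pid, NULL, NULL);
    for (;;) {
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {   /* a syscall stop */
            struct user_regs_struct r;
            ptrace(PTRACE_GETREGS, pid, NULL, &r);
            if (!in_syscall) {                        /* syscall entry: decide */
                if (r.orig_rax == SYS_openat && flags_write((long)r.rdx)) {
                    char rel[PATH_MAX], abs[PATH_MAX];
                    if (peek_string(pid, r.rsi, rel, sizeof rel) == 0) {
                        resolve_path(pid, (int)r.rdi, rel, abs, sizeof abs);
                        if (!path_allowed(root, abs)) {
                            fprintf(stderr, "sandbox: denied write to %s\n", abs);
                            r.orig_rax = (unsigned long long)-1;  /* invalid syscall number */
                            ptrace(PTRACE_SETREGS, pid, NULL, &r);
                            pending = 1; denied++;
                        }
                    }
                }
            } else if (pending) {                     /* syscall exit: report EACCES */
                r.rax = (unsigned long long)-EACCES;
                ptrace(PTRACE_SETREGS, pid, NULL, &r);
                pending = 0;
            }
            in_syscall = !in_syscall;
        }
        ptrace(PTRACE_SYSCALL, pid, NULL, NULL);
    }
    return denied;
}

int main(int argc, char *argv[]) {
    if (argc < 3) { fprintf(stderr, "usage: %s <writable-dir> <cmd> [args...]\n", argv[0]); return 2; }
    int denied = run_sandboxed(argv[1], &argv[2]);
    printf("denied writes: %d\n", denied);
    return denied < 0 ? 1 : 0;
}
```

Usage: `./sandbox /tmp/build sh -c 'echo x > /tmp/build/ok; echo y > /etc/oops'` lets the first redirect through and fails the second with "Permission denied", then prints `denied writes: 1`. The denial works by overwriting the syscall number with -1 at the entry stop so the kernel executes nothing, and then patching `rax` to `-EACCES` at the exit stop so the program sees an ordinary error. Two simplifications to be aware of: non-syscall signal stops are resumed with signal 0 (so real signals to the child are swallowed), and only the single child is traced, so a `PTRACE_O_TRACEFORK`/`TRACECLONE` option would be needed to follow a build system that spawns subprocesses. Since this is for catching accidents rather than resisting hostile code, as Update1 says, those gaps matter less than they would for a security boundary.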