Abstract: The Linux application sandbox is designed to provide an independent, secure operating environment for untrusted applications. The sandbox has its own independent working directory, and the operation of applications inside the sandbox has no impact on the host. The sandbox provides filesystem isolation, system resource isolation, physical resource isolation, capability limits and mandatory access control (MAC) policies, together with memory protection policies such as address randomization and non-executable memory page protection. Compared with existing sandboxes, it adds several security mechanisms, improving system security and protecting the system and the user's personal privacy.
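The abstract lists the properties a confined application should have (a limited capability set, no privilege escalation, restricted system calls, no writable-and-executable memory). The following Python script is an added example, not code from the paper or its sandbox: it audits those properties from the kernel's own view of a process in `/proc/PID/status` and `/proc/PID/maps`, so an operator can verify that a sandboxed process is really confined rather than trusting the launcher. The capability allow-list (`ALLOWED_BOUNDING_CAPS`) and the two sample `/proc` snapshots are constructed assumptions for the example.

```python
"""Audit whether a Linux process is confined the way a sandbox promises.

Added example (not the paper's code). Reads /proc/PID/status and /proc/PID/maps
text and reports deviations from: a limited capability bounding set, NoNewPrivs
set, a seccomp filter installed, and no writable+executable (W^X) mappings.
"""
import os

# Capability numbers as defined in <linux/capability.h>.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# Assumed sandbox policy (an assumption for this example, not the paper's policy):
# the only capability an untrusted app may keep in its bounding set.
ALLOWED_BOUNDING_CAPS = {"CAP_NET_BIND_SERVICE"}

# Constructed sample: a process that is NOT confined (Docker-style default bounding
# set, no NoNewPrivs, no seccomp, and one anonymous rwx mapping).
SAMPLE_STATUS_LOOSE = (
    "Name:\tuntrusted-app\nUid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
    "CapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\nNoNewPrivs:\t0\nSeccomp:\t0\n"
)
SAMPLE_MAPS_LOOSE = (
    "55d0e3a00000-55d0e3a01000 r-xp 00000000 08:01 1234 /opt/app/bin/app\n"
    "55d0e3c01000-55d0e3c02000 rw-p 00001000 08:01 1234 /opt/app/bin/app\n"
    "7f1c2e000000-7f1c2e021000 rwxp 00000000 00:00 0\n"
    "7ffd4c3e0000-7ffd4c401000 rw-p 00000000 00:00 0 [stack]\n"
)
# Constructed sample: the same app launched under the sandbox policy above.
SAMPLE_STATUS_CONFINED = (
    "Name:\tuntrusted-app\nCapBnd:\t0000000000000400\nNoNewPrivs:\t1\nSeccomp:\t2\n"
)
SAMPLE_MAPS_CONFINED = (
    "55d0e3a00000-55d0e3a01000 r-xp 00000000 08:01 1234 /opt/app/bin/app\n"
    "55d0e3c01000-55d0e3c02000 rw-p 00001000 08:01 1234 /opt/app/bin/app\n"
    "7ffd4c3e0000-7ffd4c401000 rw-p 00000000 00:00 0 [stack]\n"
)


def parse_status(text):
    """Parse /proc/PID/status 'Key:<tab>value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hexmask):
    """Turn a hex capability mask (as printed in /proc) into a sorted list of names."""
    mask = int(hexmask, 16)
    names = [CAP_NAMES.get(bit, f"CAP_{bit}")
             for bit in range(mask.bit_length()) if (mask >> bit) & 1]
    return sorted(names)


def wx_mappings(maps_text):
    """Return address ranges of mappings that are both writable and executable."""
    ranges = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)   # addr perms offset dev inode [path]
        if len(parts) >= 2 and "w" in parts[1] and "x" in parts[1]:
            ranges.append(parts[0])
    return ranges


def audit(status_text, maps_text):
    """Compare a process's kernel-visible state with the assumed sandbox policy."""
    fields = parse_status(status_text)
    bounding = set(decode_caps(fields.get("CapBnd", "0")))
    return {
        "extra_caps": sorted(bounding - ALLOWED_BOUNDING_CAPS),
        "no_new_privs": fields.get("NoNewPrivs") == "1",
        "seccomp_mode": int(fields.get("Seccomp", "0")),  # 0 off, 1 strict, 2 filter
        "wx_mappings": wx_mappings(maps_text),
    }


def is_confined(report):
    """True only when every audited sandbox property holds."""
    return (not report["extra_caps"] and report["no_new_privs"]
            and report["seccomp_mode"] != 0 and not report["wx_mappings"])


if __name__ == "__main__":
    # Audit the running process when /proc is available, else show the sample reports.
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as s, open("/proc/self/maps") as m:
            print(audit(s.read(), m.read()))
    else:
        print(audit(SAMPLE_STATUS_LOOSE, SAMPLE_MAPS_LOOSE))
        print(audit(SAMPLE_STATUS_CONFINED, SAMPLE_MAPS_CONFINED))
```

Run as `python3 audit_sandbox.py` inside the sandboxed process (or point the reads at `/proc/<pid>/...` of the target) and treat any non-empty `extra_caps` or `wx_mappings`, `no_new_privs == False` or `seccomp_mode == 0` as a policy violation worth alerting on; the MAC and filesystem-isolation properties from the abstract are not visible in these two files and need a separate check (for example the `attr/current` label and the mount namespace).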