If you are working with Linux, you can use a nifty kernel feature called seccomp:
https://en.wikipedia.org/wiki/Seccomp
The basic idea is that the program opens any files it needs to read from or write to, and then the program tells the kernel it wants to switch to seccomp code. Once in seccomp mode, the kernel will not allow the process to open any new files or use any system calls except for read(), write(), exit(), and sigreturn(). If the process tries to do so, it will receive a swift and brutal SIGKILL from the kernel.
That's an
internal way of handling it. Of course, there are external options like grsec, selinux, and apparmor, but you have to change your entire system to use them.