Please be patient with me, as my knowledge of system level security is a bit superficial. I know that there are security infrastructures like AppArmor, GrSec, etc. that work on the kernel level to control access privileges in their various ways. And I've heard of the kernel sec capabilities that allow processes to limit their own privileges. However, is it possible to do something in between, i.e., start a program with another program, the latter limiting the access privileges of the former?

I use, for example, torsock, and throttling programs, to redirect/limit the connections/bandwidth of processes passed in on the command line - something to do with the preloader, I think. Could one make a similar program that say, prevents the child program from accessing the Internet, or prevents it from accessing (parts of) the file system? The idea being, for example, to input something like "safelaunch --no-internet-access somegame" at the command line and be confident that somegame wasn't sending data across the network.

I don't know if AppArmor network rules or Fedora's SELinux "sandbox" settings can be adjusted OTF but GRSecurity has sysctls that can be and so can the Iptables "owner" module be (given enough rights obviously) else maybe LD_PRELOAD a library that intercepts syscalls?

You can limit capabilities of started processes with tools like execcap and sucap