The virt-sandbox command is used to dynamically create sandboxes for running interactive / batch commands.
The libvirt guest is created when the virt-sandbox command starts.
The libvirt guest is automatically deleted when the virt-sandbox command completes, or dies from a signal.
The sandboxed command sees a read-only view of the entire host filesystem.
Specific areas can be made writable by mapping in an alternative host directory.
There is no network access inside the sandbox by default.
Virtual network interfaces can be associated with libvirt virtual networks.
The stdin/stdout/stderr file handles of the sandbox command will be connected to the controlling terminal.
The virt-sandbox command supports multiple virtualization drivers, so a URI should be specified when running it to choose the technology to use:
lxc:/// – valid if the calling user is root
qemu:///session – valid if the calling user is non-root
qemu:///system – valid if the calling user is root. NB there are some current known issues with this driver which temporarily prevent its use
Sandboxes can be used to run interactive commands, such as shells:
# virt-sandbox -c lxc:/// /bin/sh
Or output-only commands:
$ virt-sandbox -c qemu:///session /bin/cat /proc/cpuinfo
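The per-user driver rules listed above can be checked by a small wrapper before virt-sandbox is invoked, so a sandbox is never started with a URI the calling user cannot use. This is an added example, not part of virt-sandbox or of the original page; the function names pick_uri, check_uri and run_sandboxed and the SANDBOX_URI variable are hypothetical.

```shell
#!/bin/sh
# Added example: choose and validate a virt-sandbox connection URI
# according to the per-user rules listed on this page.

# pick_uri UID: print the URI the page lists as valid for that user.
pick_uri() {
    if [ "$1" -eq 0 ]; then
        echo "lxc:///"            # root: container driver
    else
        echo "qemu:///session"    # non-root: per-user QEMU session
    fi
}

# check_uri UID URI: return 0 only if the page lists URI as usable by UID.
check_uri() {
    case "$2" in
        lxc:///)         [ "$1" -eq 0 ] ;;
        qemu:///session) [ "$1" -ne 0 ] ;;
        qemu:///system)  return 1 ;;  # page: known issues temporarily prevent its use
        *)               return 1 ;;  # not one of the URIs listed on the page
    esac
}

# run_sandboxed COMMAND [ARGS...]: run COMMAND under virt-sandbox.
# SANDBOX_URI (hypothetical variable) overrides the automatic choice,
# but the override is still validated against the rules above.
run_sandboxed() {
    uid=$(id -u)
    uri=${SANDBOX_URI:-$(pick_uri "$uid")}
    if ! check_uri "$uid" "$uri"; then
        echo "refusing connection URI '$uri' for uid $uid" >&2
        return 2
    fi
    virt-sandbox -c "$uri" "$@"
}

# Usage, once the functions are sourced:
#   run_sandboxed /bin/cat /proc/cpuinfo
```
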