You could spawn their processes in a isolated network namespace, connected to a proxy via tun interface. You can then setup firewall rules on that interface to block all traffic, except the proxy an maybe your own dns - that should all be out of the users „reach“.
You could spawn their processes in a isolated network namespace, connected to a proxy via tun interface. You can then setup firewall rules on that interface to block all traffic, except the proxy an maybe your own dns - that should all be out of the users „reach“.