For sandboxes you don't need containers, and for resource management neither. The only thing which Docker gives you is that it enforces immutable disks, which cgroups can't do, can't yet do, or whatever.
However, even with Docker you need to ensure that your program won't mutate the filesystem, so anyway nothing special.
Enforcing an immutable filesystem is actually pretty easy to do: just don't give write permissions to the user under which the program is running :)
What Docker integrates is a layered filesystem, in which the application can mutate the filesystem, but only it will see those changes (and they'll go away when the container is destroyed).
Oh yeah, sorry. However, on some Linux filesystems you could also use `chattr +x`; however, most things won't play well with that ;) especially not programs which create logs / pids / whatever.