Google's nsjail (https://github.com/google/nsjail) has a nice "inetd style" mode where it can launch a sandboxed process in response to a TCP connection for similar use cases to this (and is relatively quick to fire up).

Related material on Linux namespaces and "let's hand-roll our own docker":

https://blog.quarkslab.com/digging-into-linux-namespaces-par...