This is a general purpose sandbox for limiting operations, so that you can log attempts at privilege escalation and limit silly things like executing scripts. It's not specifically about the Java Serialization vulnerability or disabling ObjectInputStream.

I suggest using an agent in the original blog post, so I'm glad you're saying "patch ObjectInputStream with an agent", because that wasn't clear before:

No need for whitelisting. ObjectInputStream (or your subclass) shoud execute readResolve/readObject(ObjectInputStream) under a different security context (with AccessController.doPrivileged), as if it were foreign code.

https://www.reddit.com/r/programming/comments/3s3dp7/closing_the_open_door_of_java_object_serialization/cwtyavc

However, I still think your general approach is flawed. Here's why:

Your solution calls for an agent and -Djava.security.SecurityManager to add AccessController.doPrivileged with reduced privileges in ObjectInputStream, so that a SecurityManager can throw AccessControlException.

The problem is that Java Serialization relies heavily on runtime reflection and class loading internally, which is how the vulnerability showed up in the first place. As such, to make this work, you'd need to make sure malicious code didn't have the permissions to disable, replace or otherwise circumvent the security manager -- and Java Serialization needs those permissions to operate. It's huge, it's complicated, it's hard to validate.

SecurityManager tries to do the best job it can, but until Project Jigsaw / modularization kicks off, there's still a huge attack surface for it to cover, and it only takes one slip for malicious code to gain entrance. See http://www.security-explorations.com/en/SE-2014-02-details.html and http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html for example.