Complete settings for AppContainer (AC / LPAC) and Restricted Token modes: every key, its default, and whether it is mandatory, optional, or unavailable.
Every config must have a [sandbox] section. Everything else defaults to deny-all / disabled. Omitting a setting never grants more access. Wrong-mode keys, unknown keys, and unknown sections are all configuration errors (exit 128).
```toml
[sandbox]
token = 'appcontainer'
```

Two lines. All other sections are optional. No access is granted by omission: defaults are deny-all / disabled.
| Limit | Value |
|---|---|
| Config file | max 1 MB |
| Path length | max 32,768 chars |
| Rules per section | max 256 in [allow.*], [deny.*], [registry] |
Using an AC-only key (e.g. network) in an RT config, or an RT-only key (named_pipes, integrity) in an AC config, is a configuration error (exit 128). Unknown keys and unknown sections are also rejected.
## [sandbox]

| Key | Values | Default | AC / LPAC | Restricted | Notes |
|---|---|---|---|---|---|
| token | 'appcontainer' / 'lpac' / 'restricted' | none | Required | Required | Isolation model |
| integrity | 'low' / 'medium' | none | N/A | Required | low = strongest; medium = wider compatibility |
| strict | true / false | false | N/A | Optional | Exclude user SID from restricting list. Forces explicit grants for user-owned resources. Default false. |
| workdir | absolute path | 'inherit' | Optional | Optional | Child cwd. Default: inherited from Sandy's cwd |
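As an added illustration (not Sandy's own code), a Python model of the validation rules above: mandatory [sandbox], valid token, integrity required in Restricted mode, and rejection of unknown or wrong-mode sections and keys. It assumes the TOML has already been parsed into a dict keyed by full section name (for example "allow.deep"); building that dict from the file is left to the caller.

```python
# Added example, not Sandy's own code: a model of the validation rules above,
# limited to the mandatory [sandbox] section, unknown sections/keys and
# mode-gated keys. It takes the parsed config as a dict keyed by full section
# name (e.g. "allow.deep"); building that dict from the TOML is left to the caller.
ACCESS = {"read", "write", "execute", "append", "delete",
          "all", "run", "stat", "touch", "create"}
KEYS = {  # every known section and its keys, taken from this page's tables
    "sandbox": {"token", "integrity", "strict", "workdir"},
    "allow.deep": ACCESS, "allow.this": ACCESS,
    "deny.deep": ACCESS, "deny.this": ACCESS,
    "privileges": {"network", "lan", "named_pipes", "desktop", "stdin",
                   "clipboard_read", "clipboard_write", "child_processes"},
    "registry": {"read", "write"},
    "environment": {"inherit", "pass"},
    "limit": {"timeout", "memory", "processes"},
}
AC_ONLY = {("privileges", "network"), ("privileges", "lan")}
RT_ONLY = {("sandbox", "integrity"), ("sandbox", "strict"),
           ("privileges", "named_pipes"), ("privileges", "desktop")}
RT_ONLY_SECTIONS = {"deny.deep", "deny.this", "registry"}
CONFIG_ERROR = 128  # exit code this page documents for any configuration error


def validate(cfg: dict) -> list:
    """Return every configuration error found; an empty list means valid."""
    sandbox = cfg.get("sandbox")
    if not isinstance(sandbox, dict):
        return ["every config must have a [sandbox] section"]
    token = sandbox.get("token")
    if token not in ("appcontainer", "lpac", "restricted"):
        return [f"sandbox.token must be 'appcontainer', 'lpac' or 'restricted', got {token!r}"]
    is_rt = token == "restricted"
    errors = []
    if is_rt and sandbox.get("integrity") not in ("low", "medium"):
        errors.append("sandbox.integrity ('low' or 'medium') is required in Restricted mode")
    for section, body in cfg.items():
        if section not in KEYS:
            errors.append(f"unknown section [{section}]")
            continue
        if section in RT_ONLY_SECTIONS and not is_rt:
            errors.append(f"[{section}] is not available in AppContainer / LPAC mode")
        for key in body:
            if key not in KEYS[section]:
                errors.append(f"unknown key {section}.{key}")
            elif (section, key) in AC_ONLY and is_rt:
                errors.append(f"{section}.{key} is AppContainer / LPAC-only")
            elif (section, key) in RT_ONLY and not is_rt:
                errors.append(f"{section}.{key} is Restricted Token-only")
    return errors
```

A caller that wants Sandy's documented behaviour prints the list and exits with CONFIG_ERROR when it is non-empty.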
## [allow.deep] / [allow.this]: file and folder grants

All keys optional (default []). Two scopes: [allow.deep] applies recursively (OI|CI inheritance); [allow.this] applies to the named object only (instant, no child walk). Same access keys in both scopes.
| Key | Default | AC / LPAC | RT | Permission granted |
|---|---|---|---|---|
| read | [] | Optional | Optional | Read files, list dirs. Does NOT grant execute. |
| write | [] | Optional | Optional | Create/modify files. Does NOT grant read. |
| execute | [] | Optional | Optional | Read + execute files, list dirs |
| append | [] | Optional | Optional | Append-only. Cannot overwrite or read. |
| delete | [] | Optional | Optional | Delete only. No read or write. |
| all | [] | Optional | Optional | Full access: read+write+execute+delete. Strips WRITE_DAC, WRITE_OWNER, FILE_DELETE_CHILD. |
| run | [] | Optional | Optional | Execute only, no read (can't copy binary) |
| stat | [] | Optional | Optional | Read attributes only |
| touch | [] | Optional | Optional | Modify attributes only |
| create | [] | Optional | Optional | Create new files/subdirs, no overwrite |
In Restricted Token mode, you can carve exempt subtrees inside denied areas. All allow/deny entries are merged and sorted by depth; deny is applied before allow at each level. An allow inside a deny automatically strips the deny ACEs first. Example, denying all of C:\repos but allowing all of C:\repos\snipps:

```toml
[deny.deep]
all = ['C:\repos']

[allow.deep]
all = ['C:\repos\snipps']
```
## [deny.deep] / [deny.this]: block specific permissions

Not available in AppContainer / LPAC mode (the kernel ignores DENY ACEs for AC SIDs). All keys optional (default []). Same access keys and scope semantics as allow: [deny.deep] is recursive; [deny.this] applies to the single object only. Deny is surgical: only the specified permission type is blocked, so deny.write does NOT block delete.
| Key | Default | Mechanism (Restricted Token only) |
|---|---|---|
| read | [] | Real DENY_ACCESS ACE |
| write | [] | Real DENY_ACCESS ACE. Does NOT block delete. |
| execute | [] | Real DENY_ACCESS ACE |
| append | [] | Real DENY_ACCESS ACE |
| delete | [] | Real DENY_ACCESS ACE |
| all | [] | Real DENY_ACCESS ACE (all bits) |
| run | [] | Real DENY_ACCESS ACE |
| stat | [] | Real DENY_ACCESS ACE |
| touch | [] | Real DENY_ACCESS ACE |
| create | [] | Real DENY_ACCESS ACE |
The Windows kernel ignores DENY_ACCESS ACEs for AppContainer SIDs. Sandy rejects [deny.*] for AppContainer / LPAC mode at config validation time (exit 128). Use Restricted Token mode for deny rules.
## [privileges]: sandbox capabilities

| Key | Type | Default | AC / LPAC | RT | Description |
|---|---|---|---|---|---|
| network | bool | false | Optional | N/A | Outbound internet. RT mode: always allowed. |
| lan | bool / string | false | Optional | N/A | LAN + loopback. Values: false / 'with localhost' / 'without localhost'. |
| named_pipes | bool | false | N/A | Optional | Allow CreateNamedPipeW. Required for Flutter, Chromium, Bun/Node IPC. |
| desktop | bool | true | N/A | Optional | WinSta0 + Desktop access. Default true. Set false only for headless services. |
| stdin | bool / absolute path | false | Optional | Optional | false=NUL; true=inherit parent stdin; absolute path=redirect from file |
| clipboard_read | bool | false | Optional | Optional | Allow reading from the system clipboard |
| clipboard_write | bool | false | Optional | Optional | Allow writing to the system clipboard |
| child_processes | bool | true | Optional | Optional | Allow spawning child processes. Set false only for strictly single-process scripts. |
## [registry]: registry key grants

Not available in AppContainer / LPAC mode: AC uses a fixed private registry hive automatically. Most HKLM\Software and HKCU keys are already readable via BUILTIN\Users in RT.
| Key | Default | AC / LPAC | RT | Description |
|---|---|---|---|---|
| read | [] | N/A | Optional | Grant read access to specific registry keys |
| write | [] | N/A | Optional | Grant write access to specific registry keys |
## [environment]: environment variables

| Key | Type | Default | AC / LPAC | RT | Description |
|---|---|---|---|---|---|
| inherit | bool | false | Optional | Optional | true: pass full parent env; false: clean env + essential Windows vars + pass list |
| pass | string array | [] | Optional | Optional | Specific vars to include when inherit = false |
With inherit = false, the clean environment always carries these essential Windows variables:

SYSTEMROOT, SYSTEMDRIVE, WINDIR, OS, TEMP, TMP, COMSPEC, PATHEXT, LOCALAPPDATA, APPDATA, USERPROFILE, HOMEDRIVE, HOMEPATH, PROCESSOR_ARCHITECTURE, NUMBER_OF_PROCESSORS
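As an added illustration (not Sandy's own code), a Python model of how the [environment] rules compose the child's block: the essential list is the one given above, the parent environment is constructed for the demo, and case-insensitive name matching is an assumption based on how Windows treats variable names.

```python
# Added example, not Sandy's own code: a model of how the [environment] rules
# above compose the child's environment block. The essential-variable list is
# the one this page gives; the parent block below is constructed for the demo.
ESSENTIAL = ["SYSTEMROOT", "SYSTEMDRIVE", "WINDIR", "OS", "TEMP", "TMP",
             "COMSPEC", "PATHEXT", "LOCALAPPDATA", "APPDATA", "USERPROFILE",
             "HOMEDRIVE", "HOMEPATH", "PROCESSOR_ARCHITECTURE", "NUMBER_OF_PROCESSORS"]

# Constructed parent environment, including a credential that must not leak.
PARENT = {"SystemRoot": "C:\\Windows", "Path": "C:\\Windows;C:\\tools",
          "TEMP": "C:\\Users\\dev\\AppData\\Local\\Temp",
          "API_TOKEN": "constructed-secret", "PROJECT_DIR": "C:\\repos\\app"}


def build_env(parent: dict, inherit: bool = False, pass_vars=()) -> dict:
    """Return the child's environment block.

    inherit=True passes the parent block through unchanged. inherit=False starts
    from a clean block, keeps only the essential Windows variables present in
    the parent, then adds the explicitly listed pass variables. Names are
    matched case-insensitively (assumed, as Windows variable names are).
    """
    if inherit:
        return dict(parent)
    by_upper = {name.upper(): (name, value) for name, value in parent.items()}
    child = {}
    for wanted in ESSENTIAL + [v.upper() for v in pass_vars]:
        if wanted in by_upper:
            name, value = by_upper[wanted]
            child[name] = value  # keep the parent's original spelling
    return child
```

Note that Path is not on the essential list, so a tool that needs it must name it under pass.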
## [limit]: resource constraints

| Key | Unit | Default | AC / LPAC | RT | Description |
|---|---|---|---|---|---|
| timeout | seconds | 0 | Optional | Optional | Kill root process after N seconds. 0=no limit. After the root exits (or is killed on timeout), Sandy waits for all descendant processes in the job to finish before cleanup. Sandy exits 130 on timeout. |
| memory | MB | 0 | Optional | Optional | Job-wide memory cap. 0=no limit. Enforced via job objects. |
| processes | count | 0 | Optional | Optional | Max active process count. 0=no limit. |
If a limit is configured but cannot be enforced (job object failure), Sandy terminates the child and exits with code 129. The sandbox never runs with unenforced limits.
One-glance view of every key and its status per mode.
| Section / Key | Default | AC / LPAC | Restricted |
|---|---|---|---|
| [sandbox] | none | Required | Required |
| token | none | Required | Required |
| integrity | none | N/A | Required |
| strict | false | N/A | Optional |
| workdir | 'inherit' | Optional | Optional |
| [allow.deep] / [allow.this] | [] | Optional | Optional |
| [deny.deep] / [deny.this] | [] | N/A | Optional |
| [privileges] | none | mode-gated | mode-gated |
| network | false | Optional | N/A |
| lan | false | Optional | N/A |
| named_pipes | false | N/A | Optional |
| desktop | true | N/A | Optional |
| stdin | false | Optional | Optional |
| clipboard_read | false | Optional | Optional |
| clipboard_write | false | Optional | Optional |
| child_processes | true | Optional | Optional |
| [registry] | [] | N/A | Optional |
| read / write | [] | N/A | Optional |
| [environment] | none | Optional | Optional |
| inherit | false | Optional | Optional |
| pass | [] | Optional | Optional |
| [limit] | none | Optional | Optional |
| timeout / memory / processes | 0 | Optional | Optional |
Exact Windows access masks per [allow.*] level. write does not imply read, and read does not imply execute.
| Level | Key | Key Windows bits | Notes |
|---|---|---|---|
| Read | read | FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE | Cannot load DLLs (no FILE_EXECUTE) |
| Write | write | FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, FILE_READ_ATTRIBUTES | Cannot list/read contents |
| Execute | execute | All Read bits + FILE_EXECUTE | Standard RX; minimum to run programs |
| Append | append | FILE_APPEND_DATA, FILE_READ_ATTRIBUTES, SYNCHRONIZE | Cannot overwrite existing data |
| Delete | delete | DELETE, FILE_READ_ATTRIBUTES, SYNCHRONIZE | No read or write |
| All | all | FILE_ALL_ACCESS & ~(FILE_DELETE_CHILD \| WRITE_DAC \| WRITE_OWNER) | Full data control. WRITE_DAC, WRITE_OWNER, FILE_DELETE_CHILD intentionally stripped. |
| Run | run | FILE_EXECUTE, FILE_READ_ATTRIBUTES, SYNCHRONIZE | Execute only, no read (can't copy binary) |
| Stat | stat | FILE_READ_ATTRIBUTES, SYNCHRONIZE | Attributes only |
| Touch | touch | FILE_WRITE_ATTRIBUTES, FILE_READ_ATTRIBUTES, SYNCHRONIZE | Modify attributes only |
| Create | create | FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, FILE_READ_ATTRIBUTES, SYNCHRONIZE | Create new files/subdirs, no overwrite |
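As an added illustration (not Sandy's own code), the masks from this table built from the standard Windows bit values, together with a model of the Restricted Token carve-out rule described under [allow.*] (rules sorted by depth, deny before allow at each depth, a deeper allow overriding an inherited deny). The bit values are the documented Windows constants; the resolution logic is a simplified model and deliberately does not handle allow/deny conflicts on the same path.

```python
# Added example, not Sandy's own code: the access masks from the table above
# plus a model of the Restricted Token carve-out rule (rules sorted by depth,
# deny applied before allow at each depth, so a deeper allow overrides an
# inherited deny). Bit values are the standard Windows ones; same-path
# allow/deny conflicts are not modelled.
from pathlib import PureWindowsPath

FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA = 0x1, 0x2, 0x4, 0x8
FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD = 0x10, 0x20, 0x40
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x80, 0x100
FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY = FILE_WRITE_DATA, FILE_APPEND_DATA  # same bits on directories
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
SYNCHRONIZE, FILE_ALL_ACCESS = 0x100000, 0x1F01FF

MASK = {  # one entry per [allow.*] / [deny.*] level, as listed in the table
    "read": FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE,
    "write": (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
              | READ_CONTROL | SYNCHRONIZE | FILE_READ_ATTRIBUTES),
    "append": FILE_APPEND_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE,
    "delete": DELETE | FILE_READ_ATTRIBUTES | SYNCHRONIZE,
    "all": FILE_ALL_ACCESS & ~(FILE_DELETE_CHILD | WRITE_DAC | WRITE_OWNER),
    "run": FILE_EXECUTE | FILE_READ_ATTRIBUTES | SYNCHRONIZE,
    "stat": FILE_READ_ATTRIBUTES | SYNCHRONIZE,
    "touch": FILE_WRITE_ATTRIBUTES | FILE_READ_ATTRIBUTES | SYNCHRONIZE,
    "create": FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY | FILE_READ_ATTRIBUTES | SYNCHRONIZE,
}
MASK["execute"] = MASK["read"] | FILE_EXECUTE


def effective_access(path: str, allow: dict, deny: dict) -> int:
    """Model the mask a Restricted Token child ends up with on `path`.

    allow/deny map scope ("deep" / "this") to {level: [paths]}, like the TOML
    sections. A rule applies to `path` itself or, for "deep" scope, to any
    descendant. Shallower rules are applied first; deny before allow per depth.
    """
    target = PureWindowsPath(path)
    rules = []  # (depth, 0 = deny / 1 = allow, bits)
    for kind, table in ((0, deny), (1, allow)):
        for scope, levels in table.items():
            for level, paths in levels.items():
                for rule_path in map(PureWindowsPath, paths):
                    if rule_path == target or (scope == "deep" and rule_path in target.parents):
                        rules.append((len(rule_path.parts), kind, MASK[level]))
    mask = 0
    for _depth, kind, bits in sorted(rules):
        mask = mask | bits if kind else mask & ~bits
    return mask
```

Running the page's own carve-out example through effective_access gives 0 for C:\repos\build.log and the full all mask for C:\repos\snipps\a.py.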