Config Sandbox

To understand how Legato sandboxes are implemented, see Sandboxes basics.


Sandboxes are configured through the Definition Files :

This is what a sandboxed app Config Tree Schema looks like.

Common Problems

Often, when sandbox problems occur, it's because either:

  • the permissions are set incorrectly: check the .sdef bundles section to ensure permissions are valid.
  • there's a file missing from the file system within the sandbox: check that the def files' requires sections include all required files.

Sandbox Sample Apps

Legato provides sample apps that use sandboxes:
Shell Piping
Command Line

Sample Code

This is the Shell Piping sample app's .adef file:

start: manual

        // Bundling the script into the sandbox with the permissions needed to run it.
        [rx] utilPipes    /

        // Adding sh (shell), ls, grep and echo utilities into the sandbox.
        /bin/sh     /usr/local/bin/
        /bin/ls     /usr/local/bin/
        /bin/grep   /usr/local/bin/
        /bin/echo   /usr/local/bin/

        // Run sh (shell) and pass it the script for it to run.
        (sh utilPipes)

Access Services Outside

A Legato sandboxed app can access services outside its sandbox. All available services are advertised by the Service Directory. Apps connect to services through a request to the Service Directory. The Service Directory grants access only if the app has been explicitly bound to a service (using the .adef and .sdef bindings section).

If you want to allow direct access to bind mount objects from the file system (e.g., files, directories, named sockets and pipes, etc.), explicitly allow it through app configuration in the .adef and .cdef files requires section.


Although it's not recommended, you can turn-off sandboxing by setting Sandboxed to false.

Copyright (C) Sierra Wireless Inc. Use of this work is subject to license.