Containment & sandboxing
Launched apps are sandboxed by default. The default level is fail-closed: with no
sandbox runtime available, glass_start errors rather than running the app unconfined.
Set the level with the GLASS_SANDBOX environment variable on the server (e.g. GLASS_SANDBOX=off
to launch unconfined when you understand the risk). Sandbox runtime by platform:
- Linux: bubblewrap + unprivileged user namespaces.
- Windows: Sandboxie Classic.
glass-mcp doctor reports sandbox availability alongside display/compositor checks and prints
the exact remedy for your system. The full level table is in the
glass README.
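
A Linux preflight for the runtime listed above, as an added example that is not glass's own code: it checks that unprivileged user namespaces are permitted and that bwrap can build a sandbox, then applies the fail-closed rule. PROC_ROOT and the function names are assumptions of this example, and only the default level and GLASS_SANDBOX=off are modelled.

```shell
#!/bin/sh
# Added example, not glass code: preflight for bubblewrap + unprivileged
# user namespaces, followed by a fail-closed launch decision.

# PROC_ROOT is an assumption of this example; it lets the checks run against
# a constructed directory and defaults to the real /proc.
: "${PROC_ROOT:=/proc}"

# Succeeds unless a kernel knob forbids unprivileged user namespaces.
# A knob whose file is missing does not exist on this kernel and is skipped.
userns_allowed() {
    f="$PROC_ROOT/sys/user/max_user_namespaces"
    if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then return 1; fi
    f="$PROC_ROOT/sys/kernel/unprivileged_userns_clone"  # Debian/Ubuntu kernels
    if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then return 1; fi
    return 0
}

# Succeeds when bwrap is installed and can create a user namespace.
bwrap_works() {
    command -v bwrap >/dev/null 2>&1 || return 1
    bwrap --unshare-user --ro-bind / / true >/dev/null 2>&1
}

# Prints "yes" when both checks pass, otherwise "no".
runtime_usable() {
    if userns_allowed && bwrap_works; then echo yes; else echo no; fi
}

# Fail-closed rule. $1 = GLASS_SANDBOX value (may be empty), $2 = yes/no.
# Only the default level and "off" are modelled (assumption: other levels
# from the README are treated like the default here).
launch_decision() {
    if [ "$1" = "off" ]; then echo unconfined; return 0; fi
    if [ "$2" = "yes" ]; then echo sandboxed; return 0; fi
    echo refuse
    return 1
}

launch_decision "${GLASS_SANDBOX:-}" "$(runtime_usable)" || true
```

A "refuse" result corresponds to the case where glass_start errors; glass-mcp doctor remains the authoritative check and prints the remedy.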