Introduction
Sandstorm is a self-hostable web productivity platform that packages web applications into secure, isolated sandboxes. Each app instance runs in its own container with strict capability-based security, making it safe to run untrusted or community-contributed apps on your personal server.
What Sandstorm Does
- Installs web apps from a marketplace with one-click deployment
- Sandboxes every app instance using Linux namespaces and seccomp filters
- Manages user authentication with built-in login via email, Google, or GitHub
- Provides per-document sharing with fine-grained access controls
- Handles backups and restores for individual app grains
Architecture Overview
Sandstorm uses a capability-based security model where each app instance (called a grain) runs in its own namespace-isolated sandbox. The platform communicates with apps through Cap'n Proto, a high-performance RPC protocol. A supervisor process mediates all grain I/O, enforcing security policies without requiring apps to be security-aware.
Self-Hosting & Configuration
- Install via the official script on any Debian or Ubuntu server
- Configure your domain and wildcard DNS for grain subdomains
- Set up HTTPS with a built-in certificate manager or reverse proxy
- Manage users and permissions through the admin panel
- Install apps from the Sandstorm App Market or upload custom SPK packages
Key Features
- Capability-based sandboxing isolates every app instance
- One-click app installation from a curated marketplace
- Per-document access control modeled after Google Docs sharing
- Built-in user management with multiple auth providers
- Grain-level backup and export for data portability
Comparison with Similar Tools
- Cloudron — commercial app platform; Sandstorm is fully open source with stronger sandboxing
- YunoHost — Linux distro for self-hosting; Sandstorm provides per-instance isolation
- CasaOS — homelab dashboard; Sandstorm offers security-hardened app sandboxing
- Coolify — PaaS for deploying apps; Sandstorm focuses on end-user web productivity
FAQ
Q: What apps are available on Sandstorm? A: The marketplace includes EtherCalc, Wekan, Rocket.Chat, GitWeb, and dozens of productivity and collaboration apps.
Q: Does Sandstorm require root access? A: Yes, it uses Linux kernel features (namespaces, seccomp) that require privileged access for sandboxing.
Q: Can I develop my own Sandstorm apps? A: Yes, Sandstorm provides an SDK and packaging tools to convert any web app into an SPK package.
Q: How many resources does Sandstorm need? A: A server with 1 GB RAM can run several grains. Each idle grain uses minimal memory.