brainboxdotcc
diff --git a/‎docpages/user-guide/commands/rocketsh.md‎
Lines changed: 16 additions & 0 deletions b/‎docpages/user-guide/commands/rocketsh.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎docs/doxygen_crawl.html‎
Lines changed: 1 addition & 0 deletions b/‎docs/doxygen_crawl.html‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/rocketsh.html‎
Lines changed: 12 additions & 1 deletion b/‎docs/rocketsh.html‎
Lines changed: 12 additions & 1 deletion
@@ -169,6 +169,22 @@ Show all commands stored in the command history, which you may retrieve with the
 history
 ```
 
+#### sandbox
+
+Launches a command in a sandboxed environment. The sandboxed environment cannot run various unsafe BASIC functions. All children
+of the sandboxed process also inherit the same restrictions.
+
+```basic
+sandbox dir /programs
+```
+
+**While sandboxed, a BASIC program cannot:**
+
+- Write to or delete files or directories
+- Load or unload kernel modules
+- Write to or read from raw memory (including buffers)
+- Perform raw hardware I/O
+
 ### Rocketsh Variables
 
 The rocketsh shell allows you to change certain variables that influence how the shell operates. These are:
 
@@ -1372,6 +1372,7 @@
 <a href="rocketsh.html#rocket-shell-commands"/>
 <a href="rocketsh.html#rocketsh-variables"/>
 <a href="rocketsh.html#run"/>
+<a href="rocketsh.html#sandbox"/>
 <a href="rocketsh.html#task"/>
 <a href="rocketsh.html#up"/>
 <a href="rocketsh.html#version"/>
 
@@ -234,7 +234,18 @@ <h4 class="doxsection"><a class="anchor" id="dirs"></a>
 history</h4>
 <p>Show all commands stored in the command history, which you may retrieve with the cursor keys.</p>
 <div class="fragment"><div class="line">history</div>
-</div><!-- fragment --><h3 class="doxsection"><a class="anchor" id="rocketsh-variables"></a>
+</div><!-- fragment --><h4 class="doxsection"><a class="anchor" id="sandbox"></a>
+sandbox</h4>
+<p>Launches a command in a sandboxed environment. The sandboxed environment cannot run various unsafe BASIC functions. All children of the sandboxed process also inherit the same restrictions.</p>
+<div class="fragment"><div class="line">sandbox dir /programs</div>
+</div><!-- fragment --><p><b>While sandboxed, a BASIC program cannot:</b></p>
+<ul>
+<li>Write to or delete files or directories</li>
+<li>Load or unload kernel modules</li>
+<li>Write to or read from raw memory (including buffers)</li>
+<li>Perform raw hardware I/O</li>
+</ul>
+<h3 class="doxsection"><a class="anchor" id="rocketsh-variables"></a>
 Rocketsh Variables</h3>
 <p>The rocketsh shell allows you to change certain variables that influence how the shell operates. These are:</p>
 <h4 class="doxsection"><a class="anchor" id="path"></a>