diff --git a/.gitignore b/.gitignore
index d6f56f5259e29d1eedd7ab3a98f1316f7c901dc3..3c4c91e04cef87928fd89f31533b0eb612b0da15 100644
--- a/.gitignore
+++ b/.gitignore
@@ -185,6 +185,8 @@ uptime-*.json
 /src/lib/libtor-malloc-testing.a
 /src/lib/libtor-net.a
 /src/lib/libtor-net-testing.a
+/src/lib/libtor-sandbox.a
+/src/lib/libtor-sandbox-testing.a
 /src/lib/libtor-string.a
 /src/lib/libtor-string-testing.a
 /src/lib/libtor-tls.a
diff --git a/Makefile.am b/Makefile.am
index d80f81de107843c00839b6e2ff4cda84fc0ffcbc..97057048d72ad5a827d7f38450fd2d45de8ae762 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -40,6 +40,7 @@ endif
 # "Common" libraries used to link tor's utility code.
 TOR_UTIL_LIBS = \
 	src/common/libor.a \
+        src/lib/libtor-sandbox.a \
 	src/lib/libtor-net.a \
         src/lib/libtor-log.a \
         src/lib/libtor-lock.a \
@@ -56,6 +57,7 @@ TOR_UTIL_LIBS = \
 # and tests)
 TOR_UTIL_TESTING_LIBS = \
 	src/common/libor-testing.a \
+        src/lib/libtor-sandbox-testing.a \
 	src/lib/libtor-net-testing.a \
         src/lib/libtor-log-testing.a \
         src/lib/libtor-lock-testing.a \
diff --git a/src/common/include.am b/src/common/include.am
index 56666b87f2b362df6635de510afc7c06a6a05c74..c8be3658e99267edec8df97cb80ea760bc4615ba 100644
--- a/src/common/include.am
+++ b/src/common/include.am
@@ -41,7 +41,6 @@ LIBOR_A_SRC = \
   src/common/util.c					\
   src/common/util_format.c				\
   src/common/util_process.c				\
-  src/common/sandbox.c					\
   src/common/storagedir.c				\
   src/common/token_bucket.c				\
   src/common/workqueue.c				\
@@ -84,9 +83,7 @@ COMMONHEADERS = \
   src/common/confline.h				\
   src/common/handles.h				\
   src/common/memarea.h				\
-  src/common/linux_syscalls.inc			\
   src/common/procmon.h				\
-  src/common/sandbox.h				\
   src/common/storagedir.h			\
   src/common/timers.h				\
   src/common/token_bucket.h			\
diff --git a/src/include.am b/src/include.am
index 5b8aacdd59f54eaa7322139b57644c7be717e5d4..5d28ea34ecd9d78393490bba3a6439282c9d62f3 100644
--- a/src/include.am
+++ b/src/include.am
@@ -13,6 +13,7 @@ include src/lib/lock/include.am
 include src/lib/log/include.am
 include src/lib/malloc/include.am
 include src/lib/net/include.am
+include src/lib/sandbox/include.am
 include src/lib/string/include.am
 include src/lib/testsupport/include.am
 include src/lib/tls/include.am
diff --git a/src/lib/sandbox/.may_include b/src/lib/sandbox/.may_include
new file mode 100644
index 0000000000000000000000000000000000000000..5c22b0e509a7edf5a092f55189cbb1fb0429d0de
--- /dev/null
+++ b/src/lib/sandbox/.may_include
@@ -0,0 +1,11 @@
+orconfig.h
+
+lib/cc/*.h
+lib/container/*.h
+lib/err/*.h
+lib/log/*.h
+lib/sandbox/*.h
+
+ht.h
+siphash.h
+tor_queue.h
diff --git a/src/lib/sandbox/include.am b/src/lib/sandbox/include.am
new file mode 100644
index 0000000000000000000000000000000000000000..adfda6bde53a2ced1a92fe90c99b9c31a93dd162
--- /dev/null
+++ b/src/lib/sandbox/include.am
@@ -0,0 +1,18 @@
+
+noinst_LIBRARIES += src/lib/libtor-sandbox.a
+
+if UNITTESTS_ENABLED
+noinst_LIBRARIES += src/lib/libtor-sandbox-testing.a
+endif
+
+src_lib_libtor_sandbox_a_SOURCES =			\
+	src/lib/sandbox/sandbox.c
+
+src_lib_libtor_sandbox_testing_a_SOURCES = \
+	$(src_lib_libtor_sandbox_a_SOURCES)
+src_lib_libtor_sandbox_testing_a_CPPFLAGS = $(AM_CPPFLAGS) $(TEST_CPPFLAGS)
+src_lib_libtor_sandbox_testing_a_CFLAGS = $(AM_CFLAGS) $(TEST_CFLAGS)
+
+noinst_HEADERS +=					\
+	src/lib/sandbox/linux_syscalls.inc		\
+	src/lib/sandbox/sandbox.h
diff --git a/src/common/linux_syscalls.inc b/src/lib/sandbox/linux_syscalls.inc
similarity index 100%
rename from src/common/linux_syscalls.inc
rename to src/lib/sandbox/linux_syscalls.inc
diff --git a/src/common/sandbox.c b/src/lib/sandbox/sandbox.c
similarity index 100%
rename from src/common/sandbox.c
rename to src/lib/sandbox/sandbox.c
diff --git a/src/common/sandbox.h b/src/lib/sandbox/sandbox.h
similarity index 100%
rename from src/common/sandbox.h
rename to src/lib/sandbox/sandbox.h
diff --git a/src/rust/build.rs b/src/rust/build.rs
index b51a87ab1ba36fe11f8599cdb0ab564984b9df8a..4d3c9d8eb49e8f60e22a6434cb5c901429ee2cf5 100644
--- a/src/rust/build.rs
+++ b/src/rust/build.rs
@@ -151,6 +151,7 @@ pub fn main() {
             // moving forward!
             cfg.component("tor-crypt-ops-testing");
             cfg.component("or-testing");
+            cfg.component("tor-sandbox");
             cfg.component("tor-net");
             cfg.component("tor-log");
             cfg.component("tor-lock");