diff --git a/sdk_lib/Dockerfile.lean-arch b/sdk_lib/Dockerfile.lean-arch
index 6819233e536..c650caf91bd 100644
--- a/sdk_lib/Dockerfile.lean-arch
+++ b/sdk_lib/Dockerfile.lean-arch
@@ -5,7 +5,8 @@ ARG RMARCH
 ARG RMCROSS
 RUN if [ -n "$RMCROSS" ]; then \
- sudo crossdev --clean --force "$RMCROSS"; \
+ FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" \
+ sudo crossdev --clean --force "$RMCROSS"; \
 fi
 RUN if [ -n "$RMARCH" ]; then \
diff --git a/sdk_lib/Dockerfile.sdk-build b/sdk_lib/Dockerfile.sdk-build
index d532f700651..8217ea14fad 100644
--- a/sdk_lib/Dockerfile.sdk-build
+++ b/sdk_lib/Dockerfile.sdk-build
@@ -7,7 +7,8 @@ ARG OFFICIAL=0
 # mark build as official where appropriate
 RUN echo "export COREOS_OFFICIAL=$OFFICIAL" > /mnt/host/source/.env
-RUN /home/sdk/sdk_entry.sh ./sdk_lib/setup_boards.sh start "${BINHOST}"
+RUN FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" \
+ /home/sdk/sdk_entry.sh ./sdk_lib/setup_boards.sh start "${BINHOST}"
 RUN rm /mnt/host/source/.env
 RUN rm -rf /home/sdk/toolchain-pkgs
diff --git a/sdk_lib/Dockerfile.sdk-import b/sdk_lib/Dockerfile.sdk-import
index a8e75e5d121..a7e11ef9acc 100644
--- a/sdk_lib/Dockerfile.sdk-import
+++ b/sdk_lib/Dockerfile.sdk-import
@@ -48,7 +48,8 @@ RUN chmod 755 /home/sdk/sdk_entry.sh
 # This should be a NOP; if you see packages being rebuilt
 # it's likely that scripts and SDK tarball are out of sync
-RUN /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr"
+RUN FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" \
+ /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr"
 # Clean up ephemeral key directory variables that were added during build
 RUN sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \
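Review bot: In sdk_lib/Dockerfile.lean-arch the `FEATURES=...` assignment sits in front of `sudo`, so it lands in sudo's environment and may never reach crossdev. With sudo's default `env_reset` the variable is dropped unless the SDK's sudoers policy preserves it, and that policy is not visible in this diff. If it is dropped, the three sandbox features stay enabled for `crossdev --clean` and this hunk has no effect. Passing the variable on the sudo command line states the intent directly, provided the policy permits setting variables: `sudo FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" crossdev --clean --force "$RMCROSS"; \`.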
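Review bot: The new `RUN FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox"` line in sdk_lib/Dockerfile.sdk-build carries no comment saying why Portage's sandboxes are switched off, and the same holds for the sdk-import and lean-arch hunks. Presumably the build environment cannot create the namespaces these features rely on, but a later reader cannot tell that from the file. With `-network-sandbox` the package build phases in this step are no longer cut off from the network, so the trade-off deserves a line above each RUN, for example `# Portage ipc/network/pid sandboxes need namespaces unavailable during docker build; disabled for this step only` (wording to be confirmed by the author). Keeping the override as a per-RUN prefix rather than an `ENV` is the right scope, since it does not persist into the resulting SDK image, and the comment could say so.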