diff --git a/src/crosvm/cmdline.rs b/src/crosvm/cmdline.rs
index 6e21018223..e785ca6cbc 100644
--- a/src/crosvm/cmdline.rs
+++ b/src/crosvm/cmdline.rs
@@ -1620,10 +1620,6 @@ impl TryFrom for super::config::Config {
 cfg.initrd_path = cmd.initrd_path;
- if cmd.disable_sandbox {
- cfg.jail_config = None;
- }
-
 if let Some(p) = cmd.bios {
 if cfg.executable_path.is_some() {
 return Err(format!(
@@ -1855,6 +1851,12 @@ impl TryFrom for super::config::Config {
 cfg.vfio_isolate_hotplug = cmd.vfio_isolate_hotplug;
 }
+ // `--disable-sandbox` has the effect of disabling sandboxing altogether, so make sure
+ // to handle it after other sandboxing options since they implicitly enable it.
+ if cmd.disable_sandbox {
+ cfg.jail_config = None;
+ }
+
 // Now do validation of constructed config
 super::config::validate_config(&mut cfg)?;
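Review bot: In the second hunk, `cfg.jail_config = None;` now discards any jail configuration that the earlier sandbox options set up (per the new comment, they implicitly enable it), so a command line combining `--disable-sandbox` with one of those options ends up unsandboxed with no indication to the operator. The same function already rejects conflicting inputs with `return Err(format!(` (visible in the first hunk), so it is worth deciding whether this combination should be an error or at least logged; if the silent override is intended, say so in the comment, e.g. `// Options given alongside --disable-sandbox are dropped here on purpose.`. The ordering is held only by the block's position in a long function, so a test that parses `--disable-sandbox` together with another sandbox option and asserts `cfg.jail_config.is_none()` would pin it. The body of `try_from` starts and ends outside both hunks, so the option handling between them is not visible here.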