diff --git a/hosts/common/programs/networkmanager.nix b/hosts/common/programs/networkmanager.nix
index b7d8e741..91cbb06c 100644
--- a/hosts/common/programs/networkmanager.nix
+++ b/hosts/common/programs/networkmanager.nix
@@ -24,97 +24,24 @@ in "net_admin" "net_raw" "net_bind_service" #< TODO: is this needed? why? (DNS?) - # "setgid" - # "setuid" - # "sys_module" #< TODO: is this needed? + # "sys_module" "audit_write" #< allow writing to the audit log # "kill" - # "sys_chroot" ]; sandbox.extraPaths = [ - # "/proc" - # "/run" - # "/sys" - # "/var/lib" - #^ works - - # "/dev" - # "/proc" - # "/run" - # "/sys" - # "/var/lib/NetworkManager" - # "/var/lib/trust-dns" #< for trust-dns-nmhook - #^ works - - # # "/dev/net" - # # "/dev/rfkill" - # # "/proc/sys/net" - # "/dev" - # "/proc" - # "/run/NetworkManager" - # "/run/dbus" - # "/run/log" - # "/run/resolvconf" - # "/run/secrets" - # "/run/systemd" - # "/run/udev" - # "/run/user" - # "/run/wg-home.priv" - # "/var/run/NetworkManager" #< legacy symlinks, which NM wants to crawl - # "/var/run/dbus" - # "/var/run/log" - # "/var/run/resolvconf" - # "/var/run/systemd" - # "/var/run/udev" - # "/var/run/user" - # "/sys" - # # "/sys/class/net" - # # "/sys/devices" - # "/var/lib/NetworkManager" - # "/var/lib/trust-dns" #< for trust-dns-nmhook - #^ works - - # "/dev/net" - # "/dev/rfkill" #< TODO: check if really necessary! - # "/proc" #< TODO: specify this more precisely - # "/proc/acpi" - # "/proc/asound" - # "/proc/bus" - # "/proc/cpuinfo" - # "/proc/crypto" - # "/proc/devices" - # "/proc/driver" - # "/proc/fs" - # "/proc/irq" - # "/proc/modules" - # "/proc/net" - # "/proc/pressure" "/proc/net" "/proc/sys/net" - # "/proc/sysvipc" - # "/proc/tty" "/run/NetworkManager" - # "/run/dbus" - # "/run/secrets/net" "/run/systemd" # for trust-dns-nmhook "/run/udev" - # "/run/wg-home.priv" #< TODO: move this into /run/secrets? + # "/run/wg-home.priv" "/sys/class" #< TODO: specify this more precisely "/sys/devices" "/var/lib/NetworkManager" - # "/var/lib/bluetooth" - # "/var/lib/cups" - # "/var/lib/etc_secrets" - # "/var/lib/machines" - # "/var/lib/nixos" - # "/var/lib/portables" - # "/var/lib/private" - # "/var/lib/systemd" #< rfkill? 
"/var/lib/trust-dns" #< for trust-dns-nmhook - # "/var/lib/udisks2" ]; - # sandbox.whitelistDbus = [ "system" ]; + sandbox.whitelistDbus = [ "system" ]; #< apparently not actually needed? }; }
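Review bot: The newly uncommented `sandbox.whitelistDbus = [ "system" ];` is annotated `#< apparently not actually needed?`, which contradicts enabling it: system-bus access widens the sandbox, so the line should either record what breaks without it or stay commented out until that is known, e.g. `sandbox.whitelistDbus = [ "system" ]; #< required for: <what fails without it — TODO confirm>`. The same hunk rewrites `# "/run/wg-home.priv" #< TODO: move this into /run/secrets?` to just `# "/run/wg-home.priv"`, so the note about relocating that key-like file is lost while the path itself remains; if that intent still stands, keep the TODO on the line. The unanswered `#< TODO: is this needed? why? (DNS?)` on `"net_bind_service"` and `#< TODO: specify this more precisely` on `"/sys/class"` are carried forward unchanged, so the broad grants they mark remain undocumented. The capabilities list this hunk edits opens before the hunk.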