diff --git a/hosts/common/programs/rofi/default.nix b/hosts/common/programs/rofi/default.nix
index 13268eac3..ff7ab7613 100644
--- a/hosts/common/programs/rofi/default.nix
+++ b/hosts/common/programs/rofi/default.nix
@@ -141,7 +141,11 @@ in
       srcRoot = ./.;
       pkgs = [ "sane-open" ];
     };
-    sandbox.method = null;  #< trivial script, and all our deps are sandboxed
+    # sandboxing options cribbed from sane-open
+    sandbox.whitelistDbus = [ "user" ];
+    sandbox.keepPidsAndProc = true;
+    sandbox.extraHomePaths = [ ".local/share/applications" ];
+    sandbox.extraRuntimePaths = [ "sway" ];
 
     suggestedPrograms = [
       "sane-open"