diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index 42c5a367..fffe5ba2 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -206,7 +206,13 @@ in
       ];
     };
 
-    "sane-scripts.stop-all-servo" = {};
+    "sane-scripts.stop-all-servo".sandbox = {
+      method = "bwrap";
+      extraPaths = [
+        "/run/dbus"
+        "/run/systemd"
+      ];
+    };
 
     # if `tee` isn't trustworthy we have bigger problems
     "sane-scripts.sudo-redirect".sandbox.enable = false;