diff --git a/modules/programs/make-sandboxed.nix b/modules/programs/make-sandboxed.nix
index 9949a4a7c..dac554afb 100644
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@@ -1,14 +1,16 @@
-{ lib
-, stdenv
-, buildPackages
-, file
-, gnugrep
-, runCommandLocal
-, runtimeShell
-, sanebox
-, symlinkJoin
-, writeShellScriptBin
-, writeTextFile
+{
+  lib,
+  stdenv,
+  buildPackages,
+  file,
+  gnugrep,
+  makeWrapper,
+  runCommandLocal,
+  runtimeShell,
+  sanebox,
+  symlinkJoin,
+  writeShellScriptBin,
+  writeTextFile,
 }:
 let
 fakeSaneSandboxed = writeShellScriptBin "sanebox" ''
@@ -42,7 +44,7 @@ let
   # take an existing package, which may have a `bin/` folder as well as `share/` etc,
   # and patch the `bin/` items in-place
-  sandboxBinariesInPlace = sanebox': extraSandboxArgsStr: pkgName: pkg: pkg.overrideAttrs (unwrapped: {
+  sandboxBinariesInPlace = sanebox': extraSandboxArgs: pkgName: pkg: pkg.overrideAttrs (unwrapped: {
     # disable the sandbox and inject a minimal fake sandboxer which understands that flag,
     # in order to support packages which invoke sandboxed apps in their check phase.
     # note that it's not just for packages which invoke their *own* binaries in check phase,
@@ -56,6 +58,7 @@ let
     outputs = lib.remove "lib" (unwrapped.outputs or [ "out" ]);
     nativeBuildInputs = (unwrapped.nativeBuildInputs or []) ++ [
       fakeSaneSandboxed
+      makeWrapper
     ];
     disallowedReferences = (unwrapped.disallowedReferences or []) ++ [
       # the fake sandbox gates itself behind SANEBOX_DISABLE, so if it did end up deployed
@@ -64,6 +67,10 @@ let
     ];
     postFixup = (unwrapped.postFixup or "") + ''
+      assertExecutable() {
+        # my programs refer to sanebox by name, not path, which triggers an over-eager assertion in nixpkgs (so, mask that)
+        :
+      }
 sandboxWrap() {
         local _dir="$1"
         local _name="$2"
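Review bot: Redefining `assertExecutable` as a no-op disables makeWrapper's check that the wrap target is an existing executable for every `makeShellWrapper` call that follows in this postFixup, not only for the bare-name `sanebox` case the comment describes, so a wrong `${sanebox'}` store path would produce a wrapper that only fails at run time inside the sandboxed package. A narrower mask keeps the check whenever the target contains a slash and skips it only for bare names, which the wrapper resolves through PATH when it runs; a version is sketched below. The comment should also state that the override stays in effect for the rest of this appended script, since the package's own `postFixup` is concatenated ahead of it. `sandboxWrap` continues outside the hunk.
```nix
    postFixup = (unwrapped.postFixup or "") + ''
      assertExecutable() {
        # sanebox may be referenced by bare name (resolved through PATH when the wrapper
        # runs), which the nixpkgs check rejects; keep the check for anything with a path.
        case "$1" in
          */*)
            if ! [ -f "$1" ] || ! [ -x "$1" ]; then
              echo "sandboxWrap: '$1' is not an executable file" >&2
              exit 1
            fi
            ;;
        esac
      }
      # … unchanged: sandboxWrap, crawlAndWrap …
```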
@@ -81,9 +88,7 @@ let else mv "$_dir/$_name" "$_dir/.sandboxed/" fi - echo '#!${runtimeShell}' > "$_dir/$_name" - echo 'exec ${sanebox'}' ${extraSandboxArgsStr} "$_dir/.sandboxed/$_name" '"$@"' >> "$_dir/$_name" - chmod +x "$_dir/$_name" + makeShellWrapper ${sanebox'} "$_dir/$_name" --inherit-argv0 ${lib.escapeShellArgs (lib.flatten (builtins.map (f: [ "--add-flags" f ]) extraSandboxArgs))} --add-flags "$_dir/.sandboxed/$_name" } crawlAndWrap() { @@ -309,8 +314,6 @@ let sanebox.meta.mainProgram ; - extraSandboxerArgsStr = lib.escapeShellArgs extraSandboxerArgs; - # two ways i could wrap a package in a sandbox: # 1. package.overrideAttrs, with `postFixup`. # 2. pkgs.symlinkJoin, creating an entirely new package which calls into the inner binaries. @@ -320,14 +323,14 @@ let sandboxedBy = { inplace = sandboxBinariesInPlace sanebox' - extraSandboxerArgsStr + extraSandboxerArgs pkgName (makeHookable unsandboxed); wrappedDerivation = let sandboxedBin = sandboxBinariesInPlace sanebox' - extraSandboxerArgsStr + extraSandboxerArgs pkgName (symlinkBinaries pkgName unsandboxed); sandboxedNonBin = sandboxNonBinaries pkgName unsandboxed sandboxedBin;
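Review bot: The `lib.escapeShellArgs` around the `--add-flags` values protects only the build-time `makeShellWrapper` command line; makeWrapper copies `--add-flags` text into the generated wrapper unquoted, so a sandbox argument containing whitespace or a shell metacharacter is re-split or expanded by the wrapper's shell at run time and sanebox receives a different argument list than the policy intended, without any build failure to flag it. The same holds for `--add-flags "$_dir/.sandboxed/$_name"` when a binary name contains a space. The removed `echo` lines behaved the same way, so this is not a regression, but because these arguments are the sandbox policy a build-time guard is cheap: `assert lib.all (f: builtins.match ".*[[:space:]$].*" f == null) extraSandboxArgs;` where `sandboxBinariesInPlace` takes its arguments, and `case "$_name" in *[[:space:]]*) echo "sandboxWrap: unsupported name: $_name" >&2; exit 1;; esac` at the top of `sandboxWrap`; if the nixpkgs in use provides the singular `--add-flag`, which quotes one argument, that is the cleaner fix. The enclosing `sandboxWrap` function begins outside the hunk.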