diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index ebfc1f281..dfb66e8ff 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -443,6 +443,9 @@ in
     losslesscut-bin.sandbox.whitelistWayland = true;
     losslesscut-bin.sandbox.whitelistX = true;
 
+    lsof.sandbox.method = "capshonly";  # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
+    lsof.sandbox.wrapperType = "wrappedDerivation";
+
     "mate.engrampa".sandbox.method = "bwrap";  # TODO:sandbox: untested
     "mate.engrampa".sandbox.wrapperType = "inplace";
     "mate.engrampa".sandbox.whitelistWayland = true;