diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index c3bb9cfd..fb385847 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -71,8 +71,9 @@ let
               (p: path-lib.concat [ xdgRuntimeDir p ])
               (
                 sandbox.extraRuntimePaths
-                ++ lib.optionals sandbox.whitelistDbus [ "bus" ]
                 ++ lib.optionals sandbox.whitelistAudio [ "pipewire-0" "pipewire-0.lock" "pulse" ]  # also pipewire-0-manager, unknown purpose
+                ++ lib.optionals sandbox.whitelistDbus [ "bus" ]
+                ++ lib.optionals sandbox.whitelistWayland [ "wayland-1" "wayland-1.lock" ]  # app can still communicate with wayland server w/o this, if it has net access
               )
           );
           allowedPaths = [
@@ -385,6 +386,14 @@ let
           allow the program full access to whichever directory it was launched from.
         '';
       };
+      sandbox.whitelistWayland = mkOption {
+        type = types.bool;
+        default = true;  #< TODO: harden default!
+        description = ''
+          allow sandbox to communicate with the wayland server.
+          note that this does NOT permit access to compositor admin tooling like `swaymsg`.
+        '';
+      };
 
       sandbox.extraPaths = mkOption {
         type = types.listOf types.str;