diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index a7d72ac2c..2d0ca877b 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -829,8 +829,6 @@ in
 
     landlock-sandboxer.sandbox.enable = false;  #< sandbox helper
 
-    libcamera = {};
-
     libcap_ng.sandbox.enable = false;  # TODO: `pscap` can sandbox with bwrap, `captest` and `netcap` with landlock
 
     libnotify.sandbox.method = "bunpen";
diff --git a/hosts/common/programs/default.nix b/hosts/common/programs/default.nix
index 3d917dc89..75a2d595c 100644
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@@ -96,6 +96,7 @@
     ./less.nix
     ./lftp.nix
     ./lgtrombetta-compass.nix
+    ./libcamera.nix
     ./libreoffice.nix
     ./lemoa.nix
     ./loupe.nix
diff --git a/hosts/common/programs/libcamera.nix b/hosts/common/programs/libcamera.nix
new file mode 100644
index 000000000..6acd4c6f0
--- /dev/null
+++ b/hosts/common/programs/libcamera.nix
@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+let
+  cfg = config.sane.programs.libcamera;
+in
+{
+  sane.programs.libcamera = {};
+  services.udev.extraRules = lib.mkIf cfg.enabled ''
+    # libcamera (snapshot, millipixels, ...)
+    # see: <https://gitlab.com/postmarketOS/pmaports/-/merge_requests/5541>
+    # can be removed for systemd 257+
+    # - <https://github.com/systemd/systemd/pull/33738>
+    #
+    # i do the old and/or lazy way, just grant broad R+W access
+    # dma_heap is the old resource; udmabuf is the new one.
+    KERNEL=="udmabuf", GROUP="video", MODE="0660"
+    SUBSYSTEM=="dma_heap", GROUP="video", MODE="0660"
+  '';
+}