diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 80540244..82054c56 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -615,6 +615,8 @@ in
       "tmp"
     ];
 
+    libcamera = {};
+
     libcap_ng.sandbox.enable = false;  # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
 
     libnotify.sandbox.method = "bwrap";
@@ -814,6 +816,8 @@ in
     smartmontools.sandbox.autodetectCliPaths = "existing";
     smartmontools.sandbox.capabilities = [ "sys_rawio" ];
 
+    snapshot = {};
+
     sops.sandbox.method = "bwrap";  # TODO:sandbox: untested
     sops.sandbox.extraHomePaths = [
       ".config/sops"
diff --git a/hosts/modules/gui/default.nix b/hosts/modules/gui/default.nix
index 899e9085..fd8899d0 100644
--- a/hosts/modules/gui/default.nix
+++ b/hosts/modules/gui/default.nix
@@ -86,6 +86,7 @@ in
     "gst-device-monitor"  # for debugging audio/video
     # "gthumb"
     # "lemoa"  # lemmy app
+    "libcamera"  # for `cam` binary (useful for debugging cameras)
     "libnotify"  # for notify-send; debugging
     # "lollypop"
     "loupe"  # image viewer
@@ -100,6 +101,7 @@ in
     # "picard"  # music tagging
     # "libsForQt5.plasmatube"  # Youtube player
     "signal-desktop"
+    "snapshot"  # camera app
     "spot"  # Gnome Spotify client
     # "sublime-music"
     # "tdesktop"  # broken on phosh