diff --git a/hosts/common/programs/swaynotificationcenter/default.nix b/hosts/common/programs/swaynotificationcenter/default.nix
index 699f6172..e2fad80d 100644
--- a/hosts/common/programs/swaynotificationcenter/default.nix
+++ b/hosts/common/programs/swaynotificationcenter/default.nix
@@ -58,6 +58,7 @@ in
       "user"  # mpris; portal
       "system"  # backlight
     ];
+    sandbox.whitelistS6 = true;
     sandbox.whitelistWayland = true;
     sandbox.extraPaths = [
       "/sys/class/backlight"
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index a7cda4fb..c37b92a5 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -73,6 +73,7 @@ let
                 ++ lib.optionals sandbox.whitelistAudio [ "pipewire" "pulse" ]  # this includes pipewire/pipewire-0-manager: is that ok?
                 ++ lib.optionals (builtins.elem "user" sandbox.whitelistDbus) [ "bus" ]
                 ++ lib.optionals sandbox.whitelistWayland [ "wayland" ]  # app can still communicate with wayland server w/o this, if it has net access
+                ++ lib.optionals sandbox.whitelistS6 [ "s6" ]  # TODO: this allows re-writing the services themselves: don't allow that!
               )
           );
           allowedPaths = [
@@ -386,6 +387,13 @@ let
           allow the program full access to whichever directory it was launched from.
         '';
       };
+      sandbox.whitelistS6 = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          allow the program to start/stop s6 services.
+        '';
+      };
       sandbox.whitelistWayland = mkOption {
         type = types.bool;
         default = false;