diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 07dbf1111..c34332353 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -110,6 +110,7 @@ in
       "tcpdump"
       "tree"
       "unixtools.ps"
+      "unixtools.sysctl"
       "unixtools.xxd"
       "usbutils"  # lsusb
       "util-linux"  # lsblk, lscpu, etc
@@ -1161,6 +1162,7 @@ in
     util-linux.sandbox.method = null;  #< TODO: possible to sandbox if i specify a different profile for each of its ~50 binaries
 
     "unixtools.ps".sandbox.keepPidsAndProc = true;
+    "unixtools.sysctl" = {};  #< XXX: probably not sandboxed correctly for sysctl writes; only for reads
 
     unzip.sandbox.autodetectCliPaths = "existingOrParent";
     unzip.sandbox.whitelistPwd = true;