diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index e73a76b6c..bcb2bed00 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -777,7 +777,12 @@ in
 
     libcap_ng.sandbox.enable = false;  # TODO: `pscap` can sandbox with bwrap, `captest` and `netcap` with landlock
 
-    libgpiod.sandbox.method = null;  #< TODO: sandbox
+    libgpiod.sandbox.extraPaths = [
+      # "/dev"  # really, /dev/gpiochip*
+      "/sys/bus/gpio"
+      "/sys/dev/char"
+      "/sys/devices"
+    ];
 
     libnotify.sandbox.whitelistDbus = [ "user" ];  # notify-send