diff --git a/hosts/common/programs/waylock.nix b/hosts/common/programs/waylock.nix
index 7f397a97..e28d8865 100644
--- a/hosts/common/programs/waylock.nix
+++ b/hosts/common/programs/waylock.nix
@@ -5,6 +5,11 @@ let
 cfg = config.sane.programs.waylock;
 in
 {
+ sane.programs.waylock = {
+ sandbox.method = "capshonly"; # not even landlock with full access to / works.
+ sandbox.wrapperType = "wrappedDerivation";
+ };
+
 # without a /etc/pam.d/waylock entry, you may lock but you may never *unlock* ;-)
 security.pam.services = lib.mkIf cfg.enabled {
 waylock.unixAuth = true;
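Review bot: The comment on `sandbox.method = "capshonly"` says landlock fails even with full access to `/` but not what actually fails, so a later reader cannot tell whether the weaker sandbox is still required for a program that takes the user's password through PAM. If the symptom is that unlock never succeeds, one cause worth confirming is that landlock needs `no_new_privs`, which would keep pam_unix's setuid `unix_chkpwd` helper from reading the shadow file; that is an inference, not something this hunk shows. I would expand the comment to something like `# capshonly: with landlock (even allowing all of /) waylock <observed failure>; revisit once the cause is known` and note which capabilities, if any, the wrapper keeps. The attribute set this hunk edits continues past the last line shown.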