# Sandbox policy for the megapixels camera application.
# NOTE(review): the option semantics below are defined by the `sane.programs`
# module, which is not visible here; comments on them are hedged accordingly.
{ ... }:
{
  sane.programs.megapixels.sandbox = {
    method = "bwrap";
    wrapperType = "wrappedDerivation";

    # presumably grants GPU (DRI) and Wayland compositor access -- confirm
    # against the sandbox module.
    whitelistDri = true;
    whitelistWayland = true;

    extraHomePaths = [
      "tmp"
      "Pictures"
    ];

    extraPaths = [
      # The camera stack needs /dev/media* and /dev/video*. All of /dev is
      # granted because that is easier; the author judged it acceptable since
      # the program does not run as root.
      # NOTE(review): this makes every host device node visible inside the
      # sandbox, so the only remaining barrier is the invoking user's
      # permissions on each node. Narrow to the specific media/video nodes if
      # the sandbox module gains a way to express them.
      "/dev"

      # Raw .dng captures are handed to a post-processor through /tmp.
      # NOTE(review): the whole of /tmp is shared, so the sandboxed program can
      # presumably reach other programs' temp files that the same user can
      # access -- a dedicated subdirectory would be tighter, if the
      # post-processor allows it.
      "/tmp"
    ];

    # TODO (carried over from the original): surely needs access to the camera
    # device, etc. NOTE(review): "/dev" above likely already covers this --
    # confirm and drop the TODO.
  };
}