diff --git a/nixos.nix b/nixos.nix
index 84e58c7..8706d31 100644
--- a/nixos.nix
+++ b/nixos.nix
@@ -117,6 +117,9 @@ in
 dev
 env
 ;
+ syscall = {
+ inherit (app) devel multiarch bluetooth;
+ };
 map_real_uid = app.mapRealUid;
 no_new_session = app.tty;
 filesystem =
diff --git a/options.nix b/options.nix
index 578c7fd..e2c44cc 100644
--- a/options.nix
+++ b/options.nix
@@ -141,16 +141,20 @@ in
 '';
 };
- nix = mkEnableOption "nix daemon access within the sandbox";
- userns = mkEnableOption "userns within the sandbox";
- mapRealUid = mkEnableOption "mapping to fortify's real UID within the sandbox";
- dev = mkEnableOption "access to all devices within the sandbox";
- tty = mkEnableOption "allow access to the controlling terminal";
+ nix = mkEnableOption "nix daemon";
+ userns = mkEnableOption "user namespace";
+ mapRealUid = mkEnableOption "mapping to priv-user uid";
+ dev = mkEnableOption "access to all devices";
+ tty = mkEnableOption "access to the controlling terminal";
- net = mkEnableOption "network access within the sandbox" // {
+ net = mkEnableOption "network access" // {
 default = true;
 };
+ devel = mkEnableOption "development kernel APIs";
+ multiarch = mkEnableOption "multiarch kernel support";
+ bluetooth = mkEnableOption "AF_BLUETOOTH socket operations";
+
 gpu = mkOption {
 type = nullOr bool;
 default = null;
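Review bot: The new `syscall` attribute set forwards the `devel`, `multiarch` and `bluetooth` booleans straight from `app` with no comment on what turning any of them on does to the sandbox, so an auditor reading nixos.nix alone cannot tell that these are policy-widening switches. A one-line comment above `syscall = {` would carry that, e.g. `# each flag below widens the sandbox's syscall policy; all default to false`, on the assumption (not visible in this hunk) that the consumer of `syscall` is the sandbox's syscall filter. The attribute set being built starts before the hunk and continues after `filesystem =`.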
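Review bot: The three new options `devel`, `multiarch` and `bluetooth` carry only the short label that mkEnableOption expands into "Whether to enable … .", which does not tell a user what the sandbox actually permits when the flag is set, and "development kernel APIs" in particular names no concrete interface. The same hunk already overrides mkEnableOption's output with `//` for `net`, so the same form can hold a fuller description, e.g. `bluetooth = mkEnableOption "AF_BLUETOOTH socket operations" // { description = "Allow the sandboxed process to create and use AF_BLUETOOTH sockets (off by default)."; };`, with equivalent sentences naming the kernel interfaces `devel` and `multiarch` expose. The relabelled `mapRealUid` option now says "priv-user uid", a term not defined anywhere in this hunk; stating which UID is meant would keep the description self-contained. The enclosing option set starts and ends outside the hunk.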