diff --git a/nix/module.nix b/nix/module.nix
index 11bfa6f..be5f004 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -32,10 +32,26 @@ let
 type = types.bool;
 default = false;
 };
-additionalPaths = mkOption {
+pathRules = mkOption {
 type = types.listOf types.str;
 default = [ ];
 };
+tcpRules = mkOption {
+type = types.listOf types.str;
+default = [ ];
+};
+unrestrictTcp = mkOption {
+type = types.bool;
+default = false;
+};
+unrestrictSockets = mkOption {
+type = types.bool;
+default = false;
+};
+unrestrictSignals = mkOption {
+type = types.bool;
+default = false;
+};
 };
 };
 in
@@ -54,7 +70,8 @@ in
 envs = lib.concatStringsSep " " (
 lib.mapAttrsToList (n: v: "${n}=${lib.concatStringsSep ":" v}") opts.env
 );
-extra = lib.concatStringsSep " " opts.additionalPaths;
+extraPaths = lib.concatStringsSep " " opts.pathRules;
+tcpRules = lib.concatStringsSep " " opts.tcpRules;
 sandboxArgs = pkgs.stdenvNoCC.mkDerivation {
 name = "${name}-opts";
 __structuredAttrs = true;
@@ -68,8 +85,9 @@ in
 echo -n "--fs rx=" > $out
 jq -r '.closure[].path' < "$NIX_ATTRS_JSON_FILE" \
 | tr '\n' ':' | sed 's/:$//' >> $out
-${if (lib.length opts.additionalPaths != 0) then "echo -n ' ${extra}' >> $out" else ""}
-${if (strNotEmpty envs) then "echo -n ' --env ${envs}' >> $out" else ""}
+${lib.optionalString (lib.length opts.pathRules != 0) "echo -n ' ${extraPaths}' >> $out"}
+${lib.optionalString (lib.length opts.tcpRules != 0) "echo -n ' --tcp ${tcpRules}' >> $out"}
+${lib.optionalString (strNotEmpty envs) "echo -n ' --env ${envs}' >> $out"}
 '';
 };
 command = lib.getExe' opts.package (
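Review bot: The renamed `pathRules` option and the four new ones (`tcpRules`, `unrestrictTcp`, `unrestrictSockets`, `unrestrictSignals`) in the first hunk carry no `description`, so the generated module documentation cannot tell a user what rule syntax `tcpRules` expects or which sandbox restriction each boolean lifts; given the flags emitted later in this change, something like `description = "Lift the sandbox's TCP restriction (passes --no-tcp to yoke).";` on each `mkOption` would make the security effect of flipping the default explicit. Renaming `additionalPaths` to `pathRules` with no alias also means existing configurations that set the old name stop evaluating; if the submodule layout allows it, a `lib.mkRenamedOptionModule` entry would keep them working. The enclosing option set starts before this hunk.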
@@ -79,8 +97,11 @@ in
 script = ''
 #! /usr/bin/env bash
 ${lib.getExe' config.wrapperPkg "yoke"} \
-${if opts.addPwd then "--fs rwx=$PWD" else ""} \
-${if opts.retainEnv then "--retain-env" else ""} \
+${lib.optionalString opts.addPwd "--fs rwx=$PWD"} \
+${lib.optionalString opts.retainEnv "--retain-env"} \
+${lib.optionalString opts.unrestrictTCP "--no-tcp"} \
+${lib.optionalString opts.unrestrictSockets "--sockets"} \
+${lib.optionalString opts.unrestrictSignals "--signals"} \
 --fd-args -- \
 ${command} \
 ${wrappedArgs} $@ \
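Review bot: The third added line reads `opts.unrestrictTCP`, but the option declared in the first hunk is `unrestrictTcp`, so this attribute does not exist on the evaluated option set and the script presumably fails to evaluate with a missing-attribute error as soon as the module is used; the line should be `${lib.optionalString opts.unrestrictTcp "--no-tcp"} \`. Separately, the interaction between `--no-tcp` from this flag and the `--tcp ${tcpRules}` emitted in the sandbox-args derivation when both are set is not specified anywhere in the change, and since that combination decides whether network restriction is enforced at all, a comment here stating which one wins (or an assertion rejecting the combination) would be worth adding. The `script` string continues past the end of this hunk.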