diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix b/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
index 122ef938..82aaf26d 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
@@ -89,9 +89,9 @@ in
 if metadata.action == "unset" then
 "--unsetenv ${var}"
 else if lib.elem metadata.action [ "prefix" "suffix" ] then
- "--setenv ${lib.escapeShellArg var} ${lib.escapeShellArg (lib.concatStringsSep metadata.separator metadata.value)}"
+ "--setenv ${var} ${lib.concatStringsSep metadata.separator metadata.value}"
 else
- "--setenv ${lib.escapeShellArg var} ${lib.escapeShellArg metadata.value}")
+ "--setenv ${var} ${metadata.value}")
 env';
 }
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
index b952d105..11a3f1ec 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
@@ -219,8 +219,8 @@ in
 let
 makeFilesystemArgs = _: metadata:
 let
- src = lib.escapeShellArg metadata.source;
- dst = lib.escapeShellArg metadata.destination;
+ src = metadata.source;
+ dst = metadata.destination;
 hasPermissions = metadata.permissions != null;
 isValidOperationWithPerms = lib.elem metadata.operation fileOperationsWithPerms;
 in
@@ -246,7 +246,7 @@ in
 let
 closurePaths = getClosurePaths submoduleCfg.sharedNixPaths;
 in
- builtins.map (p: "--ro-bind ${lib.escapeShellArg p} ${lib.escapeShellArg p}") closurePaths;
+ builtins.map (p: "--ro-bind ${p} ${p}") closurePaths;
 })
 ]);
 };
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh b/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh
index 758c256f..9e1fd222 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh
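Review bot: The new `--setenv ${var} ${metadata.value}` and `--setenv ${var} ${lib.concatStringsSep metadata.separator metadata.value}` strings carry no quoting of their own, so a value containing whitespace, quotes or `$` will be split or expanded if these strings are later joined into a shell command line, and a fragment of a value could then be read by bwrap as a separate option. The same applies to `src` and `dst` in `makeFilesystemArgs` in filesystem.nix; the `--ro-bind ${p} ${p}` closure paths are presumably Nix store paths and so less exposed. How the argument list is consumed is outside these hunks. If each element reaches a shell unquoted, I would emit the flag and its operands as separate list elements and quote once where the command line is assembled (e.g. with `lib.escapeShellArgs`). If quoting already happens there, a comment such as `# operands are shell-quoted where the bwrap command line is assembled` would record why it is safe to drop here.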
@@ -51,7 +51,7 @@ case "$(uname)" in
 for sysfs_dir in /sys/{block,bus,class,dev,devices}; do
 if [[ -r "$sysfs_dir" ]] && [[ -x "$sysfs_dir" ]]; then
- additional_flags+=(--ro-bind "${sysfs_dir}")
+ additional_flags+=(--ro-bind "${sysfs_dir}" "${sysfs_dir}")
 fi
 done
 ;;
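Review bot: The two-operand form of `--ro-bind` in the `/sys` loop deserves a one-line comment, because with a single operand bwrap would consume the following element of `additional_flags` as the destination and shift the parsing of everything after it. Something like `# --ro-bind takes SRC DEST; mount each sysfs dir at the same path inside the sandbox` above the append would guard against the regression. The enclosing `case` arm starts outside the hunk.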