diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 54ca69580fa..3e6ecc66c87 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -2118,13 +2118,21 @@ void LocalDerivationGoal::runChild()
 continue;
 throw SysError("getting attributes of required path '%s", path);
 }
- if (S_ISDIR(optSt->st_mode))
- sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
- else
- sandboxProfile += fmt("\t(literal \"%s\")\n", path);
+ /* Allow paths which are not below the Nix store directory */
+ if (!path.starts_with(worker.store.storeDir)) {
+ if (S_ISDIR(optSt->st_mode))
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
+ else
+ sandboxProfile += fmt("\t(literal \"%s\")\n", path);
+ }
 }
 sandboxProfile += ")\n";
 
+ /* Allow accessing any path below the Nix store directory */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ sandboxProfile += fmt("\t(regex #\"^%s/.*\")\n", worker.store.storeDir);
+ sandboxProfile += ")\n";
+
 /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
 sandboxProfile += "(allow file-read*\n";
 for (auto & i : ancestry) {
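Review bot: The exclusion test `!path.starts_with(worker.store.storeDir)` has no directory separator, so a requested path that merely extends the store directory as a string (constructed example: store dir `/nix/store`, requested path `/nix/store-extra/x`) is dropped from the explicit allow list yet is not matched by the new `^%s/.*` regex either, and ends up denied; compare against `worker.store.storeDir + "/"` (or Nix's `isInDir` helper, if it is in scope here) and handle `path == worker.store.storeDir` explicitly, since the regex requires a trailing `/`. The store directory is also interpolated unescaped into a Seatbelt regex and a double-quoted string, so a store dir containing regex metacharacters or `"` would either widen the match or break the profile; escaping it before `fmt` keeps the rule exact. Separately, replacing per-input `subpath`/`literal` entries with a blanket `file-read* file-write* process-exec` grant over the entire store means the Darwin sandbox no longer confines a build to its declared inputs, so undeclared store-path dependencies are no longer caught there (writes are presumably still blocked by store ownership, but that is not enforced by this profile); if that trade-off is intentional, a comment stating it, e.g. `/* NOTE: this intentionally grants access to every store path, not just declared inputs; hermeticity on Darwin now relies on store permissions */`, would stop a later reader from tightening it by accident. The loop being edited and the `(allow …` rule head it appends to begin before the hunk.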