diff --git a/package.nix b/package.nix
index da3a069fa..041786d47 100644
--- a/package.nix
+++ b/package.nix
@@ -33,7 +33,7 @@
 , rapidcheck
 , sqlite
 , toml11
-, util-linux
+, unixtools
 , xz
 
 , busybox-sandbox-shell ? null
@@ -195,7 +195,7 @@ in {
 man # for testing `nix-* --help`
 ] ++ lib.optionals (doInstallCheck || enableManual) [
 jq # Also for custom mdBook preprocessor.
- ] ++ lib.optional stdenv.hostPlatform.isLinux util-linux
+ ] ++ lib.optional stdenv.hostPlatform.isStatic unixtools.hexdump
 ;
 
 buildInputs = lib.optionals doBuild [
diff --git a/src/libstore/meson.build b/src/libstore/meson.build
index 62137ef5f..0686a591e 100644
--- a/src/libstore/meson.build
+++ b/src/libstore/meson.build
@@ -99,15 +99,6 @@ deps_public += nlohmann_json
 sqlite = dependency('sqlite3', 'sqlite', version : '>=3.6.19')
 deps_private += sqlite
 
-
-enable_embedded_sandbox_shell = get_option('embedded-sandbox-shell')
-if enable_embedded_sandbox_shell
- # This one goes in config.h
- # The path to busybox is passed as a -D flag when compiling this_library.
- # Idk why, ask the old buildsystem.
- configdata.set('HAVE_EMBEDDED_SANDBOX_SHELL', 1)
-endif
-
 generated_headers = []
 foreach header : [
 'schema.sql',
@@ -122,7 +113,13 @@ foreach header : [
 )
 endforeach
 
-if enable_embedded_sandbox_shell
+busybox = find_program(get_option('sandbox-shell'), required : false)
+
+if get_option('embedded-sandbox-shell')
+ # This one goes in config.h
+ # The path to busybox is passed as a -D flag when compiling this_library.
+ # Idk why, ask the old buildsystem.
+ configdata.set('HAVE_EMBEDDED_SANDBOX_SHELL', 1)
 hexdump = find_program('hexdump', native : true)
 embedded_sandbox_shell_gen = custom_target(
 'embedded-sandbox-shell.gen.hh',
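Review bot: The top-level `nativeBuildInputs` now pulls in `unixtools.hexdump` on `stdenv.hostPlatform.isStatic`, while the libstore derivation in this same change gates hexdump on a new `embeddedSandboxShell` parameter that merely defaults to `isStatic`. If the top-level package is meant to follow the same switch, a caller overriding `embeddedSandboxShell` in libstore would get hexdump in one derivation and not the other; consider threading the same parameter through here, or leave a comment such as `# hexdump is only needed to embed the sandbox shell (static builds)` so the coupling is visible. The enclosing attribute list starts outside the hunk.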
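Review bot: `busybox = find_program(get_option('sandbox-shell'), required : false)` is now evaluated unconditionally and its result feeds `busybox.full_path()` into the `SANDBOX_SHELL` define later in this file, so the shell that ends up inside the build sandbox is whatever this lookup resolves at configure time; if `sandbox-shell` is given as a bare program name rather than an absolute path, that presumably resolves through the configure-time PATH, which is worth documenting above the line, e.g. `# Resolved at configure time; pass an absolute path to pin the sandbox shell.` A not-found result is silently ignored, so a `message()` reporting `busybox.found()` and the resolved path would surface a misconfigured `sandbox-shell` instead of leaving `SANDBOX_SHELL` undefined. The `if get_option('embedded-sandbox-shell')` block continues past the end of the hunk.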
@@ -371,11 +368,15 @@ cpp_str_defines += {
 'LSOF': lsof_path
 }
 
-#if busybox.found()
+if get_option('embedded-sandbox-shell')
 cpp_str_defines += {
-# 'SANDBOX_SHELL': busybox.full_path()
+ 'SANDBOX_SHELL': '__embedded_sandbox_shell__'
 }
-#endif
+elif busybox.found()
+ cpp_str_defines += {
+ 'SANDBOX_SHELL': busybox.full_path()
+ }
+endif
 
 cpp_args = []
 
diff --git a/src/libstore/package.nix b/src/libstore/package.nix
index a08fabff7..d4859a411 100644
--- a/src/libstore/package.nix
+++ b/src/libstore/package.nix
@@ -5,6 +5,7 @@
 , meson
 , ninja
 , pkg-config
+, unixtools
 
 , nix-util
 , boost
@@ -20,6 +21,8 @@
 
 , versionSuffix ? ""
 
+, embeddedSandboxShell ? stdenv.hostPlatform.isStatic
+
 # Check test coverage of Nix. Probably want to use with at least
 # one of `doCheck` or `doInstallCheck` enabled.
 , withCoverageChecks ? false
@@ -66,7 +69,7 @@ mkDerivation (finalAttrs: {
 meson
 ninja
 pkg-config
- ];
+ ] ++ lib.optional embeddedSandboxShell unixtools.hexdump;
 
 buildInputs = [
 boost
@@ -96,7 +99,7 @@ mkDerivation (finalAttrs: {
 
 mesonFlags = [
 (lib.mesonEnable "seccomp-sandboxing" stdenv.hostPlatform.isLinux)
- (lib.mesonBool "embedded-sandbox-shell" stdenv.hostPlatform.isStatic)
+ (lib.mesonBool "embedded-sandbox-shell" embeddedSandboxShell)
 ] ++ lib.optionals stdenv.hostPlatform.isLinux [
 (lib.mesonOption "sandbox-shell" "${busybox-sandbox-shell}/bin/busybox")
 ];
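Review bot: The literal `'__embedded_sandbox_shell__'` assigned to `SANDBOX_SHELL` in the embedded branch is a sentinel with no explanation at the point it is defined; the C++ side that presumably recognizes it is not visible here, so a reader of this file cannot tell it apart from a real path. Add a comment on the line above it, e.g. `# Sentinel: the C++ code checks for this value and uses the embedded shell instead of a path.`, and consider noting that when neither branch applies `SANDBOX_SHELL` is left undefined, since the `elif busybox.found()` branch silently does nothing for a missing program.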
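Review bot: The new `embeddedSandboxShell ? stdenv.hostPlatform.isStatic` parameter is the only one in this argument list without a comment, although it controls both a native build input and the `embedded-sandbox-shell` meson option elsewhere in this file. A one-line comment above it in the style of the neighbouring `withCoverageChecks` note, e.g. `# Compile the sandbox shell into libstore instead of referencing it by path (default: static builds).`, would tell callers what overriding it changes.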