diff --git a/lib/default.nix b/lib/default.nix
index 32ac0c58af6..cd0d8161c8c 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -17,11 +17,10 @@ let
   systems = import ./systems.nix;
   customisation = import ./customisation.nix;
   licenses = import ./licenses.nix;
-  sandbox = import ./sandbox.nix;
 
 in
   { inherit trivial lists strings stringsWithDeps attrsets sources options
-      modules types meta debug maintainers licenses platforms systems sandbox;
+      modules types meta debug maintainers licenses platforms systems;
   }
   # !!! don't include everything at top-level; perhaps only the most
   # commonly used functions.
diff --git a/lib/sandbox.nix b/lib/sandbox.nix
deleted file mode 100644
index 414bf36f779..00000000000
--- a/lib/sandbox.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-with import ./strings.nix;
-
-/* Helpers for creating lisp S-exprs for the Apple sandbox
-
-lib.sandbox.allowFileRead [ "/usr/bin/file" ];
-  # => "(allow file-read* (literal \"/usr/bin/file\"))";
-
-lib.sandbox.allowFileRead {
-  literal = [ "/usr/bin/file" ];
-  subpath = [ "/usr/lib/system" ];
-}
-  # => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))"
-*/
-
-let
-
-sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")";
-generateFileList = files:
-  if builtins.isList files
-    then concatMapStringsSep " " (x: sexp [ "literal" ''"${x}"'' ]) files
-    else if builtins.isString files
-      then generateFileList [ files ]
-      else concatStringsSep " " (
-        (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++
-        (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or []))
-      );
-applyToFiles = f: act: files: f "${act} ${generateFileList files}";
-genActions = actionName: let
-  action = feature: sexp [ actionName feature ];
-  self = {
-    "${actionName}" = action;
-    "${actionName}File" = applyToFiles action "file*";
-    "${actionName}FileRead" = applyToFiles action "file-read*";
-    "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata";
-    "${actionName}DirectoryList" = self."${actionName}FileReadMetadata";
-    "${actionName}FileWrite" = applyToFiles action "file-write*";
-    "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata";
-  };
-  in self;
-
-in
-
-genActions "allow" // genActions "deny" // {
-  importProfile = derivation: ''
-    (import "${derivation}")
-  '';
-}