add special devices to sandbox-defaults

src/libstore/sandbox-defaults.sb.in

@@ -35,7 +35,10 @@
        (literal "/private/var/run/resolv.conf"))
 
 ; some builders use filehandles other than stdin/stdout
-(allow file* (subpath "/dev/fd"))
+(allow file*
+        (subpath "/dev/fd")
+        (literal "/dev/ptmx")
+        (regex #"^/dev/[pt]ty.*$"))
 
 ; allow everything inside TMP
 (allow file* process-exec