bunpen: sandbox with bunpen

hosts/common/programs/captree.nix

@@ -2,7 +2,8 @@
 {
   sane.programs.captree = {
     packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap-with-captree "captree";
-    sandbox.method = "bwrap";
+    sandbox.method = "bunpen";
     sandbox.isolatePids = false;
+    sandbox.extraPaths = [ "/proc" ];
   };
 }