programs: switch bridge-utils, btrfs-progs from landlock -> bwrap

landlock can't isolate net yet, so bwrap gives better sandboxing

hosts/common/programs/assorted.nix

@@ -242,7 +242,7 @@ in
       "/sys/devices"
     ];
 
-    bridge-utils.sandbox.method = "landlock";  #< has to be in the same net namespace, at least.
+    bridge-utils.sandbox.method = "bwrap";  #< bwrap, landlock: both work
     bridge-utils.sandbox.wrapperType = "wrappedDerivation";
     bridge-utils.sandbox.net = "all";
 
@@ -255,7 +255,7 @@ in
     ];
     brightnessctl.sandbox.whitelistDbus = [ "system" ];
 
-    btrfs-progs.sandbox.method = "landlock";
+    btrfs-progs.sandbox.method = "bwrap";  #< bwrap, landlock: both work
     btrfs-progs.sandbox.wrapperType = "wrappedDerivation";
     btrfs-progs.sandbox.autodetectCliPaths = "existing";  # e.g. `btrfs filesystem df /my/fs`
 
@@ -467,6 +467,12 @@ in
     iftop.sandbox.wrapperType = "wrappedDerivation";
     iftop.sandbox.capabilities = [ "net_raw" ];
 
+    # inetutils: ping, ifconfig, hostname, traceroute, whois, ....
+    # TODO: requires more than this;
+    # - also, sandboxed `ping` doesn't make it onto /run/current-system/sw/bin; unsandboxed `ping` does instead
+    # inetutils.sandbox.method = "landlock";  # want to keep the same netns, at least.
+    # inetutils.sandbox.wrapperType = "wrappedDerivation";
+
     iotop.sandbox.method = "landlock";
     iotop.sandbox.wrapperType = "wrappedDerivation";
     iotop.sandbox.extraPaths = [