programs/sandboxing: add required args to use pasta

modules/programs/make-sandbox-args.nix

@@ -54,7 +54,12 @@ let
         "stderr"
         # bwrap also does some stuff for /dev/{console,core,ptmx,pts,shm}, i don't need those (yet?)
       ]);
-    netDev = n: if n == "all" then [ "--bunpen-keep-net" ] else [ "--bunpen-net-dev" n ];
+    # if we need any sort of networking, keep /dev/net/tun. pasta will need that to create its tunnel.
+    # TODO: is this safe?
+    netDev = n: if n == "all" then
+      [ "--bunpen-path" "/dev/net/tun" "--bunpen-keep-net" ]
+    else
+      [ "--bunpen-path" "/dev/net/tun" "--bunpen-net-dev" n ];
     netGateway = netGateway: [ "--bunpen-net-gateway" netGateway ];
     path = p: [ "--bunpen-path" p ];
     path-home = p: [ "--bunpen-home-path" p ];