programs/assorted: remove explicit (and extraneous) sandbox.method = "bunpen" declarations

2024-09-21 23:35:06 +00:00
parent 4868fbb82c
commit 31615340a7
128 changed files with 9 additions and 246 deletions
--- a/hosts/common/programs/aerc.nix
+++ b/hosts/common/programs/aerc.nix
@@ -3,7 +3,6 @@
 {
  sane.programs.aerc = {
    sandbox.method = "bunpen";
    sandbox.wrapperType = "inplace";  #< /share/aerc/aerc.conf mentions (in comments) other (non-sandboxed) /share files by absolute path
    sandbox.net = "clearnet";
    secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin;
--- a/hosts/common/programs/animatch.nix
+++ b/hosts/common/programs/animatch.nix
@@ -32,7 +32,6 @@
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.whitelistWayland = true;
    persist.byStore.plaintext = [
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -415,12 +415,11 @@ in
    # INDIVIDUAL PACKAGE DEFINITIONS
-    alsaUtils.sandbox.method = "bunpen";  # amixer, aplay, speaker-test, ...
+    # alsaUtils amixer, aplay, speaker-test, ...
    alsaUtils.sandbox.whitelistAudio = true;  #< not strictly necessary?
    backblaze-b2 = {};
    bash-language-server.sandbox.method = "bunpen";
    bash-language-server.sandbox.whitelistPwd = true;
    blanket.buildCost = 1;
@@ -442,7 +441,6 @@ in
    bridge-utils.sandbox.method = "bwrap";  #< bwrap, landlock: both work
    bridge-utils.sandbox.net = "all";
    btrfs-progs.sandbox.method = "bunpen";  #< bwrap, landlock: both work
    btrfs-progs.sandbox.autodetectCliPaths = "existing";  # e.g. `btrfs filesystem df /my/fs`
    btrfs-progs.sandbox.extraPaths = [
      "/dev/btrfs-control"
@@ -451,7 +449,7 @@ in
    "cacert.unbundled".sandbox.enable = false;  #< data only
    cargo.persist.byStore.plaintext = [ ".cargo" ];
-    cargo.sandbox.method = "bunpen";  # probably this is too restrictive; i'm sandboxing it for rust-analyzer / neovim LSP
+    # probably this sandboxing is too restrictive; i'm sandboxing it for rust-analyzer / neovim LSP
    cargo.sandbox.whitelistPwd = true;
    cargo.sandbox.net = "all";
    cargo.sandbox.extraHomePaths = [ "dev" "ref" ];
@@ -461,13 +459,11 @@ in
    clang-tools.sandbox.method = "bwrap";
    clang-tools.sandbox.whitelistPwd = true;
    clightning-sane.sandbox.method = "bunpen";
    clightning-sane.sandbox.extraPaths = [
      "/var/lib/clightning/bitcoin/lightning-rpc"
    ];
    # cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
    cryptsetup.sandbox.method = "bunpen";
    cryptsetup.sandbox.extraPaths = [
      "/dev/mapper"
      "/dev/random"
@@ -496,13 +492,11 @@ in
    # auth token, preferences
    delfin.persist.byStore.private = [ ".config/delfin" ];
    dig.sandbox.method = "bunpen";
    dig.sandbox.net = "all";
    # creds, but also 200 MB of node modules, etc
    discord.persist.byStore.private = [ ".config/discord" ];
    discord.suggestedPrograms = [ "xwayland" ];
    discord.sandbox.method = "bunpen";
    discord.sandbox.wrapperType = "inplace";  #< package contains broken symlinks that my wrapper can't handle
    discord.sandbox.whitelistAudio = true;
    discord.sandbox.whitelistDbus = [ "user" ];  # needed for xdg-open
@@ -524,10 +518,8 @@ in
    duplicity = {};
    e2fsprogs.sandbox.method = "bunpen";
    e2fsprogs.sandbox.autodetectCliPaths = "existing";
    efibootmgr.sandbox.method = "bunpen";
    efibootmgr.sandbox.extraPaths = [
      "/sys/firmware/efi"
    ];
@@ -540,7 +532,6 @@ in
    endless-sky.buildCost = 1;
    endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
    endless-sky.sandbox.method = "bunpen";
    endless-sky.sandbox.whitelistAudio = true;
    endless-sky.sandbox.whitelistDri = true;
    endless-sky.sandbox.whitelistWayland = true;
@@ -551,12 +542,10 @@ in
    # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
    emote.persist.byStore.plaintext = [ ".local/share/Emote" ];
    ethtool.sandbox.method = "bunpen";
    ethtool.sandbox.capabilities = [ "net_admin" ];
    ethtool.sandbox.net = "all";
    ethtool.sandbox.tryKeepUsers = true;
    evtest.sandbox.method = "bunpen";
    evtest.sandbox.autodetectCliPaths = "existingFile";  # `evtest /dev/foo` to monitor events for a specific device
    evtest.sandbox.extraPaths = [
      "/dev/input"
@@ -565,7 +554,6 @@ in
    # eza `ls` replacement
    # bwrap causes `/proc` files to be listed differently (e.g. `eza /proc/sys/net/ipv6/conf/`)
    # bwrap loses group info (so files owned by other users appear as owner "nobody")
    eza.sandbox.method = "bunpen";
    eza.sandbox.tryKeepUsers = true;  #< to keep user/group info when running as root
    eza.sandbox.autodetectCliPaths = "existing";
    eza.sandbox.whitelistPwd = true;
@@ -575,11 +563,9 @@ in
      ".persist/plaintext"
    ];
    fatresize.sandbox.method = "bunpen";
    fatresize.sandbox.autodetectCliPaths = "parent";  # /dev/sda1 -> needs /dev/sda
    fatresize.sandbox.tryKeepUsers = true;
    fd.sandbox.method = "bunpen";
    fd.sandbox.autodetectCliPaths = "existing";
    fd.sandbox.whitelistPwd = true;
    fd.sandbox.extraHomePaths = [
@@ -589,13 +575,10 @@ in
    ];
    ffmpeg.buildCost = 1;
    ffmpeg.sandbox.method = "bunpen";
    ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent";  # it outputs uncreated files -> parent dir needs mounting
    file.sandbox.method = "bunpen";
    file.sandbox.autodetectCliPaths = "existing";  #< file OR directory, yes
    findutils.sandbox.method = "bunpen";
    findutils.sandbox.autodetectCliPaths = "existing";
    findutils.sandbox.whitelistPwd = true;
    findutils.sandbox.extraHomePaths = [
@@ -607,14 +590,12 @@ in
    fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
    font-manager.buildCost = 1;
    font-manager.sandbox.method = "bunpen";
    font-manager.sandbox.whitelistWayland = true;
    font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
      # build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
      withWebkit = false;
    });
    forkstat.sandbox.method = "bunpen";
    forkstat.sandbox.keepPidsAndProc = true;
    forkstat.sandbox.tryKeepUsers = true;
    forkstat.sandbox.net = "all";  #< it errors without this, wish i knew why
@@ -626,7 +607,6 @@ in
      { path=".cache/fuzzel"; type="file"; }
    ];
    gawk.sandbox.method = "bunpen";
    gawk.sandbox.wrapperType = "inplace";  # /share/gawk libraries refer to /libexec
    gawk.sandbox.autodetectCliPaths = "existingFile";
@@ -637,7 +617,6 @@ in
    gh.persist.byStore.private = [ ".config/gh" ];
    gimp.buildCost = 1;
    gimp.sandbox.method = "bunpen";
    gimp.sandbox.whitelistX = true;
    gimp.sandbox.whitelistWayland = true;
    gimp.sandbox.extraHomePaths = [
@@ -659,19 +638,16 @@ in
    gitea = {};
    gnome-calculator.buildCost = 1;
    gnome-calculator.sandbox.method = "bunpen";
    gnome-calculator.sandbox.whitelistWayland = true;
    gnome-calendar.buildCost = 1;
    # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
    gnome-calendar.sandbox.method = "bunpen";
    gnome-calendar.sandbox.whitelistWayland = true;
    gnome-calendar.sandbox.whitelistDbus = [ "user" ];
    # gnome-disks
    # XXX(2024-09-02): fails to show any disks even when run as `SANEBOX_DISABLE=1 sudo -E gnome-disks`.
    gnome-disk-utility.buildCost = 1;
    gnome-disk-utility.sandbox.method = "bwrap";
    gnome-disk-utility.sandbox.whitelistDbus = [ "system" ];
    gnome-disk-utility.sandbox.whitelistWayland = true;
    gnome-disk-utility.sandbox.extraHomePaths = [
@@ -685,7 +661,6 @@ in
    google-chrome.sandbox.enable = false;  # google-chrome is my "pleeeaaase work" fallback, so let it do anything.
    # gparted: run with `sudo -E gparted` (-E to keep the wayland socket)
    gparted.sandbox.method = "bunpen";
    gparted.sandbox.tryKeepUsers = true;
    gparted.sandbox.capabilities = [ "dac_override" "sys_admin" ];
    gparted.sandbox.extraPaths = [
@@ -698,7 +673,6 @@ in
    ];
    gparted.sandbox.whitelistWayland = true;
    hping.sandbox.method = "bunpen";
    hping.sandbox.net = "all";
    hping.sandbox.capabilities = [ "net_raw" ];
    hping.sandbox.autodetectCliPaths = "existingFile";  # for sending packet data from file
@@ -707,17 +681,14 @@ in
    # seahorse: dump gnome-keyring secrets.
    seahorse.buildCost = 1;
    # N.B. it can lso manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
    seahorse.sandbox.method = "bunpen";
    seahorse.sandbox.whitelistDbus = [ "user" ];
    seahorse.sandbox.whitelistWayland = true;
    gnome-2048.buildCost = 1;
    gnome-2048.sandbox.method = "bunpen";
    gnome-2048.sandbox.whitelistWayland = true;
    gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
    gnome-frog.buildCost = 1;
    gnome-frog.sandbox.method = "bunpen";
    gnome-frog.sandbox.whitelistWayland = true;
    gnome-frog.sandbox.whitelistDbus = [ "user" ];
    gnome-frog.sandbox.extraPaths = [
@@ -744,10 +715,8 @@ in
    # 2. no two shaded tiles can be direct N/S/E/W neighbors
    # - win once (1) and (2) are satisfied
    hitori.buildCost = 1;
    hitori.sandbox.method = "bunpen";
    hitori.sandbox.whitelistWayland = true;
    gnugrep.sandbox.method = "bunpen";
    gnugrep.sandbox.autodetectCliPaths = "existing";
    gnugrep.sandbox.whitelistPwd = true;
    gnugrep.sandbox.extraHomePaths = [
@@ -756,51 +725,42 @@ in
      ".persist/plaintext"
    ];
    gnused.sandbox.method = "bunpen";
    gnused.sandbox.autodetectCliPaths = "existingFile";
    gnused.sandbox.whitelistPwd = true;  #< `-i` flag creates a temporary file in pwd (?) and then moves it.
    gpsd = {};
    gptfdisk.sandbox.method = "bunpen";
    gptfdisk.sandbox.extraPaths = [
      "/dev"
    ];
    gptfdisk.sandbox.autodetectCliPaths = "existing";  #< sometimes you'll use gdisk on a device file.
    # N.B.: if the user doesn't specify an output path, `grim` will output to ~/Pictures (which isn't included in this sandbox)
    grim.sandbox.method = "bunpen";
    grim.sandbox.autodetectCliPaths = "existingOrParent";
    grim.sandbox.whitelistWayland = true;
    hase.buildCost = 1;
    hase.sandbox.method = "bunpen";
    hase.sandbox.net = "clearnet";
    hase.sandbox.whitelistAudio = true;
    hase.sandbox.whitelistDri = true;
    hase.sandbox.whitelistWayland = true;
    # hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
    hdparm.sandbox.method = "bunpen";
    hdparm.sandbox.autodetectCliPaths = "existingFile";
    hdparm.sandbox.tryKeepUsers = true;
    host.sandbox.method = "bunpen";
    host.sandbox.net = "all";  #< technically, only needs to contact localhost's DNS server
    iftop.sandbox.method = "bunpen";
    iftop.sandbox.net = "all";
    iftop.sandbox.capabilities = [ "net_raw" ];
    iftop.sandbox.tryKeepUsers = true;
    # inetutils: ping, ifconfig, hostname, traceroute, whois, ....
    # N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
    inetutils.sandbox.method = "bunpen";  # want to keep the same netns, at least.
    inetutils.sandbox.net = "all";
    inetutils.sandbox.capabilities = [ "net_raw" ];  # for `sudo traceroute google.com`
    inetutils.sandbox.tryKeepUsers = true;
    iotop.sandbox.method = "bunpen";
    iotop.sandbox.capabilities = [ "net_admin" ];
    iotop.sandbox.keepPidsAndProc = true;
    iotop.sandbox.tryKeepUsers = true;
@@ -817,37 +777,30 @@ in
    #   "/var/run/netns"
    # ];
-    iptables = {};  # TODO: sandbox
+    iptables.sandbox.method = null;  # TODO: sandbox
    # iptables.sandbox.method = "landlock";
    # iptables.sandbox.net = "all";
    # iptables.sandbox.capabilities = [ "net_admin" ];
    # iputils provides `ping` (and arping, clockdiff, tracepath)
    iputils.sandbox.method = "bunpen";
    iputils.sandbox.net = "all";
    iputils.sandbox.capabilities = [ "net_raw" ];
    iputils.sandbox.tryKeepUsers = true;  # for `sudo arping 10.78.79.1`
    iw.sandbox.method = "bunpen";
    iw.sandbox.net = "all";
    iw.sandbox.capabilities = [ "net_admin" ];
    iw.sandbox.tryKeepUsers = true;
    jq.sandbox.method = "bunpen";
    jq.sandbox.autodetectCliPaths = "existingFile";
    killall.sandbox.method = "bunpen";
    killall.sandbox.keepPidsAndProc = true;
    landlock-sandboxer.sandbox.enable = false;  #< sandbox helper
    libcap_ng.sandbox.enable = false;  # TODO: `pscap` can sandbox with bwrap, `captest` and `netcap` with landlock
    libnotify.sandbox.method = "bunpen";
    libnotify.sandbox.whitelistDbus = [ "user" ];  # notify-send
    lightning-cli.packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.clightning "lightning-cli";
    lightning-cli.sandbox.method = "bunpen";
    lightning-cli.sandbox.extraHomePaths = [
      ".lightning/bitcoin/lightning-rpc"
    ];
@@ -855,7 +808,6 @@ in
    lightning-cli.fs.".lightning".symlink.target = "/var/lib/clightning";
    losslesscut-bin.buildCost = 1;
    losslesscut-bin.sandbox.method = "bunpen";
    losslesscut-bin.sandbox.extraHomePaths = [
      "Music"
      "Pictures/from"  # videos from e.g. mobile phone
@@ -870,7 +822,6 @@ in
    losslesscut-bin.sandbox.whitelistX = true;
    # use: `lsof`; `sudo lsof -i 4`
    lsof.sandbox.method = "bunpen";
    lsof.sandbox.keepPidsAndProc = true;
    lsof.sandbox.capabilities = [ "dac_override" "sys_ptrace" ];
    # `lsof -i 4` demands we keep net, and also for some reason `/`.
@@ -885,20 +836,17 @@ in
    lua = {};
    lua-language-server.sandbox.method = "bunpen";
    lua-language-server.sandbox.whitelistPwd = true;
    man-pages.sandbox.enable = false;  #< data only
    man-pages-posix.sandbox.enable = false;  #< data only
    marksman.sandbox.method = "bunpen";
    marksman.sandbox.whitelistPwd = true;
    mercurial.sandbox.method = "bwrap";
    mercurial.sandbox.net = "clearnet";
    mercurial.sandbox.whitelistPwd = true;
    mesa-demos.sandbox.method = "bunpen";
    mesa-demos.sandbox.whitelistDri = true;
    mesa-demos.sandbox.whitelistWayland = true;
    mesa-demos.sandbox.whitelistX = true;
@@ -922,23 +870,18 @@ in
    mumble.buildCost = 1;
    mumble.persist.byStore.private = [ ".local/share/Mumble" ];
    nano.sandbox.method = "bunpen";
    nano.sandbox.autodetectCliPaths = "existingFileOrParent";
    netcat.sandbox.method = "bunpen";
    netcat.sandbox.net = "all";
    nethogs.sandbox.method = "bunpen";  # *partially* works under landlock w/ full access to /
    nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ];
    nethogs.sandbox.tryKeepUsers = true;
    nethogs.sandbox.net = "all";
    # provides `arp`, `hostname`, `route`, `ifconfig`
    nettools.sandbox.method = "bunpen";
    nettools.sandbox.net = "all";
    nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];
    networkmanagerapplet.sandbox.method = "bunpen";
    networkmanagerapplet.sandbox.whitelistWayland = true;
    networkmanagerapplet.sandbox.whitelistDbus = [ "system" ];
@@ -946,10 +889,8 @@ in
    nil.sandbox.whitelistPwd = true;
    nil.sandbox.keepPids = true;
    nixd.sandbox.method = "bunpen";
    nixd.sandbox.whitelistPwd = true;
    nixfmt-rfc-style.sandbox.method = "bunpen";
    nixfmt-rfc-style.sandbox.autodetectCliPaths = "existingDirOrParent";  #< it formats via rename
    nixpkgs-review.sandbox.method = "bwrap";
@@ -966,17 +907,14 @@ in
      ".cache/nixpkgs-review"  #< help it not exhaust / tmpfs
    ];
    nmap.sandbox.method = "bunpen";
    nmap.sandbox.net = "all";  # clearnet and lan
    nmon.sandbox.method = "bunpen";
    nmon.sandbox.keepPidsAndProc = true;
    nmon.sandbox.net = "all";
    nodejs = {};
    # `nvme list`
    nvme-cli.sandbox.method = "bunpen";
    nvme-cli.sandbox.extraPaths = [
      "/sys/devices"
      "/sys/class/nvme"
@@ -987,29 +925,25 @@ in
    # nvme-cli.sandbox.capabilities = [ "sys_rawio" ];
    # contains only `oathtool`, which i only use for evaluating TOTP codes from CLI/stdin
-    oath-toolkit.sandbox.method = "bunpen";
+    oath-toolkit = {};
    # settings (electron app)
    obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];
    openscad-lsp.sandbox.method = "bunpen";
    openscad-lsp.sandbox.whitelistPwd = true;
    passt.sandbox.enable = false;  #< sandbox helper (netns specifically)
    parted.sandbox.method = "bunpen";
    parted.sandbox.extraPaths = [
      "/dev"
    ];
    parted.sandbox.autodetectCliPaths = "existing";  #< sometimes you'll use parted on a device file.
-    patchelf = {};
+    patchelf.sandbox.method = null;  #< TODO: sandbox
    pavucontrol.sandbox.method = "bunpen";
    pavucontrol.sandbox.whitelistAudio = true;
    pavucontrol.sandbox.whitelistWayland = true;
    pciutils.sandbox.method = "bunpen";
    pciutils.sandbox.extraPaths = [
      "/sys/bus/pci"
      "/sys/devices"
@@ -1017,7 +951,6 @@ in
    "perlPackages.FileMimeInfo" = {};
    powertop.sandbox.method = "bunpen";
    powertop.sandbox.capabilities = [ "ipc_lock" "sys_admin" ];
    powertop.sandbox.tryKeepUsers = true;
    powertop.sandbox.extraPaths = [
@@ -1028,24 +961,19 @@ in
    ];
    # procps: free, pgrep, pidof, pkill, ps, pwait, top, uptime, couple others
    procps.sandbox.method = "bunpen";
    procps.sandbox.keepPidsAndProc = true;
    pstree.sandbox.method = "bunpen";
    pstree.sandbox.keepPidsAndProc = true;
-    pulseaudio = {};
+    pulseaudio.sandbox.method = null;  #< TODO: sandbox
    pulsemixer.sandbox.method = "bunpen";
    pulsemixer.sandbox.whitelistAudio = true;
    pwvucontrol.buildCost = 1;
    pwvucontrol.sandbox.method = "bunpen";
    pwvucontrol.sandbox.whitelistAudio = true;
    pwvucontrol.sandbox.whitelistDri = true;  # else perf on moby is unusable
    pwvucontrol.sandbox.whitelistWayland = true;
    pyright.sandbox.method = "bunpen";
    pyright.sandbox.whitelistPwd = true;
    python3-repl.packageUnwrapped = pkgs.python3.withPackages (ps: with ps; [
@@ -1055,7 +983,6 @@ in
      requests
      unidecode
    ]);
    python3-repl.sandbox.method = "bunpen";
    python3-repl.sandbox.net = "clearnet";
    python3-repl.sandbox.extraHomePaths = [
      "/"  #< this is 'safe' because with don't expose .persist/private, so no .ssh/id_ed25519
@@ -1065,12 +992,10 @@ in
    qemu.sandbox.enable = false;  #< it's a launcher
    qemu.buildCost = 2;
    rsync.sandbox.method = "bunpen";
    rsync.sandbox.net = "clearnet";
    rsync.sandbox.autodetectCliPaths = "existingOrParent";
    rsync.sandbox.tryKeepUsers = true;  # if running as root, keep the user namespace so that `-a` can set the correct owners, etc
    rust-analyzer.sandbox.method = "bunpen";
    rust-analyzer.sandbox.whitelistPwd = true;
    rust-analyzer.suggestedPrograms = [
      "cargo"
@@ -1080,7 +1005,6 @@ in
    rustup = {};
    sane-cast.sandbox.method = "bunpen";
    sane-cast.sandbox.net = "clearnet";
    sane-cast.sandbox.autodetectCliPaths = "existingFile";
    sane-cast.sandbox.whitelistAudio = true;  #< for blast audio casting
@@ -1088,10 +1012,8 @@ in
    sane-die-with-parent.sandbox.enable = false;  #< it's a launcher; can't sandbox
    sane-weather.sandbox.method = "bunpen";
    sane-weather.sandbox.net = "clearnet";
    sc-im.sandbox.method = "bunpen";
    sc-im.sandbox.autodetectCliPaths = "existingFile";
    screen.sandbox.enable = false;  #< tty; needs to run anything
@@ -1101,13 +1023,11 @@ in
      doCheck = false;
    });
    sequoia.buildCost = 1;
    sequoia.sandbox.method = "bunpen";
    sequoia.sandbox.whitelistPwd = true;
    sequoia.sandbox.autodetectCliPaths = "existingFileOrParent";  # supports `-o <file-to-create>`
    shattered-pixel-dungeon.buildCost = 1;
    shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
    shattered-pixel-dungeon.sandbox.method = "bunpen";
    shattered-pixel-dungeon.sandbox.whitelistAudio = true;
    shattered-pixel-dungeon.sandbox.whitelistDri = true;
    shattered-pixel-dungeon.sandbox.whitelistWayland = true;
@@ -1117,14 +1037,11 @@ in
    # slic3r.persist.byStore.plaintext = [
    #   ".Slic3r"  #< printer/filament settings
    # ];
    slic3r.sandbox.method = "bunpen";
    slic3r.sandbox.autodetectCliPaths = "existingFileOrParent";  # slic3r <my-file>.stl -o <out>.gcode
    slurp.sandbox.method = "bunpen";
    slurp.sandbox.whitelistWayland = true;
    # use like `sudo smartctl /dev/sda -a`
    smartmontools.sandbox.method = "bunpen";
    smartmontools.sandbox.wrapperType = "inplace";  # ships a script in /etc that calls into its bin
    smartmontools.sandbox.autodetectCliPaths = "existing";
    smartmontools.sandbox.capabilities = [ "sys_rawio" ];
@@ -1133,7 +1050,6 @@ in
    # TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
    snapshot.sandbox.method = null;  #< TODO: sandbox
    sops.sandbox.method = "bunpen";
    sops.sandbox.extraHomePaths = [
      ".config/sops"
      "nixos"
@@ -1142,23 +1058,20 @@ in
      "knowledge"
    ];
    sox.sandbox.method = "bunpen";
    sox.sandbox.autodetectCliPaths = "existingFileOrParent";
    sox.sandbox.whitelistAudio = true;
    space-cadet-pinball.buildCost = 1;
    space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
    space-cadet-pinball.sandbox.method = "bunpen";
    space-cadet-pinball.sandbox.whitelistAudio = true;
    space-cadet-pinball.sandbox.whitelistDri = true;
    space-cadet-pinball.sandbox.whitelistWayland = true;
    speedtest-cli.sandbox.method = "bunpen";
    speedtest-cli.sandbox.net = "all";
    sqlite = {};
-    sshfs-fuse.sandbox.method = "bunpen";  #< N.B. if you call this from the CLI -- without `mount.fuse` -- set this to `none`
+    # N.B. if you call sshfs-fuse from the CLI -- without `mount.fuse` -- disable sandboxing
    sshfs-fuse.sandbox.net = "all";
    sshfs-fuse.sandbox.autodetectCliPaths = "parent";
    # sshfs-fuse.sandbox.extraPaths = [
@@ -1178,18 +1091,15 @@ in
    sudo.sandbox.enable = false;
    superTux.buildCost = 1;
    superTux.sandbox.method = "bunpen";
    superTux.sandbox.whitelistAudio = true;
    superTux.sandbox.whitelistDri = true;
    superTux.sandbox.whitelistWayland = true;
    superTux.sandbox.whitelistX = true;
    superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
    swappy.sandbox.method = "bunpen";
    swappy.sandbox.autodetectCliPaths = "existingFileOrParent";
    swappy.sandbox.whitelistWayland = true;
    tcpdump.sandbox.method = "bunpen";
    tcpdump.sandbox.net = "all";
    tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent";
    tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];
@@ -1200,15 +1110,12 @@ in
    tokodon.buildCost = 1;
    tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
    tree.sandbox.method = "bunpen";
    tree.sandbox.autodetectCliPaths = "existing";
    tree.sandbox.whitelistPwd = true;
    typescript-language-server.sandbox.method = "bunpen";
    typescript-language-server.sandbox.whitelistPwd = true;
    tumiki-fighters.buildCost = 1;
    tumiki-fighters.sandbox.method = "bunpen";
    tumiki-fighters.sandbox.whitelistAudio = true;
    tumiki-fighters.sandbox.whitelistDri = true;  #< not strictly necessary, but triples CPU perf
    tumiki-fighters.sandbox.whitelistWayland = true;
@@ -1216,11 +1123,10 @@ in
    util-linux.sandbox.method = null;  #< TODO: possible to sandbox if i specify a different profile for each of its ~50 binaries
    unzip.sandbox.method = "bunpen";
    unzip.sandbox.autodetectCliPaths = "existingOrParent";
    unzip.sandbox.whitelistPwd = true;
-    usbutils.sandbox.method = "bunpen";  # breaks `usbhid-dump`, but `lsusb`, `usb-devices` work
+    # usbutils.sandbox.method = null;  # fixes `usbhid-dump`. OTOH `lsusb`, `usb-devices` work under bunpen
    usbutils.sandbox.extraPaths = [
      "/sys/devices"
      "/sys/bus/usb"
@@ -1237,7 +1143,6 @@ in
    valgrind.sandbox.enable = false;  #< it's a launcher: can't sandbox
    # `vulkaninfo`, `vkcube`
    vulkan-tools.sandbox.method = "bunpen";
    vulkan-tools.sandbox.whitelistDri = true;
    vulkan-tools.sandbox.whitelistWayland = true;
    vulkan-tools.sandbox.whitelistX = true;
@@ -1247,13 +1152,11 @@ in
    ];
    vvvvvv.buildCost = 1;
    vvvvvv.sandbox.method = "bunpen";
    vvvvvv.sandbox.whitelistAudio = true;
    vvvvvv.sandbox.whitelistDri = true;  #< playable without, but burns noticably more CPU
    vvvvvv.sandbox.whitelistWayland = true;
    vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
    w3m.sandbox.method = "bunpen";
    w3m.sandbox.net = "all";
    w3m.sandbox.extraHomePaths = [
      # little-used feature, but you can save web pages :)
@@ -1262,10 +1165,8 @@ in
    watch.sandbox.enable = false;  #< it executes the command it's given
    wdisplays.sandbox.method = "bunpen";
    wdisplays.sandbox.whitelistWayland = true;
    wget.sandbox.method = "bunpen";
    wget.sandbox.net = "all";
    wget.sandbox.whitelistPwd = true;  # saves to pwd by default
@@ -1273,26 +1174,21 @@ in
    whalebird.persist.byStore.private = [ ".config/Whalebird" ];
    # `wg`, `wg-quick`
    wireguard-tools.sandbox.method = "bunpen";
    wireguard-tools.sandbox.net = "all";
    wireguard-tools.sandbox.capabilities = [ "net_admin" ];
    wireguard-tools.sandbox.tryKeepUsers = true;
    # provides `iwconfig`, `iwlist`, `iwpriv`, ...
    wirelesstools.sandbox.method = "bunpen";
    wirelesstools.sandbox.net = "all";
    wirelesstools.sandbox.capabilities = [ "net_admin" ];
    wirelesstools.sandbox.tryKeepUsers = true;
    wl-clipboard.sandbox.method = "bunpen";
    wl-clipboard.sandbox.whitelistWayland = true;
    wl-clipboard.sandbox.keepPids = true;  #< this is needed, but not sure why?
    wtype = {};
    wtype.sandbox.method = "bunpen";
    wtype.sandbox.whitelistWayland = true;
    xwayland.sandbox.method = "bunpen";
    xwayland.sandbox.wrapperType = "inplace";  #< consumers use it as a library (e.g. wlroots)
    xwayland.sandbox.whitelistWayland = true;  #< just assuming this is needed
    xwayland.sandbox.whitelistX = true;
--- a/hosts/common/programs/audacity.nix
+++ b/hosts/common/programs/audacity.nix
@@ -16,7 +16,6 @@
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.whitelistAudio = true;
    sandbox.whitelistWayland = true;
    sandbox.autodetectCliPaths = "existingFile";
--- a/hosts/common/programs/ausyscall.nix
+++ b/hosts/common/programs/ausyscall.nix
@@ -4,7 +4,6 @@
  sane.programs.ausyscall = {
    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.audit "ausyscall";
    sandbox.method = "bunpen";
  };
 }
--- a/hosts/common/programs/avahi.nix
+++ b/hosts/common/programs/avahi.nix
@@ -28,7 +28,6 @@ in
        pkgs.makeBinaryWrapper
      ];
    });
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [ "system" ];
    sandbox.net = "all";  #< otherwise it will show 'null' in place of each interface name.
    # sandbox.extraPaths = [ ];  #< may be missing some paths; only tried service discovery, not service advertisement.
--- a/hosts/common/programs/blast-ugjka/default.nix
+++ b/hosts/common/programs/blast-ugjka/default.nix
@@ -24,7 +24,6 @@ let
 in
 {
  sane.programs.blast-ugjka = {
    sandbox.method = "bunpen";
    sandbox.whitelistAudio = true;
    sandbox.net = "clearnet";
  };
@@ -36,7 +35,6 @@ in
      pkgs = [ "blast-ugjka" ];
      srcRoot = ./.;
    };
    sandbox.method = "bunpen";
    sandbox.whitelistAudio = true;
    sandbox.net = "clearnet";
    #v  else it fails to reap its children (or, maybe, it fails to hook its parent's death signal?)
--- a/hosts/common/programs/bonsai.nix
+++ b/hosts/common/programs/bonsai.nix
@@ -113,7 +113,6 @@ in
    fs.".config/bonsai/bonsai_tree.json".symlink.target = pkgs.writers.writeJSON "bonsai_tree.json" cfg.config.transitions;
    sandbox.method = "bunpen";
    sandbox.extraRuntimePaths = [
      "bonsai"
    ];
--- a/hosts/common/programs/brave.nix
+++ b/hosts/common/programs/brave.nix
@@ -13,7 +13,6 @@
    else
      pkgs.runCommandLocal "brave-not-supported" {} "false"
    ;
    sandbox.method = "bunpen";
    sandbox.wrapperType = "inplace";  #< package contains dangling symlinks which my wrapper doesn't understand
    sandbox.net = "all";
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/brightnessctl.nix
+++ b/hosts/common/programs/brightnessctl.nix
@@ -4,7 +4,6 @@ let
 in
 {
  sane.programs.brightnessctl = {
    sandbox.method = "bunpen";
    sandbox.extraPaths = [
      "/sys/class/backlight"
      "/sys/class/leds"
--- a/hosts/common/programs/callaudiod.nix
+++ b/hosts/common/programs/callaudiod.nix
@@ -13,7 +13,6 @@
  sane.programs.callaudiod = {
    packageUnwrapped = pkgs.rmDbusServices pkgs.callaudiod;
    sandbox.method = "bunpen";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];
--- a/hosts/common/programs/calls.nix
+++ b/hosts/common/programs/calls.nix
@@ -96,7 +96,6 @@ in
      ];
    }));
    sandbox.method = "bunpen";
    sandbox.net = "vpn.wg-home";  #< XXX(2024/07/05): my cell carrier seems to block RTP, so tunnel it.
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];  # necessary for secrets, at the minimum
--- a/hosts/common/programs/captree.nix
+++ b/hosts/common/programs/captree.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.captree = {
    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap-with-captree "captree";
    sandbox.method = "bunpen";
    sandbox.keepPidsAndProc = true;
  };
 }
--- a/hosts/common/programs/celeste64.nix
+++ b/hosts/common/programs/celeste64.nix
@@ -3,7 +3,6 @@
  sane.programs.celeste64 = {
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
--- a/hosts/common/programs/conky/default.nix
+++ b/hosts/common/programs/conky/default.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  sane.programs.conky = {
    sandbox.method = "bunpen";
    sandbox.net = "clearnet";  #< for the scripts it calls (weather)
    sandbox.extraPaths = [
      "/sys/class/power_supply"
--- a/hosts/common/programs/curl.nix
+++ b/hosts/common/programs/curl.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  sane.programs.curl = {
    sandbox.method = "bunpen";
    sandbox.net = "all";
    sandbox.autodetectCliPaths = "parent";  #< for `-o` option
  };
--- a/hosts/common/programs/curlftpfs.nix
+++ b/hosts/common/programs/curlftpfs.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.curlftpfs = {
    packageUnwrapped = pkgs.curlftpfs-sane;
    sandbox.method = "bunpen";
    sandbox.net = "all";
    sandbox.autodetectCliPaths = "existing";
    sandbox.keepPids = true;
--- a/hosts/common/programs/dbus.nix
+++ b/hosts/common/programs/dbus.nix
@@ -32,7 +32,6 @@ in
      '';
    });
    sandbox.method = "bunpen";
    sandbox.extraRuntimePaths = [
      "dbus"
    ];
--- a/hosts/common/programs/dconf.nix
+++ b/hosts/common/programs/dconf.nix
@@ -25,7 +25,6 @@ in
    };
    packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.dconf;
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [ "user" ];
    persist.byStore.private = [
      ".config/dconf"
--- a/hosts/common/programs/dialect.nix
+++ b/hosts/common/programs/dialect.nix
@@ -14,7 +14,6 @@
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.wrapperType = "inplace";  # share/search_providers/ calls back into the binary, weird wrap semantics
    sandbox.whitelistWayland = true;
    sandbox.net = "clearnet";
--- a/hosts/common/programs/dino.nix
+++ b/hosts/common/programs/dino.nix
@@ -58,7 +58,6 @@ in
      webrtc-audio-processing = null;
    };
    sandbox.method = "bunpen";
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];  # notifications
--- a/hosts/common/programs/dissent.nix
+++ b/hosts/common/programs/dissent.nix
@@ -31,7 +31,6 @@ in
          --replace-fail '"login"' '"Default_keyring"'
      '';
    });
    sandbox.method = "bunpen";
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];  # notifications
--- a/hosts/common/programs/dtrx.nix
+++ b/hosts/common/programs/dtrx.nix
@@ -9,7 +9,6 @@
      # build without rpm support, since `rpm` package doesn't cross-compile.
      rpm = null;
    };
    sandbox.method = "bunpen";
    sandbox.whitelistPwd = true;
    sandbox.autodetectCliPaths = "existing";  #< for the archive
  };
--- a/hosts/common/programs/eg25-control.nix
+++ b/hosts/common/programs/eg25-control.nix
@@ -6,7 +6,6 @@ in
  sane.programs.eg25-control = {
    suggestedPrograms = [ "mmcli" ];
    sandbox.method = "bunpen";
    sandbox.extraPaths = [
      "/dev/gpiochip1"
      "/sys/class/modem-power"
--- a/hosts/common/programs/element-desktop.nix
+++ b/hosts/common/programs/element-desktop.nix
@@ -27,7 +27,6 @@
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];  # notifications
--- a/hosts/common/programs/engrampa.nix
+++ b/hosts/common/programs/engrampa.nix
@@ -2,7 +2,6 @@
 {
  sane.programs."mate.engrampa" = {
    packageUnwrapped = pkgs.rmDbusServices pkgs.mate.engrampa;
    sandbox.method = "bunpen";
    sandbox.whitelistWayland = true;
    sandbox.autodetectCliPaths = "existingOrParent";
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/epiphany.nix
+++ b/hosts/common/programs/epiphany.nix
@@ -8,7 +8,6 @@
 { pkgs, ... }:
 {
  sane.programs.epiphany = {
    sandbox.method = "bunpen";
    sandbox.wrapperType = "inplace";  # /share/epiphany/default-bookmarks.rdf refers back to /share; dbus files to /libexec
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
--- a/hosts/common/programs/errno.nix
+++ b/hosts/common/programs/errno.nix
@@ -12,6 +12,5 @@
      buildInputs = [];  #< errno has no runtime perl deps, and they don't cross compile, so disable them.
    });
    sandbox.method = "bunpen";
  };
 }
--- a/hosts/common/programs/exiftool.nix
+++ b/hosts/common/programs/exiftool.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  sane.programs.exiftool = {
    sandbox.method = "bunpen";
    sandbox.autodetectCliPaths = "existingFile";
  };
 }
--- a/hosts/common/programs/fcitx5.nix
+++ b/hosts/common/programs/fcitx5.nix
@@ -34,7 +34,6 @@
      ];
    };
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [ "user" ];
    sandbox.whitelistWayland = true;  # for `fcitx5-configtool, if nothing else`
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/feedbackd.nix
+++ b/hosts/common/programs/feedbackd.nix
@@ -24,7 +24,6 @@ in
      default = {};
    };
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [ "user" ];
    sandbox.whitelistAudio = true;
--- a/hosts/common/programs/firefox-xdg-open.nix
+++ b/hosts/common/programs/firefox-xdg-open.nix
@@ -3,7 +3,6 @@
  sane.programs.firefox-xdg-open = {
    packageUnwrapped = pkgs.firefox-extensions.firefox-xdg-open.systemComponent;
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [ "user" ];  # for xdg-open/portals
    mime.associations."x-scheme-handler/xdg-open" = "xdg-open.desktop";
--- a/hosts/common/programs/firefox/default.nix
+++ b/hosts/common/programs/firefox/default.nix
@@ -204,7 +204,6 @@ in
    inherit packageUnwrapped;
    sandbox.method = "bunpen";
    sandbox.net = "all";
    sandbox.whitelistAudio = true;
    sandbox.whitelistAvDev = true;  #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12)
--- a/hosts/common/programs/foliate.nix
+++ b/hosts/common/programs/foliate.nix
@@ -2,7 +2,6 @@
 { ... }:
 {
  sane.programs.foliate = {
    sandbox.method = "bunpen";
    sandbox.net = "clearnet";  #< for dictionary, wikipedia, online book libraries
    sandbox.whitelistDbus = [ "user" ];  #< when clicking on links
    sandbox.whitelistDri = true;  # reduces startup time and subjective page flip time
--- a/hosts/common/programs/fontconfig.nix
+++ b/hosts/common/programs/fontconfig.nix
@@ -55,7 +55,6 @@ let
 in
 {
  sane.programs.fontconfig = {
    sandbox.method = "bunpen";
    sandbox.autodetectCliPaths = "existingOrParent";  #< this might be overkill; or, how many programs reference fontconfig internally?
    # persist.byStore.plaintext = [
--- a/hosts/common/programs/fractal.nix
+++ b/hosts/common/programs/fractal.nix
@@ -26,7 +26,6 @@ in
    packageUnwrapped = pkgs.fractal-nixified.optimized;
    # packageUnwrapped = pkgs.fractal;
    sandbox.method = "bunpen";
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];  # notifications
--- a/hosts/common/programs/free.nix
+++ b/hosts/common/programs/free.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.free = {
    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.procps "free";
    sandbox.method = "bunpen";
    sandbox.extraPaths = [ "/proc/meminfo" ];
  };
 }
--- a/hosts/common/programs/frozen-bubble.nix
+++ b/hosts/common/programs/frozen-bubble.nix
@@ -11,7 +11,6 @@
    });
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.net = "clearnet";  # net play
    sandbox.whitelistAudio = true;
    sandbox.whitelistWayland = true;
--- a/hosts/common/programs/g4music.nix
+++ b/hosts/common/programs/g4music.nix
@@ -10,7 +10,6 @@
  sane.programs.g4music = {
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];  # mpris
    sandbox.whitelistWayland = true;
--- a/hosts/common/programs/gdbus.nix
+++ b/hosts/common/programs/gdbus.nix
@@ -3,7 +3,6 @@
  sane.programs.gdbus = {
    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.glib "gdbus";
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [ "user" ];  #< XXX: maybe future users will also want system access
  };
 }
--- a/hosts/common/programs/geary.nix
+++ b/hosts/common/programs/geary.nix
@@ -19,7 +19,6 @@ in
      };
    };
    sandbox.method = "bunpen";
    sandbox.wrapperType = "inplace";  #< XXX(2024-08-20): if executed from a directory different than the configured prefix, it fails to locate its sql migration files
    sandbox.net = "clearnet";
    sandbox.whitelistDbus = [ "user" ];  # notifications
--- a/hosts/common/programs/geoclue-demo-agent.nix
+++ b/hosts/common/programs/geoclue-demo-agent.nix
@@ -7,7 +7,6 @@
      path = "${config.sane.programs.geoclue2.packageUnwrapped}/libexec/geoclue-2.0/demos/agent";
    }];
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [
      "system"
    ];
--- a/hosts/common/programs/git.nix
+++ b/hosts/common/programs/git.nix
@@ -18,7 +18,6 @@ in
        rm "$out/bin/git-jump"
      '';
    });
    sandbox.method = "bunpen";
    sandbox.net = "clearnet";
    sandbox.whitelistPwd = true;
    sandbox.autodetectCliPaths = true;  # necessary for git-upload-pack
--- a/hosts/common/programs/gnome-clocks.nix
+++ b/hosts/common/programs/gnome-clocks.nix
@@ -12,7 +12,6 @@
    });
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];  #< required (alongside .config/dconf) to remember timers
    sandbox.whitelistWayland = true;
--- a/hosts/common/programs/gnome-keyring/default.nix
+++ b/hosts/common/programs/gnome-keyring/default.nix
@@ -3,7 +3,6 @@
 {
  sane.programs.gnome-keyring = {
    packageUnwrapped = pkgs.rmDbusServices pkgs.gnome-keyring;
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [ "user" ];
    sandbox.extraRuntimePaths = [
      "keyring"  #< only needs keyring/control, but has to *create* that.
--- a/hosts/common/programs/gnome-maps.nix
+++ b/hosts/common/programs/gnome-maps.nix
@@ -37,7 +37,6 @@
    ];
    sandbox.wrapperType = "inplace";  #< /share directory contains Gir info which references libgnome-maps.so by path
    sandbox.method = "bunpen";
    sandbox.whitelistDri = true;  # for perf
    sandbox.whitelistDbus = [
      "system"  # system is required for non-portal location services
--- a/hosts/common/programs/gnome-weather.nix
+++ b/hosts/common/programs/gnome-weather.nix
@@ -5,7 +5,6 @@
  sane.programs.gnome-weather = {
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.wrapperType = "inplace";  #< /share/org.gnome.Weather/org.gnome.Weather file refers to bins by full path
    sandbox.whitelistWayland = true;
    sandbox.net = "clearnet";
--- a/hosts/common/programs/go2tv.nix
+++ b/hosts/common/programs/go2tv.nix
@@ -48,7 +48,6 @@ let
 in
 {
  sane.programs.go2tv = {
    sandbox.method = "bunpen";
    sandbox.net = "clearnet";
    sandbox.autodetectCliPaths = "existingFile";
    # for GUI invocation, allow the common media directories
--- a/hosts/common/programs/gocryptfs.nix
+++ b/hosts/common/programs/gocryptfs.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  sane.programs.gocryptfs = {
    sandbox.method = "bunpen";
    sandbox.autodetectCliPaths = "existing";
    sandbox.capabilities = [
      # CAP_SYS_ADMIN is only required if directly invoking gocryptfs.
--- a/hosts/common/programs/gpodder.nix
+++ b/hosts/common/programs/gpodder.nix
@@ -22,7 +22,6 @@ in {
      ];
    });
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [ "user" ];  # it won't launch without it, dunno exactly why.
    sandbox.whitelistWayland = true;
    sandbox.net = "clearnet";
--- a/hosts/common/programs/gps-share.nix
+++ b/hosts/common/programs/gps-share.nix
@@ -26,7 +26,6 @@ in
      # and systemd, for udevadm
    ];
    sandbox.method = "bunpen";
    sandbox.net = "all";
    sandbox.autodetectCliPaths = "existing";  #< N.B.: `test -f /dev/ttyUSB1` fails, we can't use `existingFile`
    sandbox.whitelistDbus = [ "system" ];  #< to register with Avahi
--- a/hosts/common/programs/grimshot.nix
+++ b/hosts/common/programs/grimshot.nix
@@ -14,7 +14,6 @@
      # "sway"
      "wl-clipboard"
    ];
    sandbox.method = "bunpen";
    sandbox.keepPids = true;  #< needed by wl-clipboard
    sandbox.whitelistWayland = true;
    sandbox.whitelistDbus = [ "user" ];
--- a/hosts/common/programs/gst-device-monitor.nix
+++ b/hosts/common/programs/gst-device-monitor.nix
@@ -23,7 +23,6 @@
      ];
    });
    sandbox.method = "bunpen";
    sandbox.whitelistAudio = true;
    sandbox.extraPaths = [
      "/dev"  # tried, but failed to narrow this down (moby)
--- a/hosts/common/programs/handbrake.nix
+++ b/hosts/common/programs/handbrake.nix
@@ -3,7 +3,6 @@
  sane.programs.handbrake = {
    buildCost = 1;
    sandbox.method = "bunpen";  #< untested
    sandbox.whitelistDbus = [ "user" ];  # notifications
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/haredoc.nix
+++ b/hosts/common/programs/haredoc.nix
@@ -2,7 +2,6 @@
 { pkgs, ... }:
 {
  sane.programs.haredoc = {
    sandbox.method = "bunpen";
    sandbox.whitelistPwd = true;  #< search for function documentation below the current directory
    env.HAREPATH = "${pkgs.hare}/src/hare/stdlib";
  };
--- a/hosts/common/programs/htop/default.nix
+++ b/hosts/common/programs/htop/default.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  sane.programs.htop = {
    sandbox.method = "bunpen";
    sandbox.keepPidsAndProc = true;
    sandbox.extraPaths = [
      "/sys/devices"
--- a/hosts/common/programs/imagemagick.nix
+++ b/hosts/common/programs/imagemagick.nix
@@ -3,7 +3,6 @@
  sane.programs.imagemagick = {
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.wrapperType = "inplace";  # /etc/ImageMagick-7/delegates.xml refers to bins by absolute path
    sandbox.whitelistPwd = true;
    sandbox.autodetectCliPaths = "existingOrParent";  #< arg formatting is complicated enough that this won't always work.
--- a/hosts/common/programs/inkscape.nix
+++ b/hosts/common/programs/inkscape.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.inkscape = {
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      ".config/dconf"  #< else opening images fails
--- a/hosts/common/programs/kdenlive.nix
+++ b/hosts/common/programs/kdenlive.nix
@@ -3,7 +3,6 @@
  sane.programs.kdenlive = {
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.extraHomePaths = [
      "Music"
      "Pictures/from"  # e.g. Videos taken from my phone
--- a/hosts/common/programs/komikku.nix
+++ b/hosts/common/programs/komikku.nix
@@ -10,7 +10,6 @@
      '' + (upstream.preFixup or "");
    });
    sandbox.method = "bunpen";
    sandbox.net = "clearnet";
    sandbox.whitelistDbus = [ "user" ];  # needs to connect to dconf via dbus
    sandbox.whitelistDri = true;  #< required
--- a/hosts/common/programs/krita.nix
+++ b/hosts/common/programs/krita.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.krita = {
    buildCost = 1;
    sandbox.method = "bunpen";
    sandbox.whitelistWayland = true;
    sandbox.whitelistX = true;
    sandbox.autodetectCliPaths = "existing";
--- a/hosts/common/programs/less.nix
+++ b/hosts/common/programs/less.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  sane.programs.less = {
    sandbox.method = "bunpen";
    sandbox.autodetectCliPaths = "existingFile";
    env.PAGER = "less";
    # LESS flags:
--- a/hosts/common/programs/lftp.nix
+++ b/hosts/common/programs/lftp.nix
@@ -9,7 +9,6 @@
 { ... }:
 {
  sane.programs.lftp = {
    sandbox.method = "bunpen";
    sandbox.net = "all";
    sandbox.extraPaths = [
      "Music"
--- a/hosts/common/programs/libreoffice.nix
+++ b/hosts/common/programs/libreoffice.nix
@@ -6,7 +6,6 @@
    # packageUnwrapped = pkgs.libreoffice-bin;
    # packageUnwrapped = pkgs.libreoffice-still;
    packageUnwrapped = pkgs.libreoffice-fresh;
    sandbox.method = "bunpen";
    sandbox.whitelistWayland = true;
    sandbox.autodetectCliPaths = "existingFile";
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/loupe.nix
+++ b/hosts/common/programs/loupe.nix
@@ -12,7 +12,6 @@
    #   '';
    # }));
    sandbox.method = "bunpen";
    sandbox.whitelistDri = true;  #< faster rendering
    sandbox.whitelistWayland = true;
    sandbox.autodetectCliPaths = "parent";
--- a/hosts/common/programs/megapixels-next.nix
+++ b/hosts/common/programs/megapixels-next.nix
@@ -24,7 +24,6 @@
    });
    # this sandboxing was derived from original megapixels: possibly inaccurate
    sandbox.method = "bunpen";
    sandbox.wrapperType = "inplace";  #< for share/megapixels/movie.sh
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
--- a/hosts/common/programs/mepo.nix
+++ b/hosts/common/programs/mepo.nix
@@ -12,7 +12,6 @@
        )
      '';
    });
    sandbox.method = "bunpen";
    sandbox.net = "all";  # for tiles *and* for localhost comm to gpsd
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
--- a/hosts/common/programs/mimetype.nix
+++ b/hosts/common/programs/mimetype.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.mimetype = {
    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.perlPackages.FileMimeInfo "mimetype";
    sandbox.method = "bunpen";
    sandbox.autodetectCliPaths = "existing";
  };
 }
--- a/hosts/common/programs/mpv/default.nix
+++ b/hosts/common/programs/mpv/default.nix
@@ -179,7 +179,6 @@ in
      "yt-dlp"
    ];
    sandbox.method = "bunpen";
    sandbox.autodetectCliPaths = "parent";  #< especially for subtitle downloader; also nice for viewing albums
    sandbox.net = "all";
    sandbox.whitelistAudio = true;
--- a/hosts/common/programs/nautilus.nix
+++ b/hosts/common/programs/nautilus.nix
@@ -14,7 +14,6 @@
    #   "gvfs"  # browse ftp://, etc  (TODO: fix!)
    # ];
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [ "user" ];  # for portals launching apps
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/neovim/default.nix
+++ b/hosts/common/programs/neovim/default.nix
@@ -40,7 +40,6 @@ in
      # "vala-language-server"  #< 2024-08-26: fails to recognize any imported types, complains they're all `null`
    ];
    sandbox.method = "bunpen";
    sandbox.autodetectCliPaths = "existingOrParent";
    sandbox.whitelistWayland = true;  # for system clipboard integration
    # sandbox.whitelistPwd = true;
--- a/hosts/common/programs/networkmanager_dmenu/default.nix
+++ b/hosts/common/programs/networkmanager_dmenu/default.nix
@@ -2,7 +2,6 @@
 { ... }:
 {
  sane.programs.networkmanager_dmenu = {
    sandbox.method = "bunpen";
    # sandbox.keepPidsAndProc = true;  #< else it can't connect to NetworkManager (?)
    sandbox.whitelistDbus = [
      "system"
--- a/hosts/common/programs/newsflash.nix
+++ b/hosts/common/programs/newsflash.nix
@@ -15,7 +15,6 @@ let
  wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds;
 in {
  sane.programs.newsflash = {
    sandbox.method = "bunpen";
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;  #< for embedded videos
    sandbox.whitelistDbus = [ "user" ];
--- a/hosts/common/programs/nicotine-plus.nix
+++ b/hosts/common/programs/nicotine-plus.nix
@@ -13,7 +13,6 @@
        ${upstream.postInstall}
      '';
    });
    sandbox.method = "bunpen";
    sandbox.whitelistDri = true;  #< required, else it fails to launch the gui
    sandbox.whitelistWayland = true;
    sandbox.net = "vpn";
--- a/hosts/common/programs/nix-index.nix
+++ b/hosts/common/programs/nix-index.nix
@@ -2,7 +2,6 @@
 {
  # provides `nix-locate`, backed by the manually run `nix-index`
  sane.programs.nix-index = {
    sandbox.method = "bunpen";
    sandbox.net = "clearnet";
    sandbox.extraPaths = [
      "/nix"
--- a/hosts/common/programs/nmcli.nix
+++ b/hosts/common/programs/nmcli.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.nmcli = {
    packageUnwrapped = pkgs.networkmanager-split.nmcli;
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [
      "system"
    ];
--- a/hosts/common/programs/nwg-panel/default.nix
+++ b/hosts/common/programs/nwg-panel/default.nix
@@ -187,7 +187,6 @@ in
      playerctlChars = if cfg.config.mediaTitle then 60 else 0;
    });
    sandbox.method = "bunpen";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDri = true;
    sandbox.whitelistS6 = true;
--- a/hosts/common/programs/objdump.nix
+++ b/hosts/common/programs/objdump.nix
@@ -4,7 +4,6 @@
    # binutils-unwrapped is like 80 MiB, just for this one binary;
    # dynamic linking means copying the binary doesn't reduce the closure much at all compared to just symlinking it.
    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.binutils-unwrapped "objdump";
    sandbox.method = "bunpen";
    sandbox.autodetectCliPaths = "existingFile";
  };
 }
--- a/hosts/common/programs/ols.nix
+++ b/hosts/common/programs/ols.nix
@@ -39,7 +39,6 @@
    secrets.".config/ols/ols.toml" = ../../../secrets/common/ols.toml.bin;
    sandbox.method = "bunpen";
    sandbox.net = "all";
    services.ols = {
--- a/hosts/common/programs/pactl.nix
+++ b/hosts/common/programs/pactl.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.pactl = {
    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.pulseaudio "pactl";
    sandbox.method = "bunpen";
    sandbox.whitelistAudio = true;
  };
 }
--- a/hosts/common/programs/papers.nix
+++ b/hosts/common/programs/papers.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.papers = {
    buildCost = 2;  #< webkitgtk
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [ "user" ];  #< for clicking links
    sandbox.whitelistDri = true;  #< speedier
    sandbox.whitelistWayland = true;
--- a/hosts/common/programs/pidof.nix
+++ b/hosts/common/programs/pidof.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.pidof = {
    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.procps "pidof";
    sandbox.method = "bunpen";
    sandbox.keepPidsAndProc = true;
  };
 }
--- a/hosts/common/programs/pipewire/default.nix
+++ b/hosts/common/programs/pipewire/default.nix
@@ -54,8 +54,6 @@ in
      "wireplumber"
    ];
    # sandbox.method = "landlock";  #< works, including without rtkit
    sandbox.method = "bunpen";  #< also works, but can't claim the full scheduling priority it wants
    sandbox.whitelistAudio = true;
    # sandbox.whitelistDbus = [
    #   # dbus is used for rtkit integration
--- a/hosts/common/programs/pkill.nix
+++ b/hosts/common/programs/pkill.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.pkill = {
    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.procps "pkill";
    sandbox.method = "bunpen";
    sandbox.keepPidsAndProc = true;
  };
 }
--- a/hosts/common/programs/playerctl.nix
+++ b/hosts/common/programs/playerctl.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  sane.programs.playerctl = {
    sandbox.method = "bunpen";
    sandbox.wrapperType = "inplace";  #< /lib/pkgconfig/playerctl.pc refers to $out by full path
    sandbox.whitelistDbus = [ "user" ];  # notifications
--- a/hosts/common/programs/portfolio-filemanager.nix
+++ b/hosts/common/programs/portfolio-filemanager.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.portfolio-filemanager = {
    # this is all taken pretty directly from nautilus config
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [ "user" ];  # for portals launching apps
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/ps.nix
+++ b/hosts/common/programs/ps.nix
@@ -2,7 +2,6 @@
 {
  sane.programs.ps = {
    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.procps "ps";
    sandbox.method = "bunpen";
    sandbox.keepPidsAndProc = true;
  };
 }
--- a/hosts/common/programs/ripgrep.nix
+++ b/hosts/common/programs/ripgrep.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  sane.programs.ripgrep = {
    sandbox.method = "bunpen";
    sandbox.autodetectCliPaths = "existing";
    sandbox.whitelistPwd = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/rofi/default.nix
+++ b/hosts/common/programs/rofi/default.nix
@@ -94,7 +94,6 @@ in
      "rofi-run-command"
    ];
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [ "user" ];  #< to launch apps via the portal
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
@@ -167,7 +166,6 @@ in
        })
      ];
    };
    sandbox.method = "bunpen";
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      ".cache/rofi"
--- a/hosts/common/programs/sane-deadlines.nix
+++ b/hosts/common/programs/sane-deadlines.nix
@@ -15,7 +15,6 @@ in
    };
    packageUnwrapped = pkgs.sane-scripts.deadlines;
    sandbox.method = "bunpen";
    sandbox.extraHomePaths = [ "knowledge/planner/deadlines.tsv" ];
    fs.".profile".symlink.text = lib.mkIf cfg.config.showOnLogin ''
--- a/hosts/common/programs/sane-input-handler/default.nix
+++ b/hosts/common/programs/sane-input-handler/default.nix
@@ -93,7 +93,6 @@ in
      "xdg-terminal-exec"
      "wvkbd"
    ];
    sandbox.method = "bunpen";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];  #< to launch applications
    sandbox.extraRuntimePaths = [ "sway" ];
--- a/hosts/common/programs/sane-open.nix
+++ b/hosts/common/programs/sane-open.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  sane.programs.sane-open = {
    sandbox.method = "bunpen";
    sandbox.autodetectCliPaths = "existing";  # for when opening a file
    sandbox.whitelistDbus = [ "user" ];
    sandbox.keepPidsAndProc = true;  #< to toggle keyboard
--- a/hosts/common/programs/sane-private-unlock-remote.nix
+++ b/hosts/common/programs/sane-private-unlock-remote.nix
@@ -5,7 +5,6 @@ in
 {
  sane.programs."sane-private-unlock-remote" = {
    packageUnwrapped = pkgs.sane-scripts.private-unlock-remote;
    sandbox.method = "bunpen";
    sandbox.net = "all";
    sandbox.extraHomePaths = [
      ".config/sops"
--- a/hosts/common/programs/sane-screenshot.nix
+++ b/hosts/common/programs/sane-screenshot.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  sane.programs.sane-screenshot = {
    sandbox.method = "bunpen";
    sandbox.whitelistWayland = true;
    sandbox.whitelistDbus = [ "user" ];  #< to send notifications
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -153,7 +153,6 @@ in
      tryKeepUsers = true;
    };
    "sane-scripts.secrets-dump".sandbox.method = "bunpen";
    "sane-scripts.secrets-dump".sandbox.extraHomePaths = [
      ".config/sops"
      "knowledge/secrets"
@@ -241,7 +240,7 @@ in
      "sane-scripts.ip-check"
    ];
-    "sane-scripts.which".sandbox.method = "bunpen";
+    "sane-scripts.which" = {};
    "sane-scripts.wipe".sandbox = {
      method = "bunpen";
--- a/hosts/common/programs/sane-secrets-unlock.nix
+++ b/hosts/common/programs/sane-secrets-unlock.nix
@@ -2,7 +2,6 @@
 {
  sane.programs."sane-secrets-unlock" = {
    packageUnwrapped = pkgs.sane-scripts.secrets-unlock;
    sandbox.method = "bunpen";
    sandbox.extraHomePaths = [
      ".ssh/id_ed25519"
      ".ssh/id_ed25519.pub"
--- a/hosts/common/programs/sane-sysload.nix
+++ b/hosts/common/programs/sane-sysload.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  sane.programs.sane-sysload = {
    sandbox.method = "bunpen";
    sandbox.extraPaths = [
      "/sys/class/power_supply"
      "/sys/devices"
--- a/hosts/common/programs/satellite.nix
+++ b/hosts/common/programs/satellite.nix
@@ -50,7 +50,6 @@
 { ... }:
 {
  sane.programs.satellite = {
    sandbox.method = "bunpen";
    sandbox.whitelistDbus = [
      "system"  #< reads NMEA data via ModemManager
    ];
--- a/hosts/common/programs/schlock.nix
+++ b/hosts/common/programs/schlock.nix
@@ -24,7 +24,6 @@ in
      };
    };
    sandbox.method = "bunpen";
    sandbox.whitelistWayland = true;
    secrets.".config/schlock/schlock.pin" = ../../../secrets/common/schlock.pin.bin;
--- a/hosts/common/programs/seatd.nix
+++ b/hosts/common/programs/seatd.nix
@@ -13,7 +13,6 @@ lib.mkMerge [
          "-Ddefaultpath=${seatdSock}"
        ];
      });
      sandbox.method = "bunpen";
      sandbox.capabilities = [
        "dac_override"  #< TODO: is there no way to get rid of this? (use the `tty` group?)
        # "sys_admin"
--- a/Show More
+++ b/Show More