sanebox: capshonly: be more precise about preserving e/i/p capabilities

with this, gocryptfs works AND wg works

pkgs/additional/sanebox/sanebox

@@ -855,7 +855,8 @@ landlockGetCli() {
 # this backend exists because apps which are natively bwrap may complain about having ambient privileges.
 # then, run them in a capsh sandbox, which ignores any path sandboxing and just lowers privs to what's needed.
 
-capshCapsArg=
+# all=: means to clear all capabilities
+capshCapsArg="all="
 
 capshonlySetup() {
   debug "capshonlySetup: noop"
@@ -885,12 +886,20 @@ capshonlyIngestCapability() {
   # `capsh --caps=CAP_FOO=eip -- true` will fail if we don't have CAP_FOO,
   # but for my use i'd still like to try running the command even if i can't grant it all capabilities.
   # therefore, only grant it those capabilities i know will succeed.
-  if capsh "--has-p=cap_$1" 2>/dev/null; then
-    if [ -z "$capshCapsArg" ]; then
-      capshCapsArg=cap_$1=ep
-    else
-      capshCapsArg=cap_$1,$capshCapsArg
+
+  capsh "--has-p=cap_$1" 2>/dev/null
+  local hasP=$?
+  capsh "--has-i=cap_$1" 2>/dev/null
+  local hasI=$?
+  if [ "$hasP" = 0 ] || [ "$hasI" = 0 ]; then
+    # hasP means "able to add to E or I set.
+    # so, if we have the cap in *either* P or I, then we can place it in I here.
+    # only if we have it in P can we add it to P and E.
+    local ext=i
+    if [ "$hasP" = 0 ]; then
+      ext="e${ext}p"
     fi
+    capshCapsArg="$capshCapsArg cap_$1+$ext"
   else
     debug "capsh: don't have capability $1"
   fi