sanebox: improve the capsh stuff a bit more

pkgs/additional/sanebox/sanebox

@@ -886,17 +886,29 @@ capshonlyIngestCapability() {
   # `capsh --caps=CAP_FOO=eip -- true` will fail if we don't have CAP_FOO,
   # but for my use i'd still like to try running the command even if i can't grant it all capabilities.
   # therefore, only grant it those capabilities i know will succeed.
+  locate _capsh "capsh" "$CAPSH_FALLBACK"
 
-  capsh "--has-p=cap_$1" 2>/dev/null
-  local hasP=$?
-  capsh "--has-i=cap_$1" 2>/dev/null
-  local hasI=$?
-  if [ "$hasP" = 0 ] || [ "$hasI" = 0 ]; then
+  local hasP=
+  local hasI=
+  if "$_capsh" "--has-a=cap_$1" 2>/dev/null; then
+    # XXX: this ambient special case could probably be removed:
+    # a capability can't be ambient without also being I and P, IIUC.
+    hasP=1
+    hasI=1
+  else
+    if "$_capsh" "--has-p=cap_$1" 2>/dev/null; then
+      hasP=1
+    fi
+    if "$_capsh" "--has-i=cap_$1" 2>/dev/null; then
+      hasI=1
+    fi
+  fi
+  if [ -n "$hasI" ] || [ -n "$hasP" ]; then
     # hasP means "able to add to E or I set.
     # so, if we have the cap in *either* P or I, then we can place it in I here.
     # only if we have it in P can we add it to P and E.
     local ext=i
-    if [ "$hasP" = 0 ]; then
+    if [ -n "$hasP" ]; then
       ext="e${ext}p"
     fi
     capshCapsArg="$capshCapsArg cap_$1+$ext"