UNTESTED: assorted: add sandbox.tryKeepUsers to programs which appear to need capabilities

hosts/common/programs/assorted.nix

@@ -482,8 +482,9 @@ in
     cryptsetup.sandbox.tryKeepUsers = true;
     cryptsetup.sandbox.keepIpc = true;
 
-    ddrescue.sandbox.method = "landlock";  # TODO:sandbox: untested
+    ddrescue.sandbox.method = "bunpen";
     ddrescue.sandbox.autodetectCliPaths = "existingOrParent";
+    ddrescue.sandbox.tryKeepUsers = true;
 
     delfin.buildCost = 1;
     delfin.sandbox.method = "bwrap";
@@ -550,9 +551,10 @@ in
     # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
     emote.persist.byStore.plaintext = [ ".local/share/Emote" ];
 
-    ethtool.sandbox.method = "bwrap";
+    ethtool.sandbox.method = "bunpen";
     ethtool.sandbox.capabilities = [ "net_admin" ];
     ethtool.sandbox.net = "all";
+    ethtool.sandbox.tryKeepUsers = true;
 
     evtest.sandbox.method = "bunpen";
     evtest.sandbox.autodetectCliPaths = "existingFile";  # `evtest /dev/foo` to monitor events for a specific device
@@ -573,8 +575,9 @@ in
       ".persist/plaintext"
     ];
 
-    fatresize.sandbox.method = "landlock";
+    fatresize.sandbox.method = "bunpen";
     fatresize.sandbox.autodetectCliPaths = "parent";  # /dev/sda1 -> needs /dev/sda
+    fatresize.sandbox.tryKeepUsers = true;
 
     fd.sandbox.method = "bunpen";
     fd.sandbox.autodetectCliPaths = "existing";
@@ -825,9 +828,10 @@ in
     iputils.sandbox.capabilities = [ "net_raw" ];
     iputils.sandbox.tryKeepUsers = true;  # for `sudo arping 10.78.79.1`
 
-    iw.sandbox.method = "landlock";
+    iw.sandbox.method = "bunpen";
     iw.sandbox.net = "all";
     iw.sandbox.capabilities = [ "net_admin" ];
+    iw.sandbox.tryKeepUsers = true;
 
     jq.sandbox.method = "bunpen";
     jq.sandbox.autodetectCliPaths = "existingFile";