modules/programs: sandboxing: unshare ipc/cgroup/uts by default

modules/programs/sane-sandboxed

@@ -315,11 +315,16 @@ bwrapIngestCapability() {
 # WIP
 
 bwrapExec() {
+  # --unshare-all implies the following:
   # --unshare-pid: mean that the /proc mount does not expose /proc/$PID/ for every other process on the machine.
   # --unshare-net creates a new net namespace with only the loopback interface.
   #               if `bwrapFlags` contains --share-net, thiss is canceled and the program sees an unsandboxed network.
+  # --unshare-ipc
+  # --unshare-cgroup
+  # --unshare-uts
+  # --unshare-user (implicit to every non-suid call to bwrap)
   PATH="$PATH:@bubblewrap@/bin" exec \
-    bwrap --unshare-net --unshare-pid --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
+    bwrap --unshare-all --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
     "${cliArgs[@]}"
 }