iotop: sandbox with bunpen

hosts/common/programs/assorted.nix

@@ -778,11 +778,10 @@ in
     inetutils.sandbox.capabilities = [ "net_raw" ];  # for `sudo traceroute google.com`
     inetutils.sandbox.tryKeepUsers = true;
 
-    iotop.sandbox.method = "landlock";
-    iotop.sandbox.extraPaths = [
-      "/proc"
-    ];
+    iotop.sandbox.method = "bunpen";
     iotop.sandbox.capabilities = [ "net_admin" ];
+    iotop.sandbox.keepPidsAndProc = true;
+    iotop.sandbox.tryKeepUsers = true;
 
     # provides `ip`, `routel`, `bridge`, others.
     # landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace (which requires sudo)