modules/programs: sandbox: add enable flag and capabilities structured config

modules/programs/default.nix

@@ -34,7 +34,7 @@ let
 
   # wrap a package so that its binaries (maybe) run in a sandbox
   wrapPkg = pkgName: { fs, net, persist, sandbox, ... }: package: (
-    if sandbox.method == null then
+    if !sandbox.enable || sandbox.method == null then
       package
     else
       let
@@ -43,7 +43,7 @@ let
       in
         makeSandboxed {
           inherit pkgName package;
-          inherit (sandbox) binMap embedProfile extraConfig method wrapperType;
+          inherit (sandbox) binMap capabilities embedProfile extraConfig method wrapperType;
           vpn = if net == "vpn" then vpn else null;
           allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths;
           allowedRootPaths = [
@@ -222,6 +222,10 @@ let
           how/whether to sandbox all binaries in the package.
         '';
       };
+      sandbox.enable = mkOption {
+        type = types.bool;
+        default = true;
+      };
       sandbox.embedProfile = mkOption {
         type = types.bool;
         default = false;
@@ -258,6 +262,14 @@ let
             then set `sandbox.binMap.umpv = "mpv";` to sandbox `bin/umpv` with the same rules as `bin/mpv`
         '';
       };
+      sandbox.capabilities = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          list of Linux capabilities the program needs. lowercase, and without the cap_ prefix.
+          e.g. sandbox.capabilities = [ "net_admin" "net_raw" ];
+        '';
+      };
       sandbox.extraPaths = mkOption {
         type = types.listOf types.str;
         default = [];

modules/programs/make-sandboxed.nix

@@ -15,7 +15,7 @@ let
     runHook postFixup
   '';
 in
-{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {}, extraConfig ? [], embedProfile ? false }:
+{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false }:
 let
   sane-sandboxed' = sane-sandboxed.meta.mainProgram;  #< load by bin name to reduce rebuilds
 
@@ -30,6 +30,8 @@ let
   allowPaths = paths: lib.flatten (builtins.map allowPath paths);
   allowHomePaths = paths: lib.flatten (builtins.map allowHomePath paths);
 
+  capabilityFlags = lib.flatten (builtins.map (c: [ "--sane-sandbox-cap" c ]) capabilities);
+
   vpnItems = [
     "--sane-sandbox-net"
     vpn.bridgeDevice
@@ -42,6 +44,7 @@ let
     "--sane-sandbox-method" method
   ] ++ allowPaths allowedRootPaths
     ++ allowHomePaths allowedHomePaths
+    ++ capabilityFlags
     ++ lib.optionals (vpn != null) vpnItems
     ++ extraConfig;
 
@@ -62,7 +65,7 @@ let
   # note that no.2 ("wrappedDerivation") *doesn't support .desktop files yet*.
   # the final package simply doesn't include .desktop files, only bin/.
   package' = if wrapperType == "inplace" then
-    if package.override.__functionArgs ? runCommand then
+    if ((package.override or {}).__functionArgs or {}) ? runCommand then
       package.override {
         runCommand = name: env: cmd: runCommand name env (cmd + lib.optionalString (name == package.name) ''
           # if the package is a runCommand (common for wrappers), then patch it to call our `postFixup` hook, first