From 5eca45891bcc4b63475728d88a3b0437f768c8c8 Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 5 Aug 2024 22:54:20 +0000
Subject: [PATCH] sanebox: fix landlock sandboxing IAB edgecases i don't fully understand it. but adjusting the Inh capability set breaks things like gocryptfs. i think it isn't necessary: if we set E alone, and no-new-privs, then that gets us the same guarantees.
---
 pkgs/additional/sanebox/sanebox | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/additional/sanebox/sanebox b/pkgs/additional/sanebox/sanebox
index 17396ad28..7b5df7e0c 100755
--- a/pkgs/additional/sanebox/sanebox
+++ b/pkgs/additional/sanebox/sanebox
@@ -870,7 +870,7 @@ capshonlyIngestCapability() {
 # therefore, only grant it those capabilities i know will succeed.
 if capsh "--has-p=cap_$1" 2>/dev/null; then
 if [ -z "$capshCapsArg" ]; then
- capshCapsArg=cap_$1=eip
+ capshCapsArg=cap_$1=ep
 else
 capshCapsArg=cap_$1,$capshCapsArg
 fi
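Review bot: The new `capshCapsArg=cap_$1=ep` line carries no comment saying why the inheritable flag is left out, and the rationale in the commit message rests on no-new-privs, which is set (if at all) outside this hunk. Record that dependency at the line, e.g. `# e+p only: touching the inheritable set broke gocryptfs; safe only while the caller also sets no-new-privs`. A capability that is not inheritable cannot be raised as ambient, so whether a non-root sandboxed program still receives these capabilities after exec depends on the capsh invocation built elsewhere; a regression test comparing CapInh/CapPrm/CapEff from `/proc/self/status` inside the sandbox before and after this change would confirm the claimed equivalence. The body of capshonlyIngestCapability starts and ends outside the hunk.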