programs: sandbox lsof with capsh only

can't get it to sandbox any more aggressively with either landlock or
bwrap

hosts/common/programs/assorted.nix

@@ -443,6 +443,9 @@ in
     losslesscut-bin.sandbox.whitelistWayland = true;
     losslesscut-bin.sandbox.whitelistX = true;
 
+    lsof.sandbox.method = "capshonly";  # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
+    lsof.sandbox.wrapperType = "wrappedDerivation";
+
     "mate.engrampa".sandbox.method = "bwrap";  # TODO:sandbox: untested
     "mate.engrampa".sandbox.wrapperType = "inplace";
     "mate.engrampa".sandbox.whitelistWayland = true;