sandbox a bunch more apps

hosts/common/programs/assorted.nix

@@ -221,6 +221,7 @@ in
 
 
     # INDIVIDUAL PACKAGE DEFINITIONS
+    "cacert.unbundled".sandbox.enable = false;
 
     cargo.persist.byStore.plaintext = [ ".cargo" ];
 
@@ -228,8 +229,12 @@ in
     delfin.persist.byStore.private = [ ".config/delfin" ];
 
     # creds, but also 200 MB of node modules, etc
+    discord.sandbox.method = "bwrap";
     discord.persist.byStore.private = [ ".config/discord" ];
 
+    dtc.sandbox.method = "bwrap";
+    dtc.sandbox.autodetectCliPaths = true;  # TODO:sandbox: untested
+
     endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
 
     # `emote` will show a first-run dialog based on what's in this directory.
@@ -237,28 +242,62 @@ in
     # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
     emote.persist.byStore.plaintext = [ ".local/share/Emote" ];
 
+    eza.sandbox.method = "landlock";  # ls replacement
+    eza.sandbox.wrapperType = "wrappedDerivation";  # slow to build
+    eza.sandbox.autodetectCliPaths = true;
+    eza.sandbox.whitelistPwd = true;
+
+    fd.sandbox.method = "landlock";
+    fd.sandbox.wrapperType = "wrappedDerivation";  # slow to build
+    fd.sandbox.autodetectCliPaths = true;
+    fd.sandbox.whitelistPwd = true;
+
+    ffmpeg.sandbox.method = "bwrap";
+    ffmpeg.sandbox.wrapperType = "wrappedDerivation";  # slow to build
+    ffmpeg.sandbox.autodetectCliPaths = true;
+
+    file.sandbox.method = "bwrap";
+    file.sandbox.autodetectCliPaths = true;
+
     fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
 
+    font-manager.sandbox.method = "bwrap";
     font-manager.packageUnwrapped = pkgs.font-manager.override {
       # build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
       withWebkit = false;
     };
 
+    gawk.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    gawk.sandbox.autodetectCliPaths = true;
+
+    gdb.sandbox.method = "landlock";  # TODO:sandbox: untested
+    gdb.sandbox.autodetectCliPaths = true;
+
     # MS GitHub stores auth token in .config
     # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
     gh.persist.byStore.private = [ ".config/gh" ];
 
     gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
 
+    # TODO: gnome-maps: move to own file
     "gnome.gnome-maps".persist.byStore.plaintext = [ ".cache/shumate" ];
     "gnome.gnome-maps".persist.byStore.private = [ ".local/share/maps-places.json" ];
 
+    # jq.sandbox.autodetectCliPaths = true;  # liable to over-detect
+
+    mercurial.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    mercurial.sandbox.whitelistPwd = true;
+    mimeo.sandbox.method = "capshonly";  # xdg-open replacement
+
     # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
     # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
     monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
 
     mumble.persist.byStore.private = [ ".local/share/Mumble" ];
 
+    nano.sandbox.method = "bwrap";
+    nano.sandbox.autodetectCliPaths = true;
+
     # settings (electron app)
     obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];
 
@@ -266,6 +305,19 @@ in
       requests
     ]);
 
+    ripgrep.sandbox.method = "landlock";
+    ripgrep.sandbox.wrapperType = "wrappedDerivation";  # slow to build
+    ripgrep.sandbox.autodetectCliPaths = true;
+    ripgrep.sandbox.whitelistPwd = true;
+
+    rsync.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    rsync.sandbox.autodetectCliPaths = true;
+
+    sequoia.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    sequoia.sandbox.wrapperType = "wrappedDerivation";  # slow to build
+    sequoia.sandbox.whitelistPwd = true;
+    sequoia.sandbox.autodetectCliPaths = true;
+
     shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
 
     # printer/filament settings
@@ -273,17 +325,43 @@ in
 
     space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
 
+    subversion.sandbox.method = "bwrap";
+    subversion.sandbox.whitelistPwd = true;
+    sudo.sandbox.enable = false;
+
     superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
 
     tdesktop.persist.byStore.private = [ ".local/share/TelegramDesktop" ];
 
     tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
 
+    tcpdump.sandbox.method = "landlock";
+    tcpdump.sandbox.autodetectCliPaths = true;
+    tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];
+    tree.sandbox.method = "landlock";
+    tree.sandbox.autodetectCliPaths = true;
+    tree.sandbox.whitelistPwd = true;
+
+    unzip.sandbox.method = "bwrap";
+    unzip.sandbox.autodetectCliPaths = true;
+    unzip.sandbox.whitelistPwd = true;
+
+    visidata.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    visidata.sandbox.autodetectCliPaths = true;
+
     vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
 
+    wget.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    wget.sandbox.whitelistPwd = true;  # saves to pwd by default
+
     whalebird.persist.byStore.private = [ ".config/Whalebird" ];
 
+    xdg-utils.sandbox.method = "capshonly";
+
     yarn.persist.byStore.plaintext = [ ".cache/yarn" ];
+
+    yt-dlp.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    yt-dlp.sandbox.whitelistPwd = true;  # saves to pwd by default
   };
 
   programs.feedbackd = lib.mkIf config.sane.programs.feedbackd.enabled {

hosts/common/programs/imagemagick.nix

@@ -1,6 +1,9 @@
 { pkgs, ... }:
 {
   sane.programs.imagemagick = {
+    sandbox.method = "bwrap";
+    sandbox.whitelistPwd = true;
+    sandbox.autodetectCliPaths = true;  #< arg formatting is complicated enough that this won't always work.
     packageUnwrapped = pkgs.imagemagick.override {
       ghostscriptSupport = true;
     };