sanebox: handle --flag=path style of autodetected paths

hosts/common/programs/assorted.nix

@@ -511,7 +511,6 @@ in
       ".persist/plaintext"
     ];
 
-    # sed: there is an edgecase of `--file=<foo>`, wherein `foo` won't be whitelisted.
     gnused.sandbox.method = "bwrap";
     gnused.sandbox.autodetectCliPaths = "existingFile";
     gnused.sandbox.whitelistPwd = true;  #< `-i` flag creates a temporary file in pwd (?) and then moves it.

pkgs/additional/sanebox/sanebox

@@ -403,6 +403,8 @@ tryPath() {
 tryArgAsPath() {
   local arg=$1
   local how=$2
+  # norecurseFlag is used internally by this function when it recurses
+  local norecurseFlag=$3
   local path=
   case $arg in
     (/*)
@@ -416,12 +418,27 @@ tryArgAsPath() {
       urldecode _path "${arg:7}"
       path=$_path
       ;;
-    (-*)
-      # 99% chance it's a CLI argument. if not, use `./-<...>`
-      return
-      ;;
     (*)
-      # assume relative path
+      # could be a CLI argument or a relative path
+      # want to handle:
+      # - `--file=$path`
+      # - `file=$path`
+      # - `$path`
+      if [ -z "$norecurseFlag" ]; then
+        local pathInFlag=${arg#*=}
+        if [ "$pathInFlag" != "$arg" ]; then
+          tryArgAsPath "$pathInFlag" "$how" --norecurse
+          # 0.01% chance this was a path which contained an equal sign and not a flag, but don't handle that for now:
+          return
+        fi
+      fi
+
+      if [ "${arg:0:1}" = "-" ]; then
+        # 99% chance it's a CLI argument. if not, use `./-<...>`
+        return
+      fi
+
+      # try it as a relative path
       path=$PWD/$arg
       ;;
   esac