libcap: split into separate capsh and captree programs, and sandbox the latter

hosts/common/programs/assorted.nix

@@ -38,6 +38,7 @@ in
       "bridge-utils"  # for brctl; debug linux "bridge" inet devices
       "btrfs-progs"
       "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
+      "captree"
       "cryptsetup"
       "curl"
       "ddrescue"
@@ -818,8 +819,6 @@ in
 
     libcamera = {};
 
-    libcap.packageUnwrapped = pkgs.libcap-with-captree;
-    libcap.sandbox.enable = false;  #< for `capsh`, which i use as a sandboxer
     libcap_ng.sandbox.enable = false;  # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
 
     libnotify.sandbox.method = "bwrap";

hosts/common/programs/capsh.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  sane.programs.capsh = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap "capsh";
+    sandbox.enable = false;  #< i use `capsh` as a sandboxer.
+  };
+}

hosts/common/programs/captree.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  sane.programs.captree = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap-with-captree "captree";
+    sandbox.method = "bwrap";
+    sandbox.isolatePids = false;
+  };
+}

hosts/common/programs/default.nix

@@ -21,6 +21,8 @@
     ./callaudiod.nix
     ./calls.nix
     ./cantata.nix
+    ./capsh.nix
+    ./captree.nix
     ./catt.nix
     ./celeste64.nix
     ./chatty.nix

hosts/common/programs/sanebox.nix

@@ -20,7 +20,7 @@ in
       bubblewrap = cfg.bubblewrap.package;
       iproute2 = cfg.iproute2.package;
       iptables = cfg.iptables.package;
-      libcap = cfg.libcap.package;
+      libcap = cfg.capsh.package;  #< the sandboxer doesn't use any other libcap binaries
       passt = cfg.passt.package;
       landlock-sandboxer = cfg.landlock-sandboxer.package;
       # landlock-sandboxer = pkgs.landlock-sandboxer.override {

modules/programs/default.nix

@@ -480,11 +480,11 @@ let
       suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [
         "bubblewrap" "passt" "iproute2" "iptables"
       ] ++ lib.optionals (config.sandbox.method == "landlock") [
-        "landlock-sandboxer" "libcap"
+        "landlock-sandboxer" "capsh"
       ] ++ lib.optionals (config.sandbox.method == "pastaonly") [
-        "passt" "iproute2" "iptables" "libcap"
+        "passt" "iproute2" "iptables" "capsh"
       ] ++ lib.optionals (config.sandbox.method == "capshonly") [
-        "libcap"
+        "capsh"
       ];
       # declare a fs dependency for each secret, but don't specify how to populate it yet.
       #   can't populate it here because it varies per-user.