sanebox: add --sanebox-capsh-arg flag

pkgs/additional/sanebox/sanebox

@@ -94,6 +94,7 @@ portalEnv=()
 
 # arguments to forward onto a specific backend (if that backend is active)
 bwrapArgs=()
+capshArgs=()
 pastaArgs=()
 
 usage() {
@@ -126,6 +127,7 @@ usage() {
   echo '  --sanebox-no-portal'
   echo '      undo a previous `--sanebox-portal` arg'
   echo '  --sanebox-bwrap-arg <arg>'
+  echo '  --sanebox-capsh-arg <arg>'
   echo '  --sanebox-pasta-arg <arg>'
   echo '  --sanebox-net-dev <iface>|all'
   echo '  --sanebox-net-gateway <ip-address>'
@@ -550,6 +552,11 @@ parseArgs() {
         shift
         bwrapArgs+=("$bwrapArg")
         ;;
+      (--sanebox-capsh-arg)
+        local capshArg=$1
+        shift
+        capshArgs+=("$capshArg")
+        ;;
       (--sanebox-pasta-arg)
         local pastaArg=$1
         shift
@@ -808,11 +815,11 @@ landlockGetCli() {
   # N.B: capsh passes its arg to bash (via /nix/store/.../bash), which means you have to `-c "my command"` to
   # invoke the actual user command.
   locate _sandboxer "sandboxer" "$LANDLOCK_SANDBOXER_FALLBACK"
-  locate _capsh "capsh" "$CAPSH_FALLBACK"
   locate _env "env" "$ENV_FALLBACK"
+  capshonlyGetCli
   cliArgs=("$_env" LL_FS_RO= LL_FS_RW="$landlockPaths" "${landlockNetFlags[@]}"
     "$_sandboxer"
-    "$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="$_env" -- "${portalEnv[@]}" "${cliArgs[@]}"
+    "${cliArgs[@]}"
   )
 }
 
@@ -866,7 +873,7 @@ capshonlyGetCli() {
   locate _capsh "capsh" "$CAPSH_FALLBACK"
   locate _env "env" "$ENV_FALLBACK"
   cliArgs=(
-    "$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="$_env" -- "${portalEnv[@]}" "${cliArgs[@]}"
+    "$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="$_env" "${capshArgs[@]}" -- "${portalEnv[@]}" "${cliArgs[@]}"
   )
 }