From fc865574bf92bb5d1d02ec8d45dddc2bc595b92d Mon Sep 17 00:00:00 2001
From: Colin
Date: Sat, 7 Sep 2024 20:26:36 +0000
Subject: [PATCH] iputils: sandbox with bunpen

---
 hosts/common/programs/assorted.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 2a66a57d6..79f3ab10f 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -801,9 +801,10 @@ in
 # iptables.sandbox.capabilities = [ "net_admin" ];
 
 # iputils provides `ping` (and arping, clockdiff, tracepath)
- iputils.sandbox.method = "landlock";
+ iputils.sandbox.method = "bunpen";
 iputils.sandbox.net = "all";
 iputils.sandbox.capabilities = [ "net_raw" ];
+ iputils.sandbox.tryKeepUsers = true; # for `sudo arping 10.78.79.1`
 
 iw.sandbox.method = "landlock";
 iw.sandbox.net = "all";
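Review bot: `iputils.sandbox.tryKeepUsers = true` is set for the whole iputils package, but its trailing comment justifies it only for `sudo arping`, so `ping`, `clockdiff` and `tracepath` inherit the same relaxation alongside `net = "all"` and `net_raw`. What the option does is not visible in this hunk; presumably it lets the sandbox keep the invoking user (root under sudo) rather than remapping it, which should be confirmed against the sandbox module. Once confirmed, a comment on the line above would make the scope explicit, something like `# tryKeepUsers applies to every iputils binary, not only arping: the sandbox keeps the caller's uid (e.g. root via sudo)`. If the module supports a narrower scope, limiting this to arping would keep the other tools at the tighter default. The enclosing attribute set starts and ends outside the hunk.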