bunpen/seatd: remove CAP_NET_ADMIN: creating a net namespace does NOT require that, rather it was a quirk in bwrap

hosts/common/programs/seatd.nix

@@ -67,7 +67,7 @@ lib.mkMerge [
       # ];
       serviceConfig.CapabilityBoundingSet = [
         "CAP_DAC_OVERRIDE"  #< needed, to access /dev/tty
-        "CAP_NET_ADMIN"  #< needed by bwrap/bunpen to unshare net namespace (undocumented requirement?)
+        # "CAP_NET_ADMIN"  #< only needed by bwrap
         "CAP_SETPCAP"  #< TODO: this is a limitation of bunpen, which wants to add caps from bounding to inheritable, and drop from ambient
         "CAP_SYS_ADMIN"  #< needed by bwrap/bunpen
         "CAP_SYS_TTY_CONFIG"

pkgs/additional/bunpen/restrict/namespace.ha

@@ -43,19 +43,13 @@ export fn namespace_restrict(what: *resources) void = {
     let unshare_keep_users = what_to_unshare & ~rt::ext::clone_flag::NEWUSER;
     if (try_unshare(unshare_keep_users)) {
       what_to_unshare = 0;
-    } else {
-      log::println("[namespace] failed to unshare w/o user namespace. raising caps and trying again");
+    } else if ((what_to_unshare & rt::ext::clone_flag::NEWNS) != 0) {
+      log::println("[namespace] failed to unshare w/o user namespace. raising CAP_SYS_ADMIN and trying again");
+
       let raise_caps = rt::ext::CAPS_NONE;
-      if ((what_to_unshare & rt::ext::clone_flag::NEWNS) != 0) {
-        caps_add(&raise_caps, rt::ext::cap::SYS_ADMIN);
-        // i can't find documentation that unsharing the netns requires CAP_NET_ADMIN,
-        // but empirically, it does (? e.g. remove this and seatd fails)
-        if ((what_to_unshare & rt::ext::clone_flag::NEWNET) != 0)
-          caps_add(&raise_caps, rt::ext::cap::NET_ADMIN);
-      };
-      if (try_unshare_with(unshare_keep_users, raise_caps)) {
+      caps_add(&raise_caps, rt::ext::cap::SYS_ADMIN);
+      if (try_unshare_with(unshare_keep_users, raise_caps))
         what_to_unshare = 0;
-      };
     };
   };