seatd: sandbox with bunpen

2024-09-07 15:39:50 +00:00
parent 4dfc0bf323
commit 454c109ef8
1 changed files with 9 additions and 10 deletions
--- a/hosts/common/programs/seatd.nix
+++ b/hosts/common/programs/seatd.nix
@@ -60,19 +60,18 @@ lib.mkMerge [
      serviceConfig.Type = "simple";
      serviceConfig.ExecStart = "${cfg.package}/bin/seatd -g seat";
      serviceConfig.Group = "seat";
-      # serviceConfig.AmbientCapabilities = [
-      #   "CAP_DAC_OVERRIDE"
-      #   "CAP_NET_ADMIN"
-      #   "CAP_SYS_ADMIN"
-      #   "CAP_SYS_TTY_CONFIG"
-      # ];
+      serviceConfig.AmbientCapabilities = [
+        # XXX(2024-09-07): bwrap doesn't need ambients, but bunpen does since bunpen doesn't know to raise the caps it needs
+        # "CAP_DAC_OVERRIDE"
+        "CAP_NET_ADMIN"
+        "CAP_SYS_ADMIN"
+        # "CAP_SYS_TTY_CONFIG"
+      ];
      serviceConfig.CapabilityBoundingSet = [
-        # TODO: these can probably be reduced if i switch to landlock for sandboxing,
-        # or run as a user other than root
        # "CAP_CHOWN"
        "CAP_DAC_OVERRIDE"  #< needed, to access /dev/tty
-        "CAP_NET_ADMIN"  #< needed by bwrap, for some reason??
-        "CAP_SYS_ADMIN"  #< needed by bwrap
+        "CAP_NET_ADMIN"  #< needed by bwrap/bunpen, for some reason??
+        "CAP_SYS_ADMIN"  #< needed by bwrap/bunpen
        "CAP_SYS_TTY_CONFIG"
      ];
    };