diff --git a/hosts/common/programs/seatd.nix b/hosts/common/programs/seatd.nix
index 001e92bf8..f4eefdf3f 100644
--- a/hosts/common/programs/seatd.nix
+++ b/hosts/common/programs/seatd.nix
@@ -60,19 +60,18 @@ lib.mkMerge [
 serviceConfig.Type = "simple";
 serviceConfig.ExecStart = "${cfg.package}/bin/seatd -g seat";
 serviceConfig.Group = "seat";
- # serviceConfig.AmbientCapabilities = [
- # "CAP_DAC_OVERRIDE"
- # "CAP_NET_ADMIN"
- # "CAP_SYS_ADMIN"
- # "CAP_SYS_TTY_CONFIG"
- # ];
+ serviceConfig.AmbientCapabilities = [
+ # XXX(2024-09-07): bwrap doesn't need ambients, but bunpen does since bunpen doesn't know to raise the caps it needs
+ # "CAP_DAC_OVERRIDE"
+ "CAP_NET_ADMIN"
+ "CAP_SYS_ADMIN"
+ # "CAP_SYS_TTY_CONFIG"
+ ];
 serviceConfig.CapabilityBoundingSet = [
- # TODO: these can probably be reduced if i switch to landlock for sandboxing,
- # or run as a user other than root
 # "CAP_CHOWN"
 "CAP_DAC_OVERRIDE" #< needed, to access /dev/tty
- "CAP_NET_ADMIN" #< needed by bwrap, for some reason??
- "CAP_SYS_ADMIN" #< needed by bwrap
+ "CAP_NET_ADMIN" #< needed by bwrap/bunpen, for some reason??
+ "CAP_SYS_ADMIN" #< needed by bwrap/bunpen
 "CAP_SYS_TTY_CONFIG"
 ];
 };
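Review bot: Making CAP_SYS_ADMIN and CAP_NET_ADMIN ambient means seatd and every process it execs inherit them unconditionally (ambient capabilities survive execve without file capabilities), which is a much larger effective grant than merely keeping them in the bounding set, and CAP_SYS_ADMIN in particular is close to full root. The commit also deletes the TODO about reducing this set via landlock or a non-root user, so the only remaining pointer to shrinking it is gone; I'd keep that reminder next to the new XXX comment, e.g. `# TODO: drop the ambient set once bunpen raises its own caps; the bounding set can likely shrink if seatd runs as a non-root user`. The XXX comment frames this as a bunpen limitation, so if that is accurate the durable fix is on the bunpen side, with the ambient list treated as a dated workaround to remove rather than a permanent setting. The enclosing attrset and `lib.mkMerge [` begin outside the hunk.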