From 454c109ef8aa94827eefb838730df54e95131b51 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sat, 7 Sep 2024 15:39:50 +0000
Subject: [PATCH] seatd: sandbox with bunpen

---
 hosts/common/programs/seatd.nix | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/hosts/common/programs/seatd.nix b/hosts/common/programs/seatd.nix
index 001e92bf8..f4eefdf3f 100644
--- a/hosts/common/programs/seatd.nix
+++ b/hosts/common/programs/seatd.nix
@@ -60,19 +60,18 @@ lib.mkMerge [
 serviceConfig.Type = "simple";
 serviceConfig.ExecStart = "${cfg.package}/bin/seatd -g seat";
 serviceConfig.Group = "seat";
- # serviceConfig.AmbientCapabilities = [
- # "CAP_DAC_OVERRIDE"
- # "CAP_NET_ADMIN"
- # "CAP_SYS_ADMIN"
- # "CAP_SYS_TTY_CONFIG"
- # ];
+ serviceConfig.AmbientCapabilities = [
+ # XXX(2024-09-07): bwrap doesn't need ambients, but bunpen does since bunpen doesn't know to raise the caps it needs
+ # "CAP_DAC_OVERRIDE"
+ "CAP_NET_ADMIN"
+ "CAP_SYS_ADMIN"
+ # "CAP_SYS_TTY_CONFIG"
+ ];
 serviceConfig.CapabilityBoundingSet = [
- # TODO: these can probably be reduced if i switch to landlock for sandboxing,
- # or run as a user other than root
 # "CAP_CHOWN"
 "CAP_DAC_OVERRIDE" #< needed, to access /dev/tty
- "CAP_NET_ADMIN" #< needed by bwrap, for some reason??
- "CAP_SYS_ADMIN" #< needed by bwrap
+ "CAP_NET_ADMIN" #< needed by bwrap/bunpen, for some reason??
+ "CAP_SYS_ADMIN" #< needed by bwrap/bunpen
 "CAP_SYS_TTY_CONFIG"
 ];
 };
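Review bot: The new `serviceConfig.AmbientCapabilities` block grants CAP_SYS_ADMIN and CAP_NET_ADMIN as ambient capabilities, and ambient capabilities are preserved across execve into any non-setuid child, so every helper this unit ends up spawning inherits them rather than only the sandbox wrapper that needs them; the XXX comment should record that consequence so the next reader does not take it for a bounding-set-style limit. I would extend the comment to something like `# NOTE: ambient caps are inherited by every child exec'd from this unit, not just bunpen; revisit once bunpen can raise its own caps` and keep the removed `TODO` about reducing these via landlock or a non-root user in the `CapabilityBoundingSet` list, since nothing in this commit resolves it. The `#< needed by bwrap/bunpen, for some reason??` annotation on CAP_NET_ADMIN still documents an unknown; since this commit now also makes that capability ambient, it is worth either naming the actual reason (presumably a namespace operation in the sandbox wrapper, though that is not visible here) or checking whether the unit still starts with it dropped from both lists. The surrounding `lib.mkMerge` attribute set starts before this hunk.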