From 49efb94a0ac501fbefa71419f85da1bf4c8c5715 Mon Sep 17 00:00:00 2001
From: Colin
Date: Wed, 7 Aug 2024 20:16:15 +0000
Subject: [PATCH] seatd: restrict capabilities

---
 hosts/common/programs/seatd.nix | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/hosts/common/programs/seatd.nix b/hosts/common/programs/seatd.nix
index 83884053c..7ab056437 100644
--- a/hosts/common/programs/seatd.nix
+++ b/hosts/common/programs/seatd.nix
@@ -15,9 +15,10 @@ lib.mkMerge [
     });
     sandbox.method = "bwrap";
     sandbox.capabilities = [
-      "sys_tty_config"
       "sys_admin"
-      "chown"
+      # "chown"
       "dac_override" #< TODO: is there no way to get rid of this?
+      # "sys_admin"
+      "sys_tty_config"
     ];
     sandbox.extraPaths = [
       "/dev" #< TODO: this can be removed if i have seatd restart on client error such that seatd can discover devices as they appear
@@ -65,13 +66,15 @@ lib.mkMerge [
       #   "CAP_SYS_ADMIN"
       #   "CAP_SYS_TTY_CONFIG"
       # ];
-      # serviceConfig.CapabilityBoundingSet = [
-      #   # TODO: reduce!
-      #   "CAP_CHOWN"
-      #   "CAP_DAC_OVERRIDE"
-      #   "CAP_SYS_ADMIN"
-      #   "CAP_SYS_TTY_CONFIG"
-      # ];
+      serviceConfig.CapabilityBoundingSet = [
+        # TODO: these can probably be reduced if i switch to landlock for sandboxing,
+        # or run as a user other than root
+        # "CAP_CHOWN"
+        "CAP_DAC_OVERRIDE" #< needed, to access /dev/tty
+        "CAP_NET_ADMIN" #< needed by bwrap, for some reason??
+        "CAP_SYS_ADMIN" #< needed by bwrap
+        "CAP_SYS_TTY_CONFIG"
+      ];
     };
   })
 ]
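Review bot: The added `# "sys_admin"` entry sits two lines below a live `"sys_admin"` that this hunk keeps, so the list now carries the capability both enabled and as a commented-out copy, which reads as a leftover from re-sorting the list. Since the second hunk documents CAP_SYS_ADMIN as required by bwrap, the commented copy should be dropped (or the live entry moved into that slot so the list is alphabetical like the bounding set below). The `#< TODO` on `"dac_override"` would be more actionable if it named the access it exists for; the second hunk says `/dev/tty`, so `"dac_override" #< needed to open /dev/tty — keep in step with CapabilityBoundingSet below` ties the two lists together. The enclosing `lib.mkMerge` element starts and ends outside the hunk.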
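Review bot: `CAP_NET_ADMIN` enters the bounding set with the comment "needed by bwrap, for some reason??", which leaves the next reader unable to tell whether it is still required; as far as I know bwrap needs it only when the sandbox unshares the network namespace, because it brings the loopback interface up inside the new netns, so the comment should record that and the capability should be tied to that option: `"CAP_NET_ADMIN" #< bwrap brings lo up in the new netns when the net namespace is unshared; drop if seatd keeps the host netns`. Whether this unit's bwrap invocation actually unshares net is not visible in the hunk, so that wording should be confirmed against the sandbox definition. A one-line note that this set is only an upper bound — what seatd actually runs with is still governed by the `sandbox.capabilities` list earlier in the file, which must remain a subset of this one — would also help, since the two lists are now maintained in different places with different spellings. The enclosing `serviceConfig` attribute set starts outside the hunk.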