seatd: ACTUALLY sandbox with bunpen

hosts/common/programs/seatd.nix

@@ -13,9 +13,8 @@ lib.mkMerge [
           "-Ddefaultpath=${seatdSock}"
         ];
       });
-      sandbox.method = "bwrap";
+      sandbox.method = "bunpen";
       sandbox.capabilities = [
-        # "chown"
         "dac_override"  #< TODO: is there no way to get rid of this? (use the `tty` group?)
         # "sys_admin"
         "sys_tty_config"
@@ -58,18 +57,18 @@ lib.mkMerge [
       restartIfChanged = false;
 
       serviceConfig.Type = "simple";
-      serviceConfig.ExecStart = "${cfg.package}/bin/seatd -g seat";
+      serviceConfig.ExecStart = "${cfg.package}/bin/seatd -g seat --bunpen-debug=4";
       serviceConfig.Group = "seat";
       # serviceConfig.AmbientCapabilities = [
-      #   # "CAP_DAC_OVERRIDE"
+      #   "CAP_DAC_OVERRIDE"
       #   "CAP_NET_ADMIN"
       #   "CAP_SYS_ADMIN"
-      #   # "CAP_SYS_TTY_CONFIG"
+      #   "CAP_SYS_TTY_CONFIG"
       # ];
       serviceConfig.CapabilityBoundingSet = [
-        # "CAP_CHOWN"
         "CAP_DAC_OVERRIDE"  #< needed, to access /dev/tty
         "CAP_NET_ADMIN"  #< needed by bwrap/bunpen to unshare net namespace (undocumented requirement?)
+        "CAP_SETPCAP"  #< TODO: this is a limitation of bunpen, which wants to add caps from bounding to inheritable, and drop from ambient
         "CAP_SYS_ADMIN"  #< needed by bwrap/bunpen
         "CAP_SYS_TTY_CONFIG"
       ];