From 9b8bdfaf5e8a1c11b39da7de55acf58403513a0f Mon Sep 17 00:00:00 2001
From: Colin
Date: Sat, 7 Sep 2024 18:24:33 +0000
Subject: [PATCH] seatd: ACTUALLY sandbox with bunpen

---
 hosts/common/programs/seatd.nix | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/hosts/common/programs/seatd.nix b/hosts/common/programs/seatd.nix
index dd950fa33..9994f0fe7 100644
--- a/hosts/common/programs/seatd.nix
+++ b/hosts/common/programs/seatd.nix
@@ -13,9 +13,8 @@ lib.mkMerge [
         "-Ddefaultpath=${seatdSock}"
       ];
     });
-    sandbox.method = "bwrap";
+    sandbox.method = "bunpen";
     sandbox.capabilities = [
-      # "chown"
       "dac_override" #< TODO: is there no way to get rid of this? (use the `tty` group?)
       # "sys_admin"
       "sys_tty_config"
@@ -58,18 +57,18 @@ lib.mkMerge [
     restartIfChanged = false;

     serviceConfig.Type = "simple";
-    serviceConfig.ExecStart = "${cfg.package}/bin/seatd -g seat";
+    serviceConfig.ExecStart = "${cfg.package}/bin/seatd -g seat --bunpen-debug=4";
     serviceConfig.Group = "seat";
     # serviceConfig.AmbientCapabilities = [
-    #   # "CAP_DAC_OVERRIDE"
+    #   "CAP_DAC_OVERRIDE"
     #   "CAP_NET_ADMIN"
     #   "CAP_SYS_ADMIN"
-    #   # "CAP_SYS_TTY_CONFIG"
+    #   "CAP_SYS_TTY_CONFIG"
     # ];
     serviceConfig.CapabilityBoundingSet = [
-      # "CAP_CHOWN"
       "CAP_DAC_OVERRIDE" #< needed, to access /dev/tty
       "CAP_NET_ADMIN" #< needed by bwrap/bunpen to unshare net namespace (undocumented requirement?)
+      "CAP_SETPCAP" #< TODO: this is a limitation of bunpen, which wants to add caps from bounding to inheritable, and drop from ambient
       "CAP_SYS_ADMIN" #< needed by bwrap/bunpen
       "CAP_SYS_TTY_CONFIG"
     ];
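Review bot: The `--bunpen-debug=4` appended to `serviceConfig.ExecStart` in the second hunk reads as a leftover diagnostic setting rather than a deliberate production value, and nothing in the commit says which process consumes it (presumably the bunpen wrapper rather than seatd itself, which would otherwise see an unknown flag). Either drop it before merging or annotate it, e.g. `serviceConfig.ExecStart = "${cfg.package}/bin/seatd -g seat --bunpen-debug=4"; #< TODO: remove once the CAP_SETPCAP workaround below is understood`, since verbose sandbox-wrapper output for a daemon that opens /dev/tty and runs with CAP_SYS_ADMIN in its bounding set ends up in the journal. The new `"CAP_SETPCAP"` entry also deserves a sentence on its consequence: with it available, the wrapper can promote any other capability still in the bounding set to inheritable, so the bounding set listed here is the effective ceiling and should stay as short as it is; a comment such as `#< NOTE: with SETPCAP present the bounding set is the real limit; keep it minimal` would record that. The enclosing `lib.mkMerge [` attribute set begins before the first hunk and ends after the second, so the full capability picture is not visible here.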