From 786febbb9bddc8a138e9d73b9219fe779fc086bd Mon Sep 17 00:00:00 2001
From: Mitchell R
Date: Wed, 13 May 2026 12:53:31 +0200
Subject: [PATCH] fix(kiosk): strip caps so WebKit's bwrap sandbox can start

WebKitGTK launches bubblewrap for its web-content process; bwrap refuses to run when the parent process still carries unexpected CAP_* bits ("but not setuid, old file caps config?"). Setting CapabilityBoundingSet= + AmbientCapabilities= empty and NoNewPrivileges=yes gives bwrap a clean caps slate to drop from, so the sandbox initialises and web/dashboard cells render instead of crashing the kiosk.
---
deploy/systemd/betterframe-kiosk.service | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/deploy/systemd/betterframe-kiosk.service b/deploy/systemd/betterframe-kiosk.service
index 80485d5..f5749aa 100644
--- a/deploy/systemd/betterframe-kiosk.service
+++ b/deploy/systemd/betterframe-kiosk.service
@@ -36,5 +36,15 @@ ExecStart=/usr/bin/cage -s -- /opt/betterframe/kiosk/betterframe-kiosk
 Restart=always
 RestartSec=2

+# WebKitGTK uses bubblewrap for its web-content sandbox. bwrap aborts with
+# "Unexpected capabilities but not setuid" when launched from a process that
+# still carries CAP_* bits. Strip caps + lock NoNewPrivileges so WebKit's
+# sandbox can initialise cleanly. Without this WebKit cells crash on load.
+CapabilityBoundingSet=
+AmbientCapabilities=
+NoNewPrivileges=yes
+# Fallback if the above isn't enough on a given distro (disables WebKit sandbox):
+#Environment=WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1
+
 [Install]
 WantedBy=multi-user.target
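Review bot: The commented fallback `#Environment=WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1` is one uncommented character away from running every web/dashboard cell's content process unsandboxed on a deployed kiosk, and its comment only says it "disables WebKit sandbox"; I'd spell out the consequence so nobody flips it to get a stubborn host working: `# Last-resort fallback, never for a deployed kiosk: disables WebKit's web-content sandbox, so a renderer compromise runs with the kiosk user's full filesystem and network access.` Separately, `NoNewPrivileges=yes` also blocks setuid escalation, so on a host where bubblewrap is installed setuid because unprivileged user namespaces are disabled, this same line would break the sandbox rather than fix it, which is exactly the situation in which someone would reach for the fallback; a one-line note on that tradeoff next to the directive would help. If the unit runs without a `User=` (not visible in this hunk), the "unexpected caps" are root's full set, and running the kiosk as an unprivileged user is a more robust fix than emptying the bounding set for a root process.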