author Maximilian Bosch <maximilian@mbosch.me> 2023-08-09 13:06:10 +0200
committer Maximilian Bosch <maximilian@mbosch.me> 2023-08-10 14:06:38 +0200
commit 183be440fd08476354ef35a1203cf0fcd511d2f2
tree 8299bbac0331939f3fa9dfc2bfd793d220ed2ead /pkgs/development/python-modules/python-mapnik
parent a14013769370b021e23200e7199d8cfaeb97098a
nixos/captive-browser: drop setcap wrapper for captive-browser
Since Linux 5.7 it's possible to set `SO_BINDTODEVICE` via `setsockopt(2)` as unprivileged user if this operation doesn't imply escaping a VRF interface[1].

Dropping the wrapper is actually desirable because `captive-browser` itself doesn't drop capabilities and as a result, the capabilities are passed on to `chromium` itself[2].

For older kernels, this is still necessary, hence the wrapper will only be added nowadays if the kernel is older than 5.7.

[1] https://github.com/torvalds/linux/commit/c427bfec18f2190b8f4718785ee8ed2db4f84ee6
[2] https://github.com/FiloSottile/captive-browser/blob/08450562e58bf9564ee98ad64ef7b2800e53338f/bind_device_linux.go#L11-L14
    and because our setcap wrapper makes all capabilities inheritable.
Diffstat (limited to 'pkgs/development/python-modules/python-mapnik')
0 files changed, 0 insertions, 0 deletions
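
An added example, not part of this commit or of nixpkgs: a check for the two conditions the commit message describes, namely whether a kernel release predates 5.7 and whether a child process such as the browser still carries capabilities in its `/proc/<pid>/status` capability sets. It assumes that `CAP_NET_RAW` is the capability `SO_BINDTODEVICE` needed on older kernels; the function names and both status samples are constructed for illustration.

```python
import re

# Bit numbers from linux/capability.h (only the network-related ones are named).
CAP_BITS = {12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW"}

# Constructed samples of the Cap* lines in /proc/<pid>/status.
WRAPPED_CHILD = """Name:\tchromium
CapInh:\t0000000000002000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000002000
"""
UNPRIVILEGED_CHILD = """Name:\tchromium
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

def needs_setcap_wrapper(kernel_release: str) -> bool:
    """True when the release (as printed by `uname -r`) is older than 5.7."""
    m = re.match(r"(\d+)\.(\d+)", kernel_release)
    if not m:
        raise ValueError(f"unparseable kernel release: {kernel_release!r}")
    return (int(m.group(1)), int(m.group(2))) < (5, 7)

def cap_sets(status_text: str) -> dict:
    """Parse the Cap* hex masks into {set name: set of capability bit numbers}."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", line.strip())
        if m:
            mask = int(m.group(2), 16)
            sets[m.group(1)] = {bit for bit in range(64) if (mask >> bit) & 1}
    return sets

def leaked_caps(status_text: str) -> dict:
    """Non-empty inheritable, permitted, effective or ambient sets, by name.

    The bounding set is skipped: it is a limit, not a grant.
    """
    return {
        name: sorted(CAP_BITS.get(bit, f"cap_{bit}") for bit in bits)
        for name, bits in cap_sets(status_text).items()
        if name != "CapBnd" and bits
    }
```

On a live system, feed `leaked_caps` the contents of `/proc/<pid>/status` for the browser process started by `captive-browser`; an empty result means no capability reached it.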