Nix docker sanbox required capabilities list

In the official description of the image (https://hub.docker.com/r/nixos/nix), it states that in order for sandboxing to work, you need to run it with --privileged. --privileged gives out all capabilities.
While that a solution, I was wondering if anywhere exact required capabilities are documented?