kat/hakurei
1
0
Fork 0
forked from rosa/hakurei
Code Pull Requests Activity

container: skip landlock on hostnet

Browse Source 
This overlaps with net namespace, so can be skipped without degrading security.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2026-04-07 14:36:44 +09:00
parent 10f8b1c221
commit c758e762bd
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
container/container.go
View File

@@ -324,9 +324,9 @@ func (p *Container) Start() error {
} }
if abi, err := LandlockGetABI(); err != nil { if abi, err := LandlockGetABI(); err != nil {
if p.HostAbstract { if p.HostAbstract || !p.HostNet {
// landlock can be skipped here as it restricts access // landlock can be skipped here as it restricts access
// to resources already covered by namespaces (pid) // to resources already covered by namespaces (pid, net)
goto landlockOut goto landlockOut
} }
return &StartError{Step: "get landlock ABI", Err: err} return &StartError{Step: "get landlock ABI", Err: err}