container: skip landlock on hostnet

This overlaps with net namespace, so can be skipped without degrading security. Signed-off-by: Ophestra <cat@gensokyo.uk>
2026-04-07 14:36:44 +09:00
parent 10f8b1c221
commit c758e762bd
1 changed files with 2 additions and 2 deletions
--- a/container/container.go
+++ b/container/container.go
@@ -324,9 +324,9 @@ func (p *Container) Start() error {
 				}

 				if abi, err := LandlockGetABI(); err != nil {
-					if p.HostAbstract {
+					if p.HostAbstract || !p.HostNet {
 						// landlock can be skipped here as it restricts access
-						// to resources already covered by namespaces (pid)
+						// to resources already covered by namespaces (pid, net)
 						goto landlockOut
 					}
 					return &StartError{Step: "get landlock ABI", Err: err}