container: optionally isolate host abstract UNIX domain sockets via landlock

2025-08-18 12:00:52 +09:00
parent 69a4ab8105
commit 5db0714072
17 changed files with 375 additions and 9 deletions
--- a/cmd/hpkg/app.go
+++ b/cmd/hpkg/app.go
@@ -28,6 +28,8 @@ type appInfo struct {
 	// passed through to [hst.Config]
 	Net bool `json:"net,omitempty"`
 	// passed through to [hst.Config]
+	Abstract bool `json:"abstract,omitempty"`
+	// passed through to [hst.Config]
 	Device bool `json:"dev,omitempty"`
 	// passed through to [hst.Config]
 	Tty bool `json:"tty,omitempty"`
@@ -87,6 +89,7 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
 			Devel:      app.Devel,
 			Userns:     app.Userns,
 			Net:        app.Net,
+			Abstract:   app.Abstract,
 			Device:     app.Device,
 			Tty:        app.Tty || flagDropShell,
 			MapRealUID: app.MapRealUID,