container: optionally isolate host abstract UNIX domain sockets via landlock

2025-08-18 12:00:52 +09:00
parent 69a4ab8105
commit 5db0714072
17 changed files with 375 additions and 9 deletions
--- a/internal/app/container_linux.go
+++ b/internal/app/container_linux.go
@@ -33,6 +33,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 		SeccompPresets: s.SeccompPresets,
 		RetainSession:  s.Tty,
 		HostNet:        s.Net,
+		HostAbstract:   s.Abstract,

 		// the container is canceled when shim is requested to exit or receives an interrupt or termination signal;
 		// this behaviour is implemented in the shim