container: optionally isolate host abstract UNIX domain sockets via landlock

2025-08-18 12:00:52 +09:00
parent 69a4ab8105
commit 5db0714072
17 changed files with 375 additions and 9 deletions
--- a/test/sandbox/case/device.nix
+++ b/test/sandbox/case/device.nix
@@ -243,7 +243,7 @@ in
    seccomp = true;

    try_socket = "/tmp/.X11-unix/X0";
-    socket_abstract = true;
+    socket_abstract = false;
    socket_pathname = true;
  };
 }
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
@@ -269,7 +269,7 @@ in
    seccomp = true;

    try_socket = "/tmp/.X11-unix/X0";
-    socket_abstract = true;
+    socket_abstract = false;
    socket_pathname = false;
  };
 }
--- a/test/sandbox/case/pd.nix
+++ b/test/sandbox/case/pd.nix
@@ -194,5 +194,9 @@
    ];

    seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = true;
+    socket_pathname = false;
  };
 }
--- a/test/sandbox/case/pdlike.nix
+++ b/test/sandbox/case/pdlike.nix
@@ -264,7 +264,7 @@ in
    seccomp = true;

    try_socket = "/tmp/.X11-unix/X0";
-    socket_abstract = true;
+    socket_abstract = false;
    socket_pathname = false;
  };
 }
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@@ -262,7 +262,7 @@ in
    seccomp = true;

    try_socket = "/tmp/.X11-unix/X0";
-    socket_abstract = true;
+    socket_abstract = false;
    socket_pathname = false;
  };
 }
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@@ -275,7 +275,7 @@ in
    seccomp = true;

    try_socket = "/tmp/.X11-unix/X0";
-    socket_abstract = true;
+    socket_abstract = false;
    socket_pathname = true;
  };
 }