internal/pkg: optional landlock LSM

The alpine linux riscv64 kernel does not enable Landlock LSM, and kernel compilation is not yet feasible.

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/pkg/exec.go

@@ -397,6 +397,7 @@ const SeccompPresets = std.PresetStrict &
 func (a *execArtifact) makeContainer(
 	ctx context.Context,
 	msg message.Msg,
+	flags int,
 	hostNet bool,
 	temp, work *check.Absolute,
 	getArtifact GetArtifactFunc,
@@ -423,7 +424,9 @@ func (a *execArtifact) makeContainer(
 	z.SeccompFlags |= seccomp.AllowMultiarch
 	z.ParentPerm = 0700
 	z.HostNet = hostNet
+	z.HostAbstract = flags&CHostAbstract != 0
 	z.Hostname = "cure"
+	z.SetScheduler = flags&CSchedIdle != 0
 	z.SchedPolicy = ext.SCHED_IDLE
 	if z.HostNet {
 		z.Hostname = "cure-net"
@@ -559,6 +562,7 @@ func (c *Cache) EnterExec(
 	var z *container.Container
 	z, err = e.makeContainer(
 		ctx, c.msg,
+		c.flags,
 		hostNet,
 		temp, work,
 		func(a Artifact) (*check.Absolute, unique.Handle[Checksum]) {
@@ -598,14 +602,13 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 	msg := f.GetMessage()
 	var z *container.Container
 	if z, err = a.makeContainer(
-		ctx, msg, hostNet,
+		ctx, msg, f.cache.flags, hostNet,
 		f.GetTempDir(), f.GetWorkDir(),
 		f.GetArtifact,
 		f.cache.Ident,
 	); err != nil {
 		return
 	}
-	z.SetScheduler = f.cache.flags&CSchedIdle != 0
 
 	var status io.Writer
 	if status, err = f.GetStatusWriter(); err != nil {