From c758e762bd0334b6f86fbc41ab3223b9115e9982 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Tue, 7 Apr 2026 14:36:44 +0900
Subject: [PATCH] container: skip landlock on hostnet

This overlaps with net namespace, so can be skipped without degrading security.

Signed-off-by: Ophestra
---
 container/container.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/container/container.go b/container/container.go
index 30b77c8d..480452cd 100644
--- a/container/container.go
+++ b/container/container.go
@@ -324,9 +324,9 @@ func (p *Container) Start() error {
 }
 if abi, err := LandlockGetABI(); err != nil {
- if p.HostAbstract {
+ if p.HostAbstract || !p.HostNet {
 // landlock can be skipped here as it restricts access
- // to resources already covered by namespaces (pid)
+ // to resources already covered by namespaces (pid, net)
 goto landlockOut
 }
 return &StartError{Step: "get landlock ABI", Err: err}
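Review bot: With the condition widened to `p.HostAbstract || !p.HostNet`, any error from `LandlockGetABI()` is now discarded on the `goto landlockOut` path for every container that does not share the host network, with nothing logged and no distinction between a kernel without Landlock and an unexpected failure. The comment's reasoning holds only while the Landlock restrictions applied later in `Start` (outside this hunk) are all duplicated by the pid and net namespaces, so I would state that invariant in place, e.g. `// valid only while every Landlock restriction applied below is duplicated by a namespace; revisit when adding rules`. It would also help to report `err` through whatever logging `Start` already has before jumping, so an operator can tell that this layer was not applied. The subject says "on hostnet" while the skip fires when `HostNet` is unset; the body matches the code, so the subject wording looks inverted.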