container: skip landlock on hostnet
All checks were successful
Test / Create distribution (push) Successful in 1m34s
Test / Sandbox (push) Successful in 3m46s
Test / ShareFS (push) Successful in 5m0s
Test / Sandbox (race detector) (push) Successful in 6m10s
Test / Hakurei (race detector) (push) Successful in 7m29s
Test / Hakurei (push) Successful in 3m21s
Test / Flake checks (push) Successful in 1m43s
All checks were successful
Test / Create distribution (push) Successful in 1m34s
Test / Sandbox (push) Successful in 3m46s
Test / ShareFS (push) Successful in 5m0s
Test / Sandbox (race detector) (push) Successful in 6m10s
Test / Hakurei (race detector) (push) Successful in 7m29s
Test / Hakurei (push) Successful in 3m21s
Test / Flake checks (push) Successful in 1m43s
This overlaps with net namespace, so can be skipped without degrading security. Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
@@ -324,9 +324,9 @@ func (p *Container) Start() error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if abi, err := LandlockGetABI(); err != nil {
|
if abi, err := LandlockGetABI(); err != nil {
|
||||||
if p.HostAbstract {
|
if p.HostAbstract || !p.HostNet {
|
||||||
// landlock can be skipped here as it restricts access
|
// landlock can be skipped here as it restricts access
|
||||||
// to resources already covered by namespaces (pid)
|
// to resources already covered by namespaces (pid, net)
|
||||||
goto landlockOut
|
goto landlockOut
|
||||||
}
|
}
|
||||||
return &StartError{Step: "get landlock ABI", Err: err}
|
return &StartError{Step: "get landlock ABI", Err: err}
|
||||||
|
|||||||
Reference in New Issue
Block a user