container: optionally isolate host abstract UNIX domain sockets via landlock

app: set up acl on X11 socket
The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging #1. Signed-off-by: Ophestra <cat@gensokyo.uk> # Conflicts: # test/sandbox/case/device.nix # test/sandbox/case/tty.nix
2025-08-18 11:50:05 +09:00 · 2025-08-18 11:49:49 +09:00
1 changed files with 0 additions and 10 deletions
--- a/container/container.go
+++ b/container/container.go
@ -7,7 +7,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
 	"os"
 	"os/exec"
 	"runtime"
@ -15,7 +14,6 @@ import (
 	. "syscall"
 	"time"

-	"hakurei.app/container/landlock"
 	"hakurei.app/container/seccomp"
 )

@ -94,8 +92,6 @@ type (
 		RetainSession bool
 		// Do not [syscall.CLONE_NEWNET].
 		HostNet bool
-		// Scope abstract UNIX domain sockets using LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET.
-		ScopeAbstract bool
 		// Retain CAP_SYS_ADMIN.
 		Privileged bool
 	}
@ -189,12 +185,6 @@ func (p *Container) Start() error {
 					"prctl(PR_SET_NO_NEW_PRIVS):")
 			}

-			if p.ScopeAbstract {
-				if err := landlock.ScopeAbstract(); err != nil {
-					log.Fatalf("could not scope abstract unix sockets: %v", err)
-				}
-			}
-
 			msg.Verbose("starting container init")
 			if err := p.cmd.Start(); err != nil {
 				return msg.WrapErr(err, err.Error())
Author	SHA1	Message	Date
Clayton Gilmer	c9eeafbbf0	container: optionally isolate host abstract UNIX domain sockets via landlock Some checks failed Test / Create distribution (pull_request) Failing after 32s Details Test / Sandbox (pull_request) Failing after 51s Details Test / Sandbox (race detector) (pull_request) Failing after 54s Details Test / Hpkg (pull_request) Failing after 56s Details Test / Hakurei (pull_request) Failing after 1m9s Details Test / Hakurei (race detector) (push) Failing after 1m0s Details Test / Hakurei (push) Failing after 1m11s Details Test / Hakurei (race detector) (pull_request) Failing after 1m18s Details Test / Flake checks (pull_request) Has been skipped Details Test / Create distribution (push) Failing after 30s Details Test / Sandbox (push) Failing after 49s Details Test / Hpkg (push) Failing after 48s Details Test / Sandbox (race detector) (push) Failing after 51s Details Test / Flake checks (push) Has been skipped Details	2025-08-18 11:50:05 +09:00
Ophestra	2f1d42c8dd	app: set up acl on X11 socket The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging #1. Signed-off-by: Ophestra <cat@gensokyo.uk> # Conflicts: # test/sandbox/case/device.nix # test/sandbox/case/tty.nix	2025-08-18 11:49:49 +09:00