container: optionally isolate host abstract UNIX domain sockets via landlock

2025-08-18 16:28:14 +09:00
6 changed files with 13 additions and 30 deletions
--- a/internal/app/app_pd_linux_test.go
+++ b/internal/app/app_pd_linux_test.go
@ -62,6 +62,7 @@ var testCasesPd = []sealTestCase{
 				Remount(m("/"), syscall.MS_RDONLY),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
 			HostNet:        true,
+			HostAbstract:   true,
 			RetainSession:  true,
 			ForwardCancel:  true,
 		},
@ -203,6 +204,7 @@ var testCasesPd = []sealTestCase{
 				Remount(m("/"), syscall.MS_RDONLY),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
 			HostNet:        true,
+			HostAbstract:   true,
 			RetainSession:  true,
 			ForwardCancel:  true,
 		},
--- a/internal/app/seal_linux.go
+++ b/internal/app/seal_linux.go
@ -240,6 +240,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		conf := &hst.ContainerConfig{
 			Userns:   true,
 			Net:      true,
+			Abstract: true,
 			Tty:      true,
 			AutoEtc:  true,

--- a/nixos.nix
+++ b/nixos.nix
@ -132,12 +132,12 @@ in
                        devel
                        userns
                        net
+                        abstract
                        device
                        tty
                        multiarch
                        env
                        ;
-                      scope_abstract = app.scopeAbstract;
                      map_real_uid = app.mapRealUid;

                      filesystem =
--- a/options.md
+++ b/options.md
@ -572,28 +572,6 @@ boolean



-*Example:*
-` true `
-
-
-## environment\.hakurei\.apps\.\<name>\.scopeAbstract
-
-
-
-Whether to restrict abstract UNIX domain socket access\.
-
-
-
-*Type:*
-boolean
-
-
-
-*Default:*
-` true `
-
-
-
 *Example:*
 ` true `

--- a/options.nix
+++ b/options.nix
@ -182,9 +182,7 @@ in
              net = mkEnableOption "network access" // {
                default = true;
              };
-              scopeAbstract = mkEnableOption "abstract unix domain socket access" // {
-                default = true;
-              };
+              abstract = mkEnableOption "abstract unix domain socket access";

              nix = mkEnableOption "nix daemon access";
              mapRealUid = mkEnableOption "mapping to priv-user uid";
--- a/test/sandbox/case/pd.nix
+++ b/test/sandbox/case/pd.nix
@ -194,5 +194,9 @@
    ];

    seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = true;
+    socket_pathname = false;
  };
 }