container: optionally isolate host abstract UNIX domain sockets via landlock

internal/app/app_pd_linux_test.go

@@ -62,6 +62,7 @@ var testCasesPd = []sealTestCase{
 				Remount(m("/"), syscall.MS_RDONLY),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
 			HostNet:        true,
+			HostAbstract:   true,
 			RetainSession:  true,
 			ForwardCancel:  true,
 		},
@@ -203,6 +204,7 @@ var testCasesPd = []sealTestCase{
 				Remount(m("/"), syscall.MS_RDONLY),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
 			HostNet:        true,
+			HostAbstract:   true,
 			RetainSession:  true,
 			ForwardCancel:  true,
 		},

internal/app/seal_linux.go

@@ -238,10 +238,11 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		}
 
 		conf := &hst.ContainerConfig{
-			Userns:  true,
-			Net:     true,
-			Tty:     true,
-			AutoEtc: true,
+			Userns:   true,
+			Net:      true,
+			Abstract: true,
+			Tty:      true,
+			AutoEtc:  true,
 
 			AutoRoot:  container.AbsFHSRoot,
 			RootFlags: container.BindWritable,

nixos.nix

@@ -132,12 +132,12 @@ in
                         devel
                         userns
                         net
+                        abstract
                         device
                         tty
                         multiarch
                         env
                         ;
-                      scope_abstract = app.scopeAbstract;
                       map_real_uid = app.mapRealUid;
 
                       filesystem =

options.md

@@ -572,28 +572,6 @@ boolean
 
 
 
-*Example:*
-` true `
-
-
-## environment\.hakurei\.apps\.\<name>\.scopeAbstract
-
-
-
-Whether to restrict abstract UNIX domain socket access\.
-
-
-
-*Type:*
-boolean
-
-
-
-*Default:*
-` true `
-
-
-
 *Example:*
 ` true `
 

options.nix

@@ -182,9 +182,7 @@ in
               net = mkEnableOption "network access" // {
                 default = true;
               };
-              scopeAbstract = mkEnableOption "abstract unix domain socket access" // {
-                default = true;
-              };
+              abstract = mkEnableOption "abstract unix domain socket access";
 
               nix = mkEnableOption "nix daemon access";
               mapRealUid = mkEnableOption "mapping to priv-user uid";

test/sandbox/case/pd.nix

@@ -194,5 +194,9 @@
     ];
 
     seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = true;
+    socket_pathname = false;
   };
 }