I'm working on using container technology to sandbox desktop applications, and I've run into an issue with abstract unix domain sockets. Generally unix domain sockets work fine in a container situation because they are naturally namespaced via the filesystem namespace. However, abstract socket addresses are global to the *network* namespace. This means that if you need to share the host network namespace (typically so you have full ip networking access) you can't limit access to *any* service that listens to an abstract unix socket. I don't particularly need to use abstract sockets, so it would be ok to just disallow its use in the container. I've looked at using seccomp for this, but it doesn't seem to help here, as it needs to dereference the socket address to tell if its abstract or not. Does anyone have any idea how to do this? _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
