Quoting Alexander Larsson (alexl@xxxxxxxxxx):
> I'm working on using container technology to sandbox desktop
> applications, and I've run into an issue with abstract unix domain
> sockets. Generally unix domain sockets work fine in a container
> situation because they are naturally namespaced via the filesystem
> namespace.
>
> However, abstract socket addresses are global to the *network*
> namespace. This means that if you need to share the host network
> namespace (typically so you have full ip networking access) you can't
> limit access to *any* service that listens to an abstract unix socket.
>
> I don't particularly need to use abstract sockets, so it would be ok to
> just disallow its use in the container. I've looked at using seccomp for
> this, but it doesn't seem to help here, as it needs to dereference the
> socket address to tell if it's abstract or not.
>
> Does anyone have any idea how to do this?

You should be able to use recent apparmor or selinux.
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
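Added example, not part of the original thread: the abstract/pathname distinction discussed above lives in the bytes of the `sockaddr_un` that `bind()`/`connect()` receive by pointer, which is why a seccomp filter (it sees only the pointer value) cannot test it, while a kernel-side check such as an LSM sees the copied-in address. The helper names `classify_unix_addr` and `make_unix_addr` and the socket name are assumptions made for this illustration; the classification follows unix(7).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

enum unix_addr_kind { UNIX_ADDR_INVALID, UNIX_ADDR_UNNAMED,
                      UNIX_ADDR_PATHNAME, UNIX_ADDR_ABSTRACT };

/* Classify an AF_UNIX address as unix(7) defines it: no path bytes means
 * unnamed, a leading NUL byte means abstract, anything else is a pathname. */
enum unix_addr_kind classify_unix_addr(const struct sockaddr_un *sa, socklen_t len)
{
    const socklen_t hdr = offsetof(struct sockaddr_un, sun_path);
    if (sa == NULL || len < hdr || len > sizeof(*sa) || sa->sun_family != AF_UNIX)
        return UNIX_ADDR_INVALID;
    if (len == hdr)
        return UNIX_ADDR_UNNAMED;
    return sa->sun_path[0] == '\0' ? UNIX_ADDR_ABSTRACT : UNIX_ADDR_PATHNAME;
}

/* Fill *sa and return the length to pass to bind()/connect(); 0 if too long.
 * Abstract names get a leading NUL and no terminator; pathnames are NUL-terminated. */
socklen_t make_unix_addr(struct sockaddr_un *sa, const char *name, int abstract)
{
    size_t n = strlen(name), off = abstract ? 1 : 0, tail = abstract ? 0 : 1;
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    if (off + n + tail > sizeof(sa->sun_path))
        return 0;
    memcpy(sa->sun_path + off, name, n);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + off + n + tail);
}

/* Bind a constructed abstract name, then classify what the kernel reports back. */
int main(void)
{
    struct sockaddr_un sa, bound;
    socklen_t len = make_unix_addr(&sa, "example-abstract-demo", 1);
    socklen_t blen = sizeof(bound);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, len) < 0) {
        perror("socket/bind"); return 1;
    }
    if (getsockname(fd, (struct sockaddr *)&bound, &blen) < 0) {
        perror("getsockname"); return 1;
    }
    printf("bound address kind: %d (3 = abstract)\n", classify_unix_addr(&bound, blen));
    close(fd);
    return 0;
}
```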