give unprivileged nspawn container write access to host wayland socket

I recently moved to pure Wayland, and I want to run a graphical application in an unprivileged container (user namespace isolation). The application needs write access to the Wayland socket on the host side. What's the best way to achieve this?
I've been able to do this if I map the host UID/GID range using --private-users=0:65536, but then there is no namespace isolation. Also, I would have to map the same range to every container, and the documentation states it's bad security-wise to have it overlap.

Best regards.


