by trikko 453 days ago
Are (abstract) unix sockets supported?

I'm trying to run a self-contained webserver executable without any external dependency. It starts, but daemon <-> workers communication doesn't seem to be working (it is done via a unix socket).

It works fine with bubblewrap or inside a scratch docker container.


aren't abstract sockets un-jailable unless using network namespaces?

or in the other direction, to truly prevent e.g. the xorg socket from being accessed by a bubblejailed application, it should exclude --share-net, regardless of whether you bind the actual path to the socket (since abstract permeates beyond that)
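The point of the comment above in working code, as an added example (not code from the thread): an abstract socket is a name in the network namespace, not a path, so a loopback connect succeeds without any file existing, and a line of /proc/net/unix tells a sandbox auditor which sockets are abstract. The socket name and the /proc/net/unix sample lines in the test are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Abstract address: sun_path[0] == '\0' then the name (must fit in sun_path);
 * the length passed to bind()/connect() ends right after the name. */
static socklen_t abstract_addr(struct sockaddr_un *sa, const char *name)
{
    size_t n = strlen(name);
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path + 1, name, n);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* Listen on an abstract socket, then connect to it from a second descriptor.
 * Returns 1 if reachable, 0 if connect() failed, -1 on setup error. No file
 * is created, so a bind mount or chroot cannot hide the name; only a network
 * namespace or Landlock scope can. The pid suffix avoids clashes (constructed). */
int abstract_reachable(const char *base)
{
    char name[64];
    struct sockaddr_un sa;
    snprintf(name, sizeof name, "%s.%d", base, (int)getpid());
    socklen_t len = abstract_addr(&sa, name);
    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv < 0) return -1;
    if (bind(srv, (struct sockaddr *)&sa, len) < 0 || listen(srv, 1) < 0) { close(srv); return -1; }
    int cli = socket(AF_UNIX, SOCK_STREAM, 0);
    int ok = cli >= 0 && connect(cli, (struct sockaddr *)&sa, len) == 0;
    if (cli >= 0) close(cli);
    close(srv);
    return ok ? 1 : 0;
}

/* One line of /proc/net/unix: the kernel prints abstract names with a leading
 * '@', filesystem sockets as a plain path, unnamed sockets with no path column.
 * Returns 1 for abstract, 0 otherwise, -1 if the line is malformed. */
int proc_net_unix_is_abstract(const char *line)
{
    unsigned long inode; char path[256];
    int n = sscanf(line, "%*lx: %*lx %*lx %*lx %*lx %*lx %lu %255s", &inode, path);
    if (n < 1) return -1;
    return n == 2 && path[0] == '@';
}
```

Reading /proc/net/unix from inside the sandbox and feeding each line to proc_net_unix_is_abstract shows exactly which abstract names remain reachable after the jail is set up.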

Well, so should it work?

You're telling me there's another reason, then... Can't guess which one.

Hmmm...

they can be jailed by landlock, we don't have support in go-landlock tho afaik, @Gnoack
It's tracked in https://github.com/landlock-lsm/go-landlock/issues/35 - signals and abstract Unix sockets unfortunately do not interact well with the inherently multithreaded Go runtime. We are working on a fix in https://github.com/landlock-lsm/go-landlock/issues/36, but this needs to be on the kernel side, and this is delaying this feature in Go, unfortunately. It is usable from (single-threaded) C programs though.
Thanks!