by dsp_person 452 days ago
aren't abstract sockets un-jailable unless using network namespaces?

or, in the other direction, to truly prevent e.g. the xorg socket from being accessed by a bubblejailed application, it should exclude --share-net, regardless of whether you bind the actual path to the socket (since the abstract namespace permeates beyond that)


Well, so should it work?

You're telling me there's another reason, then... Can't guess which one.

Hmmm...

They can be jailed by Landlock; we don't have support in go-landlock though, AFAIK. @Gnoack
It's tracked in https://github.com/landlock-lsm/go-landlock/issues/35 - signals and abstract Unix sockets unfortunately do not interact well with the inherently multithreaded Go runtime. We are working on a fix in https://github.com/landlock-lsm/go-landlock/issues/36, but this needs to be on the kernel side, and this is delaying the feature in Go, unfortunately. It is usable from (single-threaded) C programs though.
Thanks!
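An added illustration of both points in this thread (an abstract socket has no path for a bind-mount jail to exclude, and Landlock can scope it from a single-threaded C program); this is constructed for this page, not code from any commenter or from go-landlock. It assumes the Landlock ABI v6 ruleset layout, scope flag and syscall numbers of Linux 6.12+ (copied into the file rather than taken from headers), and the names `scoped_connect_test` and `landlock_scope_abstract_unix` are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>
/* Landlock ABI v6 (Linux 6.12+) ruleset layout and scope flag, as in <linux/landlock.h>;
 * redefined here (assumption) so the file also builds against older UAPI headers. */
struct ll_ruleset_attr { uint64_t handled_access_fs, handled_access_net, scoped; };
#define LL_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)
/* Abstract address: sun_path starts with a NUL byte, so nothing exists on disk. */
static socklen_t abstract_addr(struct sockaddr_un *sa, const char *name) {
    size_t n = strlen(name);
    if (n > sizeof sa->sun_path - 1) n = sizeof sa->sun_path - 1;
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path + 1, name, n);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}
/* Enter a Landlock domain that scopes abstract Unix sockets only.
 * Returns 0 on success, -1 if this kernel or sandbox does not support it. */
static int landlock_scope_abstract_unix(void) {
    struct ll_ruleset_attr attr = { .scoped = LL_SCOPE_ABSTRACT_UNIX_SOCKET };
    int fd = (int)syscall(444 /* landlock_create_ruleset */, &attr, sizeof attr, 0);
    if (fd < 0) return -1;
    int rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
             syscall(446 /* landlock_restrict_self */, fd, 0);
    close(fd);
    return rc ? -1 : 0;
}
/* Bind an abstract listener, fork a child that optionally enters the scoped domain,
 * and let it connect back. Returns 0: connected (no path-based jail could have
 * stopped this); 1: Landlock denied it with EPERM because the socket was bound
 * outside the child's domain; 2: Landlock unavailable here; -1/3: other error. */
int scoped_connect_test(const char *name, int sandbox_child) {
    struct sockaddr_un sa; socklen_t len = abstract_addr(&sa, name);
    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv < 0 || bind(srv, (struct sockaddr *)&sa, len) || listen(srv, 1)) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (sandbox_child && landlock_scope_abstract_unix()) _exit(2);
        if (connect(socket(AF_UNIX, SOCK_STREAM, 0), (struct sockaddr *)&sa, len) == 0) _exit(0);
        _exit(errno == EPERM ? 1 : 3);
    }
    int status = 0;
    if (pid > 0) waitpid(pid, &status, 0);
    close(srv);
    return pid > 0 && WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

On a kernel without ABI v6 the scoped run reports 2, which is exactly the case where only a network namespace (the `--share-net` point above) keeps the abstract socket out of reach.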