Limiting access to abstract unix domain sockets
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Dec 11 17:49:21 UTC 2014
Quoting Alexander Larsson (alexl at redhat.com):
> I'm working on using container technology to sandbox desktop
> applications, and I've run into an issue with abstract unix domain
> sockets. Generally unix domain sockets work fine in a container
> situation because they are naturally namespaced via the filesystem
> namespace.
>
> However, abstract socket addresses are global to the *network*
> namespace. This means that if you need to share the host network
> namespace (typically so you have full ip networking access) you can't
> limit access to *any* service that listens to an abstract unix socket.
>
> I don't particularly need to use abstract sockets, so it would be ok to
> just disallow its use in the container. I've looked at using seccomp for
> this, but it doesn't seem to help here, as it needs to dereference the
> socket address to tell if it's abstract or not.
>
> Does anyone have any idea how to do this?
You should be able to use recent apparmor or selinux.
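As an added illustration of the point raised in the quoted message (this is example code written for this page, not code from either poster), the following Linux C program shows why the abstract/filesystem distinction is invisible to a seccomp filter: the only thing that marks an abstract address is a leading NUL byte inside the `sockaddr_un` struct in user memory, while seccomp sees just the raw syscall registers (a pointer and a length). It also binds one abstract name twice to show that the name is a per-network-namespace resource with no filesystem entry behind it, so mount namespaces and file permissions never come into play. The function and socket names used here are assumptions for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* An abstract address is marked only by sun_path[0] == '\0'. The kernel sees
 * this after copying the struct from user memory; a seccomp filter sees only
 * the syscall arguments (a pointer and a length), so it cannot tell. */
int is_abstract(const struct sockaddr_un *sa, socklen_t len)
{
    return len > offsetof(struct sockaddr_un, sun_path) && sa->sun_path[0] == '\0';
}

/* Build a filesystem-path address; returns the length to pass to bind(). */
socklen_t make_path_addr(struct sockaddr_un *sa, const char *path)
{
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    snprintf(sa->sun_path, sizeof sa->sun_path, "%s", path);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + strlen(sa->sun_path) + 1);
}

/* Build an abstract address: leading NUL, then the name (no terminator needed). */
socklen_t make_abstract_addr(struct sockaddr_un *sa, const char *name)
{
    size_t n = strlen(name);
    if (n > sizeof sa->sun_path - 1)
        n = sizeof sa->sun_path - 1;
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    sa->sun_path[0] = '\0';
    memcpy(sa->sun_path + 1, name, n);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* Convenience wrappers: classify an address built from a path or a name. */
int addr_kind_of_path(const char *path)
{
    struct sockaddr_un sa;
    socklen_t len = make_path_addr(&sa, path);
    return is_abstract(&sa, len);
}

int addr_kind_of_abstract(const char *name)
{
    struct sockaddr_un sa;
    socklen_t len = make_abstract_addr(&sa, name);
    return is_abstract(&sa, len);
}

/* Bind the same abstract name on two sockets in the same network namespace.
 * Returns the errno of the second bind (expected EADDRINUSE), 0 if it
 * unexpectedly succeeded, or a negative errno if the first bind failed. */
int abstract_name_collision(const char *name)
{
    struct sockaddr_un sa;
    socklen_t len = make_abstract_addr(&sa, name);
    int a = socket(AF_UNIX, SOCK_STREAM, 0);
    int b = socket(AF_UNIX, SOCK_STREAM, 0);
    int err = -1;

    if (a < 0 || b < 0)
        goto out;
    if (bind(a, (struct sockaddr *)&sa, len) < 0) {
        err = -errno;
        goto out;
    }
    err = bind(b, (struct sockaddr *)&sa, len) < 0 ? errno : 0;
out:
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    return err;
}

int main(void)
{
    /* Assumed names for the demonstration. */
    printf("/tmp/example.sock is abstract? %d\n", addr_kind_of_path("/tmp/example.sock"));
    printf("@example is abstract?          %d\n", addr_kind_of_abstract("example"));
    int e = abstract_name_collision("example-collision");
    printf("second bind of @example-collision: %s\n",
           e > 0 ? strerror(e) : (e == 0 ? "succeeded" : "first bind failed"));
    return 0;
}
```

The same copied-in address is what an LSM sees in its socket bind/connect hooks, which is why mediating abstract sockets from AppArmor or SELinux, as suggested in the reply, is feasible where a seccomp filter is not.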