Limiting access to abstract unix domain sockets

Serge Hallyn serge.hallyn at ubuntu.com
Thu Dec 11 17:49:21 UTC 2014


Quoting Alexander Larsson (alexl at redhat.com):
> I'm working on using container technology to sandbox desktop
> applications, and I've run into an issue with abstract unix domain
> sockets. Generally unix domain sockets work fine in a container
> situation because they are naturally namespaced via the filesystem
> namespace.
> 
> However, abstract socket addresses are global to the *network*
> namespace. This means that if you need to share the host network
> namespace (typically so you have full ip networking access) you can't
> limit access to *any* service that listens to an abstract unix socket.
> 
> I don't particularly need to use abstract sockets, so it would be ok to
> just disallow its use in the container. I've looked at using seccomp for
> this, but it doesn't seem to help here, as it needs to dereference the
> socket address to tell if it's abstract or not.
> 
> Does anyone have any idea how to do this?

You should be able to use recent apparmor or selinux.
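
An added illustration of the two points raised above (example code, not from either poster and not from any container project). It is Linux-only, since abstract AF_UNIX names and unshare(2) are Linux features; the socket name is constructed for the demo. classify_un() does what a seccomp-bpf filter cannot, namely look at the bytes behind the sockaddr pointer to tell an abstract name from a pathname; connect_from_child() then shows that a listener on an abstract name is reachable from any process in the same network namespace, and unreachable from a child that has moved into a fresh one with unshare(CLONE_NEWNET) (which needs CAP_SYS_ADMIN; an unprivileged run reports EPERM at the unshare step instead of ECONNREFUSED at connect).

```c
// Added example for this thread (not the posters' code). Linux-only.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

enum un_kind { UN_INVALID, UN_UNNAMED, UN_PATHNAME, UN_ABSTRACT };

/*
 * The check seccomp cannot make.  A seccomp-bpf filter sees only the raw
 * bind(2)/connect(2) arguments: an fd, a pointer value and addrlen; a
 * pathname address and an abstract address of equal length look identical
 * from there.  An LSM hook can dereference the pointer and apply the Linux
 * rule: sun_path[0] == '\0' means abstract, and the name is the remaining
 * bytes up to addrlen (embedded NULs included, no terminator required).
 */
enum un_kind classify_un(const struct sockaddr *sa, socklen_t len)
{
    const struct sockaddr_un *un = (const struct sockaddr_un *)sa;
    const socklen_t hdr = offsetof(struct sockaddr_un, sun_path);

    if (len < hdr || len > sizeof(*un) || sa->sa_family != AF_UNIX)
        return UN_INVALID;
    if (len == hdr)
        return UN_UNNAMED;              /* unnamed / autobind socket */
    return un->sun_path[0] == '\0' ? UN_ABSTRACT : UN_PATHNAME;
}

/* Fill in an abstract address; returns the addrlen to pass to bind/connect
 * (abstract names are length-delimited, so sizeof(*un) would be wrong). */
socklen_t make_abstract(struct sockaddr_un *un, const char *name)
{
    size_t n = strlen(name);

    memset(un, 0, sizeof(*un));
    un->sun_family = AF_UNIX;
    if (n > sizeof(un->sun_path) - 1)
        n = sizeof(un->sun_path) - 1;   /* truncate over-long names */
    memcpy(un->sun_path + 1, name, n);  /* sun_path[0] stays '\0' */
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* Bind and listen on an abstract name; returns the fd, or -1 with errno set. */
int listen_abstract(const char *name)
{
    struct sockaddr_un un;
    socklen_t len = make_abstract(&un, name);
    int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);

    if (fd < 0)
        return -1;
    if (bind(fd, (const struct sockaddr *)&un, len) < 0 || listen(fd, 4) < 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    return fd;
}

/*
 * Connect to the abstract name from a forked child.  With new_netns set the
 * child first calls unshare(CLONE_NEWNET), the isolation a container gets
 * when it does *not* share the host network namespace.  Returns 0 when the
 * connect succeeds, otherwise the child's errno (ECONNREFUSED: the name is
 * not visible from the new namespace; EPERM: not allowed to create one).
 */
int connect_from_child(const char *name, int new_netns)
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return errno;
    if (pid == 0) {
        struct sockaddr_un un;
        socklen_t len = make_abstract(&un, name);
        int fd;

        if (new_netns && unshare(CLONE_NEWNET) < 0)
            _exit(errno);
        fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd < 0 || connect(fd, (const struct sockaddr *)&un, len) < 0)
            _exit(errno);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EIO;
}

int main(void)
{
    char name[64];
    int lfd;

    /* constructed, per-process name so repeated runs do not collide */
    snprintf(name, sizeof name, "demo-abstract-%ld", (long)getpid());
    lfd = listen_abstract(name);
    if (lfd < 0) {
        perror("listen_abstract");
        return 1;
    }
    printf("connect, shared netns: %s\n", strerror(connect_from_child(name, 0)));
    printf("connect, new netns:    %s\n", strerror(connect_from_child(name, 1)));
    close(lfd);
    return 0;
}
```

Run as root (or in a user namespace that may create network namespaces) and the second line prints "Connection refused": the name exists only in the original namespace. Run unprivileged and it prints "Operation not permitted" from the unshare step, which is the situation the original poster describes: a sandbox that must keep the host network namespace has no namespace boundary between itself and the host's abstract sockets, so the distinction has to be made by something that can read the address, such as an LSM.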


More information about the Containers mailing list