[systemd-devel] give unprivileged nspawn container write access to host wayland socket

Nozz nozz at protonmail.com
Mon Nov 22 16:02:39 UTC 2021


I recently moved to pure wayland, and I want to run a graphical application in an unprivileged container (user namespace isolation). The application needs write access to the wayland socket on the host side. What's the best way to achieve this?
I've been able to do this if I map the host UID/GID range using --private-users=0:65536, but then there is no namespace isolation. Also, I would have to map the same range to every container, and the documentation states it's bad security-wise to have them overlap.

Best regards.
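As an added illustration (not part of the original post and not systemd's code) of why --private-users=0:65536 grants access while an isolated range does not: the model below translates the container process's ids to host ids before running the ordinary owner/group/other check, which is how the kernel evaluates credentials across user namespaces. The socket owner and mode, the isolated range 524288:65536 and the overflow id 65534 are constructed or assumed values.

```python
"""Model of how a host-side Unix socket is seen from a systemd-nspawn
container started with --private-users=BASE:SIZE (illustrative only)."""
import stat
from dataclasses import dataclass

OVERFLOW_ID = 65534  # assumed kernel default for overflowuid/overflowgid


@dataclass(frozen=True)
class IdRange:
    base: int  # first host uid/gid handed to the container
    size: int  # container ids 0..size-1 map to host base..base+size-1

    def container_to_host(self, cid: int) -> int:
        """Kernel-side id of a container process running as cid."""
        if not 0 <= cid < self.size:
            raise ValueError(f"container id {cid} outside mapped range")
        return self.base + cid

    def host_to_container(self, host_id: int) -> int:
        """How a host-owned file appears inside the container (ls -l view)."""
        if self.base <= host_id < self.base + self.size:
            return host_id - self.base
        return OVERFLOW_ID  # unmapped owner shows up as nobody/nogroup

    def overlaps(self, other: "IdRange") -> bool:
        """True if two containers would share host ids (the documented risk)."""
        return (self.base < other.base + other.size
                and other.base < self.base + self.size)


def can_write(rng: IdRange, sock_uid: int, sock_gid: int, sock_mode: int,
              proc_uid: int, proc_gids: set[int]) -> bool:
    """Owner/group/other check on the socket, done in host id space."""
    host_uid = rng.container_to_host(proc_uid)
    host_gids = {rng.container_to_host(g) for g in proc_gids}
    if host_uid == sock_uid:
        return bool(sock_mode & stat.S_IWUSR)
    if sock_gid in host_gids:
        return bool(sock_mode & stat.S_IWGRP)
    return bool(sock_mode & stat.S_IWOTH)


def demo() -> dict:
    sock_uid, sock_gid, sock_mode = 1000, 1000, 0o755  # constructed socket
    identity = IdRange(0, 65536)       # --private-users=0:65536
    isolated = IdRange(524288, 65536)  # an unused host range (assumed)
    return {
        "identity_mapping": can_write(identity, sock_uid, sock_gid, sock_mode, 1000, {1000}),
        "isolated_mapping": can_write(isolated, sock_uid, sock_gid, sock_mode, 1000, {1000}),
        "isolated_view_of_owner": isolated.host_to_container(sock_uid),
        "ranges_overlap": identity.overlaps(isolated),
    }
```

With the identity mapping the container's uid 1000 is the host's uid 1000, so the owner bit applies; with an isolated range the socket's owner is unmapped and only the "other" bits count, which is why write access disappears.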