[systemd-devel] give unprivileged nspawn container write access to host wayland socket
systemd-devel at notandy.de
systemd-devel at notandy.de
Mon Nov 22 20:42:43 UTC 2021
Hey Nozz,
I've tried the exact same setup and run into this problem. I've explained it a bit better here[1].
Since the linux kernel 5.12 there are filesystem id mappings that can be used for that in combination with --private-users=pick.
I've written the pull request[0] to include support in nspawn for that. In my opinion this is the best way to share such a socket.
There is not yet a systemd release containing the pull request.
I'm not sure if the tempfs, where I guess your socket is located, implementation in linux does yet support those mappings, last time I checked (when I wrote the pull request) it
didn't.
Yes support for filesystem id mappings depends on the source filesystem. You could solve this by moving the socket to another location, for example an ext4 filesystem, until tmpfs
supports it as well.
Alternatively you could use extended acls for that.
Another option would be to allow access for "other" on the socket, but not the parent folder, and use --bind as is.
Best regards,
nd
[0] https://github.com/systemd/systemd/pull/19828
[1] https://lists.freedesktop.org/archives/systemd-devel/2021-May/046503.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20211122/62ab2d29/attachment.sig>
More information about the systemd-devel
mailing list