[systemd-devel] give unprivileged nspawn container write access to host wayland socket
Lennart Poettering
lennart at poettering.net
Tue Nov 23 09:08:49 UTC 2021
On Mo, 22.11.21 16:02, Nozz (nozz at protonmail.com) wrote:
> I recently moved to pure wayland, I want to run a graphical
> application in an unprivileged container (user namespace isolation).
> The application needs write access to the wayland socket on the host
> side. What's the best way to achieve this? I've been able to do
> this if I map the host UID/GID range using --private-users=0:65536
> but then there is no namespace isolation. Also I would have to map
> the same range to every container and documentation states it's bad
> security wise to have it overlap.
Well, if you run n containers and all n have the same UID/GID mapping
then of course they can access/change each other's resources should they
be able to see it. That might or might not be OK.
In the upcoming 250 release nspawn bind mounts are changed (if a
kernel with uidmap support in the fs layer is available that is) so
that bind mounts placed in the kernel are optionally idmapped,
i.e. that host UID 0 is mapped to container UID 0 for such bind
mounts, instead of "nobody". That should make what you are trying to
do pretty easy, as you can mount individual inodes and make them appear
under their original ownership.
We might want to extend this later on: when bind mounting
non-directory inodes (such as sockets) we could even allow fixing
ownership to any uid of your choice, to give you full freedom there.
Lennart
--
Lennart Poettering, Berlin
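The idmapped bind mount described in the reply, written out as an added example (this is not code from the thread or from the systemd project). It assumes systemd-nspawn 250 or newer, where --bind= accepts an "idmap" mount option, a kernel whose VFS and the filesystem holding the socket both support idmapped mounts, and a container tree at the directory passed as the first argument; the in-container path /run/host-wayland and the use of --private-users=pick are choices made for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the systemd sources.
# Pass the host Wayland socket into an unprivileged nspawn container through
# an idmapped bind mount, so that inside the container the socket keeps its
# host ownership instead of appearing as owned by "nobody".
# Assumptions: systemd-nspawn >= 250 (first release with the "idmap" bind
# option), kernel + filesystem support for idmapped mounts, and that
# /run/host-wayland is a free path inside the container tree.

# Compose the --bind= argument: host path, container path, "idmap" option.
wayland_bind_arg() {
    sock="$1"   # host socket, e.g. /run/user/1000/wayland-0
    dest="$2"   # where it should show up inside the container
    printf '%s\n' "--bind=${sock}:${dest}:idmap"
}

# Return 0 when the output of "systemd-nspawn --version" (first line is
# "systemd NNN (...)") names a release of 250 or newer.
nspawn_version_ok() {
    set -- $1                 # word-split the version output
    ver=${2%%[!0-9]*}         # keep only the leading digits of the 2nd word
    case $ver in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$ver" -ge 250 ]
}

# Launch the container with its own UID/GID range (--private-users=pick) and
# the compositor socket mapped in. The client side needs XDG_RUNTIME_DIR and
# WAYLAND_DISPLAY pointing at the bind-mounted socket.
run_wayland_container() {
    dir="$1"; shift
    display="${WAYLAND_DISPLAY:-wayland-0}"
    sock="${XDG_RUNTIME_DIR:?XDG_RUNTIME_DIR must be set}/${display}"
    if [ ! -S "$sock" ]; then
        echo "no Wayland socket at $sock" >&2
        return 1
    fi
    if ! nspawn_version_ok "$(systemd-nspawn --version 2>/dev/null)"; then
        echo "systemd-nspawn >= 250 is required for idmapped binds" >&2
        return 1
    fi
    exec systemd-nspawn -D "$dir" \
        --private-users=pick \
        "$(wayland_bind_arg "$sock" "/run/host-wayland/${display}")" \
        --setenv=XDG_RUNTIME_DIR=/run/host-wayland \
        --setenv=WAYLAND_DISPLAY="$display" \
        "$@"
}

# Only start a container when a directory is given on the command line,
# e.g.:  sh nspawn-wayland.sh /var/lib/machines/gui -- /usr/bin/foot
if [ "$#" -gt 0 ]; then
    run_wayland_container "$@"
fi
```

Note that the socket still carries its host owner UID inside the container, so the program must run as that UID (or hold matching group/other permission bits) to be able to write to it, and that several containers launched with identical explicit UID ranges could reach each other's resources, which the per-container "pick" range avoids.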