Comment by ameliaquining

Comment by ameliaquining 3 days ago

I don't think this is really intended for container runtimes. You might be able to make it work in a square-peg-round-hole sort of way but the core use case is different.

als0 3 days ago

If the application in the container wants to add more restrictive rules then it should be allowed to. But it should not be able to mess with the existing rules imposed by the container manager. This would be the ideal outcome.

Reply View 2 replies

arianvanp 3 days ago

There is nothing to do here. Landlock already a guarantees that you can't undo rules that were already applied. Your application can further restrict itself but it can't unrestrict itself.

Reply View | 1 reply
- als0 3 days ago
  
  Just need the container manager to not block the landlock system call
  
  Reply View | 0 replies