Mostly a thought experiment; hopefully I'll learn something; perhaps an actually, potentially useful idea. I'm mixing in a bit of docker-esque terminology, as I have in mind this might be one approach.
I'm wondering if there is a way to run C++ code / applications so that they have library isolation; but still host application level use of the host UI and GPU.
How do applications running on Linux (in my case Ubuntu) write to the UI? When an application requests access to the X11 unix socket, can the OS then control that access so it only writes to the bits of the UI the given application owns?
Which bit of docker creates the "isolation" that prevents containers from doing this? Is it a restriction that comes from a cgroups / namespace / chroot change?
Is there a way to reduce the "isolation" level of a docker container so it could use the host UI without having to take additional steps to give the container access to the X11 unix socket?
I would be OK if this reduces other isolation levels of the container; I assume to the equivalent of the application running directly on the host. The only goal is to have library isolation; I trust the code I'm running not to be malicious.
I'm not sure, but this might be along the lines of what I'm thinking of: https://chromium.googlesource.com/chromium/src/+/master/docs/linux/using_a_chroot.md#Running-X-apps - as I understand it, it's an approach to resolving some library dependency issues. The script is https://chromium.googlesource.com/chromium/src/+/master/build/install-chroot.sh
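As an added example (not part of the original question, and not the Chromium project's script): a small POSIX shell helper that composes the `docker run` invocation for the "library isolation only" setup the question describes. Each flag it emits undoes one specific piece of Docker's default separation: the X socket is normally invisible because the container has its own root filesystem (a mount namespace), the MIT-SHM extension needs the host's IPC namespace, and sharing the host's network namespace gives the container the host's hostname, which is what libX11 uses to look up the cookie for a local display in the Xauthority file. The function names `x11_socket_path`, `x11_docker_cmd` and `x11_preflight`, the image name, and the assumptions that the socket lives under /tmp/.X11-unix, that the cookie file is ~/.Xauthority, and that the GPU is driven through the DRM nodes in /dev/dri (a Mesa stack) are mine, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original question): build a `docker run` command
# that keeps the image's own libraries but drops the namespace separation that
# hides the host's X server from a container. Assumed paths: /tmp/.X11-unix for
# the socket, /dev/dri for a Mesa-driven GPU. Image and cookie path are
# placeholders supplied by the caller.

# Map a DISPLAY value to the host-side Unix socket the X server listens on:
# ":0" and "unix:0" -> /tmp/.X11-unix/X0, ":1.0" -> /tmp/.X11-unix/X1.
# A "host:N" display is TCP and has no local socket; returns 1 for those.
x11_socket_path() {
    disp=$1
    case $disp in
        :*|unix:*) ;;
        *) return 1 ;;
    esac
    num=${disp#*:}        # strip the leading ":" or "unix:"
    num=${num%%.*}        # drop the screen number, if any
    printf '/tmp/.X11-unix/X%s\n' "$num"
}

# Compose the run command. Arguments: image DISPLAY Xauthority-path uid gid.
# Every flag removes one layer of Docker's default isolation:
#   -v /tmp/.X11-unix   socket is otherwise absent: the container has its own
#                       root filesystem (mount namespace)
#   --ipc=host          MIT-SHM passes pixmaps via SysV shared memory, which a
#                       private IPC namespace hides from the X server
#   --network=host      container then carries the host's hostname, the key
#                       libX11 uses to find the cookie for a local display
#   --device /dev/dri   DRM render/card nodes for the image's own Mesa stack
#   --user uid:gid      run as the desktop user so the cookie file is readable
x11_docker_cmd() {
    image=$1 disp=$2 xauth=$3 uid=$4 gid=$5
    x11_socket_path "$disp" >/dev/null || return 1   # refuse TCP displays
    printf 'docker run --rm -it'
    printf ' --network=host --ipc=host'
    printf ' --user %s:%s' "$uid" "$gid"
    printf ' -e DISPLAY=%s' "$disp"
    printf ' -v /tmp/.X11-unix:/tmp/.X11-unix'
    printf ' -e XAUTHORITY=/tmp/.Xauthority -v %s:/tmp/.Xauthority:ro' "$xauth"
    printf ' --device /dev/dri:/dev/dri'
    printf ' %s\n' "$image"
}

# Pre-flight check on the host: the socket must exist before it is shared.
x11_preflight() {
    sock=$(x11_socket_path "$1") || { echo "DISPLAY $1 is not a local socket" >&2; return 1; }
    [ -S "$sock" ] || { echo "no X socket at $sock" >&2; return 1; }
}

# Usage: ./x11-run.sh IMAGE DISPLAY XAUTHORITY_FILE
if [ $# -ge 3 ]; then
    x11_preflight "$2" && x11_docker_cmd "$1" "$2" "$3" "$(id -u)" "$(id -g)"
fi
```

Two caveats a practitioner would want here. First, this really does reduce UI isolation to nothing: the core X11 protocol gives every connected client the same rights, so a container holding the socket and cookie can read keystrokes and window contents of every other client just as a host application could; there is no "only the bits it owns" in plain X11. Second, the `/dev/dri` line assumes the image carries a Mesa userspace that matches the host kernel's DRM driver; the NVIDIA proprietary stack requires userspace libraries matching the loaded kernel module, for which the nvidia-container-toolkit is the supported route rather than a raw device bind.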