Closed 097115 closed 1 month ago
One thing to clarify is that there is no jail per se (unless you use it to run with firejail - https://github.com/jamesmcm/vopono/blob/master/USERGUIDE.md#creating-only-network-namespace), it's just that by default any process's children will share the same network namespace.
At a low level, the processes are forking, and changing the network namespace is done via unshare.
https://man7.org/linux/man-pages/man2/unshare.2.html
But I can't think of an easy way of doing this for a specific process that is already running, unless you are writing the code that is doing the spawning.
Maybe it could be done with ptrace - https://stackoverflow.com/questions/41253216/is-there-a-linux-system-call-that-lets-me-make-system-calls-in-the-context-of-an
But what is the use-case btw?
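To make the "children share the parent's namespace, unshare creates a new one" point concrete, here is a small added example (not vopono code and not from the comment above). It assumes Linux with /proc mounted and, for the unshare path, a kernel that permits unprivileged user namespaces; the function names and the 1/0/2/-1 result encoding are my own choices. It forks a child, optionally calls unshare(CLONE_NEWUSER | CLONE_NEWNET) in the child, and compares the inode of /proc/self/ns/net on both sides, which is the same check `ip netns identify` and similar tools rely on.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Inode of /proc/self/ns/net: two processes are in the same network
 * namespace exactly when this number matches. 0 means it could not be
 * read (for example, /proc is not mounted). */
static ino_t net_ns_inode(void)
{
    struct stat st;
    if (stat("/proc/self/ns/net", &st) != 0)
        return 0;
    return st.st_ino;
}

/* What the child sends back to the parent over a pipe. */
struct ns_report {
    int unshared;   /* 1 = unshare succeeded, -1 = refused, 0 = not attempted */
    ino_t ns;       /* the child's network namespace inode */
};

/* Fork a child and compare its network namespace with the parent's.
 * If do_unshare is non-zero the child first calls
 * unshare(CLONE_NEWUSER | CLONE_NEWNET); the user namespace is what lets an
 * unprivileged process create a network namespace (assumption: the kernel
 * allows unprivileged user namespaces; if not, unshare is refused and the
 * child simply stays in the inherited namespace).
 *
 * Returns 1 if the child shares the parent's network namespace,
 *         0 if the child ended up in a different network namespace,
 *         2 if unshare was requested but refused by the kernel,
 *        -1 if the namespaces could not be determined. */
int child_shares_parent_netns(int do_unshare)
{
    ino_t parent_ns = net_ns_inode();
    if (parent_ns == 0)
        return -1;

    int fd[2];
    if (pipe(fd) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* child: optionally leave the inherited netns, then report back */
        close(fd[0]);
        struct ns_report msg = { 0, 0 };
        if (do_unshare)
            msg.unshared = (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0) ? 1 : -1;
        msg.ns = net_ns_inode();
        if (write(fd[1], &msg, sizeof msg) != (ssize_t)sizeof msg)
            _exit(1);
        _exit(0);
    }

    /* parent: read the child's report; a killed child yields a short read */
    close(fd[1]);
    struct ns_report msg;
    ssize_t n = read(fd[0], &msg, sizeof msg);
    close(fd[0]);
    waitpid(pid, NULL, 0);

    if (n != (ssize_t)sizeof msg || msg.ns == 0)
        return -1;
    if (msg.unshared < 0)
        return 2;
    return msg.ns == parent_ns ? 1 : 0;
}

int main(void)
{
    printf("plain fork:      child shares parent netns -> %d\n",
           child_shares_parent_netns(0));
    printf("fork + unshare:  child shares parent netns -> %d\n",
           child_shares_parent_netns(1));
    return 0;
}
```

A plain fork always reports 1: nothing about fork() touches the namespace, so an irc:// or magnet: handler spawned from a namespaced browser inherits the browser's namespace. With unshare the result is 0 on a kernel that allows it and 2 where unprivileged user namespaces are disabled, which is also why the unshare has to happen in the process being spawned (or in the code spawning it) rather than being applied to an already running process from outside.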
@jamesmcm , thanks a lot once again :)
> But what is the use-case btw?
Let's say we have a browser running in one network namespace, then a user clicks, e.g., an irc:// or a magnet: link, which -- via a wrapper script -- spawns a third party app, like a chat or a torrent client, in another network namespace.
Probably not the most clever scheme, but sometimes it may prove handy to keep things separate :)
Is it possible to tell certain child processes to launch outside the current namespace?
I understand that would sound more like a bug than a feature, but maybe a user can somehow force an escape from the jail? :)