I want to put the child into a network namespace by calling setns, but this requires CAP_SYS_ADMIN, which I've lost after the uid/gid mapping. (Basically building a rootless container). The calls to setns happen in child_after_clone, which is called after the uid/gid mapping is done in after_start, which then wakes the child process. So the order currently is:
I want to put the child into a network namespace by calling setns, but this requires CAP_SYS_ADMIN, which I've lost after the uid/gid mapping. (Basically building a rootless container). The calls to setns happen in
child_after_clone, which is called after the uid/gid mapping is done inafter_start, which then wakes the child process. So the order currently is:Am I doing something wrong?