Spawning certain child processes outside the network namespace? #282
Comments
|
One thing to clarify is that there is no jail per se (unless you use it to run with firejail - https://github.com/jamesmcm/vopono/blob/master/USERGUIDE.md#creating-only-network-namespace), it's just that by default any process's children will share the same network namespace. At a low level, the processes are forking, and changing the network namespace is done via unshare. https://man7.org/linux/man-pages/man2/unshare.2.html But I can't think of an easy way of doing this for a specific process that is already running, unless you are writing the code that is doing the spawning. Maybe it could be done with ptrace - https://stackoverflow.com/questions/41253216/is-there-a-linux-system-call-that-lets-me-make-system-calls-in-the-context-of-an But what is the use-case btw? |
|
@jamesmcm , thanks a lot once again :)
Let's say we have a browser running in one network namespace, then a user clicks, e.g., an Probably, not the most clever scheme but sometimes it may prove handy to to keep things separate :) |
Is it possible to tell certain child processes to launch outside the current namespace?
I understand, that would sound more like a bug than a feature but maybe a user can somehow force an escape from the jail? :)
The text was updated successfully, but these errors were encountered: