I need to be able to constrain a user application to always run in a particular network namespace. Assume I have previously set up my network configuration as such:
ip tuntap add name tap0 mode tap
ip link add veth0 type veth peer name veth1
ip netns add appns
ip link set dev tap0 netns appns
ip link set dev veth0 netns appns
ip netns exec appns ip addr add 10.0.0.254/24 dev tap0
ip netns exec appns ip link set dev tap0 up
ip netns exec appns ip addr add 10.20.30.1/24 dev veth0
ip netns exec appns iptables -t nat -A POSTROUTING -o veth0 -j SNAT --to 10.20.30.1
ip link add name br1 type bridge
# eth1 previously exists, maps to physical interface
ip link set dev eth1 master br1
ip link set dev veth1 master br1
ip link set dev eth1 up
ip link set dev br1 up
With this setup, I would like to have any non-sudo users¹ be able to run myapp such that myapp will be executing within the appns namespace, as if the user had run
> sudo ip netns exec appns sudo -u ${USER} myapp
myapp will read/write from the tap0 interface at 10.0.0.x, communicating with something at 10.20.30.x.
I can't create a shell wrapper with setuid set (per this answer to allowing setuid on shell scripts). How would I go about always having myapp run in the appns network namespace? Could I make the namespace name configurable via some .conf file?
¹ These users can be part of a group that is necessary to run the application (e.g., similar to being in the wireshark group to run Wireshark).
setns and execv or similar, and make that be suid root. Though I haven't worked with namespaces much, and there may well be some ready-made utility that I don't know of. – Ralph Rönnquist Feb 27 '16 at 10:41
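The setns-then-execv wrapper that the comment sketches, written out as an added example (this is not code from the question or the commenter). It assumes a config file /etc/myapp-netns.conf holding the namespace name (the .conf idea from the question; the path is a hypothetical choice), a real binary at /usr/local/bin/myapp.real (also hypothetical), and that ip netns add created the handle under /var/run/netns/. The wrapper is meant to be installed setuid root with group ownership and mode 4750 so only the application group can invoke it; because a root-owned config file steers a privileged binary, the namespace name is validated to contain no path components, and root is dropped back to the real uid/gid before exec so myapp itself never runs privileged.

```c
#define _GNU_SOURCE          /* setns, CLONE_NEWNET, setresuid/setresgid */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Directory where `ip netns add <name>` creates the namespace handle. */
#define NETNS_DIR "/var/run/netns/"
/* Hypothetical config file naming the namespace (assumption, not from the question). */
#define CONF_PATH "/etc/myapp-netns.conf"
/* Hypothetical location of the real application binary (assumption). */
#define APP_PATH "/usr/local/bin/myapp.real"

/* Build NETNS_DIR + name into buf. Empty names, names containing '/', and the
 * "." / ".." entries are rejected so a config value cannot point a setuid binary
 * at an arbitrary file. Returns 0 on success, -1 otherwise. */
int build_netns_path(const char *name, char *buf, size_t len) {
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    int n = snprintf(buf, len, "%s%s", NETNS_DIR, name);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return 0;
}

/* Read the first non-empty, non-comment line of a config stream as the namespace
 * name, trimming surrounding blanks. Returns 0 on success, -1 if none is found. */
int read_netns_name(FILE *fp, char *name, size_t len) {
    char line[256];
    while (fgets(line, sizeof line, fp) != NULL) {
        size_t n = strcspn(line, "\r\n");
        line[n] = '\0';
        while (n > 0 && (line[n - 1] == ' ' || line[n - 1] == '\t'))
            line[--n] = '\0';
        const char *p = line;
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0' || *p == '#')
            continue;
        if (strlen(p) >= len)
            return -1;
        strcpy(name, p);
        return 0;
    }
    return -1;
}

/* Join the named network namespace. setns() needs CAP_SYS_ADMIN, which is why
 * the wrapper (not myapp) is the setuid-root part. */
int enter_netns(const char *name) {
    char path[512];
    if (build_netns_path(name, path, sizeof path) != 0) {
        errno = EINVAL;
        return -1;
    }
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = setns(fd, CLONE_NEWNET);
    close(fd);
    return rc;
}

/* Permanently give up root: supplementary groups first, then gid, then uid.
 * For a non-root caller, confirm the drop is irreversible before exec. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv) {
    (void)argc;
    char name[64];
    FILE *fp = fopen(CONF_PATH, "r");
    if (fp == NULL || read_netns_name(fp, name, sizeof name) != 0) {
        fprintf(stderr, "cannot read namespace name from %s\n", CONF_PATH);
        return 1;
    }
    fclose(fp);
    if (enter_netns(name) != 0) { perror("setns"); return 1; }
    /* Real uid/gid are those of the invoking user; go back to them before exec. */
    if (drop_privileges(getuid(), getgid()) != 0) { perror("drop_privileges"); return 1; }
    argv[0] = APP_PATH;
    execv(APP_PATH, argv);   /* only returns on failure */
    perror("execv");
    return 1;
}
```

The execv'd process inherits the network namespace, so myapp sees tap0 and veth0 without itself needing any privilege; changing the namespace is a matter of editing the config file, which should stay writable by root only.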