network namespace wireguard routing [Was: Re: Userspace Networking Stack + WireGuard + Go]

Jason A. Donenfeld Jason at zx2c4.com
Wed Jan 13 16:49:49 UTC 2021


On Wed, Jan 13, 2021 at 5:46 PM Toke Høiland-Jørgensen <toke at toke.dk> wrote:
> 5. also requires CAP_SYS_ADMIN (and I think by extension, so does 3.,
> and 4.). From 'man setns':
>
>        Network, IPC, time, and UTS namespaces
>               In order to reassociate itself with a new network, IPC,
>               time, or UTS namespace, the caller must have the
>               CAP_SYS_ADMIN capability both in its own user namespace
>               and in the user namespace that owns the target namespace.

For this, you just create a new user namespace first. You can try it
yourself from the command line:

zx2c4 at thinkpad ~ $ unshare -n
unshare: unshare failed: Operation not permitted
zx2c4 at thinkpad ~ $ unshare -Un
nobody at thinkpad ~ $ ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
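The same two-step trick (a fresh user namespace first, then the network namespace that it owns) expressed at the syscall level, as an added Go example for the Go-side discussion of this thread; it is not code from the WireGuard project or from anyone on the list. Because a Go process is multithreaded and `unshare(CLONE_NEWUSER)` needs a single-threaded caller, the example does what `unshare -Un` does by cloning a child with both flags instead. It assumes a Linux host with `readlink` and `ip` on PATH, and it adds a uid/gid mapping of the caller to 0 (the `unshare -Unr` variant rather than plain `-Un`, so the child shows up as root in its own namespace instead of `nobody`); the helper names are the example's own.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
	"syscall"
)

// namespaceFlags returns the clone flags handed to the child. Requesting the
// user namespace and the network namespace in the same clone() is what avoids
// the CAP_SYS_ADMIN requirement in the initial namespace: the child holds a
// full capability set inside the user namespace it just created, that user
// namespace owns the new network namespace, and so the CAP_SYS_ADMIN check
// quoted from setns(2) is satisfied there. This is the shape of `unshare -Un`.
func namespaceFlags() uintptr {
	return syscall.CLONE_NEWUSER | syscall.CLONE_NEWNET
}

// rootMapping maps the caller's own uid or gid to 0 inside the new user
// namespace, the equivalent of `unshare -r`. Without any mapping the child
// runs as the overflow user ("nobody" in the session above), which is enough
// for `ip a` but confuses tools that insist on seeing uid 0.
func rootMapping(hostID int) []syscall.SysProcIDMap {
	return []syscall.SysProcIDMap{{ContainerID: 0, HostID: hostID, Size: 1}}
}

// runInNamespaces runs name with args in a child that lives in a fresh
// user+network namespace and returns the child's combined output.
func runInNamespaces(name string, args ...string) ([]byte, error) {
	cmd := exec.Command(name, args...)
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags:  namespaceFlags(),
		UidMappings: rootMapping(os.Getuid()),
		GidMappings: rootMapping(os.Getgid()),
	}
	return cmd.CombinedOutput()
}

// childNetnsID reports the network namespace identity the child sees
// (the target of /proc/self/ns/net inside it), for comparison with the parent's.
func childNetnsID() (string, error) {
	out, err := runInNamespaces("readlink", "/proc/self/ns/net")
	if err != nil {
		return "", fmt.Errorf("readlink in namespace: %w (%s)", err, strings.TrimSpace(string(out)))
	}
	return strings.TrimSpace(string(out)), nil
}

// parentNetnsID is the same identity for the calling process.
func parentNetnsID() (string, error) {
	return os.Readlink("/proc/self/ns/net")
}

func main() {
	parent, _ := parentNetnsID()
	child, err := childNetnsID()
	if err != nil {
		// Typical causes: unprivileged user namespaces disabled by sysctl or
		// blocked by a seccomp profile, exactly the case `unshare -n` hits above.
		fmt.Fprintln(os.Stderr, "could not create namespaces:", err)
		os.Exit(1)
	}
	fmt.Printf("parent netns %s, child netns %s\n", parent, child)

	// Same picture as the mailing-list session: only a DOWN loopback device.
	out, err := runInNamespaces("ip", "a")
	if err != nil {
		fmt.Fprintln(os.Stderr, "ip a:", err)
		os.Exit(1)
	}
	os.Stdout.Write(out)
}
```

The network namespace created this way contains only its own loopback and no route to the host's interfaces, so a WireGuard device placed in it (a TUN device opened from the child, for instance) is isolated from the host's stack unless the parent deliberately moves a veth or similar into it; if the first step fails, check the kernel's unprivileged user namespace setting and any seccomp or LSM policy that filters `clone`/`unshare`, which is the same condition behind the `Operation not permitted` shown above.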
