I have a tool (https://github.com/ausbin/nsdo) that uses network namespaces and mount namespaces to isolate particular applications in VPNs. It’s useful if you want to run some applications through a VPN and others not.
This tool handles the networking part of this with network namespaces. But to handle /etc/resolv.conf, it uses overlayfs with mount namespaces. However, when I run a snap like Firefox, snap mangles the mount namespace I have set up, and the browser ends up in the original mount namespace (with the wrong /etc/resolv.conf) instead of the one it was exec()'d in. This was very confusing to debug, since I didn’t expect a non-privileged program to setns() itself — I only figured it out when I navigated snap Firefox to file:///etc/resolv.conf and saw the wrong configuration.
Is there a way around this? Currently I just stopped using the Firefox snap and things work great, but it would be nice to find a resolution for users who use snaps (e.g., Ubuntu 22.04 users for whom snap Firefox is the default).
edit: Forgot to say, this is snap 2.56 on Ubuntu 22.04.
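A quick way to confirm from outside where a launched process actually ended up, as an added diagnostic script that is not part of nsdo or the original post: it compares a PID's mount and network namespace identities with the calling shell's and prints the resolv.conf the process really sees through /proc/<pid>/root. It assumes a Linux /proc and permission to inspect the target process (same user or root).

```shell
#!/bin/sh
# Constructed diagnostic (hypothetical helper, not part of nsdo): report which
# mount and network namespaces a process is in, and which /etc/resolv.conf it
# actually sees. Useful when a confined app (e.g. a snap) silently re-enters a
# different mount namespace than the one it was exec()'d in.

# Namespace identity of process $1 for namespace type $2, e.g. "mnt:[4026531840]".
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# Succeed (exit 0) if processes $1 and $2 share namespace type $3.
same_ns() {
    [ "$(ns_id "$1" "$3")" = "$(ns_id "$2" "$3")" ]
}

# The resolv.conf a process sees, resolved through its own root directory.
# Reading /proc/<pid>/root needs ptrace access to that process (same user or root).
resolv_of() {
    cat "/proc/$1/root/etc/resolv.conf"
}

# Compare PID $1 against this shell for the two namespace types nsdo relies on.
check_pid() {
    pid=$1
    for t in mnt net; do
        if same_ns "$$" "$pid" "$t"; then
            echo "$t: PID $pid is in the SAME $t namespace as this shell ($(ns_id "$pid" "$t"))"
        else
            echo "$t: PID $pid is in a DIFFERENT $t namespace ($(ns_id "$pid" "$t"))"
        fi
    done
    echo "resolv.conf as seen by PID $pid:"
    resolv_of "$pid"
}

# Usage: run this script from the shell nsdo placed you in, passing the PID of
# the application (e.g. the Firefox process), and compare the namespace lines.
if [ $# -eq 1 ]; then
    check_pid "$1"
fi
```

If the mnt line reports a different namespace and the printed resolv.conf is the host's, the application has left the overlayfs view nsdo set up, which is exactly the symptom described above.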