in progress but need to switch to linux for dev

Author: bcpeinhardt

go.mod

@@ -1,3 +1,5 @@
 module github.com/coder/squeeze
 
 go 1.25.0
+
+require golang.org/x/sys v0.35.0 // indirect

go.sum

@@ -0,0 +1,2 @@
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=

main.go

@@ -9,7 +9,27 @@ import (
 	"github.com/coder/squeeze/squeeze"
 )
 
+// runChildProcess handles the child process execution in isolated namespaces
+func runChildProcess() {
+	// TODO: We need to pass config data from parent to child
+	// For now, just create namespaces and exit to test
+	
+	if err := squeeze.CreateNamespaces(); err != nil {
+		fmt.Fprintf(os.Stderr, "Child: failed to create namespaces: %v\n", err)
+		os.Exit(1)
+	}
+	
+	fmt.Printf("Child: successfully created namespaces\n")
+	os.Exit(0)
+}
+
 func main() {
+	// Check if we're running as the child process for namespace setup
+	if len(os.Args) > 1 && os.Args[1] == "squeeze-child" {
+		runChildProcess()
+		return
+	}
+
 	var configFile = flag.String("config", "", "path to configuration file")
 
 	flag.Usage = func() {

squeeze/squeeze.go

@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"os"
 	"syscall"
+
+	"golang.org/x/sys/unix"
 )
 
 const (
@@ -104,3 +106,33 @@ func (c *IsolationConfig) RunIsolated() error {
 
 	return nil
 }
+
+// CreateNamespaces creates new user, mount, and network namespaces for the current process.
+// This isolates the process from the host system's users, filesystem, and network.
+// Must be called in the child process after fork.
+func CreateNamespaces() error {
+	// Create user namespace first - this allows us to have root privileges
+	// inside the namespace for subsequent mount/network operations
+	if err := unshare(CLONE_NEWUSER); err != nil {
+		return fmt.Errorf("failed to create user namespace: %w", err)
+	}
+
+	// Create mount namespace - gives us our own view of the filesystem
+	if err := unshare(CLONE_NEWNS); err != nil {
+		return fmt.Errorf("failed to create mount namespace: %w", err)
+	}
+
+	// Create network namespace - isolates network interfaces and routing
+	if err := unshare(CLONE_NEWNET); err != nil {
+		return fmt.Errorf("failed to create network namespace: %w", err)
+	}
+
+	return nil
+}
+
+// unshare is a wrapper around the unshare system call
+func unshare(flags int) error {
+	// On non-Linux systems, return an error indicating it's not supported
+	// On Linux, this will call the actual unshare syscall
+	return fmt.Errorf("namespace isolation not supported on this platform")
+}

test_constants.go

@@ -0,0 +1,12 @@
+package main
+
+import (
+	"fmt"
+	"golang.org/x/sys/unix"
+)
+
+func main() {
+	fmt.Printf("CLONE_NEWUSER: %x\n", unix.CLONE_NEWUSER)
+	fmt.Printf("CLONE_NEWNS: %x\n", unix.CLONE_NEWNS)  
+	fmt.Printf("CLONE_NEWNET: %x\n", unix.CLONE_NEWNET)
+}