Currently minijail can enter a completely new user namespace, but it cannot enter an existing user namespace. This prevents us from being able to share other namespaces between processes. For example, suppose we have process 123 in its own user namespace and network namespace. We want to share 123's network namespace with a new process 456. Even if 456 is created with a new user namespace and 456 has CAP_SYS_ADMIN capabilities in this user namespace, 456 must also have CAP_SYS_ADMIN capabilities in the user namespace that created 123's network namespace. The only way to accomplish this is by putting 456 in 123's user namespace.
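The rule described above can be observed directly with setns(2). The following program is an added example written for this page; it is not minijail code and not code from the reporter. It plays "process 123" as a child that unshares a user namespace plus a network namespace, then tries to enter that network namespace from a second child twice: once from a brand-new user namespace (what minijail can do today, which fails with EPERM) and once after first joining 123's user namespace via setns(CLONE_NEWUSER) (which succeeds). It assumes Linux with unprivileged user namespaces enabled and /proc mounted; the names run_demo, owner_child, joiner_child and the DEMO_* / STEP_* codes are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of run_demo(): the EPERM-then-success pair the report describes was
 * observed, or the kernel/sandbox would not let us set the experiment up. */
enum { DEMO_OK = 0, DEMO_UNSUPPORTED = 1, DEMO_MISMATCH = 2 };

/* Which step of the joiner failed, reported back over a pipe with its errno. */
enum { STEP_NONE = 0, STEP_OPEN_NS = 1, STEP_USERNS = 2, STEP_NETNS = 3 };
struct result { int step; int err; };

static int open_ns(pid_t pid, const char *ns) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, ns);
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* "Process 123": a new user namespace that owns a new network namespace.
 * Maps the outer uid to 0 inside, signals readiness, then waits to be killed. */
static void owner_child(int ready_fd, uid_t outer_uid) {
    char map[64];
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) _exit(1);
    int n = snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outer_uid);
    int fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd < 0 || write(fd, map, n) != n) _exit(1);
    close(fd);
    if (write(ready_fd, "R", 1) != 1) _exit(1);
    close(ready_fd);
    pause();
    _exit(0);
}

/* "Process 456": enter the owner's net namespace either from a fresh user
 * namespace, or after first joining the owner's user namespace. */
static void joiner_child(pid_t owner, int join_owner_userns, int result_fd) {
    struct result r = { STEP_NONE, 0 };
    int user_fd = open_ns(owner, "user"), net_fd = open_ns(owner, "net");
    if (user_fd < 0 || net_fd < 0) {
        r.step = STEP_OPEN_NS; r.err = errno;
    } else if ((join_owner_userns ? setns(user_fd, CLONE_NEWUSER)
                                  : unshare(CLONE_NEWUSER)) != 0) {
        r.step = STEP_USERNS; r.err = errno;
    } else if (setns(net_fd, CLONE_NEWNET) != 0) {
        /* Needs CAP_SYS_ADMIN in the user ns that owns the target net ns. */
        r.step = STEP_NETNS; r.err = errno;
    }
    if (write(result_fd, &r, sizeof r) != sizeof r) _exit(1);
    _exit(0);
}

static struct result try_enter_netns(pid_t owner, int join_owner_userns) {
    struct result r = { STEP_OPEN_NS, ECHILD };
    int p[2];
    if (pipe(p) != 0) return r;
    pid_t pid = fork();
    if (pid == 0) { close(p[0]); joiner_child(owner, join_owner_userns, p[1]); }
    close(p[1]);
    if (pid > 0 && read(p[0], &r, sizeof r) != (ssize_t)sizeof r) {
        r.step = STEP_OPEN_NS; r.err = EIO;
    }
    close(p[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return r;
}

int run_demo(void) {
    int ready[2];
    char c;
    uid_t uid = geteuid();   /* captured before any unshare(); inside it would read as the overflow uid */
    if (pipe(ready) != 0) return DEMO_UNSUPPORTED;
    pid_t owner = fork();
    if (owner < 0) return DEMO_UNSUPPORTED;
    if (owner == 0) { close(ready[0]); owner_child(ready[1], uid); }
    close(ready[1]);
    int got = read(ready[0], &c, 1) == 1;
    close(ready[0]);
    if (!got) { waitpid(owner, NULL, 0); return DEMO_UNSUPPORTED; }   /* no unprivileged user namespaces here */

    struct result fresh = try_enter_netns(owner, 0);
    struct result joined = try_enter_netns(owner, 1);
    kill(owner, SIGKILL);
    waitpid(owner, NULL, 0);

    /* A failure before the net-namespace step (no /proc, seccomp policy, ...)
     * is the environment getting in the way, not the rule under test. */
    if (fresh.step == STEP_OPEN_NS || fresh.step == STEP_USERNS ||
        joined.step == STEP_OPEN_NS || joined.step == STEP_USERNS)
        return DEMO_UNSUPPORTED;
    if (fresh.step == STEP_NETNS && fresh.err == EPERM && joined.step == STEP_NONE)
        return DEMO_OK;
    return DEMO_MISMATCH;
}

int main(void) {
    static const char *names[] = { "OK", "UNSUPPORTED", "MISMATCH" };
    printf("fresh user ns -> EPERM, owner's user ns -> success: %s\n", names[run_demo()]);
    return 0;
}
```

The two joiner children have the same uid and, on the second attempt, the same user namespace as the owner; the only thing that changes between the attempts is which user namespace the joiner is in when it calls setns(CLONE_NEWNET), which is exactly the distinction the report makes.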
Comment 1 by vapier@chromium.org, Jun 21 2018