I want to put the child into a network namespace by calling setns, but this requires CAP_SYS_ADMIN, which I've lost after the uid/gid mapping. (Basically building a rootless container). The calls to setns happen in child_after_clone, which is called after the uid/gid mapping is done in after_start, which then wakes the child process. So the order currently is:
clone -> wait -> after_start (which does the uid/gid mapping) -> wakeup -> child_after_clone (which calls setns)
Am I doing something wrong?
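Added illustration, not part of the original post or the asker's code: the rule that decides whether setns(2) into a network namespace succeeds is that the caller needs CAP_SYS_ADMIN in its own user namespace *and* in the user namespace that owns the target network namespace. The C program below makes that visible without any container runtime. It forks a child, creates a new user namespace, writes the single-line uid/gid mapping an unprivileged process is allowed to write, confirms the child now holds CAP_SYS_ADMIN (inside the new user namespace only), and then tries setns twice: once into the original network namespace (owned by the initial user namespace) and once into a network namespace created after the mapping (owned by the new user namespace). All function names (`run_demo`, `child_body`, `has_cap_sys_admin`, `write_file`) and the result codes are my own; the /proc paths and syscalls are the real Linux interfaces. On a kernel that does not allow unprivileged user namespaces, the demo reports that it cannot run rather than failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>

/* Result codes for run_demo() (assumed names, not from the original post). */
enum { DEMO_OK = 0, DEMO_UNEXPECTED = 1, DEMO_UNSUPPORTED = 2 };

/* Write one string to a /proc file in a single write(2); returns 0 on success. */
static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Is CAP_SYS_ADMIN in the effective set, as seen from the caller's own user namespace? */
static int has_cap_sys_admin(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0) return 0;
    return (data[CAP_TO_INDEX(CAP_SYS_ADMIN)].effective & CAP_TO_MASK(CAP_SYS_ADMIN)) != 0;
}

/* Runs in the forked child so the parent's namespaces are never modified. */
static int child_body(void)
{
    char map[64];
    uid_t uid = geteuid();
    gid_t gid = getegid();

    /* The network namespace we start in is owned by the initial user namespace. */
    int orig_net = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
    if (orig_net < 0) return DEMO_UNSUPPORTED;

    /* New user namespace, as a rootless runtime would create. EPERM/EINVAL/ENOSPC here
     * means unprivileged user namespaces are disabled on this host: nothing to show. */
    if (unshare(CLONE_NEWUSER) != 0) return DEMO_UNSUPPORTED;

    /* uid/gid mapping. Without CAP_SETUID in the parent namespace a process may map exactly
     * its own id, and must write "deny" to setgroups before gid_map (Linux >= 3.19). */
    if (write_file("/proc/self/setgroups", "deny") != 0) return DEMO_UNSUPPORTED;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)uid);
    if (write_file("/proc/self/uid_map", map) != 0) return DEMO_UNSUPPORTED;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)gid);
    if (write_file("/proc/self/gid_map", map) != 0) return DEMO_UNSUPPORTED;

    /* We are now uid 0 with CAP_SYS_ADMIN, but only relative to the new user namespace. */
    if (geteuid() != 0 || !has_cap_sys_admin()) return DEMO_UNEXPECTED;

    /* A network namespace created from here is owned by the new user namespace. */
    if (unshare(CLONE_NEWNET) != 0) return DEMO_UNSUPPORTED;
    int own_net = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
    if (own_net < 0) return DEMO_UNEXPECTED;
    /* Move into a second fresh netns so that re-joining own_net is a real transition. */
    if (unshare(CLONE_NEWNET) != 0) return DEMO_UNSUPPORTED;

    /* Joining the original netns requires CAP_SYS_ADMIN in the user namespace that owns
     * it, i.e. the initial one, which the mapping did not give us: expect EPERM. */
    errno = 0;
    int r_orig = setns(orig_net, CLONE_NEWNET);
    int e_orig = errno;
    /* Joining a netns owned by our own user namespace is permitted. */
    int r_own = setns(own_net, CLONE_NEWNET);

    close(orig_net);
    close(own_net);
    return (r_orig == -1 && e_orig == EPERM && r_own == 0) ? DEMO_OK : DEMO_UNEXPECTED;
}

/* Fork, run the demonstration in the child, and return its result code. */
int run_demo(void)
{
    pid_t pid = fork();
    if (pid < 0) return DEMO_UNSUPPORTED;
    if (pid == 0) _exit(child_body());
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return DEMO_UNEXPECTED;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = run_demo();
    if (r == DEMO_OK)
        puts("setns into the initial-userns netns: EPERM; into a netns owned by the new userns: OK");
    else if (r == DEMO_UNSUPPORTED)
        puts("unprivileged user namespaces are not available here; demo skipped");
    else
        puts("unexpected result; check kernel version and sandbox restrictions");
    return r == DEMO_UNEXPECTED ? 1 : 0;
}
```

The takeaway for a rootless design is the ownership relation, not the order of the clone/wakeup handshake: once the uid/gid map is written, the child does hold CAP_SYS_ADMIN, but only over namespaces owned by the user namespace it was mapped into. A network namespace the child is expected to join therefore has to have been created by a process in that user namespace (or a descendant of it); a namespace created earlier from the host's user namespace will refuse setns with EPERM no matter when in the sequence the call is placed.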