I am writing a binary that will run inside LXC containers. I control the source code of the binary but not the contents of the containers it will run in. In particular, I do not want to pollute the containers by writing my binary into them.
Is there any way I can run a binary stored on the host, but within the execution context (namespaces, chroot, dropped capabilities, etc.) of the container?
You can make your program setns(2) (into some, but not all, namespaces), chroot and then drop capabilities.
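The sequence in the answer above (setns, then chroot, then drop capabilities), as an added example that is not part of the original answer. It assumes Linux 3.8 or later (mnt and pid namespaces became joinable with setns(2) in 3.8) and that the program starts as root on the host; the PID of any process inside the container (for LXC, `lxc-info -n <name> -p` prints the init PID) is passed as the only argument. The reason a dynamically linked host binary survives the switch is that its code and libraries are already mapped when setns is called, so they stay usable after the host's mounts disappear; anything dlopen'ed after that point would have to come from the container's filesystem. Joining the user namespace of an unprivileged container is deliberately left out here, since it would have to happen first and changes the capability rules.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>
#include <linux/sched.h>

/* Namespaces joined by this example. mnt goes last: once it is joined, host
 * paths such as /proc/<pid>/ns/* are no longer visible, so every descriptor
 * is opened before the first setns(2). pid only applies to children forked
 * afterwards; the calling process itself keeps its host PID. */
static const struct { const char *name; int type; } NAMESPACES[] = {
    { "ipc", CLONE_NEWIPC }, { "uts", CLONE_NEWUTS }, { "net", CLONE_NEWNET },
    { "pid", CLONE_NEWPID }, { "mnt", CLONE_NEWNS },
};
enum { NNS = sizeof NAMESPACES / sizeof NAMESPACES[0] };

/* Join the namespaces of `pid` (a process inside the container), then chroot
 * into that process's root. Needs CAP_SYS_ADMIN and CAP_SYS_CHROOT.
 * Returns 0 on success, -1 with errno set on failure. */
int enter_container(pid_t pid)
{
    char path[64];
    int fds[NNS], rootfd, rc = -1, saved, i;

    for (i = 0; i < NNS; i++) fds[i] = -1;
    /* The root is taken via an fd so the chroot never depends on a host path
     * that may have vanished after the mnt namespace was joined. */
    snprintf(path, sizeof path, "/proc/%ld/root", (long)pid);
    rootfd = open(path, O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (rootfd < 0) return -1;
    for (i = 0; i < NNS; i++) {
        snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)pid, NAMESPACES[i].name);
        fds[i] = open(path, O_RDONLY | O_CLOEXEC);
        if (fds[i] < 0) goto out;
    }
    for (i = 0; i < NNS; i++)
        /* Passing nstype makes the kernel reject an fd of the wrong kind. */
        if (syscall(SYS_setns, fds[i], NAMESPACES[i].type) < 0) goto out;
    if (fchdir(rootfd) < 0 || chroot(".") < 0) goto out;
    rc = 0;
out:
    saved = errno;
    for (i = 0; i < NNS; i++) if (fds[i] >= 0) close(fds[i]);
    close(rootfd);
    errno = saved;
    return rc;
}

/* Clear the effective, permitted and inheritable sets of the calling thread
 * (capset with empty sets is allowed without privilege, since shrinking is
 * always permitted), then set no_new_privs so a later execve() of a set-uid
 * or file-capability binary cannot hand them back. capset(2) is per thread:
 * a multithreaded program must do this on every thread. */
int drop_all_capabilities(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(data, 0, sizeof data);
    if (syscall(SYS_capset, &hdr, data) < 0) return -1;
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Check the drop: 1 if all three sets are empty, 0 if any capability is
 * left, -1 if capget(2) itself failed. */
int has_no_capabilities(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    int i;

    if (syscall(SYS_capget, &hdr, data) < 0) return -1;
    for (i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].effective | data[i].permitted | data[i].inheritable) return 0;
    return 1;
}

int main(int argc, char **argv)
{
    char host[256] = "?";

    if (argc != 2) {
        fprintf(stderr, "usage: %s <pid-of-a-process-inside-the-container>\n", argv[0]);
        return 2;
    }
    if (enter_container((pid_t)strtol(argv[1], NULL, 10)) < 0) {
        perror("enter_container");
        return 1;
    }
    if (drop_all_capabilities() < 0) {
        perror("drop_all_capabilities");
        return 1;
    }
    /* From here on the host binary runs its own logic with the container's
     * view of hostname, network and mounts, and with no capabilities, without
     * anything having been written into the container's filesystem. */
    gethostname(host, sizeof host - 1);
    printf("inside container: hostname=%s capabilities-empty=%d\n",
           host, has_no_capabilities());
    return 0;
}
```

Compile with `gcc -Wall -o enter enter.c` and run as root with the container's init PID; the hostname printed is the one from the container's UTS namespace. Dropping the capabilities happens only after chroot and setns, because both of those need them.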
You can also attain something similar with dived (not actually chrooted, but having access to the container's chroot).
You can run a [statically linked] dived inside a container (with the appropriate options, for example --client-chroot --root-to-current), listening on a UNIX socket on some part of the filesystem that is visible both in the container and on the host; then run dive to ask that dived to start your non-statically-linked program in the container's namespaces. The root filesystem will stay the same as your host's (so your program can find its libraries), and the container's root filesystem will be set as the current directory.