Forcing outgoing traffic via specific IP by process or user

Solution 1:

You may want to have a look at iptables-extensions(8):

iptables [-m name [module-options...]]  [-j target-name [target-options...]

...

owner
   This  module  attempts to match various characteristics of the packet
   creator, for locally generated packets. This match is only valid in the
   OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket
   associated with them. Packets from kernel threads do have a socket, but
   usually no owner.

   [!] --uid-owner username

   [!] --uid-owner userid[-userid]
          Matches if the packet socket's file structure (if it has one) is
          owned by the given user. You may also specify a numerical UID,
          or an UID range.

   [!] --gid-owner groupname

   [!] --gid-owner groupid[-groupid]
          Matches if the packet socket's file structure is owned by the
          given group.  You may also specify a numerical GID, or a GID
          range.

   [!] --socket-exists
          Matches if the packet is associated with a socket.

Edit: Sorry I just saw that this was your option 1.