Post Syndicated from corbet original https://lwn.net/Articles/978846/

User namespaces in Linux create an
environment in which all privileges are granted, but their effect is
contained within the namespace; they have become an important tool for the
implementation of containers. They have also become a significant source
of worries for people who do not like the increased attack surface they
create for the kernel. Various attempts have been made to restrict that
attack surface over the years; the latest is user namespace
capabilities, posted by Jonathan Calmels.