В Fri, 4 Feb 2022 10:45:15 +0100 Christian Brauner <brauner@xxxxxxxxxx> пишет: > If you want to turn off idmapped mounts you can already do so today via: > echo 0 > /proc/sys/user/max_user_namespaces It turns off much more than idmapped mounts only. More fine grained control seems better for me. > They can neither > be created as an unprivileged user nor can they be created inside user > namespaces. But actions of fully privileged user can open non-obvious ways to privilege escalation.
