On Wed, Jan 13, 2021 at 5:46 PM Toke Høiland-Jørgensen <t...@toke.dk> wrote:
> 5. also requires CAP_SYS_ADMIN (and I think by extension, so does 3.,
> and 4.). From 'man setns':
>
>        Network, IPC, time, and UTS namespaces
>               In order to reassociate itself with a new network, IPC,
>               time, or UTS namespace, the caller must have the
>               CAP_SYS_ADMIN capability both in its own user namespace
>               and in the user namespace that owns the target namespace.

For this, you just create a new user namespace first. You can try it
yourself from the command line:

zx2c4@thinkpad ~ $ unshare -n
unshare: unshare failed: Operation not permitted
zx2c4@thinkpad ~ $ unshare -Un
nobody@thinkpad ~ $ ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
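The same two experiments as the `unshare -n` / `unshare -Un` session above, as an added C example (not part of the thread): each unshare() call runs in a forked child, and after a successful call the child reads CapEff from /proc/self/status to show why the user namespace matters, since the creator of a new user namespace holds a full capability set there, including the CAP_SYS_ADMIN that setns(2)/unshare(2) check for the network namespace. The helper names and the NO_SYS_ADMIN exit code are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child exit code meaning: unshare() succeeded, but CAP_SYS_ADMIN is not effective. */
#define NO_SYS_ADMIN 200

/* Returns 1 if CAP_SYS_ADMIN (capability bit 21) is in the effective set of the
 * calling process, as reported by the CapEff line of /proc/self/status. */
static int has_cap_sys_admin(void) {
    char line[256];
    unsigned long long eff = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", &eff) == 1) break;
    fclose(f);
    return (int)((eff >> 21) & 1);
}

/* Try unshare(flags) in a forked child so the caller's own namespaces stay untouched.
 * Returns 0 if the child entered the new namespace(s) and holds CAP_SYS_ADMIN there,
 * the child's errno if unshare() failed, or NO_SYS_ADMIN. */
int try_unshare(int flags) {
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        if (unshare(flags) != 0) _exit(errno);
        _exit(has_cap_sys_admin() ? 0 : NO_SYS_ADMIN);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINVAL;
}

static const char *describe(int r) {
    if (r == 0) return "ok, CAP_SYS_ADMIN effective";
    if (r == NO_SYS_ADMIN) return "ok, but no CAP_SYS_ADMIN";
    return strerror(r);
}

int main(void) {
    /* As an unprivileged user the first line reads "Operation not permitted",
     * the second "ok, CAP_SYS_ADMIN effective" (in the new user namespace only). */
    printf("CLONE_NEWNET alone           : %s\n", describe(try_unshare(CLONE_NEWNET)));
    printf("CLONE_NEWUSER | CLONE_NEWNET : %s\n", describe(try_unshare(CLONE_NEWUSER | CLONE_NEWNET)));
    return 0;
}
```

On hosts where unprivileged user namespaces are disabled (sysctl or seccomp), the second call fails with EPERM, which is exactly the knob a defender uses to close this path.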