Currently, it is recommended to disable user namespaces completely.
# Disable user namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
User namespaces are fine as long as they are only used by privileged or root users. Unprivileged user namespaces are where it gets problematic. They have led to a lot of CVEs (as listed here), and most major distributions carry a patch to disable unprivileged user namespaces entirely.
However, they are used by legitimate programs for sandboxing, such as bubblewrap or the chromium-sandbox. If unprivileged user namespaces are disabled by default, these programs must be setuid to work correctly, but this increases the attack surface a lot. chromium-sandbox is quite big and is also written in C++. That being said, it is possible to restrict user namespaces globally and allow them per application using SELinux as well as AppArmor (however, the required patches are not upstreamed and are only included in Ubuntu).
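To check which side of this trade-off a host is on, the following added example (not part of the original text) classifies the user namespace setting and lists sandbox helpers that carry the setuid bit. The `root` argument is a hypothetical parameter for testing against a constructed tree, the helper paths in the usage note are assumed locations, and `kernel.unprivileged_userns_clone` and `kernel.apparmor_restrict_unprivileged_userns` are distribution-specific sysctls that are not named in the text above.

```shell
#!/bin/sh
# Added example: audit user namespace availability and setuid sandbox helpers.
# "root" is a hypothetical prefix ("" means the live system) so the logic
# can be exercised against a constructed directory tree.

# Print the value of a dotted sysctl name under root/proc/sys, or "absent".
read_sysctl() {  # $1 = root, $2 = sysctl name
    f="$1/proc/sys/$(printf '%s' "$2" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Classify who may create user namespaces.
userns_state() {  # $1 = root
    max=$(read_sysctl "$1" user.max_user_namespaces)
    # Distribution patch (Debian-style kernels); absent on mainline.
    clone=$(read_sysctl "$1" kernel.unprivileged_userns_clone)
    # Ubuntu-only AppArmor restriction; absent elsewhere.
    aa=$(read_sysctl "$1" kernel.apparmor_restrict_unprivileged_userns)
    if [ "$max" = 0 ]; then echo disabled-for-all
    elif [ "$clone" = 0 ]; then echo disabled-for-unprivileged
    elif [ "$aa" = 1 ]; then echo restricted-by-apparmor
    elif [ "$max" = absent ]; then echo unknown
    else echo enabled
    fi
}

# Print each given helper path that has the setuid bit set.
setuid_helpers() {  # $1 = root, remaining args = absolute paths
    root=$1; shift
    for p in "$@"; do
        if [ -u "$root$p" ]; then echo "$p"; fi
    done
    return 0
}

# Human-readable summary: namespace state plus setuid helpers found.
userns_report() {  # $1 = root, remaining args = helper paths
    state=$(userns_state "$1")
    echo "user namespaces: $state"
    setuid_helpers "$@" | while read -r h; do
        echo "setuid sandbox helper: $h"
    done
    case $state in
        disabled-*) echo "note: sandboxes without a setuid helper cannot use user namespaces here" ;;
    esac
}
```

Run it as `userns_report "" /usr/bin/bwrap /usr/lib/chromium/chrome-sandbox`, adjusting the helper paths to where the distribution installs them.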