# Support for the user namespace in grsecurity kernel

Grsecurity has completely disabled, on purpose, the user namespace code for the kernel.

As the goal of this namespace is to gain (virtualy) root privilegies inside a namespace (in theory, it shouldn’t give more priviledgies than the one you initialy have outside of your namespace), there are some interesting use cases, or, in my case I need to perform some demo in front of my students.

Other distros, like Debian, choose to allow the use of user namespace through a custom kernel config variable. In order to use them without both CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID, you need to activate (as root):

42sh# sysctl -w kernel.unprivileged_userns_clone=1


To reproduce the same behaviour with a grsecurity kernel, I made a patch, to apply after the grsecurity patch: grsec-enable-user-ns.patch.