Grsecurity has completely disabled, on purpose, the user namespace code for the kernel.
As the goal of this namespace is to gain (virtualy) root privilegies inside a namespace (in theory, it shouldn’t give more priviledgies than the one you initialy have outside of your namespace), there are some interesting use cases, or, in my case I need to perform some demo in front of my students.
Other distros, like Debian, choose to allow the use of user namespace through a
custom kernel config variable. In order to use them without both
CAP_SYS_ADMIN
, CAP_SETUID
and CAP_SETGID
, you need to activate (as root):
42sh# sysctl -w kernel.unprivileged_userns_clone=1
To reproduce the same behaviour with a grsecurity kernel, I made a patch, to apply after the grsecurity patch: grsec-enable-user-ns.patch.