On Tue, Jan 12, 2021 at 8:06 AM Sasha Levin <sashal () kernel org> wrote:
I didn't take a look at this specific bug very closely, but on certain
distributions (Ubuntu etc.) it has been possible to get CAP_NET_ADMIN
in your own network namespace for years. An unprivileged user can
become root with all capabilities in their own user/network namespace
and modify local iptables rules. On Red Hat systems you still need
root.
Philip
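The condition Philip describes (an unprivileged user obtaining CAP_NET_ADMIN inside a private user plus network namespace) is something an administrator can check for directly. The script below is an added example, not code from the thread or from any of the people in it: it reads the two sysctls that govern unprivileged user namespaces (the upstream `user.max_user_namespaces` and the Debian/Ubuntu-specific `kernel.unprivileged_userns_clone`), probes by actually creating a namespace with util-linux `unshare` (assumed to be installed), and decodes the effective capability mask seen inside it. Whether the probe succeeds on a given host is the finding; the hardening knobs are named in the comments.

```shell
#!/bin/sh
# Added example (not from the original thread). Reports whether the current
# unprivileged user can obtain CAP_NET_ADMIN inside a private user+net
# namespace, i.e. whether local iptables rules are modifiable without root.
# Assumes util-linux `unshare`; sysctl names are user.max_user_namespaces
# (upstream) and kernel.unprivileged_userns_clone (Debian/Ubuntu kernels).

# Read a sysctl through /proc; print "absent" when this kernel lacks the key.
read_sysctl() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Probe: create a user+network namespace as the current user and print the
# effective capability mask (hex) seen inside it. Prints "blocked" when the
# kernel, a sysctl or an LSM policy refuses, or when unshare is missing.
probe_userns_caps() {
    unshare -Urn sh -c 'grep CapEff /proc/self/status | cut -f2' 2>/dev/null \
        || echo blocked
}

# CAP_NET_ADMIN is capability number 12 in the Linux capability mask.
# Returns 0 when bit 12 is set in the given hex CapEff value, 1 otherwise
# (including for "blocked" or non-hex input).
has_cap_net_admin() {
    mask="$1"
    case "$mask" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    dec=$(( 0x$mask ))
    if [ $(( (dec >> 12) & 1 )) -eq 1 ]; then return 0; else return 1; fi
}

# One-line summary suitable for a hardening audit. Mitigation on hosts where
# the probe succeeds and unprivileged userns is not needed: set
# user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 where the
# distribution kernel provides it (both via sysctl/sysctl.d).
userns_summary() {
    max=$(read_sysctl user.max_user_namespaces)
    clone=$(read_sysctl kernel.unprivileged_userns_clone)
    caps=$(probe_userns_caps)
    if has_cap_net_admin "$caps"; then
        echo "unprivileged CAP_NET_ADMIN in private netns: AVAILABLE" \
             "(CapEff=$caps max_user_namespaces=$max unprivileged_userns_clone=$clone)"
    else
        echo "unprivileged CAP_NET_ADMIN in private netns: not available" \
             "(probe=$caps max_user_namespaces=$max unprivileged_userns_clone=$clone)"
    fi
}

userns_summary
```

Run it as an ordinary (non-root) user: if the first line reports AVAILABLE, that account can already reach the iptables-in-own-namespace situation the reply describes, regardless of what the sysctls alone suggest, which is why the script probes with `unshare` rather than trusting the sysctl values.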