According to clone(2) and unshare(2), the various CLONE_NEW* flags for creating new namespaces require CAP_SYS_ADMIN. But this is not the case, and never has been (as best I can tell from some git log grepping in the kernel).
$ cat unshare.c
#define _GNU_SOURCE
#include <err.h>
#include <sched.h>
#include <stdlib.h>

int
main(void)
{
	if (unshare(CLONE_NEWPID) == -1)
		err(EXIT_FAILURE, "unshare(2)");
	exit(EXIT_SUCCESS);
}
$ cc -Wall -Wextra unshare.c
$ sudo setcap 'cap_sys_admin=' a.out
$ ./a.out
a.out: unshare(2): Operation not permitted
$ sudo setcap 'cap_sys_admin=eip' a.out
$ ./a.out
$

CAP_SYS_ADMIN is required, as the example above demonstrates.
Ah, I understand the confusion I was having now: all namespaces, *except user namespaces*, require CAP_SYS_ADMIN. But creating a new user namespace automatically confers a full set of capabilities. So, when using clone(2) with CLONE_NEWUSER and some other CLONE_NEW* flags for other namespaces, at the same time, you don't need CAP_SYS_ADMIN in the parent, because it's given to the child during the clone call. Is this worth mentioning somewhere?
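To see the mechanism described in the message above in action, here is an added example (not code from this thread or from the man-pages project). From an unprivileged parent it calls clone(2) twice: once with CLONE_NEWPID alone, which fails with EPERM, and once with CLONE_NEWUSER | CLONE_NEWPID, which succeeds; the child then reports its PID and whether CAP_SYS_ADMIN is in its effective set, read from the CapEff line of /proc/self/status. The helper names, the 1 MiB child stack and the fallback definition of CAP_SYS_ADMIN as bit 21 (the value <linux/capability.h> uses) are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bit number of CAP_SYS_ADMIN, the same value <linux/capability.h> defines. */
#ifndef CAP_SYS_ADMIN
#define CAP_SYS_ADMIN 21
#endif

/* Extract the hex mask from the "CapEff:" line of /proc/<pid>/status text.
 * Returns 0 when the line is absent. */
static unsigned long long
capeff_from_status(const char *status)
{
	const char *p = strstr(status, "CapEff:");

	if (p == NULL)
		return 0;
	return strtoull(p + strlen("CapEff:"), NULL, 16);
}

/* 1 if capability bit 'cap' is set in 'mask', else 0. */
static int
mask_has_cap(unsigned long long mask, int cap)
{
	return (int)((mask >> cap) & 1ULL);
}

/* Effective capability mask of the calling process, as the kernel reports it
 * relative to the caller's own user namespace. */
static unsigned long long
own_capeff(void)
{
	char buf[4096];
	size_t n;
	FILE *f = fopen("/proc/self/status", "r");

	if (f == NULL)
		return 0;
	n = fread(buf, 1, sizeof buf - 1, f);
	fclose(f);
	buf[n] = '\0';
	return capeff_from_status(buf);
}

/* Runs inside the new namespaces: report our PID and whether CAP_SYS_ADMIN is
 * effective. With CLONE_NEWPID the PID is 1; with CLONE_NEWUSER the capability
 * is present even though the parent never had it. */
static int
child(void *arg)
{
	(void)arg;
	printf("  child: pid=%ld, CAP_SYS_ADMIN effective: %s\n",
	       (long)getpid(),
	       mask_has_cap(own_capeff(), CAP_SYS_ADMIN) ? "yes" : "no");
	fflush(stdout);	/* glibc's clone() calls _exit() once fn returns */
	return 0;
}

/* clone(2) a child with the given CLONE_NEW* flags and wait for it.
 * Returns 0 on success, or the errno clone(2) failed with. */
static int
try_clone_ns(int flags)
{
	enum { STACK_SIZE = 1024 * 1024 };
	char *stack = malloc(STACK_SIZE);	/* top-of-stack pointer below assumes a downward-growing stack */
	pid_t pid;
	int err, status;

	if (stack == NULL)
		return errno;
	fflush(stdout);	/* don't let the child re-flush our buffered output */
	pid = clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL);
	err = (pid == -1) ? errno : 0;
	if (pid != -1)
		waitpid(pid, &status, 0);
	free(stack);
	return err;
}

int
main(void)
{
	int e;

	e = try_clone_ns(CLONE_NEWPID);
	printf("clone(CLONE_NEWPID): %s\n", e ? strerror(e) : "ok");

	e = try_clone_ns(CLONE_NEWUSER | CLONE_NEWPID);
	printf("clone(CLONE_NEWUSER|CLONE_NEWPID): %s\n", e ? strerror(e) : "ok");

	return 0;
}
```

Run it as an ordinary user with no file capabilities on the binary: the first clone reports "Operation not permitted", the second succeeds and the child prints pid=1 with CAP_SYS_ADMIN effective, because the capabilities are granted in the new user namespace before the other CLONE_NEW* flags are processed. On distributions that disable unprivileged user namespace creation (for example via a sysctl), the second clone fails with EPERM as well, which is worth checking before concluding the kernel behaves differently.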
Maybe we could add that to NOTES in unshare(2). Would you mind sending a patch? Thanks, Alex