In particular, the user namespace is still moving in the direction of converting all of the checks from simple uid equality to comparing the tuple of user namespace and uid.
On the specific question about remounting a filesystem, the filesystem piece of the permission checks has yet to be updated.
The reason getting a full set of capabilities will be harmless is because it is actually equivalent to dropping all capabilities. The capabilities will only apply to objects and namespaces created after you create the user namespace. So once properly implemented, you simply won't be able to do anything dangerous, but you will be able to use facilities that today are root only, only because suid root applications could be spoofed.
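The two checks described in the comment above, sketched as a simplified C model. This is an added example, not part of the original comment and not kernel source; the struct names, function names and sample values are hypothetical, and the upward walk is modeled on how the kernel resolves a capability against the user namespace that owns an object.

```c
#include <stdbool.h>
#include <stddef.h>

#define CAP_SYS_ADMIN_BIT 21

/* Simplified model: a namespace has a parent, a nesting level, and the
 * uid (in the parent) of the user who created it. */
struct user_ns { struct user_ns *parent; int level; unsigned owner; };

/* A uid is only meaningful together with the namespace it lives in. */
struct cred { struct user_ns *ns; unsigned uid; unsigned long caps; };

/* Identity check as a (user namespace, uid) tuple, not a bare uid. */
bool same_user(const struct cred *a, const struct cred *b)
{
    return a->ns == b->ns && a->uid == b->uid;
}

/* Does c hold capability `cap` over an object owned by namespace `target`? */
bool ns_capable_model(const struct cred *c, const struct user_ns *target, int cap)
{
    for (const struct user_ns *ns = target; ns; ns = ns->parent) {
        if (ns == c->ns)                 /* own namespace, or reached it from a descendant */
            return ((c->caps >> cap) & 1UL) != 0;
        if (ns->level <= c->ns->level)   /* target is not below c->ns: no authority */
            return false;
        if (ns->parent == c->ns && ns->owner == c->uid)
            return true;                 /* creator has full authority over its child ns */
    }
    return false;
}

/* Constructed sample: the initial namespace and a child created by uid 1000. */
struct user_ns init_ns  = { NULL, 0, 0 };
struct user_ns child_ns = { &init_ns, 1, 1000 };
struct cred init_root  = { &init_ns, 0, ~0UL };   /* real root */
struct cred child_root = { &child_ns, 0, ~0UL };  /* "root" with all caps, inside child_ns */
struct cred creator    = { &init_ns, 1000, 0 };   /* unprivileged creator of child_ns */

int main(void)
{
    /* Full capabilities inside child_ns, none over objects owned by init_ns. */
    return !(ns_capable_model(&child_root, &child_ns, CAP_SYS_ADMIN_BIT) &&
             !ns_capable_model(&child_root, &init_ns, CAP_SYS_ADMIN_BIT));
}
```

In this model a filesystem mounted before the namespace existed is owned by `init_ns`, so `child_root` has no authority over it despite holding every capability bit.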