Right, CAP_SYS_ADMIN has been described as the new root. It gives the sandbox more rights than what a normal user process would have. Well, capability checks are often carried out against a resource. Their namespace probably does not own many resources.
So I would like to see a detailed analysis of what doors CAP_SYS_ADMIN really opens. But I am very skeptical that this is the right thing to do.
I wonder why they need CAP_SYS_ADMIN. I have used unprivileged containers before. We needed to make some ugly compromises to have them do useful work, but CAP_SYS_ADMIN has never been required.
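A small added example (my own code, not the commenter's) for the "detailed analysis" angle: before arguing about what CAP_SYS_ADMIN opens, check whether a sandboxed process actually holds it, and in which set. The kernel exposes the capability sets of every process as 64-bit hex masks in /proc/<pid>/status (CapInh, CapPrm, CapEff, CapBnd, CapAmb); CAP_SYS_ADMIN is bit 21 in <linux/capability.h>. The program below decodes those lines. The SAMPLE_STATUS text is constructed to look like a shell in a fresh user namespace (unshare -Ur), where the process holds every capability but only towards resources that namespace owns, which is exactly the point made in the comment. Reading /proc/self/status assumes a Linux host with procfs mounted.

```c
/* Added example, not from the original comment: decode the capability
 * masks in /proc/<pid>/status and test for CAP_SYS_ADMIN. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN 21   /* bit index, as in <linux/capability.h> */

/* Find "Key:<ws><hex>" in a /proc/<pid>/status text and parse the mask.
 * Returns 0 on success, -1 if the key is missing or the value is malformed. */
int cap_mask_from_status(const char *status_text, const char *key, uint64_t *mask)
{
    size_t klen = strlen(key);
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':') {
            const char *v = p + klen + 1;
            while (*v == ' ' || *v == '\t') v++;
            char *end;
            errno = 0;
            unsigned long long val = strtoull(v, &end, 16);
            if (errno != 0 || end == v) return -1;
            *mask = (uint64_t)val;
            return 0;
        }
        p = strchr(p, '\n');      /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

/* 1 if capability number `cap` is set in `mask`, else 0. */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63) return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Inspect the calling process itself. Returns 1/0, or -1 if procfs is
 * unavailable (e.g. not Linux, or /proc not mounted in the sandbox). */
int self_has_cap_sys_admin(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char buf[8192];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    uint64_t eff;
    if (cap_mask_from_status(buf, "CapEff", &eff) != 0) return -1;
    return cap_in_mask(eff, CAP_SYS_ADMIN);
}

/* Constructed sample (not captured from a real system): what a root shell
 * in a new user namespace typically shows with a recent kernel, i.e. all
 * 41 capability bits set in the permitted, effective and bounding sets. */
static const char SAMPLE_STATUS[] =
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n";

int main(void)
{
    uint64_t eff = 0;
    if (cap_mask_from_status(SAMPLE_STATUS, "CapEff", &eff) == 0)
        printf("sample CapEff has CAP_SYS_ADMIN: %s\n",
               cap_in_mask(eff, CAP_SYS_ADMIN) ? "yes" : "no");

    int r = self_has_cap_sys_admin();
    if (r < 0)
        printf("could not read /proc/self/status\n");
    else
        printf("this process has CAP_SYS_ADMIN in CapEff: %s\n", r ? "yes" : "no");
    return 0;
}
```

A "yes" here does not settle the question the comment raises: the kernel's ns_capable() checks test the capability in the user namespace that owns the resource, so a full CapEff inside an unprivileged user namespace still does not let the process, for example, mount a block-device filesystem owned by the initial namespace. Comparing CapEff and CapBnd of the sandbox against the same lines for a plain user shell is the first step of the analysis the commenter asks for.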