Rootful podman allows "unshare -r" in containers whereas docker disallows it

[chetan-reddy]

In a docker container, running unshare -r fails with unshare: unshare failed: Operation not permitted. Rootful podman on the other hand allows it by default. I'm not too familiar with seccomp, but I think this is because podman's seccomp.json and docker's seccomp.json have different configuration for clone

Is it intentional to allow unshare -r in rootful podman? It seems like docker disallows it for good reason . If it is intentional, is there an easy way to disallow user namespaces in containers? I tried --sysctl=user.max_user_namespaces=0 but it fails with Error: sysctl 'user.max_user_namespaces' not allowed .

Is it safe to just copy docker's seccomp.json and use it with podman? I tried it and it does work (disallows unshare -r), but I wanted to check with the experts if that's safe or if there was an easier way to accomplish my goal.

[Luap99]

see https://github.com/containers/common/issues/1988

yes you can use the docker profile without issues

[chetan-reddy]

Thanks for the link. I searched the issues in this repo, but didn't realize that containers/common also has issues related to podman. Will search all the repos next time.