Comment 4 for bug 2060810

John Johansen (jjohansen) wrote:

More applications will be getting confinement; on an individual level, I don't think it will be everything from debs. In this case it's because it uses unprivileged user namespaces, which are now being restricted and treated as semi-privileged because they give access to several privileged kernel interfaces. Those privileged kernel interfaces should in theory be safe, but the reality is that they aren't. Unprivileged user namespaces have been the first step in almost every kernel exploit chain for the last 7 or so years.

In Pwn2Own last year, 4 of the 5 exploits used unprivileged user namespaces. This year all 4 did; however, if you turn the restriction on (present in 23.10 but not enabled by default), every one of the exploits is blocked. The current step is far from perfect, but we are working on improving it.