NOTE: edited on 2023-08-10 to add details about an additional kernel change required to ensure unconfined applications get stacked within any chosen profile via change_profile such that a malicious application should not be able to abuse an existing permissive profile on the system to gain access to unprivileged user namespaces.
1 Like