Document initially written by Vincent Batts, adapted to Slint by Didier Spaier

Many container runtime tools like systemd-nspawn, docker, etc. focus on
providing infrastructure for system administrators and orchestration tools
(e.g. Kubernetes) to run containers.

These tools are not suitable to give to unprivileged users, because it is
trivial to turn such access into to a fully privileged root shell on the host.

bubblewrapper is used by flatrpak in Slint.

We mitigate the risks of privilege escalation as the binary
/usr/bin/bwrap is installed setuid, setting user.max_user_namespaces=0
with the following code snippet, run after installation:

if [ ! f /etc/sysctl.conf.d/max_usernamespaces.conf ]; then
	echo "user.max_user_namespaces=0" > /etc/sysctl.conf.d/max_usernamespaces.conf
	sysctl -p/etc/sysctl.conf.d/max_usernamespaces.conf
fi

You may change this value, at your own risks. If it triggers an issue in your
use case, please report it in the Slint mailing list.