Problem
Over 44% of browser attacks abuse user namespaces to gain root access.
Implementation Or Not
Bubblewrap is used by snap (which we have disabled completely).
Solution
Disable unprivileged user-namespace cloning and set the number of usable user namespaces to 0.
kernel.unprivileged_userns_clone = 0
user.max_user_namespaces = 0
Considerations
Check whether bubblewrap is used elsewhere; if not, apply the proposed change.
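
One way to run the check from Considerations before applying the two sysctls, as an added example that is not part of the original proposal. The function names and the PROC_ROOT override are assumptions of this example; it reads the current sysctl values, reports how bwrap is installed, and lists every process that lives in a user namespace other than PID 1's.

```shell
#!/bin/sh
# Added example: pre-flight check before disabling user namespaces.
# PROC_ROOT is an assumption of this example so the logic can be pointed at a test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the current value of a sysctl, or "absent" if this kernel does not have it
# (kernel.unprivileged_userns_clone is a distribution patch, not an upstream sysctl).
sysctl_value() {
    f="$PROC_ROOT/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Print "pid comm" for every process in a user namespace other than PID 1's.
# Run as root: the ns links of other users' processes are not readable otherwise.
userns_users() {
    init_ns=$(readlink "$PROC_ROOT/1/ns/user") || return 1
    for d in "$PROC_ROOT"/[0-9]*; do
        ns=$(readlink "$d/ns/user" 2>/dev/null) || continue
        [ "$ns" = "$init_ns" ] && continue
        printf '%s %s\n' "${d##*/}" "$(cat "$d/comm" 2>/dev/null)"
    done
}

# Succeeds only when nothing currently running depends on a non-initial user namespace.
safe_to_disable() {
    [ -z "$(userns_users)" ]
}

# Classify a bwrap binary: a setuid bwrap does not need unprivileged user namespaces.
bwrap_mode() {
    if [ ! -x "$1" ]; then echo absent
    elif [ -u "$1" ]; then echo setuid
    else echo unprivileged; fi
}

report() {
    for k in kernel.unprivileged_userns_clone user.max_user_namespaces; do
        echo "$k = $(sysctl_value "$k")"
    done
    echo "bwrap: $(bwrap_mode "$(command -v bwrap 2>/dev/null)")"
    if safe_to_disable; then
        echo "no process uses a non-initial user namespace"
    else
        echo "processes in non-initial user namespaces:"; userns_users
    fi
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it with `--report` while the usual applications are open, since it only sees processes that exist at the moment of the check.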