* access to /proc/pid/map_files, which we use to restore shared memory (CAP_SYS_ADMIN)
* use of the SO_RCVBUFFORCE and SO_SNDBUFFORCE socket options (CAP_NET_ADMIN)
* open_by_handle_at requires CAP_DAC_READ_SEARCH
The list will be updated over time. To resolve these problems we need to address each issue and modify the kernel. For the first bullet, a patch is already floating around on the kernel mailing list.
[https://github.com/avagin/criu/tree/userns2 Here is a draft of userspace code]
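A pre-flight check for the three requirements listed above, as an added example (not CRIU code and not taken from the linked draft): it parses the `CapEff:` line of `/proc/<pid>/status` and reports which of the listed operations lack their capability. The function name, the result-bit names and the sample status text are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Capability bit numbers from <linux/capability.h>. */
enum { CAP_DAC_READ_SEARCH_NR = 2, CAP_NET_ADMIN_NR = 12, CAP_SYS_ADMIN_NR = 21 };

/* Result bits (hypothetical names), one per item in the list above. */
#define NO_MAP_FILES   (1u << 0)  /* /proc/pid/map_files needs CAP_SYS_ADMIN */
#define NO_BUFFORCE    (1u << 1)  /* SO_RCVBUFFORCE/SO_SNDBUFFORCE need CAP_NET_ADMIN */
#define NO_OPEN_HANDLE (1u << 2)  /* open_by_handle_at needs CAP_DAC_READ_SEARCH */
#define PARSE_ERROR    (1u << 31) /* no usable CapEff line found */

/* Constructed sample: a task whose effective set holds only CAP_NET_ADMIN. */
static const char SAMPLE_STATUS[] = "Name:\tcriu\nCapEff:\t0000000000001000\n";

/* Scan status text line by line for CapEff and flag the unavailable operations. */
unsigned int missing_features(const char *status)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *v = p + 7;
            while (*v == ' ' || *v == '\t') v++;
            /* Reject an empty value so strtoull cannot run on into the next line. */
            if (!isxdigit((unsigned char)*v)) return PARSE_ERROR;
            uint64_t eff = strtoull(v, NULL, 16);
            unsigned int miss = 0;
            if (!((eff >> CAP_SYS_ADMIN_NR) & 1)) miss |= NO_MAP_FILES;
            if (!((eff >> CAP_NET_ADMIN_NR) & 1)) miss |= NO_BUFFORCE;
            if (!((eff >> CAP_DAC_READ_SEARCH_NR) & 1)) miss |= NO_OPEN_HANDLE;
            return miss;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return PARSE_ERROR;
}

int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof(buf) - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("missing: 0x%x\n", missing_features(n ? buf : SAMPLE_STATUS));
    return 0;
}
```

`CapEff` is relative to the task's own user namespace, so a full mask reported inside a user namespace does not by itself mean the kernel-side check for these operations will pass. Treat a zero result as necessary, not sufficient, and confirm by attempting the operation and checking for `EPERM`.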