Right, but "unprivileged user namespaces" are disabled in many contexts, because they've been a source of many vulnerabilities due to code originally thought to only be reachable by root anyway.
Archlinux has user namespaces disabled, docker does not use them by default and does not allow them inside containers by default, on Ubuntu I make sure to disable kernel.unprivileged_userns_clone on all the servers I deploy to, etc.
No. It's exploitable by a normal unprivileged user on modern Ubuntu. From the article, "Let’s see how we can exploit this vulnerability. I’m going to be targeting x86-64 Ubuntu 16.04.2 with 4.8.0-41-generic kernel version with KASLR, SMEP and SMAP enabled. Ubuntu kernel has user namespaces available to unprivileged users (CONFIG_USER_NS=y and no restrictions on its usage), so the bug can be exploited to gain root privileges by an unprivileged user."
As a rule of thumb, an attacker can ALWAYS escape from Docker containers.
These containers are a lightweight way to separate processes. They are not intended as a security measure to isolate malicious processes that try to escape.
No, Docker usually drops CAP_NET_RAW within the container. But you can change that and other container technologies definitely keep CAP_NET_RAW within the container.
You also need to create a network namespace, because to create an AF_PACKET socket you need to have CAP_NET_RAW in the user namespace that owns your network namespace, not the user namespace you're in.
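A small hardening check that makes the point above concrete, added here as an example (not code from the thread or the article): it tries to open an AF_PACKET socket directly, after unshare(CLONE_NEWUSER) alone, and after unshare(CLONE_NEWUSER | CLONE_NEWNET), so an admin can confirm that kernel.unprivileged_userns_clone=0 (or a seccomp profile) actually closes the path an unprivileged user would otherwise have. On a stock kernel with unrestricted user namespaces, only the third probe reports REACHABLE; on a hardened host all three report blocked. The probe names and exit-code convention are my own.

```c
#define _GNU_SOURCE  /* for unshare() and CLONE_* in glibc headers */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/if_ether.h>
#include <arpa/inet.h>

/* Fallbacks in case an earlier header already fixed the feature macros. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
extern int unshare(int flags);

enum { PROBE_ERROR = -1, PROBE_BLOCKED = 0, PROBE_REACHABLE = 1 };

/* Fork a child, optionally unshare namespaces there, then try to open an
 * AF_PACKET socket. The child's exit code carries the result back, so the
 * parent's own namespaces are never changed. */
static int probe_af_packet(int unshare_flags) {
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) {
        /* unshare() failing means the userns path is closed: user namespaces
         * disabled by sysctl/kconfig, or unshare denied by seccomp in a container. */
        if (unshare_flags && unshare(unshare_flags) != 0) _exit(0);
        int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
        if (fd >= 0) { close(fd); _exit(1); }
        /* EPERM: no CAP_NET_RAW in the userns owning our netns (the thread's point). */
        _exit(errno == EPERM || errno == EACCES ? 0 : 2);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return PROBE_ERROR;
    return WEXITSTATUS(status) == 1 ? PROBE_REACHABLE
         : WEXITSTATUS(status) == 0 ? PROBE_BLOCKED : PROBE_ERROR;
}

static const char *describe(int r) {
    return r == PROBE_REACHABLE ? "REACHABLE" : r == PROBE_BLOCKED ? "blocked" : "error";
}

int main(void) {
    printf("direct (current caps):   %s\n", describe(probe_af_packet(0)));
    printf("new userns only:         %s\n", describe(probe_af_packet(CLONE_NEWUSER)));
    printf("new userns + new netns:  %s\n",
           describe(probe_af_packet(CLONE_NEWUSER | CLONE_NEWNET)));
    return 0;
}
```

Run it as an ordinary user; as root the first probe is expected to succeed since root already holds CAP_NET_RAW in the initial user namespace.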