by minimaltom 39 days ago
This attack class lets you escalate from any user to UID 0. Not running as root won't save you; in fact, this attack is for those processes not running as root.

However, if you are in a user namespace where UID 0 doesn't map to system-wide capabilities, and you don't share page cache for the setuid binaries on the system, this attack doesn't lead to LPE.


setuid binaries are not the only way to get root. E.g. one can change /etc/crontab or /etc/passwd. Or add a trojan to /bin/ls and wait until the admin types 'ls'.

It's not always as easy as you imply. All the attack vectors you mentioned require root on the host before you can make the change or install the trojan.

The attack gives you the ability to overwrite any cached page. So you don't need to be root to "edit" /etc/passwd.

Not of the host system, assuming we're talking about a compromised VM running as a non-root user.

I assume you mean container, not VM. But yes, a container makes it harder.

Worth adding also that you can only use these vectors to corrupt the page cache for files reachable in your mount namespace.

Usually with containers, almost nothing is shared with the host namespaces (though likely shared with other container namespaces; hopefully none of those are --priv).