Some sysctls are modifiable in a user namespace, some are not. We should have a list of such sysctls.
Compiling that list is hard, but the list of sysctls that cannot even be read inside a user namespace can be identified easily:
$ uname -a
Linux suda-ws01 5.11.0-17-generic #18-Ubuntu SMP Thu May 6 20:10:11 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ unshare -rminpCTf --mount-proc sysctl -a >/dev/null
sysctl: permission denied on key 'fs.protected_fifos'
sysctl: permission denied on key 'fs.protected_hardlinks'
sysctl: permission denied on key 'fs.protected_regular'
sysctl: permission denied on key 'fs.protected_symlinks'
sysctl: permission denied on key 'kernel.apparmor_display_secid_mode'
sysctl: permission denied on key 'kernel.cad_pid'
sysctl: permission denied on key 'kernel.unprivileged_userns_apparmor_policy'
sysctl: permission denied on key 'kernel.usermodehelper.bset'
sysctl: permission denied on key 'kernel.usermodehelper.inheritable'
sysctl: permission denied on key 'vm.mmap_rnd_bits'
sysctl: permission denied on key 'vm.mmap_rnd_compat_bits'
sysctl: permission denied on key 'vm.stat_refresh'
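As an added example (not part of the original post), the following POSIX shell script turns the one-off command above into a small inventory tool: it captures the stderr of `sysctl -a` run inside an unprivileged user namespace, extracts only the `permission denied on key` lines, and counts the unreadable keys per subsystem. The `unshare` and `sysctl` flags are the ones used in the post; the embedded sample stderr is constructed from the post's output plus one distractor line, so the parser can be exercised offline. Running the script with `--live` assumes util-linux `unshare`, procps `sysctl` and enabled user namespaces on the host.

```shell
#!/bin/sh
# Added example, not the original poster's code. Lists sysctl keys that an
# unprivileged user namespace cannot even read, by parsing sysctl's stderr.

# Run sysctl -a in a fresh user/mount/net/pid/cgroup/time namespace
# (same flags as the post) and return only its stderr on stdout.
# Assumes unshare and sysctl are installed and user namespaces are enabled.
capture_userns_sysctl_errors() {
    unshare -rminpCTf --mount-proc sysctl -a 2>&1 >/dev/null
}

# Read sysctl stderr on stdin; print the key from every
# "permission denied on key 'X'" line, sorted and de-duplicated.
# Other diagnostics (missing files, unreadable binary keys) are ignored.
unreadable_keys() {
    sed -n "s/^sysctl: permission denied on key '\([^']*\)'\$/\1/p" | sort -u
}

# Read sysctl stderr on stdin; print "<subsystem> <count>" for the
# top-level prefix (fs, kernel, vm, ...) of each unreadable key.
count_by_subsystem() {
    unreadable_keys | cut -d. -f1 | sort | uniq -c | awk '{print $2, $1}'
}

# Constructed sample stderr: three lines modelled on the post's output,
# one duplicate, and one unrelated diagnostic that must not be counted.
SAMPLE_STDERR="sysctl: permission denied on key 'fs.protected_fifos'
sysctl: permission denied on key 'kernel.cad_pid'
sysctl: permission denied on key 'vm.stat_refresh'
sysctl: permission denied on key 'fs.protected_fifos'
sysctl: cannot stat /proc/sys/fs/binfmt_misc/register: No such file or directory"

if [ "${1:-}" = "--live" ]; then
    # Real inventory of the current kernel.
    capture_userns_sysctl_errors | unreadable_keys
else
    # Offline demonstration on the constructed sample.
    printf '%s\n' "$SAMPLE_STDERR" | unreadable_keys
    printf '%s\n' "$SAMPLE_STDERR" | count_by_subsystem
fi
```

Because only stderr is parsed, a key that is readable but has an odd value never appears in the list; the duplicate line in the sample shows why `sort -u` is needed when the same key is reported more than once. Diffing the `--live` output between kernel versions is a cheap way to track changes to what a user namespace may read.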