Namespace proof
Rules 2.10, 5.16, 5.17, 5.21, 5.31
UID remap
Before the fix, uid_map starts as 0 0, so container root is host root. After Dokuru applies userns-remap, root maps to a host subuid.
PID namespace
Before hardening, host processes are visible. After the fix, the process list is container-scoped.
Namespace links
Compare /proc/self/ns/* before and after Dokuru recreates the container.
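The checks above, as an added example that is not Dokuru's own code: it parses a container's uid_map and its /proc/self/ns/* links, and goes one step beyond a plain before/after diff by comparing the links against the host's own. The function names, the inode numbers and the 100000 subuid are constructed for illustration.

```python
import re

NS_LINK = re.compile(r"(\w+) -> \w+:\[(\d+)\]")  # e.g. "pid -> pid:[4026531836]"

def parse_uid_map(text):
    """Each uid_map line is: inside_start outside_start count."""
    return [tuple(map(int, line.split())) for line in text.splitlines() if line.strip()]

def host_uid(uid, mapping):
    """Host UID behind a container UID, or None when it is unmapped."""
    for inside, outside, count in mapping:
        if inside <= uid < inside + count:
            return outside + uid - inside
    return None

def parse_ns(listing):
    """Namespace name -> inode, from `ls -l /proc/self/ns` style lines."""
    return {name: int(inode) for name, inode in NS_LINK.findall(listing)}

def shared(container, host):
    """Namespaces whose inode equals the host's, i.e. not isolated."""
    return sorted(n for n in container if host.get(n) == container[n])

# Constructed samples: inode numbers and the 100000 subuid are made up.
HOST_NS = """\
ipc -> ipc:[4026531839]
pid -> pid:[4026531836]
user -> user:[4026531837]
uts -> uts:[4026531838]
"""
BEFORE_NS = HOST_NS  # container started with host ipc/pid/user/uts namespaces
AFTER_NS = """\
ipc -> ipc:[4026532702]
pid -> pid:[4026532703]
user -> user:[4026532700]
uts -> uts:[4026532701]
"""
BEFORE_UID_MAP = "         0          0 4294967295\n"
AFTER_UID_MAP = "         0     100000      65536\n"

def summarize(uid_map, ns, host_ns=HOST_NS):
    """Return (host UID of container root, namespaces shared with the host)."""
    return host_uid(0, parse_uid_map(uid_map)), shared(parse_ns(ns), parse_ns(host_ns))

if __name__ == "__main__":
    print("before:", summarize(BEFORE_UID_MAP, BEFORE_NS))
    print("after: ", summarize(AFTER_UID_MAP, AFTER_NS))
```

A changed inode on its own only shows that a new namespace was created, which happens for mnt and net on every container recreation; matching against the host's links is what shows whether a namespace is still shared.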