
Bottom line - locally exploitable vulnerability in the Linux kernel, in case you have the CAP_NET_RAW capability, which never really happens. Not a real security threat for your standard Linux distro.

On the other hand, this is a great technical write-up that thoroughly describes the internals of some of the Linux kernel subsystems. Probably the best documentation you can find for some subsystems. It also shows how they bypassed exploit mitigation techniques such as KASLR, SMAP & SMEP.



No.

Create a new user namespace and you have CAP_NET_RAW within your shiny new namespace.


Right, but "unprivileged user namespaces" are disabled in many contexts, because they've been a source of many vulnerabilities due to code originally thought to only be reachable by root anyway.

Arch Linux has user namespaces disabled, Docker does not use them by default and does not allow them inside containers by default, on Ubuntu I make sure to disable kernel.unprivileged_userns_clone on all the servers I deploy to, etc.


But you need capabilities to create that new user namespace (CAP_SYS_ADMIN, I think)


No. It's exploitable by a normal unprivileged user on modern Ubuntu. From the article, "Let’s see how we can exploit this vulnerability. I’m going to be targeting x86-64 Ubuntu 16.04.2 with 4.8.0-41-generic kernel version with KASLR, SMEP and SMAP enabled. Ubuntu kernel has user namespaces available to unprivileged users (CONFIG_USER_NS=y and no restrictions on it’s usage), so the bug can be exploited to gain root privileges by an unprivileged user."


That's pretty interesting. Does it mean it allows escaping Docker containers if you compromise a service run as root in it?


As a rule of thumb, an attacker can ALWAYS escape from Docker containers.

These containers are a lightweight way to separate processes. They are not intended as a security measure to isolate malicious processes that try to escape.


No, Docker usually drops CAP_NET_RAW within the container. But you can change that and other container technologies definitely keep CAP_NET_RAW within the container.


Not true. CAP_NET_RAW is on by default: https://github.com/moby/moby/blob/master/oci/defaults_linux....

Otherwise no one could ping from a container.


Thanks for the correction.


BTW: Depending on the configuration you can create a new namespace within Docker to gain CAP_NET_RAW since namespaces can nest.


You also need to create a network namespace, because to create an AF_PACKET socket you need to have CAP_NET_RAW in the user namespace that owns your network namespace, not the user namespace you're in.
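The two points made in this subthread (that unprivileged user namespaces may be disabled by the distro or by a sysctl, and that an AF_PACKET socket needs CAP_NET_RAW in the user namespace that owns the network namespace, so a new user namespace alone is not enough) can be checked directly. The following program is an added example, written for this page and not taken from the thread or from the article it discusses. It probes AF_PACKET three times: as the process is, after unshare(CLONE_NEWUSER) alone, and after unshare(CLONE_NEWUSER | CLONE_NEWNET). The helper cap_in_capeff() parses the CapEff line of a /proc/<pid>/status text, so that the "is CAP_NET_RAW in my effective set" check can also be run on constructed input; the Docker capability mask values in its comments are assumptions for illustration, taken from the bit position of CAP_NET_RAW (13), not from the linked moby file.

```c
/* Added example: does a fresh user namespace give me a usable CAP_NET_RAW?
 * Not code from the thread or the article. Linux only; build with
 *   cc -O2 -Wall -o nsprobe nsprobe.c && ./nsprobe
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <arpa/inet.h>        /* htons */
#include <linux/if_ether.h>   /* ETH_P_ALL */

#define CAP_NET_RAW 13   /* bit index from <linux/capability.h> */

/* Return 1 if bit `cap` is set in the CapEff line of a /proc/<pid>/status
 * text, 0 if clear, -1 if there is no CapEff line. Pure function, so it can
 * be fed constructed status text. For example (assumed masks) a CapEff of
 * 00000000a80425fb has bit 13 set, 00000000a80405fb has it cleared. */
static int cap_in_capeff(const char *status, int cap)
{
    const char *p = strstr(status, "CapEff:");
    if (!p) return -1;
    unsigned long long mask = strtoull(p + 7, NULL, 16); /* skips the tab */
    return (int)((mask >> cap) & 1ULL);
}

/* Try to open a raw packet socket; 0 on success, errno on failure.
 * This is the operation the kernel gates on CAP_NET_RAW in the user
 * namespace owning the *network* namespace of the caller. */
static int probe_af_packet(void)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Best-effort write of a uid_map/gid_map/setgroups file; failures are
 * not fatal because the capability check does not depend on the mapping. */
static void write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return;
    if (write(fd, text, strlen(text)) < 0) { /* ignored */ }
    close(fd);
}

/* Fork, unshare `flags` in the child, map our uid/gid to 0 inside the new
 * user namespace, probe AF_PACKET and send the result back.
 * Returns 0 or errno from the probe, or -1 if unshare() itself failed
 * (e.g. kernel.unprivileged_userns_clone=0 or a seccomp filter). */
static int probe_in_namespace(int flags)
{
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int rc = -1;
        close(fds[0]);
        unsigned uid = getuid(), gid = getgid();
        if (unshare(flags) == 0) {
            char buf[64];
            snprintf(buf, sizeof buf, "0 %u 1\n", uid);
            write_file("/proc/self/uid_map", buf);
            write_file("/proc/self/setgroups", "deny\n");
            snprintf(buf, sizeof buf, "0 %u 1\n", gid);
            write_file("/proc/self/gid_map", buf);
            rc = probe_af_packet();
        }
        if (write(fds[1], &rc, sizeof rc) < 0) { /* ignored */ }
        _exit(0);
    }
    close(fds[1]);
    int rc = -1;
    if (read(fds[0], &rc, sizeof rc) != (ssize_t)sizeof rc) rc = -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return rc;
}

static const char *describe(int rc)
{
    if (rc == 0) return "AF_PACKET socket created";
    if (rc < 0)  return "unshare() failed (user namespaces disabled/blocked)";
    return strerror(rc);
}

int main(void)
{
    printf("as-is:                %s\n", describe(probe_af_packet()));
    printf("CLONE_NEWUSER only:   %s\n", describe(probe_in_namespace(CLONE_NEWUSER)));
    printf("CLONE_NEWUSER|NEWNET: %s\n",
           describe(probe_in_namespace(CLONE_NEWUSER | CLONE_NEWNET)));
    return 0;
}
```

Run as an unprivileged user on a kernel with unrestricted unprivileged user namespaces and the expected pattern is EPERM for the first two lines and a created socket for the third: the new user namespace grants CAP_NET_RAW, but only over a network namespace it owns. With kernel.unprivileged_userns_clone=0 (or Docker's default seccomp profile, which blocks unshare), the second and third lines report the unshare() failure instead, which is exactly the hardening the thread describes.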



