From: Krister Johansen <k...@templeofstupid.com>
Date: Wed, 11 Jan 2017 22:52:25 -0800

> Add net.ipv4.ip_unprotected_port_start, which is a per namespace sysctl
> that denotes the first unprotected inet port in the namespace.  To
> disable all protected ports set this to zero.  It also checks for
> overlap with the local port range.  The protected and local range may
> not overlap.
> 
> The use case for this change is to allow containerized processes to bind
> to privileged ports, but prevent them from ever being allowed to modify
> their container's network configuration.  The latter is accomplished by
> ensuring that the network namespace is not a child of the user
> namespace.  This modification was needed to allow the container manager
> to disable a namespace's privileged port restrictions without exposing
> control of the network namespace to processes in the user namespace.
> 
> Signed-off-by: Krister Johansen <k...@templeofstupid.com>

This is what CAP_NET_BIND_SERVICE is for, and why it is a separate
network privilege; please use it.
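The reply's point is that the kernel already separates "may bind a privileged port" (CAP_NET_BIND_SERVICE) from "may reconfigure the network" (CAP_NET_ADMIN), so a container manager can grant the former without the latter. The following added example, which is not part of the thread or of either poster's code, shows how an auditor would read a process's effective capability set from its /proc status and predict whether a bind() to a given port will pass the privilege check. It assumes the standard Linux `/proc/<pid>/status` layout (hex `CapEff:` bitmask), the kernel's capability numbers CAP_NET_BIND_SERVICE = 10 and CAP_NET_ADMIN = 12, and the default privileged range of ports below 1024; the status text is constructed for the example.

```python
"""Audit a process's capability set for the privileged-port bind check.

Added example, not code from the thread. Assumes the standard Linux
/proc/<pid>/status format and the capability indices from
<linux/capability.h>.
"""
import re

CAP_NET_BIND_SERVICE = 10   # lets a process bind ports below the limit
CAP_NET_ADMIN = 12          # lets a process reconfigure the network stack
PRIVILEGED_PORT_LIMIT = 1024  # default: ports 0..1023 are privileged


def parse_cap_mask(status_text, field="CapEff"):
    """Return the integer bitmask of one capability set (e.g. CapEff)."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError(f"{field} not present in status text")
    return int(m.group(1), 16)


def has_cap(mask, cap_index):
    """True if capability number `cap_index` is set in `mask`."""
    return bool((mask >> cap_index) & 1)


def bind_expected(status_text, port):
    """Predict whether bind() to `port` passes the kernel privilege check.

    Ports at or above the limit never need a capability; below it the
    process must hold CAP_NET_BIND_SERVICE in its effective set.
    """
    if port >= PRIVILEGED_PORT_LIMIT:
        return True
    return has_cap(parse_cap_mask(status_text), CAP_NET_BIND_SERVICE)


def audit(status_text):
    """Summarise the two capabilities the thread distinguishes."""
    eff = parse_cap_mask(status_text)
    return {
        "can_bind_privileged_ports": has_cap(eff, CAP_NET_BIND_SERVICE),
        "can_admin_network": has_cap(eff, CAP_NET_ADMIN),
    }


def read_self_status():
    """Read the live status of the current process (Linux only)."""
    with open("/proc/self/status") as f:
        return f.read()


# Constructed sample: a container process whose effective set is
# CAP_CHOWN (bit 0) and CAP_NET_BIND_SERVICE (bit 10) -> 0x401.
# It can bind port 80 but cannot touch the network configuration.
SAMPLE_STATUS_BIND_ONLY = (
    "Name:\tnginx\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000401\n"
    "CapEff:\t0000000000000401\n"
    "CapBnd:\t0000000000000401\n"
)

# Constructed sample: fully unprivileged process (empty effective set).
SAMPLE_STATUS_NONE = (
    "Name:\tworker\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000000000000000\n"
)

if __name__ == "__main__":
    for label, text in (("bind-only", SAMPLE_STATUS_BIND_ONLY),
                        ("none", SAMPLE_STATUS_NONE)):
        print(label, audit(text))
        for port in (80, 443, 8080):
            print(f"  port {port}: bind expected = {bind_expected(text, port)}")
```

On a real host, `audit(read_self_status())` reports the running process; pointing the parser at `/proc/<pid>/status` of a container's init process is a quick way to confirm that the process holds CAP_NET_BIND_SERVICE but not CAP_NET_ADMIN, which is exactly the separation the reply recommends relying on.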