From: Krister Johansen <k...@templeofstupid.com>
Date: Wed, 11 Jan 2017 22:52:25 -0800
> Add net.ipv4.ip_unprotected_port_start, which is a per namespace sysctl
> that denotes the first unprotected inet port in the namespace. To
> disable all protected ports set this to zero. It also checks for
> overlap with the local port range. The protected and local range may
> not overlap.
>
> The use case for this change is to allow containerized processes to bind
> to privileged ports, but prevent them from ever being allowed to modify
> their container's network configuration. The latter is accomplished by
> ensuring that the network namespace is not a child of the user
> namespace. This modification was needed to allow the container manager
> to disable a namespace's privileged port restrictions without exposing
> control of the network namespace to processes in the user namespace.
>
> Signed-off-by: Krister Johansen <k...@templeofstupid.com>

This is what CAP_NET_BIND_SERVICE is for, and why it is a separate network
privilege, please use it.
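Added example, not part of the original message or the patch: a small C audit helper that reads the capability masks from the text of a `/proc/<pid>/status` file and reports whether CAP_NET_BIND_SERVICE (bit 10 in `<linux/capability.h>`) is set. The function name and the sample status text are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_BIND_SERVICE_BIT 10 /* value from <linux/capability.h> */

/* Constructed sample of /proc/<pid>/status for a containerized service. */
static const char SAMPLE_STATUS[] =
    "Name:\tnginx\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapBnd:\t00000000a80425fb\n";

/*
 * Look up one capability field (e.g. "CapEff") in status text.
 * Returns 1 if CAP_NET_BIND_SERVICE is set in that mask, 0 if it is
 * clear, and -1 if the field is missing or has no hex value.
 */
int cap_field_has_net_bind(const char *status, const char *field)
{
    size_t flen = strlen(field);
    const char *line = status;

    while (line && *line) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *p = line + flen + 1;
            while (*p == ' ' || *p == '\t')
                p++;
            /* Reject an empty value so the next line is never parsed. */
            if (!isxdigit((unsigned char)*p))
                return -1;
            unsigned long long mask = strtoull(p, NULL, 16);
            return (int)((mask >> CAP_NET_BIND_SERVICE_BIT) & 1ULL);
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

int main(void)
{
    printf("CapEff has CAP_NET_BIND_SERVICE: %d\n",
           cap_field_has_net_bind(SAMPLE_STATUS, "CapEff"));
    return 0;
}
```

The kernel evaluates this capability against the user namespace that owns the socket's network namespace, so a set bit in a process's own user namespace does not by itself permit the bind.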