From: Krister Johansen <k...@templeofstupid.com> Date: Fri, 20 Jan 2017 17:49:11 -0800
> Add net.ipv4.ip_unprivileged_port_start, which is a per namespace sysctl > that denotes the first unprivileged inet port in the namespace. To > disable all privileged ports set this to zero. It also checks for > overlap with the local port range. The privileged and local range may > not overlap. > > The use case for this change is to allow containerized processes to bind > to priviliged ports, but prevent them from ever being allowed to modify > their container's network configuration. The latter is accomplished by > ensuring that the network namespace is not a child of the user > namespace. This modification was needed to allow the container manager > to disable a namespace's priviliged port restrictions without exposing > control of the network namespace to processes in the user namespace. > > Signed-off-by: Krister Johansen <k...@templeofstupid.com> I'm not ignoring this change, I just want to think about it some more. Just FYI...