On Wed, 17 Apr 2019 08:43:06 -0700, Richard Cochran wrote:
> If NET_ADMIN is enabled in the container, don't the host and container
> contend with each other for the physical interfaces anyhow?
Physical interfaces are not a problem, as each interface can be only in a
single net namespace. The problem here is that this patch gives access to
physical interface settings through a virtual interface layered on top of it.
Whenever such a thing is done, the virtual interface needs to provide a
suitable way of moderating access to the shared resources, so the individual
virtual interfaces do not affect each other. That's not what's being done here.

I think this patch is wrong.

Jiri