I’ve a friend who reported to me that when he attempts to drop net_raw and net_admin in the config of one unprivileged container with LXC 3.0.4, he’s still able to run a tcpdump in the container, or change the network parameters.
I suspect it’s due to the fact that lxc-user-nic is suid. Does this seem relevant?
More generally, is there a way to restrict network manipulations after a container startup? Is it feasible within LXC 4?
I got more intel from my friend. The issues he met were on a Proxmox cluster, and not a bare Debian. After having run some tests on a bare Debian, everything works as expected.
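A quick way to verify from inside the container whether the `lxc.cap.drop = net_admin net_raw` setting actually took effect is to decode the `CapBnd` (bounding set) line of `/proc/self/status`: if `CAP_NET_ADMIN` (bit 12) or `CAP_NET_RAW` (bit 13) is still set there, tcpdump and interface changes will keep working regardless of what the config says. The script below is an added example, not code from the original post or from the LXC project; the two sample status files it builds are constructed inputs, and the bit numbers come from `<linux/capability.h>`.

```bash
#!/bin/bash
# Added example: decode the capability bounding set of a process and report
# whether the network capabilities the post is about are really gone.
# Bit numbers from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# cap_in_mask HEXMASK BIT -> prints 1 if BIT is set in HEXMASK, else 0
cap_in_mask() {
    local mask=$1 bit=$2
    echo $(( (0x$mask >> bit) & 1 ))
}

# read_cap_field STATUSFILE FIELD -> the hex mask after e.g. "CapBnd:"
read_cap_field() {
    awk -v f="$2:" '$1 == f { print $2 }' "$1"
}

# check_net_caps STATUSFILE -> "dropped" when neither CAP_NET_ADMIN nor
# CAP_NET_RAW is in the bounding set, "present" otherwise.
check_net_caps() {
    local bnd
    bnd=$(read_cap_field "$1" CapBnd)
    if [ "$(cap_in_mask "$bnd" $CAP_NET_ADMIN)" = 0 ] \
       && [ "$(cap_in_mask "$bnd" $CAP_NET_RAW)" = 0 ]; then
        echo dropped
    else
        echo present
    fi
}

# Constructed sample status files (only the lines that matter are included).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_FULL=$SAMPLE_DIR/status_full        # root in a container where the drop did not apply
SAMPLE_DROPPED=$SAMPLE_DIR/status_dropped  # same, with bits 12 and 13 cleared (0x3000 removed)
cat > "$SAMPLE_FULL" <<'EOF'
Name:   bash
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
EOF
cat > "$SAMPLE_DROPPED" <<'EOF'
Name:   bash
CapInh: 0000000000000000
CapPrm: 0000003fffffcfff
CapEff: 0000003fffffcfff
CapBnd: 0000003fffffcfff
EOF

echo "sample (caps kept):    $(check_net_caps "$SAMPLE_FULL")"
echo "sample (caps dropped): $(check_net_caps "$SAMPLE_DROPPED")"
# When run inside the container itself, report the current process too.
[ -r /proc/self/status ] && echo "this process:          $(check_net_caps /proc/self/status)"
```

Run it as root inside the container after a restart with the `lxc.cap.drop` line in place; "present" for the current process means the bounding set still carries the capabilities, so the container config is not what is governing them. The same mask can be cross-checked with `capsh --decode=<mask>` from libcap, which prints the capability names.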