Can't drop net_raw, net_admin effectively on unprivileged containers


I’ve a friend who reported to me that when he attempts to drop net_raw and net_admin in the config of one unprivileged container with LXC3.0.4, he’s still able to run a tcpdump in the container, or change the network parameters.

I suspect it’s due to the fact that lxc-user-nic is suid. Does this seem relevant?

More generally, is there a way to restrict network manipulations after a container startup? Is it feasible within LXC4?


It’s likely more related to how capabilities work (or don’t) in unprivileged containers.

The container will not be capable of net_raw or net_admin against the host namespace but it will be against its own namespace.

Still, lxc.cap.drop should be able to drop those too. I’d recommend testing on LXC 4.0.x and see if that’s still an issue.

I got more intel from my friend. The issues he met were on a Proxmox cluster, and not a bare Debian. After having run some tests on a bare Debian, everything works as expected.

Feel free to close that topic.