Displaying 2 results from an estimated 2 matches for "clone_newnet".
2016 May 01
12
[Bug 1064] New: iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
Bug ID: 1064
Summary: iptables-save fails silently in unprivileged lxc/lxd container
Product: iptables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component:
2011 Jun 22
3
sandbox pre-auth privsep child
Hi,
This patch (relative to -HEAD) defines an API to allow sandboxing of the
pre-auth privsep child and a couple of sandbox implementations.
The idea here is to heavily restrict what the network-facing pre-auth
process can do. This was the original intent behind dropping to a
dedicated uid and chrooting to an empty directory, but even this still
allows a compromised slave process to make new