
Docker 20 should not override sysctl ip_unprivileged_port_start to 0 for existing networks #1297

Description

@dubo-dubon-duponey

moby/moby#41030 changed the behavior of Docker with respect to the NET_BIND_SERVICE capability by allowing non-root users to bind to privileged ports even when NET_BIND_SERVICE is not allowed.

If I understand correctly the intent here: https://github.com/moby/moby/pull/41030/files#diff-9f91bff23e0bd70d6429b63d9db2d8180d2e89cdb64db4fb3e10a96f74d36271R782-R783

this change should apply only to newly created networks, and specifically not to net=host or existing networks.

However, this does not seem to be true (for existing networks):

# Works as expected
docker run --rm --pull always  -ti debian cat /proc/sys/net/ipv4/ip_unprivileged_port_start
# -> 0

# Works as expected
docker run --rm --pull always  -ti --net host debian cat /proc/sys/net/ipv4/ip_unprivileged_port_start
# -> 1024

# Does NOT work as expected IMO
docker run --rm --pull always  -ti --net dubo-macvlan debian cat /proc/sys/net/ipv4/ip_unprivileged_port_start
# -> 0 not expected

The above network (dubo-macvlan) had been created previously with docker network create, and I was expecting it to inherit whatever is defined on the host instead of getting ip_unprivileged_port_start=0.

This is especially problematic for vlan networks (as in this case), as this is changing the security properties of containers exposed on the vlan compared to docker 19, and essentially now (in docker 20) making --cap-drop NET_BIND_SERVICE a no-op.

Am I missing something here (specifically on the intent of that changeset)?

Thanks.

cc @justincormack
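The comparison the report does by hand (read ip_unprivileged_port_start inside a container per network and compare it with the host) can be scripted so that any network whose containers no longer inherit the host value is flagged. The script below is an added example for this issue, not code from moby or docker; it assumes a working `docker` CLI, the `debian` image used above, and a `runner` hook so the decision logic can be exercised without Docker. `port_requires_cap` mirrors the kernel rule that a port needs CAP_NET_BIND_SERVICE only when it is below the sysctl value, which is why a value of 0 turns `--cap-drop NET_BIND_SERVICE` into a no-op.

```python
"""Audit ip_unprivileged_port_start inside containers attached to given Docker
networks and compare it with the host value.

Added example for this issue; not part of moby/docker. Assumes the docker CLI
is on PATH and that the image has `cat`.
"""
import subprocess
from typing import Callable, Dict, List

SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"
IMAGE = "debian"  # assumption: same image as in the report; any image with `cat` works

# A runner takes the docker arguments (without the leading "docker") and returns stdout.
Runner = Callable[[List[str]], str]


def docker_runner(args: List[str]) -> str:
    """Default runner: invoke the real docker CLI and return its stdout."""
    proc = subprocess.run(["docker", *args], capture_output=True, text=True, check=True)
    return proc.stdout


def read_host_value() -> int:
    """Read the host's own sysctl value (the value containers are expected to inherit)."""
    with open(SYSCTL_PATH) as f:
        return int(f.read().strip())


def read_container_value(network: str, runner: Runner = docker_runner) -> int:
    """Start a throwaway container on `network` and read the sysctl from inside it."""
    out = runner(["run", "--rm", "--net", network, IMAGE, "cat", SYSCTL_PATH])
    return int(out.strip())


def port_requires_cap(port: int, unprivileged_start: int) -> bool:
    """Mirror the kernel check: binding `port` needs CAP_NET_BIND_SERVICE only when
    port < ip_unprivileged_port_start. With the sysctl at 0 no port needs the
    capability, so dropping NET_BIND_SERVICE no longer restricts anything."""
    return port < unprivileged_start


def audit(networks: List[str], host_value: int, runner: Runner = docker_runner) -> Dict[str, dict]:
    """For each network, record the in-container value, whether it matches the host,
    and whether --cap-drop NET_BIND_SERVICE would still block binding port 80."""
    results: Dict[str, dict] = {}
    for net in networks:
        observed = read_container_value(net, runner)
        results[net] = {
            "observed": observed,
            "host": host_value,
            "inherits_host": observed == host_value,
            "cap_drop_effective_for_port_80": port_requires_cap(80, observed),
        }
    return results


if __name__ == "__main__":
    import sys

    nets = sys.argv[1:] or ["bridge", "host"]
    for net, r in audit(nets, read_host_value()).items():
        flag = "" if r["inherits_host"] else "  <-- does not inherit host value"
        print(f"{net}: container={r['observed']} host={r['host']}{flag}")
```

Run it as `python3 audit_ports.py host bridge dubo-macvlan` on the Docker host; every network whose containers report 0 while the host reports 1024 is printed with the flag, and for those networks `cap_drop_effective_for_port_80` is `False`, which is the condition the report describes.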
