From: Stephen Hemminger <step...@networkplumber.org> Date: Mon, 13 Nov 2017 07:37:38 -0800
> The restriction came from earlier discussion with Kees and Eric. > The security folks are paranoid about containers allowing loading > of modules. Probably CAP_SYS_MODULE is enough to control this already. People running tests in namespaces that want to choose a congestion control algorithm are going to break if you add a new restriction.
