> you'd end up needing CAP_NET_RAW just to figure itself out. Is that actually common?
Not RAW itself, but you're right about the spiral. RAW is for crafting packets, which is extreme. The real spiral is into `socket`, `connect`, and `getaddrinfo`. If your principal is "everyone," you have to allow the resolver to talk to *any* DNS server to find out who "everyone" is. So your policy explodes: you're now allowing outbound UDP/53 and TCP/53 to 0.0.0.0/0, plus all the associated syscalls.
That's the slide deck trap. You wrote "allow HTTPS to trusted hosts," but the implementation requires a dozen permissive network rules just to resolve the hostnames. Suddenly your minimal container has the network surface of a desktop browser.
The fix is to invert it. Define the trusted hosts as concrete IPs or static /etc/hosts entries first. Then the workload doesn't need a general resolver at all, and you can block the socket calls entirely. The "what if" is: what if the DNS server is compromised? If you never ask, you don't care.
"Everyone" is the mental shortcut that kills the whole process. You start sketching a rule that says HTTPS to trusted hosts, but if the principal is "everyone," you can't even *list* the trusted hosts. It's not a placeholder, it's a logical error.
The moment you try to implement it, you have to ask: which DNS server is "everyone" allowed to query to resolve those hosts? That's where the slide deck policy collapses into an open resolver policy.
Self-host or die.
You nailed the starting point.
Slide deck policy logic collapses the moment you try to deploy because "everyone" forces you to resolve the ambiguity at runtime. That's when you either allow a general resolver (policy explosion) or hardcode IPs (defeating the purpose).
The RAW mention is hyperbole, but the spiral is real. You start needing glibc's NSS, which pulls in filesystem calls and name service switches you never accounted for.
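An added example, written by me and not taken from anyone in this thread, that compiles the "HTTPS to trusted hosts" intent from the two posts above (pin the hosts to IPs or /etc/hosts entries and drop the resolver, versus leave a host unpinned and watch the policy grow UDP/53 and TCP/53 rules) into concrete egress rules. Everything in it is constructed: the host names, the addresses, the function names, and the rule strings, which use nftables syntax but are produced as text only and never touched to a live kernel.

```python
"""Compile a 'HTTPS to trusted hosts' intent into concrete egress rules.

Added example (not from the thread). The same intent either stays minimal,
when every trusted host is pinned to an address, or explodes into resolver
rules the moment one host is left as a name only. Rule strings follow
nftables syntax but are generated as text; nothing here talks to the kernel.
"""
from ipaddress import ip_address
from typing import Dict, List, Optional

# Constructed sample: the "trusted hosts" as a slide deck would list them,
# already pinned to addresses. Names and IPs are made up for this example.
TRUSTED = {
    "api.example.internal": ["10.20.0.15"],
    "mirror.example.internal": ["10.20.0.16", "10.20.0.17"],
}


def compile_policy(trusted: Dict[str, Optional[List[str]]],
                   resolvers: Optional[List[str]] = None) -> dict:
    """Turn {hostname: [ips]} into /etc/hosts lines plus an egress rule list.

    A host with no pinned addresses cannot be expressed as an IP rule, so the
    workload must resolve it at runtime; that is the point where the policy
    has to admit DNS traffic. With no resolver list given, the only honest
    rule is "DNS to anywhere", which is the explosion described in the thread.
    """
    hosts_lines: List[str] = []
    rules: List[str] = ["ct state established,related accept"]
    unpinned: List[str] = []

    for name, addrs in trusted.items():
        if not addrs:
            unpinned.append(name)
            continue
        for addr in addrs:
            ip_address(addr)  # reject a bad literal instead of emitting a broken rule
            hosts_lines.append(f"{addr} {name}")
            rules.append(f"ip daddr {addr} tcp dport 443 accept")

    needs_resolver = bool(unpinned)
    if needs_resolver:
        targets = resolvers or ["0.0.0.0/0"]
        for target in targets:
            rules.append(f"ip daddr {target} udp dport 53 accept")
            rules.append(f"ip daddr {target} tcp dport 53 accept")

    rules.append("drop")
    return {
        "hosts": hosts_lines,          # static /etc/hosts entries for the pinned names
        "nft": rules,                  # ordered egress rules, default drop last
        "unpinned": unpinned,          # names that forced a resolver into the policy
        "needs_resolver": needs_resolver,
        # With no resolver traffic, socket(AF_INET, SOCK_DGRAM) can be denied
        # outright (e.g. by a seccomp arg filter); with one, it cannot.
        "udp_sockets_needed": needs_resolver,
    }


def render_nft(compiled: dict, chain: str = "egress") -> str:
    """Wrap the rule list in an nftables table/chain block (text only)."""
    body = "\n".join(f"        {rule}" for rule in compiled["nft"])
    return (
        "table inet filter {\n"
        f"    chain {chain} {{\n"
        "        type filter hook output priority 0; policy drop;\n"
        f"{body}\n"
        "    }\n"
        "}"
    )


if __name__ == "__main__":
    pinned = compile_policy(TRUSTED)
    print("# /etc/hosts\n" + "\n".join(pinned["hosts"]))
    print(render_nft(pinned))
    # The slide deck version: one host is just a name, so DNS has to be allowed.
    loose = compile_policy({"api.example.internal": ["10.20.0.15"], "everyone": None})
    print(render_nft(loose))
```

The pinned run yields three /etc/hosts lines, three TCP/443 rules and a final drop, with `udp_sockets_needed` false, so a seccomp profile can refuse UDP sockets entirely. Adding a single unpinned name flips `needs_resolver` and inserts UDP/53 and TCP/53 to 0.0.0.0/0 (or to whatever resolvers you pass), which is the "open resolver policy" the thread is complaining about, now visible as rules rather than as a vague feeling.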
Claims are cheap. Evidence is expensive.