An alternative proposed patch which verifies that mounts were not on symlinks after the fact using /proc/self/mountinfo.
Since mounts are made in a private namespace and lxc has made every effort to first force all mounts to MS_SLAVE, this should be safe. Upon failure, lxc will report an error and fail/stop the container startup.
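One way to express the after-the-fact check described above, as an added example rather than the proposed patch or lxc's own code: it looks for the intended target among the mount points (field 5) of mountinfo text, where a mount that went through a symlink shows up under a different path. The function names, the sample text and its paths are constructed for illustration, and the target is assumed to be an absolute, already-normalized path.

```c
#include <string.h>

/* Constructed sample: proc was requested at /var/lib/lxc/c1/rootfs/proc but
 * the kernel recorded the mount at /srv/elsewhere (hypothetical paths). */
static const char SAMPLE[] =
    "21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "87 21 0:45 / /srv/elsewhere rw,nosuid - proc proc rw\n"
    "88 21 0:46 / /var/lib/lxc/c1/rootfs/my\\040data rw - tmpfs tmpfs rw\n";

#define OCT(c, max) ((c) >= '0' && (c) <= (max))
/* Decode the kernel's octal escapes in path fields (\040 is a space). */
static void unescape(const char *s, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < len && o + 1 < outsz; i++) {
        if (s[i] == '\\' && i + 3 < len && OCT(s[i+1], '3') &&
            OCT(s[i+2], '7') && OCT(s[i+3], '7')) {
            out[o++] = (char)(((s[i+1]-'0') << 6) | ((s[i+2]-'0') << 3) | (s[i+3]-'0'));
            i += 3;
        } else {
            out[o++] = s[i];
        }
    }
    out[o] = '\0';
}

/* Return 1 if some entry's mount point (field 5) equals `expected`,
 * 0 if the mount is not recorded at that exact path. */
int mount_landed_at(const char *mountinfo, const char *expected)
{
    char mp[4096];
    for (const char *line = mountinfo; line && *line; ) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = line;
        int field = 1;
        /* Skip fields 1-4: mount ID, parent ID, major:minor, root. */
        for (; field < 5 && (p = memchr(p, ' ', (size_t)(end - p))) != NULL; field++)
            p++;
        if (field == 5) {
            const char *sp = memchr(p, ' ', (size_t)(end - p));
            unescape(p, (size_t)((sp ? sp : end) - p), mp, sizeof mp);
            if (strcmp(mp, expected) == 0) return 1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Exit non-zero when the mount is not where it was requested. */
int main(void) { return mount_landed_at(SAMPLE, "/var/lib/lxc/c1/rootfs/proc") ? 0 : 1; }
```

A mount that already existed at the same path would also satisfy this check, so a caller would compare the mountinfo contents from before and after the mount.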