Comment 17 for bug 1476662

Serge Hallyn (serge-hallyn) wrote :

An alternative proposed patch which verifies that mounts were not on symlinks after the fact using /proc/self/mountinfo.

Since mounts are made in a private namespace and lxc has made every effort to first force all mounts to MS_SLAVE, this should be safe. Upon failure, lxc will report an error and fail/stop the container startup.
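As an added illustration of the after-the-fact check described above (example code written for this page, not the patch from the bug or LXC's own code): it parses constructed /proc/self/mountinfo lines and flags any mount point that ended up outside the container rootfs or sits beneath a symlinked path component. The rootfs layout, the mountinfo lines and the `bad_mounts` helper name are all my own assumptions.

```python
import os
import re
import stat
import tempfile

_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape_mountinfo(field):
    """Decode the \\NNN octal escapes mountinfo uses for space, tab, newline, backslash."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Return (mount_point, fstype) per line.
    Layout: id parent maj:min root mount_point opts [optional...] - fstype source superopts"""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        fields = pre.split()
        fstype = post.split()[0] if post else ""
        entries.append((unescape_mountinfo(fields[4]), fstype))
    return entries

def path_has_symlink(rootfs, mount_point):
    """True if any component of mount_point below rootfs is a symlink (lstat, never follows)."""
    cur = rootfs
    for comp in os.path.relpath(mount_point, rootfs).split(os.sep):
        cur = os.path.join(cur, comp)
        try:
            if stat.S_ISLNK(os.lstat(cur).st_mode):
                return True
        except FileNotFoundError:
            return False  # path does not exist; nothing to follow
    return False

def bad_mounts(mountinfo_text, rootfs):
    """Mount points that escaped rootfs or were reached through a symlink: reason to abort startup."""
    rootfs = os.path.abspath(rootfs)
    bad = []
    for mp, _fstype in parse_mountinfo(mountinfo_text):
        inside = mp == rootfs or mp.startswith(rootfs + os.sep)
        if not inside or path_has_symlink(rootfs, mp):
            bad.append(mp)
    return bad

def demo():
    """Constructed scenario: rootfs with a real proc/ dir and a dev -> outside-rootfs symlink."""
    base = tempfile.mkdtemp()
    rootfs = os.path.join(base, "my rootfs")  # the space exercises \040 unescaping
    os.makedirs(os.path.join(rootfs, "proc"))
    os.makedirs(os.path.join(base, "outside"))
    os.symlink(os.path.join(base, "outside"), os.path.join(rootfs, "dev"))
    esc = rootfs.replace(" ", "\\040")
    text = (f"100 99 0:3 / {esc}/proc rw - proc proc rw\n"          # fine: inside, no symlink
            f"101 99 0:5 / {esc}/dev rw - devtmpfs dev rw\n"        # flagged: dev is a symlink
            f"102 99 0:6 / {base}/outside/pts rw - devpts devpts rw\n")  # flagged: outside rootfs
    return bad_mounts(text, rootfs)
```

Running `demo()` returns the two offending mount points; in a real check the text would come from reading /proc/self/mountinfo after the mounts are done.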