Comment 46 for bug 1476662

Quoting Roman Fiedler (<email address hidden>):
> Also to me. If I understand correctly, code inside e.g. validate_symlink
> is only secure when applied to a non-running container (where any

The code is only run against non-running containers, however the symlinks
can be changed if the container configuration (under the host admin's
control) has two mount entries, the first bind-mounting the attacker's
homedir into the container, and the second mounting to someplace under
the bind-mounted home.

So the TOCTTOU between readlink and openat is a problem. Sigh.

We could re-check the readlink after the openat, but the attacker could
presumably try to very quickly move the link back...

So using destbuf may be better. If the target is also a link, simply
returning EPERM at that point should be ok. We're not trying to support
every possible configuration. The real cases we need to support are
things like /proc/net.
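The race discussed in this comment is the gap between readlink (the check) and a later openat of the link name (the use, which follows whatever the link points to at that instant). The suggestion to use destbuf instead means opening the already-validated target string directly, never the link name, and refusing if that target is itself a link. The following is an added example, not LXC's validate_symlink nor any code from this bug thread; the validation policy (reject empty, absolute and ".." targets), the function names and the scratch fixture under /tmp are all assumptions made for illustration. Every path component of destbuf is opened with O_NOFOLLOW, so swapping the link back and forth between the check and the open has no effect.

```c
/* Added example, not LXC code: open a symlink's validated target without
 * ever following the link name. Linux-specific (O_PATH, openat, *at calls). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read link dirfd/name into destbuf and apply an assumed policy: reject
 * empty, absolute and any ".." component. Returns 0 or -errno. */
static int read_and_validate_link(int dirfd, const char *name,
                                  char *destbuf, size_t destlen)
{
    ssize_t n = readlinkat(dirfd, name, destbuf, destlen - 1);
    if (n < 0)
        return -errno;
    destbuf[n] = '\0';
    if (n == 0 || destbuf[0] == '/')
        return -EPERM;
    char tmp[PATH_MAX], *save = NULL;
    snprintf(tmp, sizeof tmp, "%s", destbuf);
    for (char *c = strtok_r(tmp, "/", &save); c; c = strtok_r(NULL, "/", &save))
        if (strcmp(c, "..") == 0)
            return -EPERM;
    return 0;
}

/* Open destbuf relative to dirfd, component by component, never following a
 * symlink: intermediates are opened O_PATH|O_NOFOLLOW and inspected with
 * fstat (a symlink there is EPERM), the last with flags|O_NOFOLLOW (a symlink
 * there gives ELOOP, reported as EPERM). Returns an fd or -errno. */
static int open_nofollow_path(int dirfd, const char *destbuf, int flags)
{
    char tmp[PATH_MAX], *save = NULL;
    snprintf(tmp, sizeof tmp, "%s", destbuf);
    int cur = fcntl(dirfd, F_DUPFD_CLOEXEC, 0);
    if (cur < 0)
        return -errno;
    char *comp = strtok_r(tmp, "/", &save);
    if (!comp) {
        close(cur);
        return -EINVAL;
    }
    while (comp) {
        char *next = strtok_r(NULL, "/", &save);
        int nfd = openat(cur, comp, next ? (O_PATH | O_NOFOLLOW | O_CLOEXEC)
                                         : (flags | O_NOFOLLOW | O_CLOEXEC));
        int err = nfd < 0 ? errno : 0;
        close(cur);
        if (nfd >= 0 && next) {
            struct stat st;
            if (fstat(nfd, &st) < 0)
                err = errno;
            else if (S_ISLNK(st.st_mode))
                err = EPERM;        /* symlink in the middle of the target */
            else if (!S_ISDIR(st.st_mode))
                err = ENOTDIR;
        }
        if (err == ELOOP)
            err = EPERM;            /* final target component is itself a link */
        if (err) {
            if (nfd >= 0)
                close(nfd);
            return -err;
        }
        cur = nfd;
        comp = next;
    }
    return cur;
}

/* Validate symlink dir/name and open its target. Returns an fd or -errno;
 * destbuf receives the link text. */
static int open_via_link(const char *dir, const char *name,
                         char *destbuf, size_t destlen)
{
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0)
        return -errno;
    int rc = read_and_validate_link(dirfd, name, destbuf, destlen);
    if (rc == 0)
        rc = open_nofollow_path(dirfd, destbuf, O_RDONLY);
    close(dirfd);
    return rc;
}

/* Constructed fixture (not from the bug): a scratch dir holding a file,
 * a real subdirectory and links of each interesting kind. */
static int setup_fixture(char *dir, size_t len)
{
    snprintf(dir, len, "/tmp/symlink-demo-XXXXXX");
    if (!mkdtemp(dir))
        return -errno;
    int d = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (d < 0)
        return -errno;
    int rc = 0, f2 = -1;
    int f1 = openat(d, "target.txt", O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644);
    if (f1 < 0 || mkdirat(d, "dir", 0755) < 0 ||
        (f2 = openat(d, "dir/target.txt", O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644)) < 0 ||
        symlinkat("target.txt", d, "good") < 0 ||        /* link -> file: allowed */
        symlinkat("dir/target.txt", d, "indir") < 0 ||   /* via a real dir: allowed */
        symlinkat("good", d, "chain") < 0 ||             /* link -> link: EPERM */
        symlinkat("../etc/passwd", d, "escape") < 0 ||   /* "..": EPERM by policy */
        symlinkat("dir", d, "lnkdir") < 0 ||
        symlinkat("lnkdir/target.txt", d, "viadir") < 0) /* link dir in path: EPERM */
        rc = -errno;
    if (f1 >= 0) close(f1);
    if (f2 >= 0) close(f2);
    close(d);
    return rc;
}

int main(void)
{
    char dir[PATH_MAX], dest[PATH_MAX];
    const char *names[] = { "good", "indir", "chain", "escape", "viadir", "target.txt" };
    if (setup_fixture(dir, sizeof dir) < 0) { perror("setup"); return 1; }
    for (size_t i = 0; i < sizeof names / sizeof *names; i++) {
        int fd = open_via_link(dir, names[i], dest, sizeof dest);
        if (fd >= 0) { printf("%-10s -> %-16s opened\n", names[i], dest); close(fd); }
        else printf("%-10s refused: %s\n", names[i], strerror(-fd));
    }
    return 0;
}
```

On kernels 5.6 and later the per-component walk can be replaced by a single openat2() call with RESOLVE_NO_SYMLINKS (and RESOLVE_BENEATH to also stop ".." escapes); the manual walk above only exists so the example runs on older systems and makes the per-step check visible.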