Hi Serge - this patch looks good for the most part but I'm curious if it is possible for a container admin to modify the target path during or after the ensure_not_symlink() checks and before the mount? It feels like there's a TOCTOU issue in there but maybe the admin can't possibly make changes while the check is happening?
Hi Serge - this patch looks good for the most part but I'm curious if it is possible for a container admin to modify the target path during or after the ensure_ not_symlink( ) checks and before the mount? It feels like there's a TOCTOU issue in there but maybe the admin can't possibly make changes while the check is happening?