Comment 9 for bug 1476662

Serge Hallyn (serge-hallyn) wrote :

Yup, that race is there in theory. This appears to be yet another reason to push for a 'fdmount/mountat' function. But lacking that I'm not sure how we can prevent this.

Do you have any suggestions?

If we have the separate fix in apparmor for writing to /proc/self/attr/current, and the pivot_root update backported, what other attacks remain meaningful here?