Fwiw, the patch to liblxc I posted should be sufficient to prevent the attack. I tested this on a kernel without the ptrace fix and it seems you won't be able to escape to the host without the proc fd anymore. Waiting on Roman to confirm this.