Comment 6 for bug 1381713

This technique looks quite promising. I have a few questions though:

1. if I do the aa_query_label() check followed by an open() call to read it, am I open to the same race conditions as if I was relying on access() to check permissions?

2. if the given path is a symlink, am I checking for permission to read the symlink or the destination of the symlink, or both?

If this lets us replace the FD passing hack, I'd love to use it. I'm just wondering how to safely use it in a race free manner.