@Andy -- that depends on whether we consider the kernel part of this a bug or not.
For lxc it'll be fixed with an apparmor policy shipped with lxc.
For update-binfmts more generally, there might be way for that program to be smarter.
But still the kernel itself is reading over proc and/or sys files, so there's the question of how far we go to protect the admin from himself.
My take right now: the container admin may be separate from the host admin, so we need the lxc policy. For the rest, update-binfmts and the kernel part can only be used by the host admin, so we let him shoot himself in the foot.
@Andy -- that depends on whether we consider the kernel part of this a bug or not.
For lxc it'll be fixed with an apparmor policy shipped with lxc.
For update-binfmts more generally, there might be way for that program to be smarter.
But still the kernel itself is reading over proc and/or sys files, so there's the question of how far we go to protect the admin from himself.
My take right now: the container admin may be separate from the host admin, so we need the lxc policy. For the rest, update-binfmts and the kernel part can only be used by the host admin, so we let him shoot himself in the foot.