Comment 9 for bug 917660

Serge Hallyn (serge-hallyn) wrote :

@Andy -- that depends on whether we consider the kernel part of this a bug or not.

For lxc it'll be fixed with an apparmor policy shipped with lxc.

For update-binfmts more generally, there might be a way for that program to be smarter.

But still the kernel itself is reading over proc and/or sys files, so there's the question of how far we go to protect the admin from himself.

My take right now: the container admin may be separate from the host admin, so we need the lxc policy. For the rest, update-binfmts and the kernel part can only be used by the host admin, so we let him shoot himself in the foot.
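To make the "apparmor policy shipped with lxc" part concrete, here is an illustrative AppArmor profile fragment of the kind that would stop a container admin from registering binfmt_misc handlers on the host. It is an added example written for this page, not the policy actually shipped with lxc, and the profile name and the comment about the mount rule are assumptions; the paths are the standard binfmt_misc interface under /proc/sys.

```apparmor
# Illustrative fragment only (not lxc's shipped profile).
# Assumed profile name for a container's init and its children.
profile lxc-container-binfmt-example flags=(attach_disconnected,mediate_deleted) {

  # Permissive baseline, for contrast: everything under /proc/sys writable.
  # A container root with this rule can run update-binfmts and the kernel
  # will happily act on the host's shared binfmt_misc table.
  #   /proc/sys/** rw,

  # Hardened variant: binfmt_misc is a host-global namespace, so refuse the
  # register/status/control files and any per-handler entry. 'w' blocks the
  # writes update-binfmts performs; 'k', 'l' and 'x' close off locking,
  # linking and exec on the same paths.
  deny /proc/sys/fs/binfmt_misc/** wklx,

  # Also refuse mounting a fresh binfmt_misc instance inside the container,
  # which would otherwise give the same global table under another path
  # (assumed: the container has CAP_SYS_ADMIN for other mounts).
  deny mount fstype=binfmt_misc,

  # Reading the table stays allowed so tooling can still inspect it.
  /proc/sys/fs/binfmt_misc/** r,
}
```

The split matches the comment above: the deny rules protect the host from a separate container admin, while a host admin running update-binfmts outside any profile is still free to shoot himself in the foot.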