Comment 19 for bug 1639345

Christian Brauner (cbrauner) wrote :

Fwiw, the patch to liblxc I posted should be sufficient to prevent the attack. I tested this on a kernel without the ptrace fix and it seems you won't be able to escape to the host without the proc fd anymore. Waiting on Roman to confirm this.