openat2 landed in Linux 5.6, but unfortunately (though it does make it easier to implement safer container runtimes) there are still quite a few remaining tricks that attackers can use to attack container runtimes. This talk will give a quick overview of the remaining issues, some proposals for how we might fix them, and how
libpathrs will make use of them. In addition, a brief update on
libpathrs will be given.
Examples of attacks include:
- Bind-mounting on top of magic-links (such as
|I agree to abide by the anti-harassment policy||I agree|