Roman Fiedler discovered a directory traversal flaw that can occur while
lxc-start is initially setting up the mounts for a container.

If an attacker constructs a malicious symlink in the target path of a
container mount point, the symlink could be mishandled the next time the
container is started and the mount operation may be performed at an
undesired target location.

Additionally, if the source path of the mount is a malicious symlink
relative to the container, the symlink could be mishandled to bind mount
an undesired file or directory into the container.

Direct modification of the host's mount table is not possible since a
slave copy of the mount table is used.

An example of an attack that is made possible by this flaw is a user
inside of the container could leave behind a malicious symlink, at a
mount point target under their control, that would cause /proc/self/attr
to be mounted over. lxc-start would then unknowingly write to a "fake"
/proc/self/attr/current file, prior to launching the container init, to
perform an AppArmor profile transition. The profile transition would not
occur and the container init would run under incorrect confinement.

CVE-2015-1335
Bug: https://launchpad.net/bugs/1476662
Fix: https://github.com/lxc/lxc/commit/592fd47a6245508b79fe6ac819fe6d3b2c1289be
Upstream announcement: https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-September/012434.html

Tyler