An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization, by adding a symlink to the rootfs that points to a directory on the volume.
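A defender-side check for the condition described above, added here as an example and not taken from runc, docker or this bug: it walks an unpacked image rootfs and reports any planned mount destination whose path crosses a symlink. The function names, the `/shared` volume path and the sample rootfs are constructed assumptions; the check is static and inspects the image only, not the race itself.

```python
import os
import posixpath
import tempfile


def symlinked_mount_targets(rootfs, mount_destinations):
    """Map each mount destination to the first symlink on its path in rootfs.

    Components are tested with lstat semantics and never followed, so the
    audit cannot be redirected by the image it is inspecting.
    """
    findings = {}
    for dest in mount_destinations:
        current = rootfs
        # Normalise so "." and ".." cannot hide the component being checked.
        parts = [p for p in posixpath.normpath("/" + dest).split("/") if p]
        for part in parts:
            current = os.path.join(current, part)
            if os.path.islink(current):
                inside = "/" + os.path.relpath(current, rootfs)
                findings[dest] = (inside, os.readlink(current))
                break
            if not os.path.isdir(current):
                break  # missing or a plain file: nothing further to walk
    return findings


def build_constructed_rootfs(base):
    """Create a constructed sample rootfs (hypothetical layout) under base."""
    rootfs = os.path.join(base, "rootfs")
    os.makedirs(os.path.join(rootfs, "sys"))
    os.makedirs(os.path.join(rootfs, "dev"))
    # Symlinks shipped in the image that point into the shared volume.
    os.symlink("/shared/trap", os.path.join(rootfs, "proc"))
    os.symlink("/shared", os.path.join(rootfs, "data"))
    return rootfs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        rootfs = build_constructed_rootfs(base)
        planned = ["/proc", "/sys", "/dev/shm", "/data/cache"]
        found = symlinked_mount_targets(rootfs, planned)
        for dest, (link, target) in found.items():
            print(f"{dest}: crosses symlink {link} -> {target}")
```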
Created docker tracking bugs for this issue:
Affects: fedora-all [bug 1796110]
Affects: openstack-rdo [bug 1796112]
Created runc tracking bugs for this issue:
Affects: fedora-all [bug 1796109]
Upstream commit for this issue:
Jindrich, can you get an update out for this?