The pam_namespace module allows to setup "polyinstantiated directories" when setting up a user's session during login. The typical example is
setting up a private /tmp and/or /var/tmp for every user.
To achieve this a separate mount namespace is setup during login and a bind mount is performed in configured locations. Different methods are
offered for this like a fixed per-user directory that is bind mounted (i.e. per-user contents are persistent and shared between sessions) or
an ephemeral temporary directory (contents are lost after a session is closed).

The PAM module explicitly supports bind mounting of polyinstantiated directories in user controlled locations, like beneath the user's home
directory. Operating with root privileges in user controlled directories comes with a lot of dangers. To avoid them the function `protect_dir()`
implements a special algorithm to protect the target path of a bind mount.

The function follows the target path for the bind mount starting from the file system root. Each path component that is under non-root control
is protected from user manipulation, by bind mounting the path upon itself.

There is one bit missing though: The algorithm is not passing the `O_DIRECTORY` flag to `openat()` and is thus subject to special files like
FIFOs being placed in user controlled directories. This can easily be reproduced e.g. using this configuration entry in the `namespace.conf`
configuration file:

    $HOME/tmp /var/tmp/tmp-inst/ user:create root

An unprivileged user (that is not yet in a corresponding mount namespace with ~/tmp mounted as a polyinstantiated dir) can now place a FIFO
there:

    nobody$ mkfifo $HOME/tmp

A subsequent attempt to login as this user with `pam_namespace` configured will cause the `openat()` in `protect_dir()` to block,
causing a local denial of service.