[$] Hiding a process’s executable from itself

Post Syndicated from original https://lwn.net/Articles/920384/

Back in 2019, a high-profile container vulnerability led to the adoption of some complex workarounds and a frenzy of patching. The immediate problem was fixed, but the incident was severe enough that security-conscious developers have continued to look for ways to prevent similar vulnerabilities in the future. This patch set from Giuseppe Scrivano takes a rather simpler approach to the problem.